Date:      Wed, 10 Nov 2004 15:04:56 +0100
From:      Gunnar Flygt <flygt@sr.se>
To:        FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   Re: 5.3-RELEASE kde 3.3 and pf
Message-ID:  <20041110140456.GA23273@sr.se>
In-Reply-To: <20041110134853.GB87953@sr.se>
References:  <20041110134853.GB87953@sr.se>

I reply to my own question. Since I found out it was pf causing this I
started to use tcpdump on pflog0 and found that traffic from 127.0.0.1
to 127.0.0.1 was blocked. So I added, as in the examples for ipf:

# allow localhost
pass in quick on lo0
pass out quick on lo0

after the antispoof rule in pf.conf, and now KDE is loading as quickly as
without pf. Is this something that should perhaps be in the example file
for pf? Or are there any security reasons for not having it?

On Wed, Nov 10, 2004 at 02:48:54PM +0100, Gunnar Flygt wrote:
> I've had problems with KDE 3.3 since I upgraded to 5.3-RELEASE.
> I compared the same machine (Dell Latitude D600) with a different HD
> where Gentoo Linux (Sorry for that:) resides. On the Gentoo box KDE 3.3
> starts promptly from kdm, no extra delays, but with FreeBSD 5.3 it takes
> about 2 minutes to get a running KDE environment.
> 
> Got the "brilliant" idea to stop pf before starting kdm AND alas KDE
> starts as fast as on the Gentoo system. (Actually it is even faster than
> login on the gentoo system:)
> 
> Here is my /etc/pf.conf:
> 
> #	$FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
> #	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
> #
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Required order: options, normalization, queueing, translation, filtering.
> # Macros and tables may be defined and used anywhere.
> # Note that translation rules are first match while filter rules are last match.
> 
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="bge0"	# replace with actual external interface name i.e., dc0
> 
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
> 
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> block in log all
> antispoof for { lo, $ext_if }
> pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass  out on $ext_if proto { tcp, udp } all keep state
> pass out quick proto icmp from any to any keep state
> pass in quick proto icmp from any to any
> 
> # drop without log
> block in proto { tcp, udp } from any to any port 134 >< 140
> block in proto tcp from any to any port = 515
> block in from any to 255.255.255.255
> # my local network Class B
> block in from any to yyy.xx.255.255 
> block in from any to 224.0.0.0/4
> 
> What is it that makes KDE so slow when using pf with these simple rules?
> Have I missed something?
> 
> -- 
> Gunnar Flygt
> SR Datadrift
> Sveriges Radio

-- 
Gunnar Flygt
SR Datadrift
Sveriges Radio
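
An added example, not part of the original message: a small filter for the diagnosis step described above (reading pf's log with tcpdump), which counts the packets pf blocked on a loopback interface. The sample log lines are constructed, and the function names `sample_pflog` and `blocked_loopback` are hypothetical.

```shell
#!/bin/sh
# Added example: summarise packets that pf blocked on a loopback interface.
# Reads the text output of tcpdump on the pf log, for instance:
#   tcpdump -n -e -ttt -r /var/log/pflog | blocked_loopback

# Constructed sample lines in the style tcpdump prints for pflog;
# timestamps, ports, addresses and rule numbers are made up.
sample_pflog() {
cat <<'EOF'
000000 rule 0/0(match): block in on lo0: 127.0.0.1.49152 > 127.0.0.1.6000: S 1:1(0) win 65535
000412 rule 0/0(match): block in on lo0: 127.0.0.1.49153 > 127.0.0.1.6000: S 2:2(0) win 65535
001033 rule 5/0(match): block in on bge0: 192.0.2.7.137 > 192.0.2.255.137: UDP, length 50
002500 rule 0/0(match): block in on lo0: 127.0.0.1.49154 > 127.0.0.1.111: S 3:3(0) win 65535
EOF
}

# Print "<count> <rule> <direction> <interface> <destination>" for every
# blocked destination seen on lo0, lo1, ..., most frequent first.
blocked_loopback() {
    awk '
    {
        # Find the "block" action; its position varies with the timestamp format.
        for (i = 1; i <= NF; i++) if ($i == "block") break
        if (i > NF || i < 2) next
        # Expected layout: block <dir> on <if>: <src> > <dst>:
        if ($(i+2) != "on") next
        dir = $(i+1)
        ifc = $(i+3); sub(/:$/, "", ifc)
        if (ifc !~ /^lo[0-9]+$/) next           # keep loopback only
        rule = $(i-1); sub(/\(.*$/, "", rule)   # "0/0(match):" -> "0/0"
        dst = $(i+6); sub(/:$/, "", dst)
        n[rule " " dir " " ifc " " dst]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

sample_pflog | blocked_loopback
```

Any line in the output means local services talking over lo0 are hitting a block rule, which is the condition the `pass ... quick on lo0` rules in the message remove.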


