Message-Id: <0845d793-2c53-4433-b7a4-a6ca185575c6@www.fastmail.com>
References: <804eeda4-03ed-4ec8-8755-3130e06382d8@www.fastmail.com> <8347b16b-5b9b-4e62-88fc-a3f19dc138a8@www.fastmail.com> <0E48F161-081E-43F8-B00D-9888A48D7AA2@mail.sermon-archive.info> <51ae9da1-ccbb-4a1c-b1e3-155bce912cc5@www.fastmail.com>
Date: Wed, 27 May 2020 21:22:32 -0400
From: "Donald Mickunas"
To: "Cristian Cardoso", "Doug Hardie"
Cc: "FreeBSD PF List"
Subject: Re: pkg slow down a lot with simple firewall.
List-Id: "Technical discussion and general questions about packet filter (pf)"

Just a note. I have the manpage for pkg.conf printed and in a binder. Thanks again.
On Wed, May 27, 2020, at 20:36, Cristian Cardoso wrote:
> I reinforce Doug's recommendation and if you want to log the things
> that are possibly blocked, insert it in pf.conf
>
> block in log all
>
> About what Doug talked about starting the connection in IPv4 and
> switching to IPv6, it is only the DNS request in IPv4 that is managing
> to answer the domain update.freebsd.org in IPv6, with that the pkg
> requests come out via IPv6
>
> One thing that helped me a lot in the beginning was this URL:
> https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1
>
> On Wed., 27 May 2020 at 19:18, Doug Hardie wrote:
> >
> > > On 27 May 2020, at 14:38, Donald Mickunas wrote:
> > >
> > > Thanks, Doug.
> > >
> > > Here are the results after running pkg update once.
> > >
> > > $ sudo tcpdump -n -e -ttt -r /var/log/pflog
> > > Password:
> > > reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> > > 00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
> > > 00:00:00.049750 rule 7/0(match): pass out on em0: 192.168.1.4.48855 > 192.168.1.1.53: 59873+[|domain]
> > > 00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
> > > 00:00:00.887723 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 64.6.144.6.123: NTPv4, Client, length 48
> > > 00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
> > > 00:00:00.442261 rule 7/0(match): pass out on em0: 192.168.1.4.12228 > 192.168.1.1.53: 15101+[|domain]
> > > 00:00:00.105498 rule 7/0(match): pass out on em0: 192.168.1.4.31652 > 192.168.1.1.53: 56618+[|domain]
> > > 00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
> > > 00:00:34.523685 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 74.6.168.73.123: NTPv4, Client, length 48
> > > 00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> > > 00:00:00.075191 rule 7/0(match): pass out on em0: 192.168.1.4.11403 > 192.168.1.1.53: 30468+[|domain]
> > > 00:00:00.000800 rule 7/0(match): pass out on em0: 192.168.1.4.27145 > 192.168.1.1.53: 3978+[|domain]
> > > 00:00:00.000739 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.64864 > 2610:1c1:1:606c::50:1.80: [|tcp]
> > > 00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> > > 00:00:00.082616 rule 7/0(match): pass out on em0: 192.168.1.4.15248 > 192.168.1.1.53: 2366+[|domain]
> > > 00:00:00.000531 rule 7/0(match): pass out on em0: 192.168.1.4.65475 > 192.168.1.1.53: 41713+[|domain]
> > > 00:00:00.000772 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.55684 > 2610:1c1:1:606c::50:1.80: [|tcp]
> > > 00:00:18.883826 rule 3/0(match): pass out on em0: 192.168.1.4.25039 > 96.47.72.71.80: Flags [S], seq 222404333, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
> > > $
> > >
> > > I have no idea how to interpret this. Any help would be appreciated.
> >
> > That is quite unexpected. The connection starts out with IPv4 and then switches to IPv6. It also only shows the output packets, so delays caused at the server end cannot be distinguished. I would recommend using tcpdump to see the entire transaction.
> >
> > In one window, start tcpdump with:
> > tcpdump -ixxx -ttt -s0 -X port 80
> >
> > Here you need to replace xxx above with your interface name. You can find it in the output of ifconfig. It will be the interface that has your IP address in it. For example, mine is:
> >
> > bge0: flags=8943 metric 0 mtu 1500
> > options=c019b
> > ether 38:c9:86:07:3b:5b
> > inet 10.0.1.250 netmask 0xffffff00 broadcast 10.0.1.255
> > inet6 fe80::3ac9:86ff:fe07:3b5b%bge0 prefixlen 64 scopeid 0x1
> > inet6 fee1::250 prefixlen 64
> > media: Ethernet autoselect (100baseTX )
> > status: active
> > nd6 options=23
> >
> > and the interface name is bge0.
> >
> > Then in the second window start the pkg update command. Note, tcpdump will produce a lot of output. The output will have a time stamp (hours:minutes:seconds.microseconds). It will be a delta time from the previous packet. Look for one where the seconds are greater than zero. That is where the delays are occurring.
> >
> > -- Doug
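To apply Doug's "look for one where the seconds are greater than zero" advice mechanically, here is an added example (mine, not code from anyone in this thread) that parses the `tcpdump -n -e -ttt -r /var/log/pflog` lines quoted above, reports each packet that follows a stall, and counts which pf rules carried IPv4 versus IPv6 traffic. The sample input is a constructed subset of Donald's pflog output with the mail soft line breaks removed; the 1-second threshold is my assumption.

```python
import re
from dataclasses import dataclass

# One line of `tcpdump -n -e -ttt -r /var/log/pflog` as quoted in the thread:
# "<delta> rule N/M(match): pass out on em0: SRC.PORT > DST.PORT: payload"
PFLOG_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) "
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

@dataclass
class Entry:
    delta: float     # seconds since the previous logged packet (-ttt prints deltas)
    rule: int
    action: str
    direction: str
    src: str
    dst: str
    family: str      # "inet6" when the address holds more than one ':'

def parse_line(line):
    """Parse one pflog line; return None for lines that are not packet records."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    delta = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
    family = "inet6" if m["src"].count(":") > 1 else "inet"
    return Entry(delta, int(m["rule"]), m["action"], m["dir"], m["src"], m["dst"], family)

def find_gaps(text, threshold=1.0):
    """Packets whose delta is >= threshold: each is the first packet *after* a stall."""
    return [e for e in map(parse_line, text.splitlines()) if e and e.delta >= threshold]

def summarize(text):
    """Count logged packets per (rule number, address family)."""
    counts = {}
    for e in filter(None, map(parse_line, text.splitlines())):
        counts[(e.rule, e.family)] = counts.get((e.rule, e.family), 0) + 1
    return counts

# Constructed sample: six lines taken from the pflog output quoted in this thread.
SAMPLE = """\
00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.1.4.25334 > 192.168.1.1.53: 18844+[|domain]
00:00:00.049459 rule 9/0(match): pass out on em0: 192.168.1.4.123 > 209.94.190.139.123: NTPv4, Client, length 48
00:00:29.345987 rule 7/0(match): pass out on em0: 192.168.1.4.51718 > 192.168.1.1.53: 49030+[|domain]
00:00:00.136933 rule 3/0(match): pass out on em0: 2600:6c5c:6000:32a0:1a03:73ff:fe3a:d596.60802 > 2610:1c1:1:606c::50:1.80: [|tcp]
00:00:00.526029 rule 3/0(match): pass out on em0: 192.168.1.4.12913 > 96.47.72.71.80: Flags [S], seq 1540288966, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
00:00:18.977520 rule 3/0(match): pass out on em0: 192.168.1.4.58497 > 96.47.72.71.80: Flags [S], seq 2776579475, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
"""

if __name__ == "__main__":
    for e in find_gaps(SAMPLE):
        print(f"{e.delta:8.3f}s stall before rule {e.rule} {e.family} {e.src} > {e.dst}")
    print(summarize(SAMPLE))
```

Because pflog here only records outbound packets, a stall shows up as the delta on the next packet out; a large delta in front of a repeated SYN to the same destination means no reply was seen in between, which is what Doug's two-window tcpdump capture is meant to confirm.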