pkg slow down a lot with simple firewall.
Donald Mickunas
dmickunas1954 at fastmail.com
Wed May 27 21:17:24 UTC 2020
Thank you for your suggestion, Cristian.
I have implemented your suggestion with unexpected results. Note: I did reboot the system after I changed rc.conf.
$ cat /etc/rc.conf
clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="donsoptiplex"
keymap="us.kbd"
ifconfig_em0="DHCP"
ifconfig_em0_ipv6="inet6 accept_rtadv"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
dbus_enable="YES"
hald_enable="YES"
autofs_enable="YES"
kld_list="/boot/modules/i915kms.ko"
sound_load="YES"
snda_hda_load="YES"
sddm_enable="NO"
cupsd_enable="YES"
devfs_system_ruleset="system"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
$ cat /etc/pf.conf
set skip on lo0
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22 53 80 123 443 }
pass out inet proto icmp icmp-type { echoreq }
$ ls -l /var/log/pflog
-rw------- 1 root wheel 24 May 25 21:51 /var/log/pflog
$ sudo pkg update
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
$ sudo pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
$ sudo tcdump -n -e -ttt -r /var/log/pflog
sudo: tcdump: command not found
$ sudo tcpdump -n -e -ttt -r /var/log/pflog
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
$
no output. Did I miss something?
Thanks
On Wed, May 27, 2020, at 16:22, Cristian Cardoso wrote:
> Hello
> Try to activate pf logs to see what is blocking or slowing you down,
> insert this in the /etc/rc.conf file
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
>
> To view the logs afterwards is via tcpdump, as follows:
> tcpdump -n -e -ttt -r /var/log/pflog
>
> On Wed, May 27, 2020 at 16:23, Donald Mickunas
> <dmickunas1954 at fastmail.com> wrote:
> >
> > Hi all,
> >
> > I am new to firewalls and trying to learn. I am attempting to set up a pf firewall on FreeBSD 12.1-RELEASE-p5. This is a home computer for personal use and is not part of a server network. "pkg update" will take a minute or more to complete a verification that it is up to date with the firewall on vs. seconds when the firewall is off. I can find no reason for this. I have done a variety of searches online plus in the various forums with zero results. Any ideas?
> >
> > This is a simple firewall.
> > Here is my set up:
> >
> > */etc/pf.conf*
> >
> > set skip on lo0
> > block all
> > pass in proto tcp to port { 22 }
> > pass out proto { tcp udp } to port { 22 53 80 123 443 }
> > pass out inet proto icmp icmp-type { echoreq }
> >
> >
> > */etc/rc.conf*
> >
> > clear_tmp_enable="YES"
> > sendmail_enable="NONE"
> > hostname="donsoptiplex"
> > keymap="us.kbd"
> > ifconfig_em0="DHCP"
> > ifconfig_em0_ipv6="inet6 accept_rtadv"
> > ntpd_enable="YES"
> > # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> > dumpdev="NO"
> > dbus_enable="YES"
> > hald_enable="YES"
> > autofs_enable="YES"
> > kld_list="/boot/modules/i915kms.ko"
> > sound_load="YES"
> > snda_hda_load="YES"
> > sddm_enable="NO"
> > cupsd_enable="YES"
> > devfs_system_ruleset="system"
> > pf_enable="YES"
> > pflog_enable="YES"
> >
> > Thanks!!
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
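Added example, not from either poster: pflog only receives packets matched by rules that carry the `log` keyword, and the posted ruleset has none, which is consistent with a 24-byte /var/log/pflog (a bare pcap file header with no records). The small checker below parses the ruleset quoted in this thread (embedded as a constructed sample), reports which rules would feed pflog, and shows the usual diagnostic rewrite; the helper names are my own.

```python
# Constructed sample: the ruleset posted in this thread.
RULESET_POSTED = """\
set skip on lo0
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22 53 80 123 443 }
pass out inet proto icmp icmp-type { echoreq }
"""

ACTIONS = ("pass", "block", "match")


def has_log(words):
    """True if a rule's tokens contain the pf 'log' keyword ('log' or 'log(...)')."""
    return any(w == "log" or w.startswith("log(") for w in words)


def parse_rules(text):
    """Return (action, logs, line) for each filter rule; options ('set ...'),
    macros, comments and blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        words = line.split()
        if not words or words[0] not in ACTIONS:
            continue
        rules.append((words[0], has_log(words), line))
    return rules


def pflog_coverage(text):
    """Summarise which rules would write to pflog0 and which block rules stay silent."""
    rules = parse_rules(text)
    return {
        "rules": len(rules),
        "logged": [r[2] for r in rules if r[1]],
        "unlogged_blocks": [r[2] for r in rules if r[0] == "block" and not r[1]],
    }


def add_log_to_blocks(text):
    """Diagnostic rewrite: insert 'log' into every block rule that lacks it,
    after the action and any block option/direction, per pf.conf grammar
    ('block all' -> 'block log all', 'block in quick ...' -> 'block in log quick ...')."""
    out = []
    for raw in text.splitlines():
        words = raw.split()
        if words and words[0] == "block" and not has_log(words):
            i = 1
            while i < len(words) and (words[i] in ("drop", "in", "out") or words[i].startswith("return")):
                i += 1
            words.insert(i, "log")
            raw = " ".join(words)
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")
```

After loading the rewritten ruleset with pfctl, the tcpdump command quoted above starts showing the blocked packets.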