PF pkg update very slow when pfctl enabled

Hi all,

I am very new to firewalls and trying to learn. I have posted a simple firewall. Everything seems to work fine except pkg. It slows down to a crawl when accessing files from the net.

/etc/pf.conf
Code:
set skip on lo0
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port {  22 53 80 123 443 }
pass out inet proto icmp icmp-type { echoreq }

/etc/rc.conf
Code:
clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="donsoptiplex"
keymap="us.kbd"
ifconfig_em0="DHCP"
ifconfig_em0_ipv6="inet6 accept_rtadv"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
dbus_enable="YES"
hald_enable="YES"
autofs_enable="YES"
kld_list="/boot/modules/i915kms.ko"
sound_load="YES"
snd_hda_load="YES"
sddm_enable="NO"
cupsd_enable="YES"
devfs_system_ruleset="system"
pf_enable="YES"
pflog_enable="YES"
Thanks.
 
Are you sure only your specified permitted ports are used? Have you checked the pf log to see if something is blocked? No, you have not, as you do not log anything. So I suggest you first log and analyse the log if you have any firewall related problems. In your case you could change the block rule to "block log all", reload with "pfctl -f /etc/pf.conf" and then follow what is blocked with, for example...

# Real time
tcpdump -e -n -tttt -i pflog0

# From log file
tcpdump -e -n -tttt -r /var/log/pflog


But....

If it is a firewall where you should have no users or other odd services I would use something like this example...
Code:
LAN_INT="vlan20"
DMZ1_INT="vlan30"
DMZ2_INT="vlan40"
GUEST_INT="vlan600"
INTERNET_INT="wan0"
ALL_INTERFACES="{" $LAN_INT $GUEST_INT $DMZ1_INT $DMZ2_INT $INTERNET_INT "}"
pass out quick on $ALL_INTERFACES inet proto {tcp gre esp udp icmp ipv6} all keep state
pass out quick on $ALL_INTERFACES inet6 proto {tcp gre esp udp icmp6} all keep state

I personally allow all traffic out from the firewall. I only filter incoming on the firewall interfaces. If someone is inside your firewall as root, then you have a bigger problem anyway. Most commercial FW:s do the same.

/Peo
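The ruleset in the first post and the tcpdump commands above are two halves of the same job: finding out what pf drops and fixing the ruleset accordingly. The script below is an added example written for this thread, not code from any of the posters. It carries a hardened version of the posted pf.conf for the same single-homed workstation (interface em0, taken from the posted rc.conf) that keeps the posted ports, logs every drop, uses block-policy return so a refused connection fails fast, and passes the ICMPv6 messages IPv6 cannot work without (the posted ruleset passes ICMP for inet only, so no ICMPv6 at all; pinning pkg to IPv4 with IP_VERSION, as the original poster ended up doing, sidesteps the same gap). It also has an awk summariser for the output of "tcpdump -e -n -tttt -i pflog0" so the blocked flows can be counted instead of read line by line. The log lines in it are constructed samples, not captured traffic.

```shell
#!/bin/sh
# Added example, not code from the thread: a hardened version of the ruleset in
# the first post plus a summariser for the output of Peo's tcpdump commands.
# Assumptions: the interface is em0 (from the posted rc.conf); the log lines
# below are constructed samples, not captured traffic.

# Hardened /etc/pf.conf for a single-homed workstation. Compared with the
# posted ruleset it logs every drop, answers refused connections instead of
# dropping them silently, and passes the ICMPv6 that IPv6 cannot work without.
hardened_ruleset() {
cat <<'EOF'
ext_if = "em0"

set skip on lo0
# return: a blocked TCP packet gets a RST and a blocked UDP packet an ICMP
# unreachable, so a refused connection attempt fails quickly instead of
# waiting for the application's own timeout
set block-policy return

# log every dropped packet; "tcpdump -e -n -tttt -i pflog0" then shows it
block log all

# inbound: SSH only
pass in on $ext_if proto tcp to ($ext_if) port 22

# outbound: the ports from the posted ruleset, for IPv4 and IPv6 alike
pass out on $ext_if proto { tcp udp } to port { 22 53 80 123 443 }
pass out on $ext_if inet proto icmp icmp-type echoreq
pass out on $ext_if inet6 proto icmp6 icmp6-type echoreq

# the posted ruleset passes no ICMPv6 at all, which breaks IPv6 on the host:
# router advertisements carry the prefix and default route, neighbor discovery
# resolves link-layer addresses
pass in on $ext_if inet6 proto icmp6 icmp6-type { routeradv neighbrsol neighbradv }
pass out on $ext_if inet6 proto icmp6 icmp6-type { routersol neighbrsol neighbradv }
EOF
}

# Parse the ruleset with pfctl -n (check only, nothing is loaded) where pfctl exists
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        hardened_ruleset | pfctl -nf -
    else
        echo "pfctl not found, skipping syntax check" >&2
    fi
}

# Constructed sample of "tcpdump -e -n -tttt -i pflog0" output with "block log all"
SAMPLE_PFLOG='2024-05-01 10:15:02.101010 rule 0/0(match): block out on em0: IP6 2001:db8::10.49152 > 2001:db8::1.443: Flags [S], seq 1, win 65535, length 0
2024-05-01 10:15:02.202020 rule 0/0(match): block out on em0: IP6 fe80::1:2:3:4 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8::1, length 32
2024-05-01 10:15:03.303030 rule 0/0(match): block in on em0: IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
2024-05-01 10:15:04.404040 rule 0/0(match): block in on em0: IP 203.0.113.7.40000 > 192.0.2.10.23: Flags [S], seq 2, win 1024, length 0
2024-05-01 10:15:05.505050 rule 0/0(match): block out on em0: IP6 2001:db8::10.49153 > 2001:db8::1.443: Flags [S], seq 3, win 65535, length 0
2024-05-01 10:15:06.606060 rule 0/0(match): block in on em0: IP 203.0.113.9.53 > 192.0.2.10.1024: 4242 1/0/0 A 198.51.100.5 (44)
2024-05-01 10:15:07.707070 rule 0/0(match): block in on em0: IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 5, seq 1, length 64'

# Tally what pf logged, one line per distinct
# "action direction interface protocol destination port-or-ICMP-type"
summarize_pflog() {
    awk '
    index($0, "(match): ") {
        rest = substr($0, index($0, "(match): ") + 9)
        split(rest, w, " ")
        action = w[1]; dir = w[2]; iface = w[4]; sub(/:$/, "", iface)
        sub(/^[a-z]+ [a-z]+ on [^ ]+ /, "", rest)    # strip "block out on em0: "
        sub(/^IP6? /, "", rest)                       # strip the optional IP/IP6 tag
        split(rest, f, " ")
        dst = f[3]; sub(/:$/, "", dst)
        if (rest ~ /ICMP6, /) {
            proto = "icmp6"
            match(rest, /ICMP6, [^,]+/); what = substr(rest, RSTART + 7, RLENGTH - 7)
        } else if (rest ~ /ICMP /) {
            proto = "icmp"
            match(rest, /ICMP [^,]+/); what = substr(rest, RSTART + 5, RLENGTH - 5)
        } else {
            proto = (rest ~ /Flags \[/) ? "tcp" : "udp/other"
            n = split(dst, p, "\\."); what = p[n]    # port is the last dotted field
            sub(/\.[0-9]+$/, "", dst)                # keep only the host part
        }
        count[action " " dir " " iface " " proto " " dst " " what]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Run the summariser over the constructed sample
demo() {
    printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
}

hardened_ruleset
echo
demo
```

On the workstation, run check_ruleset as root before copying the ruleset into /etc/pf.conf, then feed the real tcpdump output to summarize_pflog (for the file, "tcpdump -e -n -tttt -r /var/log/pflog | summarize_pflog"). The summary columns are count, action, direction, interface, protocol, destination host and destination port or ICMP type; on the constructed sample the repeated blocked IPv6 connections to port 443 and the dropped router advertisement stand out immediately, which is exactly the evidence the original poster lacked.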
 
> I personally allow all traffic out from the firewall. I only filter incoming on the firewall interfaces. If someone is inside your firewall as root, then you have a bigger problem anyway. Most commercial FW:s do the same.
> /Peo

Same here: in the "pass out" rules of the external interface (WAN) I permit everything, and on the LAN interface the same allowed ports are shared by "pass in" and "pass out". I focus on security in the LAN rules and the WAN "in" rules.
 
Thank you all for your helpful comments. I have discovered a solution for my issue. I changed the value for IP_VERSION in pkg.conf to 4. Having done that, everything started working just fine. Thanks again for your help. It is much appreciated.
 