really slow restarting of pf service

Hello, I would like to ask how I can speed up my service pf restart process after adding new rules to my firewall? It's really slow.

Thanks.
 
How big is your ruleset? Because there's no reason why it should load slowly, unless you're trying to load a humongous ruleset (or maybe have a couple of really large tables).

Post your pf.conf so we can actually see what you're trying to do. And you can simply do pfctl -f /etc/pf.conf to load your new set; you don't have to stop/start the service (it's not actually a service, it is a script in /etc/rc.d).
 
This is a complete shot in the dark... do you happen to have FQDNs in your ruleset? This might simply be your DNS being slow, which in turn appears like pf loading slowly?
 
This might simply be your DNS being slow, which in turn appears like pf loading slowly?
Yeah, I was thinking the same thing, that's why I asked for the ruleset. DNS could even be completely impossible due to the firewall rules themselves.
 
I was going to say it's always DNS but thought I'd wait until we saw the ruleset. Any 30 second or so delay with anything network-related has me checking DNS immediately. But sometimes it is surprising what touches networking.
 
How big is your ruleset? Because there's no reason why it should load slowly, unless you're trying to load a humongous ruleset (or maybe have a couple of really large tables).

Post your pf.conf so we can actually see what you're trying to do. And you can simply do pfctl -f /etc/pf.conf to load your new set; you don't have to stop/start the service (it's not actually a service, it is a script in /etc/rc.d).
The problem was really in reloading the service, thanks for this ruleset loader command.
 
If you look at /etc/rc.d/pf, on a 13.0-RELEASE at least, a reload command calls pfctl -f /etc/pf.conf $pf_flags to load the rules. Before that it does pfctl -n -f /etc/pf.conf $pf_flags to actually validate the ruleset before loading them, so the ruleset file is actually parsed twice.

Could that make it slower? Perhaps; but validating the ruleset before applying it is "not a bad thing". I think pf is intelligent enough to not apply the new ruleset if it doesn't parse, while leaving any current rules in place.

Could the "service" command add some overhead? Perhaps; it's a /bin/sh script that loads /etc/rc.subr, which could be doing other things before the "reload" command actually gets parsed and processed.

But that is all speculation. For anything further, it would help if you posted your pf.conf; or if you're satisfied with the command, that's fine too.
 
SirDice is correct (didn't expect otherwise): the sequence of commands I wrote about is what happens if you do service pf reload. Restart basically does "start" and then "stop" with a bunch of other checks and may even have a delay somewhere.
 
A 'stop' also does a pfctl -d to disable the PF firewall. A restart is just a stop followed by a start. I guess disabling and enabling the firewall takes a bit of time. I rarely use it, simply sticking to pfctl -nf /etc/pf.conf and pfctl -f /etc/pf.conf.

I would recommend testing your rules before putting them live if you have to do this remotely. You don't want to lock yourself out with a bad rule (been there, done that). This usually does the trick for me:
pfctl -f /etc/pf.conf.new && sleep 60 && pfctl -f /etc/pf.conf. You can put your new rules in /etc/pf.conf.new, load them, sleep for 60 seconds (so you can check that you're not locked out), and then it'll revert back to the original rules. If you get locked out, just wait 60 seconds and the original rules are loaded again. Once you're satisfied those new rules are working correctly you can replace /etc/pf.conf.
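The "load, wait, revert" one-liner above and the parse-first pfctl -n step mentioned earlier in the thread, combined into one script. This is an added example, not code from the thread or from FreeBSD's /etc/rc.d/pf. It goes a little further than the one-liner: both the candidate and the fallback ruleset are parse-checked with pfctl -n before anything is loaded (if /etc/pf.conf itself does not parse, the automatic revert would fail and leave the candidate rules in place), and the revert is skipped only if the operator creates a confirmation file while the candidate is live. The confirmation-file path, the environment-variable names and the script file name are assumptions of this example; pfctl -n -f and pfctl -f are the real pfctl invocations.

```shell
#!/bin/sh
# Added example: trial-load a candidate pf ruleset and revert automatically
# unless the operator confirms within a grace period. Both files are
# parse-checked first (pfctl -n); the revert is skipped only if $CONFIRM
# appears while the candidate is live. Variable names, the confirmation
# file path and the script name are assumptions, not pf/FreeBSD conventions.

PFCTL=${PFCTL:-/sbin/pfctl}                 # pfctl binary (overridable for testing)
LIVE=${LIVE:-/etc/pf.conf}                  # known-good ruleset to fall back to
CANDIDATE=${CANDIDATE:-/etc/pf.conf.new}    # ruleset under test
CONFIRM=${CONFIRM:-/var/run/pf.confirmed}   # operator touches this to keep it (assumed path)
GRACE=${GRACE:-60}                          # seconds before automatic revert

# validate_ruleset FILE: parse only, load nothing. Exit status is pfctl's.
validate_ruleset() {
    "$PFCTL" -n -f "$1"
}

# wait_for_confirmation: poll for $CONFIRM once a second for $GRACE seconds.
# Returns 0 as soon as the file exists, 1 if the window closes without it.
wait_for_confirmation() {
    _elapsed=0
    while [ "$_elapsed" -lt "$GRACE" ]; do
        [ -f "$CONFIRM" ] && return 0
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    [ -f "$CONFIRM" ]
}

# trial_load: returns 0 if the candidate was kept, 1 if it was reverted,
# 2 if either file fails to parse (nothing is loaded in that case).
trial_load() {
    # Check the fallback first: if $LIVE does not parse, the revert cannot
    # work and you would be stuck with whatever the candidate does.
    validate_ruleset "$LIVE" || { echo "fallback $LIVE does not parse" >&2; return 2; }
    validate_ruleset "$CANDIDATE" || { echo "candidate $CANDIDATE does not parse" >&2; return 2; }
    rm -f "$CONFIRM"
    "$PFCTL" -f "$CANDIDATE" || return 2
    echo "candidate live; touch $CONFIRM within ${GRACE}s to keep it" >&2
    if wait_for_confirmation; then
        echo "confirmed; candidate rules stay loaded" >&2
        return 0
    fi
    "$PFCTL" -f "$LIVE"
    echo "no confirmation; reverted to $LIVE" >&2
    return 1
}

# Run only when invoked with "run", so the file can also be sourced:
#   sh safe-pf-trial.sh run      # then, from a second session that still
#   touch /var/run/pf.confirmed  # works, confirm before the window closes
if [ "${1:-}" = run ]; then
    trial_load
fi
```

Start it from the session you are already logged in on, then open a second SSH session through the new rules; if that second login works, touch the confirmation file from it. If you are locked out, do nothing and the script reverts to /etc/pf.conf when the grace period ends. Keep in mind that pfctl -f replaces the ruleset but not the state table, so an existing SSH session may survive a rule that would block a fresh connection; that is why the check should be a new connection rather than the one the script runs in.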
 