really slow restarting of pf service

blind0ne

Member


Messages: 27

Hello, I would like to ask how can I speed up my service pf restart process after adding new rules to my firewall? It's really slow.

Thanks.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,347
Messages: 38,863

How big is your ruleset? Because there's no reason why it should load slow, only if you try to load a humongous ruleset (or maybe have a couple of really large tables).

Post your pf.conf so we can actually see what you're trying to do. And you can simply do pfctl -f /etc/pf.conf to load your new set, you don't have to stop/start the service (it's not actually a service, it is a script in /etc/rc.d).
 

cmoerz

Member

Reaction score: 37
Messages: 98

This is a complete shot in the dark... do you happen to have FQDNs in your ruleset? This might simply be your DNS being slow, which in turn appears like pf loading slowly?
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,347
Messages: 38,863

> This might simply be your DNS being slow, which in turn appears like pf loading slowly?
Yeah, I was thinking the same thing, that's why I asked for the ruleset. DNS could even be completely impossible due to the firewall rules themselves.
 

richardtoohey2

Aspiring Daemon

Reaction score: 314
Messages: 634

I was going to say it's always DNS but thought I'd wait until we saw the ruleset. Any 30 second or so delay with anything network-related has me checking DNS immediately. But sometimes it is surprising what touches networking.
 
blind0ne (OP)

Member


Messages: 27

> How big is your ruleset? Because there's no reason why it should load slow, only if you try to load a humongous ruleset (or maybe have a couple of really large tables).
>
> Post your pf.conf so we can actually see what you're trying to do. And you can simply do pfctl -f /etc/pf.conf to load your new set, you don't have to stop/start the service (it's not actually a service, it is a script in /etc/rc.d).
The problem was really in reloading the service, thanks for this rule set loader command.
 

mer

Aspiring Daemon

Reaction score: 337
Messages: 551

If you look at /etc/rc.d/pf, on a 13.0-RELEASE at least, a reload command calls pfctl -f /etc/pf.conf $pf_flags to load the rules. Before that it does pfctl -n -f /etc/pf.conf $pf_flags to actually validate the ruleset before loading them, so the ruleset file is actually parsed twice.

Could that make it slower? Perhaps; but validating the ruleset before applying it is "not a bad thing". I think pf is intelligent enough to not apply the new ruleset if it doesn't parse while leaving any current rules in place.

Could the "service" command add some overhead? Perhaps; it's a /bin/sh script that loads /etc/rc.subr which could be doing other things before the "reload" command actually gets parsed and processed.

But that is all speculation, anything further, it would help if you posted your pf.conf or if you're satisfied with the command, that's fine too.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,347
Messages: 38,863

If you just want to reload the rules you can also use service pf reload, you don't have to 'restart' it.
 

mer

Aspiring Daemon

Reaction score: 337
Messages: 551

SirDice is correct (didn't expect otherwise); the sequence of commands I wrote about is what happens if you do service pf reload. Restart basically does "start" and then "stop" with a bunch of other checks and may even have a delay somewhere.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,347
Messages: 38,863

A 'stop' also does a pfctl -d to disable the PF firewall. A restart is just a stop followed by a start. I guess disabling and enabling the firewall takes a bit of time. I rarely use it, simply sticking to pfctl -nf /etc/pf.conf and pfctl -f /etc/pf.conf.

I would recommend testing your rules before putting them live if you have to do this remotely. You don't want to lock yourself out with a bad rule (been there, done that). This usually does the trick for me:
pfctl -f /etc/pf.conf.new && sleep 60 && pfctl -f /etc/pf.conf. You can put your new rules in /etc/pf.conf.new, load them, sleep for 60 seconds (so you can test you're not locked out), and then it'll revert back to the original rules. If you get locked out just wait 60 seconds and the original rules are loaded again. Once you're satisfied those new rules are working correctly you can replace /etc/pf.conf.
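The validate-then-load sequence mer describes from /etc/rc.d/pf and the sleep-and-revert trick above combine naturally into one small script. The following is an added example written for this thread, not code from the FreeBSD rc.d scripts or from any poster: it runs the same parse-only check (pfctl -n -f) before touching anything, loads the candidate, and after a grace period reverts to the live ruleset unless a marker file has been created from a second session. The paths /etc/pf.conf.new, /etc/pf.conf and the marker /tmp/pf-keep-new-rules are assumed defaults; PFCTL is a variable so the control flow can be exercised without pf present.

```shell
#!/bin/sh
# Trial rollout of a new pf ruleset with automatic revert.
# Added example for this thread, not code from the FreeBSD rc.d scripts.
# Assumed layout: candidate rules in /etc/pf.conf.new, live rules in
# /etc/pf.conf; the "keep" marker path is a constructed placeholder.

PFCTL=${PFCTL:-pfctl}                 # overridable so the logic can be tested without pf
NEW=${NEW:-/etc/pf.conf.new}
LIVE=${LIVE:-/etc/pf.conf}
GRACE=${GRACE:-60}                    # seconds the candidate rules stay live
KEEP_MARKER=${KEEP_MARKER:-/tmp/pf-keep-new-rules}

# A dropped SSH session sends SIGHUP; ignore it so the revert still runs.
trap '' HUP

# Parse-only check, the same pfctl -n -f pass /etc/rc.d/pf does before loading.
validate_ruleset() {
    "$PFCTL" -n -f "$1"
}

# Load the candidate, wait out the grace period, then either commit it
# (marker present) or fall back to the live ruleset.
# Returns 0 = committed, 1 = candidate rejected/unchanged, 2 = reverted.
trial_load() {
    if ! validate_ruleset "$NEW"; then
        echo "candidate $NEW failed to parse; live rules untouched" >&2
        return 1
    fi
    rm -f "$KEEP_MARKER"               # a stale marker must not auto-commit
    "$PFCTL" -f "$NEW" || return 1
    echo "candidate rules live for ${GRACE}s; touch $KEEP_MARKER from another session to keep them" >&2
    sleep "$GRACE"
    if [ -f "$KEEP_MARKER" ]; then
        rm -f "$KEEP_MARKER"
        cp "$NEW" "$LIVE"              # promote the candidate to the permanent ruleset
        echo "candidate committed to $LIVE" >&2
        return 0
    fi
    "$PFCTL" -f "$LIVE"                # no confirmation: reload the previous rules
    echo "no confirmation received; reverted to $LIVE" >&2
    return 2
}

# Run only when invoked with PF_TRIAL_RUN=1 so the file can also be sourced.
if [ "${PF_TRIAL_RUN:-0}" = 1 ]; then
    trial_load
fi
```

Run it as `PF_TRIAL_RUN=1 sh pf-trial.sh` in one session, test connectivity from a second session, and `touch /tmp/pf-keep-new-rules` there if everything still works. The marker replaces the plain "wait 60 seconds and it reverts" flow with an explicit confirmation, so a candidate that silently passed the window is never kept by accident. The `trap '' HUP` covers the case the one-liner in the post above does not: if the new rules lock you out and the SSH session is torn down, the shell running `sleep 60 && pfctl -f /etc/pf.conf` may be killed by SIGHUP before the revert happens; running it under nohup, tmux or screen achieves the same.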
 