How big is your ruleset? Because there's no reason why it should load slow, only if you try to load a humongous ruleset (or maybe have a couple of really large tables).

Post your pf.conf so we can actually see what you're trying to do. And you can simply do

pfctl -f /etc/pf.conf

to load your new set, you don't have to stop/start the service (it's not actually a service, it is a script in /etc/rc.d).

This might simply be your DNS being slow, which in turn appears like pf loading slowly?

Yeah, I was thinking the same thing, that's why I asked for the ruleset. DNS could even be completely impossible due to the firewall rules themselves.

The problem was really in reloading the service, thanks for this rule set loader command.
pfctl -d

to disable the PF firewall. A restart is just a stop followed by a start. I guess disabling and enabling the firewall takes a bit of time. I rarely use it, simply sticking to

pfctl -nf /etc/pf.conf

and

pfctl -f /etc/pf.conf

pfctl -f /etc/pf.conf.new && sleep 60 && pfctl -f /etc/pf.conf

You can put your new rules in /etc/pf.conf.new, load them, sleep for 60 seconds (so you can test you're not locked out), and then it'll revert back to the original rules. If you get locked out just wait 60 seconds and the original rules are loaded again. Once you're satisfied those new rules are working correctly you can replace /etc/pf.conf.
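A more robust version of the load-then-revert trick above, as an added example (not code that anyone in this thread posted): it syntax-checks the candidate file with pfctl -n before touching anything, loads it, and then reverts to the known-good file unless a confirmation file appears within the timeout. One caveat the plain "&& sleep 60 &&" chain has: if the new rules cut off the SSH session that started it, the login shell typically receives SIGHUP and the pending pfctl -f /etc/pf.conf never runs; the trap below reverts immediately in that case. The PFCTL override, the confirmation-file mechanism, the exit codes and the file names are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Confirm-or-revert loader for a pf ruleset.
# Added example for this thread, not code posted by anyone in it.
#
# Usage:  safe_pf_reload.sh /etc/pf.conf.new /etc/pf.conf 60 /tmp/pf.confirm
# From a second session, once you have verified you can still get in:
#         touch /tmp/pf.confirm
#
# PFCTL is the pfctl binary; overriding it (e.g. PFCTL=./fake-pfctl) lets the
# script be exercised without touching a live firewall. (Assumption of this
# example, not a pfctl feature.)
PFCTL="${PFCTL:-pfctl}"

# safe_reload NEW ORIG TIMEOUT CONFIRM_FILE
#   exit status 0: new rules confirmed and left loaded
#                1: not confirmed in time (or session lost), ORIG reloaded
#                2: NEW failed the syntax check, nothing was touched
#                3: pfctl refused to load NEW, nothing was changed
safe_reload() {
    new=$1 orig=$2 timeout=$3 confirm=$4

    # -n parses and reports errors without loading; a ruleset that fails
    # here must never reach the running firewall.
    "$PFCTL" -nf "$new" || return 2
    "$PFCTL" -f "$new" || return 3

    # If this shell dies (SSH session closed by the new rules -> SIGHUP) or
    # is interrupted, put the known-good set back immediately rather than
    # leaving the untested rules in place.
    trap '"$PFCTL" -f "$orig"; exit 1' HUP INT TERM

    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            trap - HUP INT TERM
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done

    # Timeout expired with no confirmation: revert.
    trap - HUP INT TERM
    "$PFCTL" -f "$orig"
    return 1
}

# Run directly with four arguments; with none the functions are just defined.
if [ "$#" -eq 4 ]; then
    safe_reload "$@"
    rc=$?
    case "$rc" in
        0) echo "new rules confirmed; copy $1 over $2 when ready" ;;
        1) echo "no confirmation within $3 s, reverted to $2" ;;
        2) echo "syntax check of $1 failed, nothing loaded" ;;
        3) echo "pfctl could not load $1, nothing changed" ;;
    esac
    exit "$rc"
fi
```

Run it from a tmux or screen session if you want the countdown to survive a dropped connection even without the trap; either way the confirmation has to come from a second login, which is exactly the "can I still get in?" test the sleep trick is meant to give you.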