# really slow restarting of pf service



## blind0ne (Sep 22, 2021)

Hello, I would like to ask how can I speed up my `service pf restart` process after adding new rules to my firewall? It's really slow.

Thanks.


----------



## SirDice (Sep 22, 2021)

How big is your ruleset? Because there's no reason why it should load slow, only if you try to load a humongous ruleset (or maybe have a couple of really large tables). 

Post your pf.conf so we can actually see what you're trying to do. And you can simply do `pfctl -f /etc/pf.conf` to load your new set, you don't have to stop/start the service (it's not actually a service, it is a script in /etc/rc.d).


----------



## cmoerz (Sep 23, 2021)

This is a complete shot in the dark... do you happen to have FQDNs in your ruleset? This might simply be your DNS being slow, which in turn appears like pf loading slowly?


----------



## SirDice (Sep 23, 2021)

cmoerz said:


> This might simply be your DNS being slow, which in turn appears like pf loading slowly?


Yeah, I was thinking the same thing, that's why I asked for the ruleset. DNS could even be completely impossible due to the firewall rules themselves.


----------



## richardtoohey2 (Sep 24, 2021)

I was going to say it's *always* DNS but thought I'd wait until we saw the ruleset. Any 30 second or so delay with anything network-related has me checking DNS immediately. But sometimes it is surprising what touches networking.


----------



## blind0ne (Sep 24, 2021)

SirDice said:


> How big is your ruleset? Because there's no reason why it should load slow, only if you try to load a humongous ruleset (or maybe have a couple of really large tables).
> 
> Post your pf.conf so we can actually see what you're trying to do. And you can simply do `pfctl -f /etc/pf.conf` to load your new set, you don't have to stop/start the service (it's not actually a service, it is a script in /etc/rc.d).


The problem was really in reloading the service; thanks for this rule set loader command.


----------



## mer (Sep 24, 2021)

If you look at /etc/rc.d/pf, on a 13.0-RELEASE at least, a reload command calls `pfctl -f /etc/pf.conf $pf_flags` to load the rules. Before that it does `pfctl -n -f /etc/pf.conf $pf_flags` to actually validate the ruleset before loading it, so the ruleset file is actually parsed twice.

Could that make it slower? Perhaps; but validating the ruleset before applying it is "not a bad thing". I think pf is intelligent enough to not apply the new ruleset if it doesn't parse, while leaving any current rules in place.

Could the "service" command add some overhead? Perhaps; it's a /bin/sh script that loads /etc/rc.subr, which could be doing other things before the "reload" command actually gets parsed and processed.

But that is all speculation. For anything further, it would help if you posted your pf.conf, or if you're satisfied with the command, that's fine too.


----------



## SirDice (Sep 24, 2021)

If you just want to reload the rules you can also use `service pf reload`, you don't have to 'restart' it.


----------



## mer (Sep 24, 2021)

SirDice is correct (didn't expect otherwise); the sequence of commands I wrote about is what happens if you do `service pf reload`. Restart basically does "start" and then "stop" with a bunch of other checks and may even have a delay somewhere.


----------



## SirDice (Sep 24, 2021)

A 'stop' also does a `pfctl -d` to disable the PF firewall. A restart is just a stop followed by a start. I guess disabling and enabling the firewall takes a bit of time. I rarely use it, simply sticking to `pfctl -nf /etc/pf.conf` and `pfctl -f /etc/pf.conf`.

I would recommend testing your rules before putting them live if you have to do this remotely. You don't want to lock yourself out with a bad rule (been there, done that). This usually does the trick for me:
`pfctl -f /etc/pf.conf.new && sleep 60 && pfctl -f /etc/pf.conf`. You can put your new rules in /etc/pf.conf.new, load them, sleep for 60 seconds (so you can test you're not locked out), and then it'll revert back to the original rules. If you get locked out just wait 60 seconds and the original rules are loaded again. Once you're satisfied those new rules are working correctly you can replace /etc/pf.conf.
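
An added example (not code from this thread, and not FreeBSD's own /etc/rc.d/pf) that puts together the two steps discussed above: the validate-then-load sequence mer describes from rc.d/pf, and the timed revert SirDice uses. It adds two things a practitioner wants when doing this over SSH: both the candidate and the fallback ruleset are checked with `pfctl -nf` before anything is loaded (so the revert itself cannot fail to parse), and the revert timer runs in a detached subshell that ignores SIGHUP, so it does not depend on the interactive session staying alive the way a foreground `&& sleep 60 &&` chain does. The function names, the `PFCTL` variable (which exists only so the logic can be exercised with a stub) and the `PF_TRY_MAIN` guard are my own; `pfctl -nf` and `pfctl -f` are the real pf(4) flags.

```shell
#!/bin/sh
# Added example: safe trial-load of a pf ruleset with automatic revert.
# Assumptions: run as root on a pf host; pfctl is on PATH. PFCTL is only
# overridable so the logic can be tested with a stub command.
PFCTL=${PFCTL:-pfctl}

# Parse a ruleset without loading it (the same check rc.d/pf runs before a reload).
pf_check() {
    "$PFCTL" -nf "$1"
}

# pf_try NEW [SECONDS] [FALLBACK]
# Load NEW, then revert to FALLBACK (default /etc/pf.conf) after SECONDS (default 60).
pf_try() {
    new=$1
    secs=${2:-60}
    cur=${3:-/etc/pf.conf}

    # Both files must parse: the candidate so we never load garbage, and the
    # fallback so the timed revert cannot itself fail and leave us stranded.
    pf_check "$new" || { echo "pf_try: $new does not parse, nothing loaded" >&2; return 1; }
    pf_check "$cur" || { echo "pf_try: fallback $cur does not parse, refusing" >&2; return 1; }

    # Arm the revert first. The subshell ignores SIGHUP and has no tty, so a
    # dropped SSH session (the lockout case) does not take the timer with it.
    ( trap '' HUP; sleep "$secs"; "$PFCTL" -f "$cur" ) </dev/null >/dev/null 2>&1 &
    timer=$!

    # Now load the candidate. If that fails nothing changed, so cancel the timer.
    if ! "$PFCTL" -f "$new"; then
        kill "$timer" 2>/dev/null
        echo "pf_try: loading $new failed, timer cancelled" >&2
        return 1
    fi
    echo "pf_try: $new loaded; reverting to $cur in ${secs}s (timer pid $timer)"
}

# Usage (as root): PF_TRY_MAIN=1 sh pf_try.sh /etc/pf.conf.new 60 /etc/pf.conf
if [ "${PF_TRY_MAIN:-0}" = 1 ]; then
    pf_try "$@"
fi
```

Once the candidate has survived its trial window, copy it over /etc/pf.conf and load it for good with `pfctl -f /etc/pf.conf`, exactly as the post above suggests; the trial window is only there to prove you can still reach the box.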


----------

