[Firehol-support] Issue with Huge IP blocklist ?

Carlos Rodrigues cefrodrigues at gmail.com
Wed Jun 17 22:28:08 CEST 2009


On Wed, Jun 17, 2009 at 9:26 PM, Carlos Rodrigues<cefrodrigues at gmail.com> wrote:
> Well,
>
> You are effectively creating a single command with the total length of
> those 300.000 lines. The runtime errors are probably just bash hitting
> its limits, and not exactly a problem with FireHOL itself.
>
> You can try putting something like the following inside your interface
> statement:
>
>  # read one network per line; "while IP" alone would not work
>  cat BADNETS | while read -r IP; do
>      server all reject src "$IP"
>  done
>
> Although I'm not sure exactly how the rules generated by that would
> compare with the ones generated from the interface statement itself.
>
> You can also try mixing in some iptables commands. For example, by
> putting something like this in your firehol.conf:
>
> iptables -N my_blocklist
> cat BADNETS | while read -r IP; do
>    iptables -A -s $IP -j DROP

That's "iptables -A my_blocklist -s $IP -j DROP", sorry.

> done
>
> # rule number comes after the chain name: -I INPUT 1
> iptables -I INPUT 1 -i eth0 -j my_blocklist
>
>
> Regards,
>
>
> On Thu, Jun 11, 2009 at 8:01 AM, shi ryu<shiryu38 at gmail.com> wrote:
>> Hi guys,
>>
>> I'm trying to use firehol to process some bluetack IP blocklist and I fear
>> that firehol cannot handle the size of the list.
>> Here is how I proceed:
>>
>> 1) I've put in CIDR format all the subnets I'd like to filter on (1 per
>> line) in the BADNETS file.
>> 2) I've modified the firehol.conf following line from
>>
>> interface eth0 internet src not "${UNROUTABLE_IPS}"
>>
>> to
>>
>> interface eth0 internet src not "${UNROUTABLE_IPS} `cat
>> /etc/firehol/BADNETS`"
>>
>> What happens:
>>
>> It seems that as long as my BADNETS file keeps a reasonable size, firehol is
>> able to process it (see the attached BADNETS.light file with its 17925
>> lines). Indeed, with the BADNETS.light file there is no problem, firehol starts without
>> errors.
>> But when I load the BADNETS.full file (see the attached BADNETS.full.zip
>> file with its 344396 lines), then I get many runtime errors.
>>
>> I've attached the error.log.zip file which is an extract of the bunch of
>> errors I get + the std output.
>>
>> Any help appreciated.
>>
>> Best Regards,
>> Shiryu
>>
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/firehol-support
>>
>>
>
>
>
> --
> Carlos Rodrigues
>



-- 
Carlos Rodrigues
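As an added example, not code from the thread or from FireHOL itself: the per-line iptables loop above forks one iptables process for each of the 344396 networks. The function below generates a batch for iptables-restore instead, keeps the dedicated chain idea from the thread, and skips lines that are not a plain IPv4 address or CIDR so a stray comment in the list cannot become a malformed rule (the sample blocklist lines in the test are constructed; chain and interface names are assumptions).

```shell
#!/bin/bash
# Emit an iptables-restore fragment that fills a dedicated chain from a
# one-network-per-line blocklist. Assumed arguments (not from the thread):
#   $1 = blocklist file, $2 = chain name, $3 = inbound interface.
gen_blocklist_rules() {
    file="$1"; chain="${2:-my_blocklist}"; iface="${3:-eth0}"
    printf '%s\n' '*filter'
    printf '%s\n' ":$chain - [0:0]"                # create (empty) chain
    printf '%s\n' "-I INPUT 1 -i $iface -j $chain" # rule number follows chain
    # read splits on whitespace, so "ip" is the first token and anything
    # after it (e.g. a trailing comment) lands in "rest" and is ignored.
    while read -r ip rest || [ -n "$ip" ]; do
        ip="${ip%%#*}"            # drop a comment glued to the address
        case "$ip" in
            '' | *[!0-9./]* | */*/* | .* | *. | */ ) continue ;;  # light sanity filter
        esac
        printf '%s\n' "-A $chain -s $ip -j DROP"
    done < "$file"
    printf '%s\n' 'COMMIT'
}

# Count the DROP rules in a generated batch read from stdin.
count_drop_rules() {
    grep -c -e '-j DROP'
}

# Usage (as root): gen_blocklist_rules /etc/firehol/BADNETS | iptables-restore -n
# -n keeps the existing tables and only adds what the fragment lists.
```

Because the whole batch is one file handed to iptables-restore, neither bash's argument length limit nor the cost of 344396 process forks comes into play.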