[Firehol-support] Issue with Huge IP blocklist ?

Carlos Rodrigues cefrodrigues at gmail.com
Wed Jun 17 21:26:14 BST 2009 

Well,

You are effectively creating a single command with the total length of
those 300.000 lines. The runtime errors are probably just bash hitting
it's limits, and not exactly a problem with FireHOL itself.

You can try putting something like the following inside your interface
statement:

  cat BADNETS | while IP; do
      server all reject src $IP
  done

Although I'm not sure exactly how the rules generated by that would
compare with the ones generated from the interface statement itself.

You can also try mixing in some iptables commands. For example, by
putting something like this in your firehol.conf:

iptables -N my_blocklist
cat BADNETS | while IP; do
    iptables -A -s $IP -j DROP
done

iptables -I 1 INPUT -i eth0 -j my_blocklist


Regards,


On Thu, Jun 11, 2009 at 8:01 AM, shi ryu<shiryu38 at gmail.com> wrote:
> Hi guys,
>
> I'm trying to use firehol to process some bluetack IP blocklist and I fear
> that firehol cannot handle the size of the list.
> Here is how I proceed :
>
> 1) I've put in CIDR format all the subnets I'd like to filter on (1 per
> line) in the BADNETS file.
> 2) I've modified the firehol.conf following line from
>
> interface eth0 internet src not "${UNROUTABLE_IPS}"
>
> to
>
> interface eth0 internet src not "${UNROUTABLE_IPS} `cat
> /etc/firehol/BADNETS`"
>
> What happens :
>
> It seems that as long as my BADNETS file keeps a reasonable size, firehol is
> able to process it (see the attached BADNETS.light file with its 17925
> lines)....indeed with BADNETS.light file no problem, firehol starts without
> errors.
> But when I load the BADNETS.full file (see the attached BADNETS.full.zip
> file with its 344396 lines) , then I get many runtime errors.
>
> I've attached the error.log.zip file which is an extract of the bunch of
> errors I get + the std output.
>
> Any help appreciated.
>
> Best Regards,
> Shiryu
>
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables unlimited
> royalty-free distribution of the report engine for externally facing
> server and web deployment.
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>
>



-- 
Carlos Rodrigues

More information about the Firehol-support mailing list