[Firehol-support] Issue with Huge IP blocklist ?

shi ryu shiryu38 at gmail.com
Fri Jun 19 10:19:52 BST 2009


Thanks Carlos, I'll try it out.
If I'm not mistaken though, any iptables command added to firehol.conf
should be placed before any firehol processing rules in order to prevent
"interference", right?

Rgds,

2009/6/17 Carlos Rodrigues <cefrodrigues at gmail.com>

> On Wed, Jun 17, 2009 at 9:26 PM, Carlos Rodrigues<cefrodrigues at gmail.com>
> wrote:
> > Well,
> >
> > You are effectively creating a single command with the total length of
> > those 300,000 lines. The runtime errors are probably just bash hitting
> > its limits, and not exactly a problem with FireHOL itself.
> >
> > You can try putting something like the following inside your interface
> > statement:
> >
> >  cat BADNETS | while read -r IP; do
> >      server all reject src "$IP"
> >  done
> >
> > Although I'm not sure exactly how the rules generated by that would
> > compare with the ones generated from the interface statement itself.
> >
> > You can also try mixing in some iptables commands. For example, by
> > putting something like this in your firehol.conf:
> >
> > iptables -N my_blocklist
> > cat BADNETS | while read -r IP; do
> >    iptables -A -s $IP -j DROP
>
> That's "iptables -A my_blocklist -s $IP -j DROP", sorry.
>
> > done
> >
> > iptables -I INPUT 1 -i eth0 -j my_blocklist
> >
> >
> > Regards,
> >
> >
> > On Thu, Jun 11, 2009 at 8:01 AM, shi ryu<shiryu38 at gmail.com> wrote:
> >> Hi guys,
> >>
> >> I'm trying to use firehol to process some bluetack IP blocklist and I
> >> fear that firehol cannot handle the size of the list.
> >> Here is how I proceed:
> >>
> >> 1) I've put in CIDR format all the subnets I'd like to filter on (1 per
> >> line) in the BADNETS file.
> >> 2) I've modified the firehol.conf following line from
> >>
> >> interface eth0 internet src not "${UNROUTABLE_IPS}"
> >>
> >> to
> >>
> >> interface eth0 internet src not "${UNROUTABLE_IPS} `cat /etc/firehol/BADNETS`"
> >>
> >> What happens:
> >>
> >> It seems that as long as my BADNETS file keeps a reasonable size,
> >> firehol is able to process it (see the attached BADNETS.light file with
> >> its 17925 lines). Indeed, with the BADNETS.light file there is no
> >> problem: firehol starts without errors.
> >> But when I load the BADNETS.full file (see the attached BADNETS.full.zip
> >> file with its 344396 lines), then I get many runtime errors.
> >>
> >> I've attached the error.log.zip file, which is an extract of the bunch
> >> of errors I get plus the std output.
> >>
> >> Any help appreciated.
> >>
> >> Best Regards,
> >> Shiryu
> >>
> >>
> >> _______________________________________________
> >> Firehol-support mailing list
> >> Firehol-support at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/firehol-support
> >>
> >>
> >
> >
> >
> > --
> > Carlos Rodrigues
> >
>
>
>
> --
> Carlos Rodrigues
>
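The second approach in the thread, a dedicated chain with one rule per network, can be done without invoking iptables several hundred thousand times and without expanding the whole list into one command line: generate the rules as text and hand the chain to iptables-restore in a single batch. The script below is an added example, not FireHOL code and not what Carlos posted. It keeps the chain name my_blocklist and the BADNETS file from the thread; everything else (the function names, IPv4-only validation, the comment handling) is an assumption. Each entry is checked as an IPv4 CIDR before it reaches the kernel, because a single malformed line makes iptables-restore reject the whole batch, which is a bad way to discover one bad line in a 344396-line file. The functions only write text, so they run without root; since firehol.conf is itself a shell script (which is why the loops above work there), they could also live in it.

```shell
#!/bin/sh
# Added example (not FireHOL code): turn a CIDR blocklist into one
# iptables-restore batch for a dedicated chain, instead of running
# iptables once per network or building one giant "src not ..." argument.
# Assumptions: IPv4 only; chain name my_blocklist and file BADNETS come
# from the thread, everything else here is illustrative.

# is_cidr4 NET: succeed iff NET is a dotted-quad IPv4 address with an
# optional /0-32 prefix. Pure shell, no forks, so it stays cheap for
# several hundred thousand lines.
is_cidr4() {
    cidr=$1
    case "$cidr" in
        ""|*[!0-9./]*|/*|*/|*/*/*) return 1 ;;
    esac
    case "$cidr" in
        */*) addr=${cidr%/*} prefix=${cidr#*/} ;;
        *)   addr=$cidr prefix=32 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr                 # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# make_blocklist_batch CHAIN < list: write to stdout an iptables-restore
# batch that creates CHAIN in the filter table (or, with --noflush, just
# flushes it) and adds one DROP rule per network. Blank lines and '#'
# comments are ignored; malformed entries are reported on stderr and
# skipped rather than handed to iptables-restore, which would abort on them.
make_blocklist_batch() {
    chain=${1:-my_blocklist}
    cr=$(printf '\r')
    bad=0
    printf '*filter\n:%s - [0:0]\n' "$chain"
    while read -r net rest; do   # first whitespace-separated token only
        net=${net%%#*}            # drop inline comments
        net=${net%"$cr"}          # tolerate CRLF lists
        [ -n "$net" ] || continue
        if is_cidr4 "$net"; then
            printf '%s\n' "-A $chain -s $net -j DROP"
        else
            printf 'skipping malformed entry: %s\n' "$net" >&2
            bad=$((bad + 1))
        fi
    done
    printf 'COMMIT\n'
    [ "$bad" -eq 0 ] || printf '%d entries skipped\n' "$bad" >&2
}

# Usage (as root, after FireHOL has built its ruleset):
#   make_blocklist_batch my_blocklist < /etc/firehol/BADNETS > /tmp/blocklist.rules
#   iptables-restore --noflush < /tmp/blocklist.rules
#   iptables -C INPUT -i eth0 -j my_blocklist 2>/dev/null || \
#       iptables -I INPUT 1 -i eth0 -j my_blocklist
# --noflush leaves every other chain alone and flushes/refills only the
# chain named in the batch, so the same two commands reload a new list.
# The jump is added once, at position 1, so it precedes whatever is
# already in INPUT; -C keeps a reload from stacking duplicate jumps.
```

The restore is one kernel transaction instead of hundreds of thousands of separate iptables executions, which is where the per-rule loop spends nearly all its time. One caveat the thread does not raise: a user chain with 344396 entries is still a linear scan per packet; for lists of that size the usual tool today is an ipset of type hash:net with a single `-m set --match-set` rule, though that is outside what this thread discusses.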