[Firehol-support] Issue with Huge IP blocklist ?

Carlos Rodrigues cefrodrigues at gmail.com
Fri Jun 19 10:36:32 BST 2009


In this case it doesn't really matter because of the "-I 1" parameter
(add the rule as the first rule in the table). Just make sure to
confirm the results by looking at the generated rules ("iptables -L -n").

On Fri, Jun 19, 2009 at 10:19 AM, shi ryu<shiryu38 at gmail.com> wrote:
> Thanks Carlos, I'll try it out.
> If I'm not mistaken though, any iptables command added to the firehol.conf
> should be placed before any firehol processing rules in order to prevent
> "interferences" right ?
>
> Rgds,
>
> 2009/6/17 Carlos Rodrigues <cefrodrigues at gmail.com>
>>
>> On Wed, Jun 17, 2009 at 9:26 PM, Carlos Rodrigues<cefrodrigues at gmail.com>
>> wrote:
>> > Well,
>> >
>> > You are effectively creating a single command with the total length of
>> > those 300.000 lines. The runtime errors are probably just bash hitting
>> > its limits, and not exactly a problem with FireHOL itself.
>> >
>> > You can try putting something like the following inside your interface
>> > statement:
>> >
>> >  cat BADNETS | while read IP; do
>> >      server all reject src $IP
>> >  done
>> >
>> > Although I'm not sure exactly how the rules generated by that would
>> > compare with the ones generated from the interface statement itself.
>> >
>> > You can also try mixing in some iptables commands. For example, by
>> > putting something like this in your firehol.conf:
>> >
>> > iptables -N my_blocklist
>> > cat BADNETS | while read IP; do
>> >    iptables -A -s $IP -j DROP
>>
>> That's "iptables -A my_blocklist -s $IP -j DROP", sorry.
>>
>> > done
>> >
>> > iptables -I INPUT 1 -i eth0 -j my_blocklist
>> >
>> >
>> > Regards,
>> >
>> >
>> > On Thu, Jun 11, 2009 at 8:01 AM, shi ryu<shiryu38 at gmail.com> wrote:
>> >> Hi guys,
>> >>
>> >> I'm trying to use firehol to process some bluetack IP blocklist and I
>> >> fear
>> >> that firehol cannot handle the size of the list.
>> >> Here is how I proceed :
>> >>
>> >> 1) I've put in CIDR format all the subnets I'd like to filter on (1 per
>> >> line) in the BADNETS file.
>> >> 2) I've modified the firehol.conf following line from
>> >>
>> >> interface eth0 internet src not "${UNROUTABLE_IPS}"
>> >>
>> >> to
>> >>
>> >> interface eth0 internet src not "${UNROUTABLE_IPS} `cat
>> >> /etc/firehol/BADNETS`"
>> >>
>> >> What happens :
>> >>
>> >> It seems that as long as my BADNETS file keeps a reasonable size,
>> >> firehol is
>> >> able to process it (see the attached BADNETS.light file with its 17925
>> >> lines)....indeed with BADNETS.light file no problem, firehol starts
>> >> without
>> >> errors.
>> >> But when I load the BADNETS.full file (see the attached
>> >> BADNETS.full.zip
>> >> file with its 344396 lines) , then I get many runtime errors.
>> >>
>> >> I've attached the error.log.zip file which is an extract of the bunch
>> >> of
>> >> errors I get + the std output.
>> >>
>> >> Any help appreciated.
>> >>
>> >> Best Regards,
>> >> Shiryu
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Carlos Rodrigues
>> >
>>
>>
>>
>> --
>> Carlos Rodrigues
>
>



-- 
Carlos Rodrigues
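As an added example (not code from the thread, nor FireHOL's own): the dedicated-chain approach Carlos describes, with the per-entry iptables calls replaced by a single iptables-restore load and every entry validated before it reaches the kernel. The chain name, file path and interface are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build a dedicated chain from a
# one-CIDR-per-line file such as BADNETS, one rule per entry, so no single
# shell command has to carry all 344396 entries on its argument line.
# Rules are emitted in iptables-restore format (one process for the whole
# list instead of one iptables run per entry); chain and interface names
# are illustrative assumptions.

# Returns 0 if $1 is a well-formed IPv4 address or prefix (a.b.c.d[/n]).
valid_cidr() {
    addr=${1%/*}; prefix=${1#*/}
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac   # a.b.c.d only
    [ "$prefix" = "$1" ] && prefix=32            # bare address: treat as /32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Prints an iptables-restore fragment that creates CHAIN (if missing) and
# adds one DROP rule per valid entry of FILE.  Blank lines and "#" comments
# are skipped; malformed entries are reported on stderr rather than passed
# to the kernel, so one bad line cannot abort the whole load.
blocklist_restore_script() {
    chain=$1; file=$2
    printf '*filter\n:%s - [0:0]\n' "$chain"
    while read -r entry rest || [ -n "$entry" ]; do
        entry=${entry%%#*}                       # drop an attached "#comment"
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf '%s\n' "-A $chain -s $entry -j DROP"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done < "$file"
    printf 'COMMIT\n'
}

# Loads the chain without flushing the rules FireHOL installed (-n), then
# hooks it as the first INPUT rule for IFACE, as the thread suggests.
# Usage (as root): load_blocklist my_blocklist /etc/firehol/BADNETS eth0
load_blocklist() {
    blocklist_restore_script "$1" "$2" | iptables-restore -n &&
    iptables -I INPUT 1 -i "$3" -j "$1"
}
```

Check the result afterwards with "iptables -L my_blocklist -n | wc -l" against the line count of the file, since the skipped entries are only reported on stderr.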



