[Firehol-support] FireHOL 2.0.1 and adblock.
Tommi Lundell
tommi.lundell at kapsi.fi
Tue Mar 17 22:29:32 GMT 2015
Hello
I tested FireHOL adblock support, but initializing takes forever (2s per
IP) and consumes almost 100% of CPU.
Any idea why it is so slow to initialize this functionality?
Details:
I reduced adblock-ips to:
ion firehol # cat adblock-ips
ADSERVERS_IPS="0.0.0.0 10.71.22.0 103.245.223.129 103.245.223.131
103.245.223.192 103.245.223.194 "
Starting FireHOL
ion firehol # time /etc/init.d/firehol restart
* Stopping FireHOL ... [ ok ]
* Starting FireHOL ...
--------------------------------------------------------------------------------
WARNING
WHAT : Initializing
WHY : Running version 5 config. Update configuration to version 6 for
IPv6 support. See http://firehol.org/upgrade/#config-version-6
COMMAND: version 5
MODE : ipv4
SOURCE : line 13 of /etc/firehol/firehol.conf
[ ok ]
real 0m10.241s
user 0m6.113s
sys 0m4.204s
ion firehol # cat firehol.conf
#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be send through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#
version 5
source /etc/firehol/adblock-ips
mark 10 OUTPUT user "rsyncrypto"
transparent_proxy 80 8087 "polipo privoxy root" inface eth1 src 10.10.10.0/24
interface "eth0" world
policy reject
protection strong 10/sec 10
server ident reject with tcp-reset
server http accept
server https accept
# server ssh accept
server icmp accept
server dns accept
server samba drop
server multicast drop
client http accept dst not "${ADSERVERS_IPS}"
client all accept
interface "eth1" internal
policy accept
# protection strong 10/sec 10
server ident reject with tcp-reset
client all accept
router tun_nat inface "eth0" outface "eth1"
route ident reject with tcp-reset
server ident reject with tcp-reset
masquerade reverse
client all accept
Tommi