[Firehol-support] FireHOL 2.0.1 and adblock.
Tsaousis, Costa
costa at tsaousis.gr
Tue Mar 17 23:07:43 GMT 2015
Hi Tommi,
Something else is happening.
Could you please do this:
time firehol debug
How much time does it say?
After the time reported by 'debug', the time needed is only for
iptables (or iptables-restore if FAST_ACTIVATION is enabled).
Costa
On Wed, Mar 18, 2015 at 12:29 AM, Tommi Lundell <tommi.lundell at kapsi.fi> wrote:
> Hello
>
> I tested FireHOL adblock support but initializing takes forever (2s per IP)
> and consumes almost 100% of CPU.
> Any idea why it is so slow to initialize this functionality?
>
> Details:
>
>
> I reduced adblock-ips to:
> ion firehol # cat adblock-ips
> ADSERVERS_IPS="0.0.0.0 10.71.22.0 103.245.223.129 103.245.223.131
> 103.245.223.192 103.245.223.194 "
>
> Starting FireHOL
> ion firehol # time /etc/init.d/firehol restart
> * Stopping FireHOL ... [ ok ]
> * Starting FireHOL ...
>
> --------------------------------------------------------------------------------
> WARNING
> WHAT : Initializing
> WHY : Running version 5 config. Update configuration to version 6 for
> IPv6 support. See http://firehol.org/upgrade/#config-version-6
> COMMAND: version 5
> MODE : ipv4
> SOURCE : line 13 of /etc/firehol/firehol.conf
> [ ok ]
>
> real 0m10.241s
> user 0m6.113s
> sys 0m4.204s
>
>
> ion firehol # cat firehol.conf
> #
> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
> #
> # This configuration file will allow all requests originating from the
> # local machine to be sent through all network interfaces.
> #
> # No requests are allowed to come from the network. The host will be
> # completely stealthed! It will not respond to anything, and it will
> # not be pingable, although it will be able to originate anything
> # (even pings to other hosts).
> #
>
> version 5
>
> source /etc/firehol/adblock-ips
>
> mark 10 OUTPUT user "rsyncrypto"
> transparent_proxy 80 8087 "polipo privoxy root" inface eth1 src
> 10.10.10.0/24
>
>
> interface "eth0" world
> policy reject
> protection strong 10/sec 10
> server ident reject with tcp-reset
> server http accept
> server https accept
> # server ssh accept
> server icmp accept
> server dns accept
> server samba drop
> server multicast drop
> client http accept dst not "${ADSERVERS_IPS}"
> client all accept
>
>
> interface "eth1" internal
> policy accept
> # protection strong 10/sec 10
> server ident reject with tcp-reset
>
> client all accept
>
>
> router tun_nat inface "eth0" outface "eth1"
> route ident reject with tcp-reset
> server ident reject with tcp-reset
> masquerade reverse
> client all accept
>
>
> Tommi
>
>