[Firehol-support] FireHOL 2.0.1 and adblock.

Tommi Lundell tommi.lundell at kapsi.fi
Wed Mar 18 15:57:07 GMT 2015


Here are the results:
(Btw. if FAST_ACTIVATION is in the kernel config then it's not enabled in the
.config file)

ion firehol # time firehol restart
real    0m9.158s
user    0m5.649s
sys     0m3.511s

Cut list:
ion firehol # time firehol debug
FireHOL: Activating new firewall (252 rules): OK
real    0m6.403s
user    0m4.686s
sys     0m1.794s



With a full list:
ion firehol # time firehol restart
More than 10 min (I pressed ctrl-c)



ion firehol # time firehol debug
FireHOL: Activating new firewall (28830 rules):
real    0m57.861s
user    0m49.411s
sys     0m5.410s


On 18.3.2015 1:07, Tsaousis, Costa wrote:
> Hi Tommi,
>
> something else is happening.
>
> Could you please do this:
>
> time firehol debug
>
> how much time does it say?
> After the time reported by 'debug', the time needed is only for
> iptables (or iptables-restore if FAST_ACTIVATION is enabled).
>
> Costa
>
>
> On Wed, Mar 18, 2015 at 12:29 AM, Tommi Lundell <tommi.lundell at kapsi.fi> wrote:
>> Hello
>>
>> I tested FireHOL adblock support but initializing takes forever (2s per IP)
>> and consumes almost 100% of CPU.
>> Any idea why it is so slow to initialize this functionality?
>>
>> Details:
>>
>>
>> I reduced adblock-ips to:
>> ion firehol # cat adblock-ips
>> ADSERVERS_IPS="0.0.0.0 10.71.22.0 103.245.223.129 103.245.223.131
>> 103.245.223.192 103.245.223.194 "
>>
>> Starting FireHOL
>> ion firehol # time /etc/init.d/firehol restart
>>   * Stopping FireHOL ... [ ok ]
>>   * Starting FireHOL ...
>>
>> --------------------------------------------------------------------------------
>> WARNING
>> WHAT   : Initializing
>> WHY    : Running version 5 config. Update configuration to version 6 for
>> IPv6 support. See http://firehol.org/upgrade/#config-version-6
>> COMMAND: version 5
>> MODE   : ipv4
>> SOURCE : line 13 of /etc/firehol/firehol.conf
>> [ ok ]
>>
>> real    0m10.241s
>> user    0m6.113s
>> sys     0m4.204s
>>
>>
>> ion firehol # cat firehol.conf
>> #
>> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
>> #
>> # This configuration file will allow all requests originating from the
>> # local machine to be sent through all network interfaces.
>> #
>> # No requests are allowed to come from the network. The host will be
>> # completely stealthed! It will not respond to anything, and it will
>> # not be pingable, although it will be able to originate anything
>> # (even pings to other hosts).
>> #
>>
>> version 5
>>
>> source /etc/firehol/adblock-ips
>>
>> mark            10      OUTPUT user "rsyncrypto"
>> transparent_proxy 80    8087 "polipo privoxy root" inface eth1 src 10.10.10.0/24
>>
>>
>> interface "eth0" world
>>          policy  reject
>>          protection              strong  10/sec  10
>>          server  ident           reject  with tcp-reset
>>          server  http            accept
>>          server  https           accept
>> #       server  ssh             accept
>>          server  icmp            accept
>>          server  dns             accept
>>          server  samba           drop
>>          server  multicast       drop
>>          client http accept dst not "${ADSERVERS_IPS}"
>>          client  all             accept
>>
>>
>> interface "eth1" internal
>>          policy  accept
>> #        protection              strong  10/sec  10
>>          server  ident           reject  with tcp-reset
>>
>>          client  all             accept
>>
>>
>> router tun_nat  inface "eth0" outface "eth1"
>>          route   ident           reject with tcp-reset
>>          server  ident           reject with tcp-reset
>>          masquerade              reverse
>>          client  all             accept
>>
>>
>> Tommi
>>
>>
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.firehol.org
>> http://lists.firehol.org/mailman/listinfo/firehol-support
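As an added example, not part of the thread and not FireHOL's own code, the script below applies the diagnostic Costa suggests: the wall time of `firehol debug` is FireHOL generating the rule set, and whatever `firehol restart` takes beyond that is spent loading the rules with iptables. It parses the two timing transcripts Tommi posted (copied here as constructed sample strings), reports the per-rule cost of each phase, and treats the interrupted full-list restart as a lower bound rather than a measurement. The function names `parse_transcript` and `activation_cost` are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: the two timing transcripts from the thread, copied
# into strings so the script runs offline. CUT_LIST is the reduced adblock
# list, FULL_LIST the complete one.
CUT_LIST = """\
ion firehol # time firehol restart
real    0m9.158s
user    0m5.649s
sys     0m3.511s
ion firehol # time firehol debug
FireHOL: Activating new firewall (252 rules): OK
real    0m6.403s
user    0m4.686s
sys     0m1.794s
"""

FULL_LIST = """\
ion firehol # time firehol restart
More than 10 min (I pressed ctrl-c)
ion firehol # time firehol debug
FireHOL: Activating new firewall (28830 rules):
real    0m57.861s
user    0m49.411s
sys     0m5.410s
"""

CMD_RE = re.compile(r"# time firehol (\w+)$")
REAL_RE = re.compile(r"^real\s+(\d+)m([\d.]+)s$")
RULES_RE = re.compile(r"Activating new firewall \((\d+) rules\)")
ABORT_RE = re.compile(r"More than (\d+)\s*min")


@dataclass
class Run:
    command: str
    real_seconds: float = 0.0
    rules: Optional[int] = None
    # True when the run was interrupted, so real_seconds is only a floor.
    lower_bound: bool = False


def parse_transcript(text: str) -> Dict[str, Run]:
    """Map each `time firehol <cmd>` invocation to its wall time and rule count."""
    runs: Dict[str, Run] = {}
    current: Optional[Run] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CMD_RE.search(line):
            current = Run(command=m.group(1))
            runs[current.command] = current
        elif current is None:
            continue  # output before the first command is ignored
        elif m := REAL_RE.match(line):
            current.real_seconds = int(m.group(1)) * 60 + float(m.group(2))
        elif m := RULES_RE.search(line):
            current.rules = int(m.group(1))
        elif m := ABORT_RE.search(line):
            # An aborted run only tells us "more than N minutes": record the floor.
            current.real_seconds = int(m.group(1)) * 60
            current.lower_bound = True
    return runs


def activation_cost(runs: Dict[str, Run]) -> Dict[str, object]:
    """Split 'restart' wall time into the part 'debug' accounts for (FireHOL
    generating the rules) and the remainder, which per the thread is the time
    spent loading them with iptables."""
    if "debug" not in runs or "restart" not in runs:
        raise ValueError("transcript needs both a 'debug' and a 'restart' run")
    debug, restart = runs["debug"], runs["restart"]
    if not debug.rules:
        raise ValueError("'debug' output did not report a rule count")
    iptables_seconds = restart.real_seconds - debug.real_seconds
    return {
        "rules": debug.rules,
        "debug_ms_per_rule": round(debug.real_seconds / debug.rules * 1000, 2),
        "iptables_ms_per_rule": round(iptables_seconds / debug.rules * 1000, 2),
        # When restart was interrupted the iptables figure is a lower bound.
        "iptables_is_lower_bound": restart.lower_bound,
    }


if __name__ == "__main__":
    for name, text in (("cut list", CUT_LIST), ("full list", FULL_LIST)):
        cost = activation_cost(parse_transcript(text))
        bound = " (at least)" if cost["iptables_is_lower_bound"] else ""
        print(f"{name}: {cost['rules']} rules, "
              f"{cost['debug_ms_per_rule']} ms/rule generating, "
              f"{cost['iptables_ms_per_rule']} ms/rule in iptables{bound}")
```

Run as-is it shows that the generation phase gets cheaper per rule as the list grows (its fixed start-up cost is amortised), while the iptables phase stays at roughly 11 ms per rule for the cut list and at least 19 ms per rule for the full one, which is why 28830 rules pushed the restart past ten minutes.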