[Firehol-support] FireHOL 2.0.1 and adblock.

Tsaousis, Costa costa at tsaousis.gr
Wed Mar 18 16:10:27 GMT 2015


I see... 28830 iptables rules...
(by the way... it seems FAST_ACTIVATION is not enabled on your setup,
but anyway it will only make activation faster - firehol will still
need some time to generate 28830 rules - it's a bash script
itself...).

You should put the adblock IPs into an ipset:

1. download the 3.x version of firehol
2. read the ipset info here: http://firehol.org/guides/ipset/ and
here: http://firehol.org/firehol-manual/firehol-ipset/
3. if you update the adblock IPs regularly, consider using this:
https://github.com/ktsaou/firehol/blob/master/contrib/update-ipsets.sh
(check near its bottom for configuration examples - if you get the
adblock IPs from a public internet source, I can add it to this script
- just tell me where you get it from)
4. rephrase the client statement you have as (assuming the ipset will
be named adblock): client http accept dst not ipset:adblock

If you do the above, it will be a lot faster (as if no adblock is
there) and you should be able to update the adblock IPs without
restarting the firewall.

Costa


On Wed, Mar 18, 2015 at 5:57 PM, Tommi Lundell <tommi.lundell at kapsi.fi> wrote:
> Here is results:
> (Btw. if FAST_ACTIVATION is in the kernel config then it's not enabled in
> the .config file)
>
> ion firehol # time firehol restart
> real    0m9.158s
> user    0m5.649s
> sys     0m3.511s
>
> Cut list:
> ion firehol # time firehol debug
> FireHOL: Activating new firewall (252 rules): OK
> real    0m6.403s
> user    0m4.686s
> sys     0m1.794s
>
>
>
> With a full list:
> ion firehol # time firehol restart
> More than 10 min (I pressed Ctrl-C)
>
>
>
> ion firehol # time firehol debug
> FireHOL: Activating new firewall (28830 rules):
> real    0m57.861s
> user    0m49.411s
> sys     0m5.410s
>
>
>
> On 18.3.2015 1:07, Tsaousis, Costa wrote:
>>
>> Hi Tommi,
>>
>> something else is happening.
>>
>> Could you please do this:
>>
>> time firehol debug
>>
>> how much time does it say?
>> After the time reported by 'debug', the time needed is only for
>> iptables (or iptables-restore if FAST_ACTIVATION is enabled).
>>
>> Costa
>>
>>
>> On Wed, Mar 18, 2015 at 12:29 AM, Tommi Lundell <tommi.lundell at kapsi.fi>
>> wrote:
>>>
>>> Hello
>>>
>>> I tested FireHOL adblock support but initializing takes forever (2s per
>>> IP)
>>> and consumes almost 100% of CPU.
>>> Any idea why it is so slow to initialize this functionality?
>>>
>>> Details:
>>>
>>>
>>> I reduced adblock-ips to:
>>> ion firehol # cat adblock-ips
>>> ADSERVERS_IPS="0.0.0.0 10.71.22.0 103.245.223.129 103.245.223.131
>>> 103.245.223.192 103.245.223.194 "
>>>
>>> Starting FireHOL
>>> ion firehol # time /etc/init.d/firehol restart
>>>   * Stopping FireHOL ... [ ok ]
>>>   * Starting FireHOL ...
>>>
>>>
>>> --------------------------------------------------------------------------------
>>> WARNING
>>> WHAT   : Initializing
>>> WHY    : Running version 5 config. Update configuration to version 6 for
>>> IPv6 support. See http://firehol.org/upgrade/#config-version-6
>>> COMMAND: version 5
>>> MODE   : ipv4
>>> SOURCE : line 13 of /etc/firehol/firehol.conf
>>> [ ok ]
>>>
>>> real    0m10.241s
>>> user    0m6.113s
>>> sys     0m4.204s
>>>
>>>
>>> ion firehol # cat firehol.conf
>>> #
>>> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
>>> #
>>> # This configuration file will allow all requests originating from the
>>> # local machine to be sent through all network interfaces.
>>> #
>>> # No requests are allowed to come from the network. The host will be
>>> # completely stealthed! It will not respond to anything, and it will
>>> # not be pingable, although it will be able to originate anything
>>> # (even pings to other hosts).
>>> #
>>>
>>> version 5
>>>
>>> source /etc/firehol/adblock-ips
>>>
>>> mark            10      OUTPUT user "rsyncrypto"
>>> transparent_proxy 80    8087 "polipo privoxy root" inface eth1 src 10.10.10.0/24
>>>
>>>
>>> interface "eth0" world
>>>          policy  reject
>>>          protection              strong  10/sec  10
>>>          server  ident           reject  with tcp-reset
>>>          server  http            accept
>>>          server  https           accept
>>> #       server  ssh             accept
>>>          server  icmp            accept
>>>          server  dns             accept
>>>          server  samba           drop
>>>          server  multicast       drop
>>>          client http accept dst not "${ADSERVERS_IPS}"
>>>          client  all             accept
>>>
>>>
>>> interface "eth1" internal
>>>          policy  accept
>>> #        protection              strong  10/sec  10
>>>          server  ident           reject  with tcp-reset
>>>
>>>          client  all             accept
>>>
>>>
>>> router tun_nat  inface "eth0" outface "eth1"
>>>          route   ident           reject with tcp-reset
>>>          server  ident           reject with tcp-reset
>>>          masquerade              reverse
>>>          client  all             accept
>>>
>>>
>>> Tommi
>>>
>>>
>>> _______________________________________________
>>> Firehol-support mailing list
>>> Firehol-support at lists.firehol.org
>>> http://lists.firehol.org/mailman/listinfo/firehol-support
>
>
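The reason the ipset approach Costa describes above is so much faster is that the 28830 per-address iptables rules collapse into a single rule matching one kernel set. The following script is an added example for this thread; it is not FireHOL's own code and it is not update-ipsets.sh. It takes the ADSERVERS_IPS list from Tommi's reduced adblock-ips file (copied here as a constructed sample) and emits the `create`/`add` lines that `ipset restore` consumes, validating each entry, dropping duplicates, and skipping 0.0.0.0, which ipset refuses to store in a hash type of set (a null-valued element). The set name `adblock` is the one Costa assumes in step 4.

```shell
#!/bin/sh
# Added example (not FireHOL's own code): turn the ADSERVERS_IPS list from the
# adblock-ips file into an `ipset restore` script, so the ad-server addresses
# become one hash:ip set that a single iptables rule can match.

# Constructed copy of the six addresses from Tommi's reduced adblock-ips file.
ADSERVERS_IPS="0.0.0.0 10.71.22.0 103.245.223.129 103.245.223.131
103.245.223.192 103.245.223.194 "

# is_ipv4 WORD: succeed only for a dotted quad whose octets are all 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# adblock_to_ipset_restore SETNAME "IP IP ...": print the restore commands
# that create SETNAME as hash:ip and fill it. Entries that are not valid IPv4
# addresses are reported on stderr and skipped; duplicates are added once;
# 0.0.0.0 is skipped because a null-valued element cannot be stored in a
# hash type of set (ipset rejects it).
adblock_to_ipset_restore() {
    setname=$1
    list=$2
    seen=" "
    printf 'create %s hash:ip family inet\n' "$setname"
    for ip in $list; do
        if ! is_ipv4 "$ip"; then
            printf 'skipping invalid entry: %s\n' "$ip" >&2
            continue
        fi
        if [ "$ip" = "0.0.0.0" ]; then
            printf 'skipping 0.0.0.0: not storable in a hash:ip set\n' >&2
            continue
        fi
        case "$seen" in
            *" $ip "*) continue ;;
        esac
        seen="$seen$ip "
        printf 'add %s %s\n' "$setname" "$ip"
    done
}

# count_adds SETNAME "IP IP ...": number of addresses that made it into the set.
count_adds() {
    adblock_to_ipset_restore "$1" "$2" 2>/dev/null | grep -c '^add '
}

# Usage, as root:
#   adblock_to_ipset_restore adblock "$ADSERVERS_IPS" > /tmp/adblock.ipset
#   ipset restore -exist < /tmp/adblock.ipset
# With the set loaded, the statement from Costa's step 4 references it:
#   client http accept dst not ipset:adblock
```

Running `ipset restore -exist` makes the load idempotent, so the set can be refreshed while the firewall stays up, which is the "update without restarting" property Costa mentions. For the sample list the script emits one `create` line and five `add` lines; the 0.0.0.0 entry is reported on stderr and left out, where a plain `ipset add` would have aborted the whole load.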