[Firehol-support] FireHOL 2.0.1 and adblock.
Tsaousis, Costa
costa at tsaousis.gr
Wed Mar 18 16:10:27 GMT 2015
I see... 28830 iptables rules...
(by the way... it seems FAST_ACTIVATION is not enabled on your setup,
but anyway it will only make activation faster - firehol will still
need some time to generate 28830 rules - it's a bash script
itself...).
You should put the adblock IPs into an ipset:
1. download the 3.x version of firehol
2. read the ipset info here: http://firehol.org/guides/ipset/ and
here: http://firehol.org/firehol-manual/firehol-ipset/
3. if you update the adblock IPs regularly, consider using this:
https://github.com/ktsaou/firehol/blob/master/contrib/update-ipsets.sh
(check near its bottom for configuration examples - if you get the
adblock IPs from a public internet source, I can add it to this script
- just tell me where you get it from)
4. rephrase the client statement you have as (assuming the ipset will
be named adblock): client http accept dst not ipset:adblock
If you do the above, it will be a lot faster (as if no adblock is
there) and you should be able to update the adblock IPs without
restarting the firewall.
Costa
On Wed, Mar 18, 2015 at 5:57 PM, Tommi Lundell <tommi.lundell at kapsi.fi> wrote:
> Here are the results:
> (Btw. if FAST_ACTIVATION is on kernel config then it's not enabled in
> .config file)
>
> ion firehol # time firehol restart
> real 0m9.158s
> user 0m5.649s
> sys 0m3.511s
>
> Cut-down list:
> ion firehol # time firehol debug
> FireHOL: Activating new firewall (252 rules): OK
> real 0m6.403s
> user 0m4.686s
> sys 0m1.794s
>
> With a full list:
> ion firehol # time firehol restart
> More than 10 min (I pressed Ctrl-C)
>
> ion firehol # time firehol debug
> FireHOL: Activating new firewall (28830 rules):
> real 0m57.861s
> user 0m49.411s
> sys 0m5.410s
>
> On 18.3.2015 1:07, Tsaousis, Costa wrote:
>>
>> Hi Tommi,
>>
>> something else is happening.
>>
>> Could you please do this:
>>
>> time firehol debug
>>
>> how much time it says?
>> After the time reported by 'debug', the time needed is only for
>> iptables (or iptables-restore if FAST_ACTIVATION is enabled).
>>
>> Costa
>>
>>
>> On Wed, Mar 18, 2015 at 12:29 AM, Tommi Lundell <tommi.lundell at kapsi.fi>
>> wrote:
>>>
>>> Hello
>>>
>>> I tested FireHOL adblock support but initializing takes forever (2 s per
>>> IP)
>>> and consumes almost 100% of CPU.
>>> Any idea why it is so slow to initialize this functionality?
>>>
>>> Details:
>>>
>>>
>>> I reduced adblock-ips to:
>>> ion firehol # cat adblock-ips
>>> ADSERVERS_IPS="0.0.0.0 10.71.22.0 103.245.223.129 103.245.223.131
>>> 103.245.223.192 103.245.223.194 "
>>>
>>> Starting FireHOL
>>> ion firehol # time /etc/init.d/firehol restart
>>> * Stopping FireHOL ... [ ok ]
>>> * Starting FireHOL ...
>>>
>>>
>>> --------------------------------------------------------------------------------
>>> WARNING
>>> WHAT : Initializing
>>> WHY : Running version 5 config. Update configuration to version 6 for
>>> IPv6 support. See http://firehol.org/upgrade/#config-version-6
>>> COMMAND: version 5
>>> MODE : ipv4
>>> SOURCE : line 13 of /etc/firehol/firehol.conf
>>> [ ok ]
>>>
>>> real 0m10.241s
>>> user 0m6.113s
>>> sys 0m4.204s
>>>
>>>
>>> ion firehol # cat firehol.conf
>>> #
>>> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
>>> #
>>> # This configuration file will allow all requests originating from the
>>> # local machine to be sent through all network interfaces.
>>> #
>>> # No requests are allowed to come from the network. The host will be
>>> # completely stealthed! It will not respond to anything, and it will
>>> # not be pingable, although it will be able to originate anything
>>> # (even pings to other hosts).
>>> #
>>>
>>> version 5
>>>
>>> source /etc/firehol/adblock-ips
>>>
>>> mark 10 OUTPUT user "rsyncrypto"
>>> transparent_proxy 80 8087 "polipo privoxy root" inface eth1 src
>>> 10.10.10.0/24
>>>
>>>
>>> interface "eth0" world
>>> policy reject
>>> protection strong 10/sec 10
>>> server ident reject with tcp-reset
>>> server http accept
>>> server https accept
>>> # server ssh accept
>>> server icmp accept
>>> server dns accept
>>> server samba drop
>>> server multicast drop
>>> client http accept dst not "${ADSERVERS_IPS}"
>>> client all accept
>>>
>>>
>>> interface "eth1" internal
>>> policy accept
>>> # protection strong 10/sec 10
>>> server ident reject with tcp-reset
>>>
>>> client all accept
>>>
>>>
>>> router tun_nat inface "eth0" outface "eth1"
>>> route ident reject with tcp-reset
>>> server ident reject with tcp-reset
>>> masquerade reverse
>>> client all accept
>>>
>>>
>>> Tommi
>>>
>>>
>>> _______________________________________________
>>> Firehol-support mailing list
>>> Firehol-support at lists.firehol.org
>>> http://lists.firehol.org/mailman/listinfo/firehol-support