FreeBSD 6.0RC1 - pf and big tables, pfspamd
Kai Gallasch
gallasch at free.de
Mon Oct 24 09:34:07 PDT 2005
Hi list.
Following setup:
- FreeBSD 6.0RC1 + pf
- /usr/ports/mail/spamd + recommended pf.conf for spamd
- several huge rbl zonefiles in rbldnsd format
- pf.conf:

    table <spamd> persist
    no rdr on { lo0, lo1 } from any to any
    rdr inet proto tcp from <spamd> to any port smtp -> 192.168.0.100 port 8025
When I start up my spamd installation I load the zonefiles into the <spamd> table through the "file" method from disk.
It all works as expected, but when I load some of my bigger rbl zonefiles through the command "spamd-setup", the application uses up huge amounts of memory and finally stops with the error "malloc failed" - too bad. (And this after about an hour of runtime, cough!)
Probably spamd was never planned to get along with millions of entries in a <spamd> table..
If I try to squeeze in the IPs manually through pfctl I get the error:

    shorty# pfctl -t spamd -Tr -f spammers.txt
    pfctl: Cannot allocate memory.
spammers.txt is about 30M in size and contains about 2 million entries.

Has someone found a workaround for using (and handling) up to 10 million IPs inside a pf table? :-) Without using high-end hardware (I currently use a Pentium III, 1 GHz, 512M main memory for testing).
pf:
Is there a possibility to abuse pf in the following fashion?

    rdr inet proto tcp from a.b.c.d/32 [if dnsquery d.c.b.a.list.dsbl.org == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025
For example /usr/ports/dns/rbldnsd can handle such huge amounts of rbl data and even reloads take only a few seconds (with > 100M rbl files!!). If a firewall rule could do local RBL queries one could have the best of both worlds - use, as in my case, rbldnsd for keeping the rbl data and pf for a flexible response to incoming spam..
Any idea?
--
"Whenever bicycles are broken,
or menaced by international communism,
Bicycle Repair Man is ready!"
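Added example, not part of the original post or of spamd. The "Cannot allocate memory" from pfctl is how pf reports hitting the kernel's table-entries cap (pf.conf(5) `set limit table-entries`, 200000 by default; the current value is shown by `pfctl -s memory`). RBL zone data is full of runs of consecutive addresses, so the first thing worth doing before raising that limit is to merge the list into the smallest equivalent set of CIDR prefixes and see how many entries are really needed. The script below does that with Python's `ipaddress` module, writes the collapsed list in the format `pfctl -T replace -f` reads, and only runs pfctl when asked; the sample lines are constructed, and the table name `spamd` and the output path are assumptions.

```python
#!/usr/bin/env python3
"""Collapse a large IP list into minimal CIDR blocks before loading it into a pf table.

pf keeps one radix-tree node per table entry and caps the total with
`set limit table-entries` (pf.conf(5), default 200000); pfctl reports an
exceeded limit as "Cannot allocate memory". Merging neighbouring addresses
into prefixes shrinks the entry count before anything reaches the kernel and
tells you what limit you actually need.

Added example, not from the original post. SAMPLE_LINES is constructed; the
default table name "spamd" and the ".collapsed" output path are assumptions.
"""
import argparse
import ipaddress
import subprocess
import sys


def parse_entries(lines):
    """Yield ip_network objects from pfctl table-file style lines.

    Bare addresses become /32 (or /128) networks, a.b.c.d/n prefixes are kept
    with host bits masked off, and '#' starts a comment. Unparsable lines are
    reported on stderr and skipped so one bad record cannot abort a 30 MB load.
    """
    for lineno, raw in enumerate(lines, 1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            yield ipaddress.ip_network(text, strict=False)
        except ValueError:
            print(f"line {lineno}: skipping unparsable entry {text!r}", file=sys.stderr)


def collapse(nets):
    """Return the minimal sorted list of CIDR blocks covering exactly the same addresses.

    collapse_addresses() merges adjacent and overlapping prefixes but refuses
    mixed IPv4/IPv6 input, so the two families are collapsed separately.
    """
    nets = list(nets)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def plan(lines, table_limit=200000):
    """Collapse `lines` and report whether the result fits under pf's table-entries limit."""
    nets = list(parse_entries(lines))
    blocks = collapse(nets)
    return {
        "entries_in": len(nets),
        "entries_out": len(blocks),
        "fits": len(blocks) <= table_limit,
        "blocks": blocks,
    }


def write_table_file(blocks, path):
    """Write one prefix per line, the format `pfctl -t <table> -T replace -f` reads."""
    with open(path, "w") as fh:
        for block in blocks:
            fh.write(f"{block}\n")
    return len(blocks)


def replace_command(table, path):
    """pfctl invocation that swaps the table contents for the file in one go."""
    return ["pfctl", "-t", table, "-T", "replace", "-f", path]


# Constructed sample: a /24 listed address by address, a /24 split into two
# halves, one lone host, a comment-only line, a junk line and a blank line.
SAMPLE_LINES = (
    [f"192.0.2.{i}" for i in range(256)]
    + ["198.51.100.0/25", "198.51.100.128/25  # second half", "203.0.113.7",
       "# trailing comment", "not-an-address", ""]
)


def main():
    ap = argparse.ArgumentParser(description="collapse an IP list for a pf table")
    ap.add_argument("listfile", help="one address or prefix per line, e.g. spammers.txt")
    ap.add_argument("--table", default="spamd", help="pf table to load (assumed name)")
    ap.add_argument("--limit", type=int, default=200000,
                    help="current table-entries limit, see `pfctl -s memory`")
    ap.add_argument("--apply", action="store_true", help="actually run pfctl")
    args = ap.parse_args()

    with open(args.listfile) as fh:
        result = plan(fh, args.limit)
    out = args.listfile + ".collapsed"
    write_table_file(result["blocks"], out)
    print(f"{result['entries_in']} entries collapsed to {result['entries_out']} prefixes -> {out}")
    if not result["fits"]:
        print(f"still above the table-entries limit of {args.limit}; raise it in pf.conf:")
        print(f"  set limit table-entries {result['entries_out']}")
    cmd = replace_command(args.table, out)
    if args.apply:
        return subprocess.call(cmd)
    print("dry run; to load:", " ".join(cmd))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 pfcollapse.py spammers.txt --limit $(pfctl -s memory | awk '/table-entries/ {print $4}')` to see how far the list shrinks before deciding whether `set limit table-entries` needs raising; `--apply` then loads the collapsed file with `pfctl -T replace`, which swaps the table contents in one operation instead of adding entries one at a time. This does not change what matches, only how many kernel entries it takes, and it does nothing about spamd-setup's own memory use, which is a separate problem.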