Large table issue
Jason Hellenthal
jhell at DataIX.net
Wed May 18 20:13:32 UTC 2011
quentin.narvor,
On Wed, May 18, 2011 at 03:00:57PM +0200, quentin.narvor wrote:
> On Wed, 18 May 2011 15:34:49 +0300, Richard Brendörfer wrote:
> > Hi,
> > try with _set limit table-entries number_ in pf.conf or split your
> > table in 2 or 3 tables.
> >
> Hi,
>
> I forgot to say that I have already set this option to 3000000 in my
> pf.conf.
> I have tried to split the table in smaller pieces (~450000 entries in
> each table) but the command "pfctl -f /etc/pf.conf" gives me the same
> memory issue when loading the third table.
> I don't know the precise number but it seems that there is a limit near
> 1000000 entries for the sum of all tables, even with the limit
> table-entries set to 3000000.
>
> > On Wed, May 18, 2011 at 2:03 PM, quentin.narvor wrote:
> >
> >> I am trying to detect problems on hosts in my network : I want to
> >> detect when a communication occurs with a compromised host.
> >> I have built a blacklist which holds nearly 2 million IPs (spam,
> >> malware... hosts).
> >>
> >> But I can't load it into pf, I get this when I try :
> >>
> >> /etc/pf.conf:6: cannot define table bl: Cannot allocate
> >> memory
> >> pfctl: Syntax error in config file: pf rules not loaded
> >>
> >> I suspect there is a memory limitation somewhere (in the kernel ??)
> >> which prevents me from loading the table but I am not very
> >> comfortable with kernel variables.
> >> I have already tried modifying kern.maxssiz and kern.dflsiz without
> >> success.
> >>
> >> Any idea?
If you are going to be dealing with tables this size it might be wise to
write a filter to run your table file through and output the end result
as multiple CIDR ranges that are going to take up considerably less
space than what you have there.
And if you hit a range where you don't want certain IPs blocked you can
also use a !127.0.0.1/29 to cover a specific range for example.
I've seen someone on the lists once post something about a script but
don't remember off hand what that was so you'll have to do some
searching.
Have fun!
--
Regards, (jhell)
Jason Hellenthal
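The filter Jason describes, written out as an added example (this is not code from the thread or from the pf project): it reads a blocklist of one IP or CIDR per line, collapses adjacent and overlapping entries into the minimal set of CIDR ranges, and emits pf table syntax, writing allowlisted blocks that fall inside a blocked range as negated `!` entries. The sample blocklist and allowlist are constructed inline; the file format (one address per line, `#` comments) is an assumption about the feed, and the names `SAMPLE_BLOCKLIST`, `SAMPLE_ALLOWLIST`, `build_table` and friends are this example's own.

```python
#!/usr/bin/env python3
"""Collapse a host-level blocklist into minimal CIDR ranges for a pf table.

Added example, not part of the original thread. Assumes the blocklist is
plain text, one IP or CIDR per line, '#' starts a comment, and that a
separate allowlist names addresses that must never be blocked even when an
aggregated range covers them (pf: the most specific entry wins, and a
negated '!' entry excludes its address from a wider entry in the table).
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input: a full /24 written as 256 single hosts, the low
# half of another /24, a few scattered hosts, one duplicate, and the kind of
# junk lines a real feed contains.
SAMPLE_BLOCKLIST = (
    [f"198.51.100.{i}" for i in range(256)]
    + [f"203.0.113.{i}" for i in range(128)]
    + ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "10.0.0.1"]
    + ["198.51.100.7"]                    # duplicate of an entry above
    + ["# feed comment", "", "not-an-ip"]
)

# Constructed allowlist: one block inside the blocked /24 (needs a '!'
# entry) and one address no blocked range covers (a '!' would be a no-op).
SAMPLE_ALLOWLIST = ["198.51.100.8/29", "8.8.8.8"]


def parse_entries(lines: Iterable[str]) -> List[Net]:
    """Parse 'addr' or 'addr/len' lines; skip comments, blanks and junk."""
    nets: List[Net] = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            # strict=False lets '198.51.100.7/24' mean the containing /24
            nets.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            continue  # unparsable line: drop it rather than abort the load
    return nets


def aggregate(nets: Iterable[Net]) -> List[Net]:
    """Merge adjacent/overlapping networks into the minimal CIDR set.

    collapse_addresses() raises TypeError on mixed address families, so v4
    and v6 are collapsed separately. Duplicates are dropped along the way.
    """
    nets = list(nets)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def fmt(net: Net) -> str:
    """pf table syntax: bare address for a single host, CIDR otherwise."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_table(blocked: List[Net], allowed: Iterable[Net]) -> List[str]:
    """Aggregated ranges first, then one '!' line per covered allowlist entry.

    An allowlisted network that lies inside no blocked range is skipped:
    a negated entry there matches nothing and only costs table memory.
    """
    lines = [fmt(n) for n in blocked]
    for a in allowed:
        covered = any(a.version == b.version and a.subnet_of(b) for b in blocked)
        if covered:
            lines.append("!" + fmt(a))
    return lines


def build_table(blocklist: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Full pipeline: raw lines in, pf table file lines out."""
    blocked = aggregate(parse_entries(blocklist))
    return render_table(blocked, parse_entries(allowlist))


if __name__ == "__main__":
    raw = parse_entries(SAMPLE_BLOCKLIST)
    table = build_table(SAMPLE_BLOCKLIST, SAMPLE_ALLOWLIST)
    print(f"# {len(raw)} raw entries -> {len(table)} table entries")
    print("\n".join(table))
```

On the constructed sample the 390 parsed entries shrink to five ranges plus one exclusion. Feed a real blocklist in the same way and write the output to the file your `table <bl> persist file "..."` line points at; after reloading, `pfctl -t bl -T test <addr>` confirms whether a given address is matched, which is the quickest way to check that a `!` exclusion actually punches the hole you intended.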