Large table issue

Jason Hellenthal jhell at DataIX.net
Wed May 18 20:13:32 UTC 2011


quentin.narvor,

On Wed, May 18, 2011 at 03:00:57PM +0200, quentin.narvor wrote:
>  On Wed, 18 May 2011 15:34:49 +0300, Richard Brendörfer wrote:
> > Hi,
> > try with _set limit table-entries number_ in pf.conf or split your
> > table in 2 or 3 tables.
> >
>  Hi,
> 
>  I forgot to say that I have already set this option to 3000000 in my 
>  pf.conf.
>  I have tried to split the table in smaller pieces (~450000 entries in 
>  each table) but the command "pfctl -f /etc/pf.conf" gives me the same 
>  memory issue when loading the third table.
>  I don't know the precise number but it seems that there is a limit near 
>  1000000 entries for the sum of all tables, even with the limit 
>  table-entries set to 3000000.
> 
> > On Wed, May 18, 2011 at 2:03 PM, quentin.narvor  wrote:
> >
> >> I am trying to detect problems on hosts in my network : I want to
> >> detect when a communication occurs with a compromised host.
> >> I have built a blacklist which holds nearly 2 million IPs (spam,
> >> malware.... hosts).
> >>
> >> But I can't load it into pf, I get this when I try :
> >>
> >>     /etc/pf.conf:6: cannot define table bl: Cannot allocate
> >> memory
> >>     pfctl: Syntax error in config file: pf rules not loaded
> >>
> >> I suspect there is a memory limitation somewhere (in the kernel ??)
> >> which prevents me from loading the table but I am not very
> >> comfortable with kernel variables.
> >> I have already tried modifying kern.maxssiz and kern.dflsiz without
> >> success.
> >>
> >> Any idea?

If you are going to be dealing with tables this size it might be wise to
write a filter to run your table file through and output the end result
of multiple CIDR ranges that are going to take up a considerably less
amount of space than what you have there.

And if you hit a range where you don't want certain IPs blocked you can
also use a !127.0.0.1/29 to cover a specific range for example.

I've seen someone on the lists once post something about a script but
don't remember off hand what that was so you'll have to do some
searching.


Have fun!

-- 

 Regards, (jhell)
 Jason Hellenthal
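One way to do the aggregation Jason describes, as an added example rather than a script from this list or from the pf project: it reads a pf table file, collapses the entries into the minimal set of CIDR blocks, and carves out ranges that should stay unblocked (the job the `!` entry does inside pf), using only Python's standard `ipaddress` module. The input below is constructed from documentation ranges; the script assumes plain "one address or CIDR per line" files with `#` comments.

```python
import ipaddress

# Constructed sample in pf table-file format (documentation ranges, not a real feed).
SAMPLE_BLACKLIST = """\
# constructed sample blacklist
192.0.2.0
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.4/30
192.0.2.8/29
198.51.100.0/25
198.51.100.128/25
203.0.113.7
"""

def parse_entries(text):
    """Yield ip_network objects from a pf-style table file, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            yield ipaddress.ip_network(line, strict=False)

def aggregate(entries):
    """Merge adjacent and overlapping networks into the fewest CIDR blocks, per address family."""
    by_version = {}
    for net in entries:
        by_version.setdefault(net.version, []).append(net)
    out = []
    for version in sorted(by_version):
        out.extend(ipaddress.collapse_addresses(by_version[version]))  # sorted output
    return out

def exclude(networks, allowed):
    """Punch the allowed networks out of the aggregated list instead of relying on a '!' entry."""
    pieces = list(networks)
    for allow in allowed:
        kept = []
        for net in pieces:
            if net.version != allow.version or not (net.overlaps(allow)):
                kept.append(net)            # unrelated block, keep as-is
            elif net.subnet_of(allow):
                continue                    # entirely inside the allowed range, drop it
            else:
                kept.extend(net.address_exclude(allow))  # split around the hole
        pieces = kept
    return aggregate(pieces)

def build_table(text, allowed_cidrs=()):
    """Return the table lines pfctl would load: aggregated, with allowed ranges removed."""
    allowed = [ipaddress.ip_network(a) for a in allowed_cidrs]
    nets = aggregate(parse_entries(text))
    return [str(n) for n in (exclude(nets, allowed) if allowed else nets)]

if __name__ == "__main__":
    print("\n".join(build_table(SAMPLE_BLACKLIST, ["192.0.2.8/30"])))
```

Feed the output file to a `table <bl> persist file "/path/to/aggregated"` line; nine input entries here collapse to three blocks, and real feeds typically shrink far more.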
