Hi All,

I'm a NetBSD user for several years... I posted the following
to the NetBSD networking list, but then discovered this list,
so I thought I'd repost and update with what I've learned since...

On Wed, Nov 03, 2004 at 03:09:01PM +0000, Gene ENonymous wrote:
> I would like to implement the Peer Guardian block list (using ipf rules)
> for spyware/adware.
[link - http://methlabs.org/sync/]
> 
> After processing the rule set into ipf format, I end up with about
> 20,000 rules (maybe 2000 are duplicates?).
[OK, I got rid of the duplicates as a trivial exercise...]
> 
> Running NetBSD 1.6.2 on i386 (166 MHz Pentium w/56M Ram) I attempted to
> load the ruleset.
> 
> First I tried the whole ruleset...it hung my system requiring a
> power cycle reboot. (ouch)
> 
> Then I broke the rule set into 2 files of <= 10,000 rules each. ipf -f file1.rules
> loaded fine. But when I tried ipf -f file2.rules...it locked my system again,
> requiring another power cycle reboot.
> 
> Having used NetBSD for several years, I have only rarely run into system lock
> situations...
> 
> So, does anyone here know
>    a) if there is a hard limit to the rule set size with ipf?
>    b) if it's not a hard limit, any suggestions on why I'm locking up and how to fix it?
>    c) is there some better way to block large numbers of undesirable subnets from
>       accessing my box?

After reading the various home pages and guides, I'm not sure of several things:

1) Is there any hard limit? If so, how do I increase it?

2) Will breaking up my rules into groups fix the problem? (Brendan Conoboy/Eric Fichtner's
   How-To seems to indicate so...
   
   I'm considering creating 16 major group rules that match traffic in on pppoe0 to
   0.0.0.0/5, 16.0.0.0/5...140.0.0.0/5, then the ruleset in each group will 
   (if the BlockList Addresses are well distributed) be about 20000/16 rules in length.
   In this way, no more than 20000/16 should ever be processed.

3) Do I need to further sub-group within my groups to make the rule sets smaller yet?
   (once I write the perl script to parse the top level it should be trivial
   to further refine and subdivide if necessary...
   does it gain me enough to justify the effort?)

4) What are the group numbering rules? (I assume they need to be numbers???)
   Can I use big numbers like 1000, 1016...1140 for group numbers?
   what about 10001000, 10001016, etc (if I want to sub divide)?

5) Does the order in which the groups are placed on the ipf rule-list make a difference?

   Must I put:

   ....head 1000
     .... group 1000
     .
     .
     .
     .... group 1000
   ....head 1016
     .... group 1016
     .
     .
     .
     .... group 1016
   
   Or can I mix it up without loss of efficiency as long as the head and group
   statements are there?

6) I'm pretty sure this is a dumb/naive question...

   Does indentation carry any significance? (I assume not, but...never hurts to ask)

That seems enough questions for now...I'm kinda obsessed writing the perl list
parser... I'm anxious to get this block list implemented to see how it behaves...

Thanks in advance.
gene
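The grouping scheme the poster sketches in questions 2 through 5 (one head rule per top-level netblock, the block rules for that netblock attached to its group), as an added example that is not part of the original post and not the poster's Perl script. It is written in Python and makes these assumptions: the block list is in the p2p text format `description:first-last` (a constructed sample is embedded), the external interface is pppoe0 as in the post, and group numbers follow the poster's 1000/1016/... idea, i.e. 1000 plus the first octet of the bucket. It uses /4 buckets rather than /5: sixteen equal slices of IPv4 space at 16.0.0.0 increments are /4s. Each range is decomposed into CIDR blocks (ipf rules take a.b.c.d/n, not first-last), duplicates collapse in a set, and a block wider than a bucket is split so that no rule straddles two groups. The head rule is a non-quick `pass` that only routes the packet into the group; a packet that matches none of the group's block rules then falls through to whatever rules follow.

```python
#!/usr/bin/env python3
"""Turn a PeerGuardian-style block list into grouped ipf rules.

Added example (not the original poster's code).  Assumptions:
  - input lines look like "description:first-ip-last-ip" (p2p text format)
  - external interface is pppoe0
  - 16 buckets of /4, group id = 1000 + first octet of the bucket
"""
import ipaddress
from collections import defaultdict

IFACE = "pppoe0"
BUCKET_PREFIX = 4      # 16 buckets: 0.0.0.0/4, 16.0.0.0/4, ..., 240.0.0.0/4
GROUP_BASE = 1000      # 1000 for 0.0.0.0/4, 1016 for 16.0.0.0/4, ..., 1240 for 240.0.0.0/4

# Constructed sample block list (not real block-list data).
SAMPLE_BLOCKLIST = """\
# comment and blank lines are ignored
Example Ad Network:12.34.56.0-12.34.57.255
Example Ad Network:12.34.56.0-12.34.57.255
Straddles two buckets:15.255.255.0-16.0.0.255
Single host:203.0.113.7-203.0.113.7
Malformed line without dash:1.2.3.4
"""


def parse_ranges(text):
    """Yield (first, last) IPv4Address pairs; skip comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The description may itself contain ':', so split on the LAST colon.
        _desc, _, rng = line.rpartition(":")
        first, dash, last = rng.partition("-")
        if not dash:
            continue
        try:
            a = ipaddress.IPv4Address(first.strip())
            b = ipaddress.IPv4Address(last.strip())
        except ipaddress.AddressValueError:
            continue
        if a > b:
            a, b = b, a
        yield a, b


def bucket_networks(text, bucket_prefix=BUCKET_PREFIX):
    """Map bucket network -> sorted, de-duplicated CIDR blocks inside it.

    Each range becomes the minimal set of CIDR blocks; a block wider than a
    bucket is split so that no single rule straddles two groups."""
    buckets = defaultdict(set)
    for first, last in parse_ranges(text):
        for net in ipaddress.summarize_address_range(first, last):
            if net.prefixlen >= bucket_prefix:
                pieces = [net]
            else:
                pieces = net.subnets(new_prefix=bucket_prefix)
            for piece in pieces:
                buckets[piece.supernet(new_prefix=bucket_prefix)].add(piece)
    return {b: sorted(nets) for b, nets in sorted(buckets.items())}


def group_id(bucket):
    """Group number for a bucket: base plus the bucket's first octet."""
    return GROUP_BASE + (int(bucket.network_address) >> 24)


def group_sizes(buckets):
    """How many block rules each group will carry (check the distribution)."""
    return {group_id(b): len(nets) for b, nets in buckets.items()}


def render_rules(buckets, iface=IFACE):
    """Emit ipf text: each head rule followed by its group's block rules."""
    lines = []
    for bucket, nets in buckets.items():
        gid = group_id(bucket)
        # Non-quick pass: only routes matching packets into the group; if no
        # group rule matches, processing continues with the rules after this.
        lines.append(f"pass in on {iface} from {bucket} to any head {gid}")
        for net in nets:
            lines.append(f"block in quick on {iface} from {net} to any group {gid}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    grouped = bucket_networks(SAMPLE_BLOCKLIST)
    print(render_rules(grouped), end="")
    print("# rules per group:", group_sizes(grouped))
```

Ranges that are not CIDR-aligned expand into several rules, so the total usually ends up above the raw line count of the list; `group_sizes()` shows how evenly the result spreads across the sixteen groups before anything is loaded, and a group that is still far larger than the others is the one to subdivide further. Write the output to a file and parse it with `ipf -n -f file` first, which checks the syntax without touching the running kernel.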

