Topic: pfBlocker (Read 103936 times)
kilthro, Reply #390 on: February 02, 2012, 09:15:40 am
Quote from: marcelloc on February 02, 2012, 09:10:42 am
> The first try is always to increase max_table_entries on system advanced. Most of "Cannot allocate memory" from /tmp/rules.debug are related to this.
Ok I will try that and see if that helps. I didn't want to touch anything until I asked. It's just strange that it's been fine for a couple of months with the same tables etc. Then it just started happening. Then if I deleted the list/table and rebuilt, it was fine for a little while. I appreciate the feedback. This evening I will increase it and see if that removes the problem.
marcelloc, Reply #391 on: February 02, 2012, 09:18:57 am
Quote from: kilthro on February 02, 2012, 09:15:40 am
> This evening I will increase it and see if that removes the problem.
It does not affect firewall function at all, you can apply it any time.
Have I helped you?
Donations are always welcome!
Te ajudei?
Doações são sempre bem vindas!
kilthro, Reply #392 on: February 02, 2012, 09:52:20 am
Quote from: marcelloc on February 02, 2012, 09:18:57 am
> Quote from: kilthro on February 02, 2012, 09:15:40 am
> > This evening I will increase it and see if that removes the problem.
> It does not affect firewall function at all, you can apply it any time.
Good to know, Thanks. I will not be back at that location until this evening. I just get email notifications when something is working right. :-)
kilthro, Reply #393 on: February 02, 2012, 09:37:49 pm
Well the default was set to 200k so I increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently without anything else changing on the firewall/setup.
Oh well.. Thanks again for the suggestion.
tommyboy180 (Global Moderator), Reply #394 on: February 02, 2012, 10:04:23 pm
Quote from: kilthro on February 02, 2012, 09:37:49 pm
> Well the default was set to 200k so I increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently without anything else changing on the firewall/setup.
> Oh well.. Thanks again for the suggestion.
Any packages recently installed? What about any system restarts?
-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM
TomSchaefer.org/pfsense
Please support Countryblock | IP-Blocklist | File Browser | Strikeback
Here
kilthro, Reply #395 on: February 03, 2012, 08:21:17 am
Quote from: tommyboy180 on February 02, 2012, 10:04:23 pm
> Quote from: kilthro on February 02, 2012, 09:37:49 pm
> > Well the default was set to 200k so I increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently without anything else changing on the firewall/setup.
> > Oh well.. Thanks again for the suggestion.
> Any packages recently installed? What about any system restarts?
Nope nothing installed. Snort is blinking in the package widget as there is an update for that but I haven't done it yet since I typically have to reset all of the stuff back up in it when it updates.. It runs flawlessly but when I upgrade it, it always seems to be flaky so I have put that off for now lol.. The system has been up for 50 days+ straight with no restarts. Honestly I have configured it, and for the most part forget about it unless I get an email stating something errors out etc.. Every now and then I may log into it to check for updates and status on things but that's not regular.
When I was increasing the amount I did try 400k and 600k with the same error. 900k was the first where it didn't error out so that's what I stuck with. This morning when everything updated I didn't get an error so it seems like that amount is ok for now.
« Last Edit: February 03, 2012, 08:30:21 am by kilthro »
Amarth, Reply #396 on: February 11, 2012, 08:16:08 am
This has probably been covered but I could not find any info on it. There seems to be a formatting issue on the pfBlocker Dashboard Widget.
Line: 69
Code:
    print "<pre>";
Causes the column labels to offset to the right, i.e. Alias ends up over the CIDR count. I saw no closing so commented it out and the formatting now works.
« Last Edit: February 11, 2012, 08:19:06 am by Amarth »
marcelloc, Reply #397 on: February 11, 2012, 10:18:07 am
It's a missing debug cmd prior to var_dump.
If it's on 1.0.1 package version, I'll remove it on the next release.
vlurk, Reply #398 on: February 13, 2012, 12:51:34 am
It looks like I am having the "cannot allocate memory" issue as well, running a 2.0.1 (i386) release, nanobsd 2G and pfBlocker 1.0.1. I increased the max table size, read page 21 as well but it just wouldn't cut it with my small platform.
Since I REALLY wanted to get the Bluetack's level1 blocklist, I needed to try something else and eventually found another solution...
What I did is write a simple Perl script that will read the list, and output a new CIDR list split into many files, actually 100,000 entries per file.
I then created a small cron job to download the list and execute the script on a Linux server running Apache. Finally, I configured three different blocklists (aliases) under pfBlocker (not just a big one with three URLs...). And it works! Maybe having such a mechanism (splitting big files) built into pfBlocker could be useful for some.
In case someone is interested in the Perl script, it looks like this:
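Code:
    #!/usr/bin/perl
    use strict;
    use warnings;
    use Net::CIDR::Lite;

    my $filenum = "0" x 4; # if you ++ a string, it keeps the padding

    # Open the next output file (splat_0001.lis, splat_0002.lis, ...).
    sub new_file {
        $filenum++;
        my $name = "splat_$filenum.lis";
        open(OUT, '>', $name) or die "canne open $name cap'n:$!\n";
        warn "writing to:$name\n";
    }

    my $cidr = Net::CIDR::Lite->new;
    # Three-argument open: the file name is never parsed for a mode or a pipe.
    open(MYFILE, '<', $ARGV[0]) or die "cannot open input list: $!\n";
    while (<MYFILE>) {
        chomp;
        next unless /[^:]+:(.*)/;   # skip lines that are not "label:range"
        my $range = $1; # extracted IP range (text after the first colon), verify it is IPv4
        if ( $range =~ m/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}-\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/ ) {
            $cidr->add_range($range);
        }
    }
    close(MYFILE);

    # Write the merged CIDR list, starting a new file every 100,000 entries.
    my $index = 0;
    my @cidr_list = $cidr->list;
    foreach my $block ( @cidr_list ) {
        if ( $index % 100000 == 0 ) {
            new_file;   # re-opening OUT closes the previous file
        }
        print OUT $block, "\n";
        $index++;
    }
    close(OUT) if $index;   # only if at least one file was opened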
It receives the unzipped list in input, and will output the files in the CWD. Simple as that.
Have a nice day.
marcelloc, Reply #399 on: February 13, 2012, 05:30:46 am
Good contribution. Thank you.
marcelloc, Reply #400 on: February 19, 2012, 09:22:35 pm
Just updated pfBlocker to 1.0.2 with:
- Fix on array check error at line 368 when there is no alias defined on pfSense
- Reduce duplicate cases on automatic rules when using multiple interfaces as inbound and/or outbound
- Increase PHP memory limit to 250Mb when x64 pfSense is detected (DO AT YOUR OWN RISK PATCH applied to code)
- Updated country IP lists
« Last Edit: February 21, 2012, 02:41:37 pm by marcelloc »
tommyboy180 (Global Moderator), Reply #401 on: February 21, 2012, 07:46:22 am
Awesome!
taryezveb, Reply #402 on: February 21, 2012, 01:24:43 pm
Quote from: tommyboy180 on February 21, 2012, 07:46:22 am
> Awesome!
+1, Thanks
vlurk, Reply #403 on: February 21, 2012, 08:46:46 pm
Thanks for the update: I am gonna give it a shot like right after I post this.
I noticed that my script would fail when some blocklist would include multiple colons on one line. Here is my updated script, which now accepts a number of lines as the second argument.
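Code:
    #!/usr/bin/perl
    use strict;
    use warnings;
    use Net::CIDR::Lite;

    my $filenum = "0" x 4; # if you ++ a string, it keeps the padding
    my $limit = 100000; # default max number of lines

    # Open the next output file (splat_0001.lis, splat_0002.lis, ...).
    sub new_file {
        $filenum++;
        my $name = "splat_$filenum.lis";
        open(OUT, '>', $name) or die "canne open $name cap'n:$!\n";
        warn "writing to:$name\n";
    }

    my $cidr = Net::CIDR::Lite->new;
    # Three-argument open: the file name is never parsed for a mode or a pipe.
    open(MYFILE, '<', $ARGV[0]) or die "cannot open input list: $!\n";
    # Optional second argument: lines per output file (2 to 6 digits, not zero).
    if ( defined($ARGV[1]) ) {
        if ( $ARGV[1] =~ m/^\d{2,6}$/ && $ARGV[1] > 0 ) {
            $limit = int($ARGV[1]);
        }
    }
    while (<MYFILE>) {
        chomp;
        my @line = split(/:+/);
        next unless @line;      # blank line
        my $range = $line[-1]; # get IP range (last colon-separated field), verify it is IPv4
        if ( $range =~ m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}-\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ ) {
            $cidr->add_range($range);
        }
    }
    close(MYFILE);

    # Write the merged CIDR list, starting a new file every $limit entries.
    my $index = 0;
    my @cidr_list = $cidr->list;
    foreach my $block ( @cidr_list ) {
        if ( $index % $limit == 0 ) {
            close(OUT) if $index;   # nothing to close before the first file
            new_file;
        }
        print OUT $block, "\n";
        $index++;
    }
    close(OUT) if $index;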
Since my platform is not x64, and only has 256MB of RAM, I am not sure the new patch will fix the memory allocation issue for me... I am running with 60% memory used on average. Right now I am using 60,000 lines as my maximum. 100,000 would seem to fail on some occasions.
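A check that could run after the split step described in the posts above, as an added example (not vlurk's script and not pfBlocker code), written in Python with only the standard library: it re-parses the source list and confirms that the chunk files cover the same addresses, that no chunk exceeds the per-file limit, and that the total stays within the table entries setting. The function names, the `#` comment rule and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

def parse_ranges(lines):
    """Merge 'label:start-end' lines into CIDRs; also return rejected lines."""
    nets, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        try:
            # The range is the last colon-separated field of the line.
            start, end = (ipaddress.IPv4Address(p.strip())
                          for p in line.split(":")[-1].split("-"))
            nets.extend(ipaddress.summarize_address_range(start, end))
        except ValueError:  # bad octet, missing '-', or start above end
            rejected.append(line)
    return list(ipaddress.collapse_addresses(nets)), rejected

def split_chunks(networks, limit):
    """Cut the merged list into chunks of at most `limit` CIDR strings."""
    cidrs = [str(n) for n in networks]
    return [cidrs[i:i + limit] for i in range(0, len(cidrs), limit)]

def check_split(source_lines, chunks, limit, table_entries):
    """Compare chunk contents (lists of CIDR strings) with the source list."""
    expected, rejected = parse_ranges(source_lines)
    loaded = [ipaddress.ip_network(c) for chunk in chunks for c in chunk]
    return {
        "entries": len(loaded),
        "oversized_chunks": [i for i, c in enumerate(chunks) if len(c) > limit],
        "fits_table": len(loaded) <= table_entries,
        "same_coverage": list(ipaddress.collapse_addresses(loaded)) == expected,
        "rejected": rejected,
    }

# Constructed sample input, not taken from a real blocklist.
SAMPLE = [
    "# label:start-end",
    "Example Org A:192.0.2.0-192.0.2.255",
    "Example Org B:192.0.2.128-192.0.3.255",
    "Example: extra colon:198.51.100.4-198.51.100.9",
    "Broken entry:203.0.113.300-203.0.113.5",
]

if __name__ == "__main__":
    merged, _ = parse_ranges(SAMPLE)
    chunks = split_chunks(merged, limit=2)
    print(check_split(SAMPLE, chunks, limit=2, table_entries=200000))
```

A `same_coverage` of False or a non-empty `rejected` list means the published chunk files no longer block everything in the source list.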
marcelloc, Reply #404 on: February 21, 2012, 08:58:07 pm
Vlurk,
The memory patch is only for amd64.
As we try to avoid file hacks, I've applied a value that is defined on config.inc but not reflected on gui.
As you have little memory available, the best option is the way you are doing or of course a hardware upgrade.
Thanks for the script update.