[Firewall] Big list in block-file -> crash server

Michel van Dop mvandop at xs4all.nl
Tue May 28 09:20:26 CEST 2013


 

Hello,

I start the firewall automatically and after the message
"Applying external (INET) policy to interface eth0 (without a specified)"
I get this:
Bug: soft lockup - CPU#0 Stuck for 67s! [iptables 30743]

My blocklist is 161000 rules.

I updated the hardware and now have 2 CPUs and 2 GB mem.... When I remove the blocklist everything works fine, no bugs.

Best regards,
Michel

Arno van Amersfoort wrote on 2013-05-01 08:50:

> The script itself will handle that just fine: it just feeds
> the commands to iptables which in turn feeds them to your kernel. If it
> really has to do with the number of subnets, it's a kernel issue and
> there isn't much my script can do about that...
> 
> a.
> 
> On 27/04/13 11:25, Michel van Dop wrote:
> 
>> I am not 100% sure; I have run the same systems many times with no problem like this.
>> 
>> This system has been running for 2 weeks, icecast and your firewall scripts, and has had no problems.
>> 
>> After 2 weeks I loaded the block list, the server went directly into production with a maximum of 500 client connections, and the problems started.
>> 
>> Do you think 165176 subnets are no problem for your script and for CentOS 6.4 64bit (1 CPU 3 GHz, 1 GB mem)?
>> 
>> I use cacti and see no high load on CPU or mem. Only when I load the firewall does the response look slow..
>> 
>> Michel
>> 
>> Arno van Amersfoort wrote on 2013-04-26 11:48:
>> 
>>> I suspect changing nf_conntrack_max isn't going to help. Unless all
>>> those blocked hosts connect at the same time ofc ;-)
>>> 
>>> Are you sure the size of the blocked hosts list is causing this?
>>> 
>>> a.
>>> 
>>> On 4/25/2013 12:05, Michel van Dop wrote:
>>> 
>>>> Hi Arno,
>>>> 
>>>> The machine gave no reaction (no screen error); the only thing I can do is reset the vmware client. After the reset I cannot find any errors in /var/log/messages about the freezing. Now I try to block only Germany and United States (61000 lines). And I try to change this: sysctl -w net.netfilter.nf_conntrack_max=65536
>>>> 
>>>> More tips are welcome! :-)
>>>> 
>>>> Michel
>>>> 
>>>> Arno van Amersfoort wrote on 2013-04-25 11:27:
>>>> 
>>>>> What do you mean *exactly* by "crash". Kernel OOM error, freezing, .... ?
>>>>> 
>>>>> a.
>>>>> 
>>>>> On 4/25/2013 9:43, Michel van Dop wrote:
>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> Since I have used 165176 hosts / subnets (lines) in my block list, my new server (CentOS 6.4) has crashed 2 times in 3 days. Does anyone have an idea what I need to change in my network settings? 1/2 blocklist?
>>>>>> 
>>>>>> Best regards,
>>>>>> Michel
>>>>>> _______________________________________________
>>>>>> Firewall mailing list
>>>>>> Firewall at rocky.eld.leidenuniv.nl
>>>>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>>>>> Arno's (Linux IPTABLES Firewall) Homepage: http://rocky.eld.leidenuniv.nl

-- 

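The thread leaves the blocklist as 161000 to 165176 separate iptables rules, and Arno's script (as he says above) hands each one to iptables in turn. Two properties of that setup are worth knowing, independent of whether they are the whole cause of the soft lockup: legacy iptables replaces the entire table on every invocation, so inserting rule n costs time proportional to n and loading the whole list grows quadratically in the list length, and every incoming packet afterwards walks the chain linearly until it hits a match. The usual remedy is to keep the addresses in a single ipset hash:net set, loaded with one `ipset restore`, and reference it from one iptables rule. What follows is an added example of that approach; it is not Arno's firewall script and not something anyone in the thread posted. It assumes ipset and iptables are installed, uses the set name `blocklist` and the interface eth0 from the thread (both assumptions), and the sample blocklist it parses is constructed here from documentation address ranges.

```shell
#!/bin/sh
# Added example, not part of Arno's firewall script: put a large
# blocklist in one ipset and match it from a single iptables rule.
# Assumed: ipset and iptables are installed; the set name "blocklist"
# and the interface eth0 are assumptions taken from the thread.
set -u

SET_NAME="${SET_NAME:-blocklist}"
IFACE="${IFACE:-eth0}"

# Convert a blocklist (one IPv4 host or CIDR per line, '#' comments)
# into an "ipset restore" stream.  Entries go into a temporary set that
# is swapped in atomically, so the old set keeps filtering until the
# new one is complete.  maxelem must exceed the list size: the ipset
# default of 65536 is too small for the 165176 lines in the thread.
blocklist_to_ipset_restore() {
    file="$1"
    set="$2"
    printf 'create %s_new hash:net family inet hashsize 65536 maxelem 262144\n' "$set"
    # strip comments and whitespace, drop blanks, keep only a.b.c.d[/n]
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$file" |
    grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' |
    while IFS= read -r cidr; do
        case "$cidr" in
            */*) ;;                  # already has a prefix length
            *)   cidr="$cidr/32" ;;  # bare host
        esac
        printf 'add %s_new %s\n' "$set" "$cidr"
    done
    printf 'swap %s_new %s\n' "$set" "$set"
    printf 'destroy %s_new\n' "$set"
}

# Load the set and make sure exactly one DROP rule references it.
# Needs root and a kernel with ipset support; not run by default.
apply_blocklist() {
    file="$1"
    # the live set must exist for the swap; -exist makes this idempotent
    ipset create -exist "$SET_NAME" hash:net family inet hashsize 65536 maxelem 262144
    blocklist_to_ipset_restore "$file" "$SET_NAME" | ipset restore
    # one rule replaces the 165k individual ones; -S is used for the
    # presence check because iptables -C is missing on old releases
    iptables -S INPUT | grep -q -- "--match-set $SET_NAME src" ||
        iptables -I INPUT -i "$IFACE" -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample list (RFC 5737 documentation ranges, not a real feed).
SAMPLE="${TMPDIR:-/tmp}/blocklist.sample.$$"
cat > "$SAMPLE" <<'EOF'
# constructed sample blocklist
192.0.2.0/24        # whole subnet
198.51.100.7        # bare host, becomes /32
203.0.113.0/25
not-an-address      # rejected by the filter
203.0.113.128/25
EOF

# Print the restore stream so the reader can see what ipset would load.
blocklist_to_ipset_restore "$SAMPLE" "$SET_NAME"
# To apply for real (as root): apply_blocklist /path/to/blocklist
```

Run as root with `apply_blocklist /path/to/blocklist` to load the set; re-running it swaps in the new list without a window in which nothing is blocked, and without adding a second DROP rule. The match cost per packet is then a hash lookup on the set rather than a walk over the whole chain, and the load is one netlink batch rather than 165k table replacements. Check `ipset list blocklist | head` after loading to confirm the element count matches the file.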