PFBlockerNG 2.1.1_2 Memory Errors
-
So what modification did you do.
On i386, only the pfblockerng.inc fix is normally required.The config.inc was just stated for referenced.If you modified it, maybe you forgot to put the "M" in 256M? (262144 bytes exhausted)The /etc/rc.php_ini_setup & /usr/local/etc/php.ini fix is for amd64 that need more than 512MB.
-
Thanks Ron…a little M goes a long way to making the system work. 2048 instead of 2048M.
-
Thanks Ron…a little M goes a long way to making the system work. 2048 instead of 2048M.
And where did you made the modifications ? 2048M in config.inc might break something else somewhere.
-
// Set memory limit to 512M on amd64.
if ($ARCH == "amd64") {
ini_set("memory_limit", "512M");
} else {
ini_set("memory_limit", "128M");
}changed to
// Set memory limit to 512M on amd64.
if ($ARCH == "amd64") {
ini_set("memory_limit", "2048M");
} else {
ini_set("memory_limit", "128M");
}reverting to default shouldn't hurt as pfBlocker is uninstalled until a real fix is in place.
-
I would put it back to 512MB.
Modify the pfblockerng.inc instead, this will only affect the pfblocker pkg.
However, the php.ini limit is 512M, so if you need more than 512M, you will need both fixes, the one for php and the on for pfblockerng.inc. -
Will do, thanks.
-
Hi All,
I think i have a better solution to this although feel free to shoot it down if i've messed up.Basically, say you only want the UK to be permitted, but not the ROTW…
If you deny everything then it takes a a shed load of memory and causes the problems above. However my solution is to only PERMIT what you want and then DENY everything that isnt permitted. You dont need the entire Maxmind database, only the IP's of what you want to permit.
To do this, go into PfblockerNG, GeoIP, Top20 and select only UK (or your country /countries) and then in List action select Permit Inbound.
This will create a floating rule in Firewall tab that is called pfB_Top_v4 that contains all the IP's of the countries you select to be permitted from that tab.
Now create another rule that is EXACTLY the same as the above one in floating rules, except tick the "Invert Match" box and change the rule to a block or reject rule then add it before the auto generated pfB_Top_v4 rule and name it !pfB_Top_v4 or something similar.
Now all IP's that aren't UK based (in my example) will be denied and whenever you update the pfB_Top_v4 alias, it will also update your deny rule automatically too.
You may need to duplicate multiple rules if your permits appear in other Geo Locations like Africa or Antartica for example as this will create additional Floating rules.
This also has the massive benefit of having an order of magnitude less rules in your Firewall table as you only checking a specific permitted countries IP range as opposed to the ROTW's IP ranges.
-
To install or re-install pfBlockerNG 2.1.1_2
https://forum.pfsense.org/index.php?topic=102470.msg647400#msg647400
-
I've submitted a PR to pfSense's GitHub repo:
https://github.com/pfsense/pfsense/pull/3101After that, the following changes suggested by @Perforado on the package could be implemented and should work.
@Perforado:Temporary Fix for
php /usr/local/www/pfblockerng/pfblockerng.php update.
Failing with memory exhaustion:edit /usr/local/pkg/pfblockerng/pfblockerng.inc as discussed above:
…
pfb_global();
ini_set('memory_limit', '640M');
...After some testing, I finally consider that modifying the /etc/inc/config.inc is the better solution.
However regarding the PR, 192M isn't enough for the MaxMind database creation, 256M was fine on my system, I didn't test 224M.
After fixing /etc/inc/config.inc, the installation of pfBlockerNG was successful. :D
-
Hi All,
I think i have a better solution to this although feel free to shoot it down if i've messed up.Basically, say you only want the UK to be permitted, but not the ROTW…
If you deny everything then it takes a a shed load of memory and causes the problems above. However my solution is to only PERMIT what you want and then DENY everything that isnt permitted. You dont need the entire Maxmind database, only the IP's of what you want to permit.
To do this, go into PfblockerNG, GeoIP, Top20 and select only UK (or your country /countries) and then in List action select Permit Inbound.
This will create a floating rule in Firewall tab that is called pfB_Top_v4 that contains all the IP's of the countries you select to be permitted from that tab.
Now create another rule that is EXACTLY the same as the above one in floating rules, except tick the "Invert Match" box and change the rule to a block or reject rule then add it before the auto generated pfB_Top_v4 rule and name it !pfB_Top_v4 or something similar.
Now all IP's that aren't UK based (in my example) will be denied and whenever you update the pfB_Top_v4 alias, it will also update your deny rule automatically too.
You may need to duplicate multiple rules if your permits appear in other Geo Locations like Africa or Antartica for example as this will create additional Floating rules.
This also has the massive benefit of having an order of magnitude less rules in your Firewall table as you only checking a specific permitted countries IP range as opposed to the ROTW's IP ranges.
Absolutely correct, per the instructions in the GeoIP pag:
It's also not recommended to block the 'world', instead consider rules to 'Permit' traffic from selected Countries only.
Also consider protecting just the specific open WAN ports and it's just as important to protect the outbound LAN traffic. -
Hi All,
I think i have a better solution to this although feel free to shoot it down if i've messed up.Basically, say you only want the UK to be permitted, but not the ROTW…
If you deny everything then it takes a a shed load of memory and causes the problems above. However my solution is to only PERMIT what you want and then DENY everything that isnt permitted. You dont need the entire Maxmind database, only the IP's of what you want to permit.
To do this, go into PfblockerNG, GeoIP, Top20 and select only UK (or your country /countries) and then in List action select Permit Inbound.
This will create a floating rule in Firewall tab that is called pfB_Top_v4 that contains all the IP's of the countries you select to be permitted from that tab.
Now create another rule that is EXACTLY the same as the above one in floating rules, except tick the "Invert Match" box and change the rule to a block or reject rule then add it before the auto generated pfB_Top_v4 rule and name it !pfB_Top_v4 or something similar.
Now all IP's that aren't UK based (in my example) will be denied and whenever you update the pfB_Top_v4 alias, it will also update your deny rule automatically too.
You may need to duplicate multiple rules if your permits appear in other Geo Locations like Africa or Antartica for example as this will create additional Floating rules.
This also has the massive benefit of having an order of magnitude less rules in your Firewall table as you only checking a specific permitted countries IP range as opposed to the ROTW's IP ranges.
Absolutely correct, per the instructions in the GeoIP pag:
It's also not recommended to block the 'world', instead consider rules to 'Permit' traffic from selected Countries only.
Also consider protecting just the specific open WAN ports and it's just as important to protect the outbound LAN traffic.The problem is that those instructions mention nothing about needing to create a deny rule. Your essentially permitting a set of counties but blocking nothing unless you create that additional rule, I'd like to see that done automatically to be honest.
-
To resolve the issue :
https://forum.pfsense.org/index.php?topic=102470.msg647719#msg647719