making changes to rules applied only after reboot
-
Yes, I'm using them to block incoming via geolocation.
And I started getting some error that I was unable to fix about memory, so I kept adding more to
Firewall Maximum States
and to Firewall Maximum Table Entries.
-
@oren1031 said in making changes to rules applied only after reboot:
error that i was unable to fix
What was the specific error? Yeah, if you had issues with the memory and tables, that for sure could have caused issues with the load of rules.
Not talking about geoip; I use those in pfBlocker. More talking about letting pfBlocker auto-create rules, which I don't use. I just use it to create native aliases that I put in the rules.
-
Cannot allocate memory - The line in question reads [48]: table <pfB_NAmerica_v6> persist file "/var/db/aliastables/pfB_NAmerica_v6.txt"
-
Yeah, that list is going to be freaking HUGE ;) NA v6...
You need to up the table size if you're going to use such a list. What do you have yours set to?
-
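As an added illustration of the table-size check described above (not code from the thread or from pfBlockerNG): this script sums the entries of the alias table files pfBlockerNG writes under /var/db/aliastables/ and compares the total with pf's table-entries hard limit as shown by `pfctl -s memory`, the limit that pfSense sets from Firewall Maximum Table Entries. The alias file names, the sample entries and the pfctl output are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or pfBlockerNG): estimate whether pf can hold
# every pfBlockerNG alias table. Each non-blank, non-comment line of an alias table
# file is one pf table entry. The limit is the "table-entries hard limit" that
# `pfctl -s memory` prints, which pfSense sets from Firewall Maximum Table Entries.

# count_table_entries DIR -> prints the total number of entries across DIR/*.txt
count_table_entries() {
    total=0
    for f in "$1"/*.txt; do
        [ -f "$f" ] || continue
        n=$(grep -Evc '^[[:space:]]*(#|$)' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# parse_table_limit: reads `pfctl -s memory` output on stdin, prints the hard limit
parse_table_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $4 }'
}

# check_table_fit ENTRIES LIMIT -> true (exit 0) when ENTRIES fits within LIMIT
check_table_fit() {
    [ "$1" -le "$2" ]
}

# Constructed demo data; on a real box use /var/db/aliastables and `pfctl -s memory`.
demo_dir=$(mktemp -d)
printf '# pfB_MyCountry_v4\n1.2.3.0/24\n5.6.0.0/16\n\n' > "$demo_dir/pfB_MyCountry_v4.txt"
i=0; : > "$demo_dir/pfB_NAmerica_v6.txt"
while [ "$i" -lt 300 ]; do
    printf '2001:db8:%x::/48\n' "$i" >> "$demo_dir/pfB_NAmerica_v6.txt"
    i=$((i + 1))
done
demo_pfctl='states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit      200'

entries=$(count_table_entries "$demo_dir")
limit=$(printf '%s\n' "$demo_pfctl" | parse_table_limit)
if check_table_fit "$entries" "$limit"; then
    echo "ok: $entries entries fit within the table-entries hard limit of $limit"
else
    echo "too big: $entries entries vs hard limit $limit; raise Firewall Maximum Table Entries"
fi
rm -rf "$demo_dir"
```

On a real pfSense box the "too big" branch corresponds to the "Cannot allocate memory" error on the table line when the ruleset loads.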
Now I took it up to 2400000; for now I'm getting no error.
-
But it looks like pfBlocker is doing its job...
-
Wouldn't it just be easier to allow what you want? ;) Out of the box all is blocked anyway. Just use the geoip list of what you want to allow to hit your port forward/exposed ports.
-
That is what I did. Blocked all but what I want to be enabled.
-
Why are you loading the NA list then? Just for your picture of where IPs are from?
-
I'm blocking all inbound from everywhere but my country.
Isn't that the way to go, if I have a service I want to be accessed only from my country, to minimize exposure?
-
Again, just allow your country on your rule/port forward. All is blocked by default. There is little reason to load up some table of all NA v6 when ALL is blocked by default, and your allow is only your country list of IP ranges.
-
So when allowing only 1 country, all others will be blocked by pfBlocker?
Is that what you mean?
No need for block rules because all that is not allowed is blocked?
-
What is the downside of using it the way I do?
Keeping in mind I have an i3 with 8 gig of RAM, so it's not really
working that hard. It's a home environment.
-
What, trying to load every known IP on the planet to put in a list so you can block it? When ALL IPs are blocked by default anyway ;)
-
I'll try what you offer; it is more logical. I was not aware that it blocks by default.
Also, I like the picture :)