• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

PFBlockerNG 2.1.1_2 Memory Errors

pfBlockerNG
17
61
65.9k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • R
    RonpfS
    last edited by Aug 13, 2016, 5:13 PM

    @JohnH:

    Thanks Ron…a little M goes a long way to making the system work. 2048 instead of 2048M.

    And where did you made the modifications ? 2048M in config.inc might break something else somewhere.

    2.4.5-RELEASE-p1 (amd64)
    Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
    Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

    1 Reply Last reply Reply Quote 0
    • J
      JohnH
      last edited by Aug 13, 2016, 5:19 PM

      // Set memory limit to 512M on amd64.
      if ($ARCH == "amd64") {
      ini_set("memory_limit", "512M");
      } else {
      ini_set("memory_limit", "128M");
      }

      changed to

      // Set memory limit to 512M on amd64.
      if ($ARCH == "amd64") {
      ini_set("memory_limit", "2048M");
      } else {
      ini_set("memory_limit", "128M");
      }

      reverting to default shouldn't hurt as pfBlocker is uninstalled until a real fix is in place.

      Mainboard: ASRock Q1900M CPU: Intel J1900 Quad-Core Celeron 1.99GHz Memory: 2x4GB GSkill RipJaws PC3-10666 Storage: WD Green 1TB 5400RPM 32MB Internet: Cable 25M/2M & Wireless 8M/2M Interface1: Intel EXPI9402PTBLK 10/100/1000 Dual Port Interface2: Intel EXPI9301CTBLK 10/100/1000 Case: Athena Power RM-3UD370S40 OS: pfSense 2.3.2 (amd64)

      1 Reply Last reply Reply Quote 0
      • R
        RonpfS
        last edited by Aug 13, 2016, 5:23 PM

        I would put it back to 512MB.
        Modify the pfblockerng.inc instead, this will only affect the pfblocker pkg.
        However, the php.ini limit is 512M, so if you need more than 512M, you will need both fixes, the one for php and the on for pfblockerng.inc.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        1 Reply Last reply Reply Quote 0
        • J
          JohnH
          last edited by Aug 13, 2016, 5:52 PM

          Will do, thanks.

          Mainboard: ASRock Q1900M CPU: Intel J1900 Quad-Core Celeron 1.99GHz Memory: 2x4GB GSkill RipJaws PC3-10666 Storage: WD Green 1TB 5400RPM 32MB Internet: Cable 25M/2M & Wireless 8M/2M Interface1: Intel EXPI9402PTBLK 10/100/1000 Dual Port Interface2: Intel EXPI9301CTBLK 10/100/1000 Case: Athena Power RM-3UD370S40 OS: pfSense 2.3.2 (amd64)

          1 Reply Last reply Reply Quote 0
          • P
            ProxyMoron
            last edited by Aug 14, 2016, 8:50 AM Aug 13, 2016, 11:11 PM

            Hi All,
              I think i have a better solution to this although feel free to shoot it down if i've messed up.

            Basically, say you only want the UK to be permitted, but not the ROTW…

            If you deny everything then it takes a a shed load of memory and causes the problems above. However my solution is to only PERMIT what you want and then DENY everything that isnt permitted. You dont need the entire Maxmind database, only the IP's of what you want to permit.

            To do this, go into PfblockerNG, GeoIP, Top20 and select only UK (or your country /countries) and then in List action select Permit Inbound.

            This will create a floating rule in Firewall tab that is called pfB_Top_v4 that contains all the IP's of the countries you select to be permitted from that tab.

            Now create another rule that is EXACTLY the same as the above one in floating rules, except tick the "Invert Match" box and change the rule to a block or reject rule then add it before the auto generated pfB_Top_v4 rule and name it !pfB_Top_v4 or something similar.

            Now all IP's that aren't UK based (in my example) will be denied and whenever you update the pfB_Top_v4 alias, it will also update your deny rule automatically too.

            You may need to duplicate multiple rules if your permits appear in other Geo Locations like Africa or Antartica for example as this will create additional Floating rules.

            This also has the massive benefit of having an order of magnitude less rules in your Firewall table as you only checking a specific permitted countries IP range as opposed to the ROTW's IP ranges.

            1 Reply Last reply Reply Quote 0
            • R
              RonpfS
              last edited by Aug 14, 2016, 2:26 AM Aug 14, 2016, 1:55 AM

              To install or re-install pfBlockerNG 2.1.1_2

              https://forum.pfsense.org/index.php?topic=102470.msg647400#msg647400

              2.4.5-RELEASE-p1 (amd64)
              Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
              Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

              1 Reply Last reply Reply Quote 0
              • R
                RonpfS
                last edited by Aug 14, 2016, 6:02 AM Aug 14, 2016, 2:58 AM

                @JorgeOliveira:

                I've submitted a PR to pfSense's GitHub repo:
                https://github.com/pfsense/pfsense/pull/3101

                After that, the following changes suggested by @Perforado on the package could be implemented and should work.
                @Perforado:

                Temporary Fix for

                php /usr/local/www/pfblockerng/pfblockerng.php update. 
                Failing with memory exhaustion:

                edit /usr/local/pkg/pfblockerng/pfblockerng.inc as discussed above:
                …
                pfb_global();
                ini_set('memory_limit', '640M');
                ...

                After some testing, I finally consider that modifying the /etc/inc/config.inc is the better solution.

                However regarding the PR, 192M isn't enough for the MaxMind database creation, 256M was fine on my system, I didn't test 224M.

                After fixing /etc/inc/config.inc, the installation of pfBlockerNG was successful. :D

                2.4.5-RELEASE-p1 (amd64)
                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                1 Reply Last reply Reply Quote 0
                • J
                  JohnH
                  last edited by Aug 14, 2016, 10:36 AM

                  @ProxyMoron:

                  Hi All,
                    I think i have a better solution to this although feel free to shoot it down if i've messed up.

                  Basically, say you only want the UK to be permitted, but not the ROTW…

                  If you deny everything then it takes a a shed load of memory and causes the problems above. However my solution is to only PERMIT what you want and then DENY everything that isnt permitted. You dont need the entire Maxmind database, only the IP's of what you want to permit.

                  To do this, go into PfblockerNG, GeoIP, Top20 and select only UK (or your country /countries) and then in List action select Permit Inbound.

                  This will create a floating rule in Firewall tab that is called pfB_Top_v4 that contains all the IP's of the countries you select to be permitted from that tab.

                  Now create another rule that is EXACTLY the same as the above one in floating rules, except tick the "Invert Match" box and change the rule to a block or reject rule then add it before the auto generated pfB_Top_v4 rule and name it !pfB_Top_v4 or something similar.

                  Now all IP's that aren't UK based (in my example) will be denied and whenever you update the pfB_Top_v4 alias, it will also update your deny rule automatically too.

                  You may need to duplicate multiple rules if your permits appear in other Geo Locations like Africa or Antartica for example as this will create additional Floating rules.

                  This also has the massive benefit of having an order of magnitude less rules in your Firewall table as you only checking a specific permitted countries IP range as opposed to the ROTW's IP ranges.

                  Absolutely correct, per the instructions in the GeoIP pag:

                  It's also not recommended to block the 'world', instead consider rules to 'Permit' traffic from selected Countries only.
                  Also consider protecting just the specific open WAN ports and it's just as important to protect the outbound LAN traffic.

                  Mainboard: ASRock Q1900M CPU: Intel J1900 Quad-Core Celeron 1.99GHz Memory: 2x4GB GSkill RipJaws PC3-10666 Storage: WD Green 1TB 5400RPM 32MB Internet: Cable 25M/2M & Wireless 8M/2M Interface1: Intel EXPI9402PTBLK 10/100/1000 Dual Port Interface2: Intel EXPI9301CTBLK 10/100/1000 Case: Athena Power RM-3UD370S40 OS: pfSense 2.3.2 (amd64)

                  1 Reply Last reply Reply Quote 0
                  • P
                    ProxyMoron
                    last edited by Aug 14, 2016, 10:51 AM

                    @JohnH:

                    @ProxyMoron:

                    Hi All,
                      I think i have a better solution to this although feel free to shoot it down if i've messed up.

                    Basically, say you only want the UK to be permitted, but not the ROTW…

                    If you deny everything then it takes a a shed load of memory and causes the problems above. However my solution is to only PERMIT what you want and then DENY everything that isnt permitted. You dont need the entire Maxmind database, only the IP's of what you want to permit.

                    To do this, go into PfblockerNG, GeoIP, Top20 and select only UK (or your country /countries) and then in List action select Permit Inbound.

                    This will create a floating rule in Firewall tab that is called pfB_Top_v4 that contains all the IP's of the countries you select to be permitted from that tab.

                    Now create another rule that is EXACTLY the same as the above one in floating rules, except tick the "Invert Match" box and change the rule to a block or reject rule then add it before the auto generated pfB_Top_v4 rule and name it !pfB_Top_v4 or something similar.

                    Now all IP's that aren't UK based (in my example) will be denied and whenever you update the pfB_Top_v4 alias, it will also update your deny rule automatically too.

                    You may need to duplicate multiple rules if your permits appear in other Geo Locations like Africa or Antartica for example as this will create additional Floating rules.

                    This also has the massive benefit of having an order of magnitude less rules in your Firewall table as you only checking a specific permitted countries IP range as opposed to the ROTW's IP ranges.

                    Absolutely correct, per the instructions in the GeoIP pag:

                    It's also not recommended to block the 'world', instead consider rules to 'Permit' traffic from selected Countries only.
                    Also consider protecting just the specific open WAN ports and it's just as important to protect the outbound LAN traffic.

                    The problem is that those instructions mention nothing about needing to create a deny rule. Your essentially permitting a set of counties but blocking nothing unless you create that additional rule, I'd like to see that done automatically to be honest.

                    1 Reply Last reply Reply Quote 0
                    • R
                      RonpfS
                      last edited by Aug 16, 2016, 7:02 AM

                      To resolve the issue :

                      https://forum.pfsense.org/index.php?topic=102470.msg647719#msg647719

                      2.4.5-RELEASE-p1 (amd64)
                      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                      1 Reply Last reply Reply Quote 0
                      61 out of 61
                      • First post
                        61/61
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.