Gazillion rules created, not sure which package is to blame



  • Some months ago, I ran into a problem where the web GUI was really slow and usually just timed out.  Netgate support (help much appreciated) discovered that my config file had 6,600 rules in it. I didn't have suitable backups at the time (sigh), so I just blew the entire drive away, installed the latest version of pfSense and manually created all the rules I needed (essentially about 20 or so).

    All was fine until I decided to add in the pfBlocker and Snort packages (which were both installed when I was having the problem). Immediately after doing these installs, the web GUI started to fail just like last time. However, this time I had taken a backup just before installing those packages and I was able to revert to just before those installs.

    So my question is, does anyone know which of those two packages is to blame for this problem and how I could continue to use them without running into the problem again?

    Many thanks,

    D



  • @dhjdhj:

    So my question is, does anyone know which of those two packages is to blame for this problem and how I could continue to use them without running into the problem again?

    Your problem is not Snort.  It never creates any firewall rules.  It simply adds IP addresses to a pre-existing pf table called snort2c.  There is a single built-in rule that references that table for blocks.  So there is no way Snort can cause your problem as it does not create any rules of its own.

    pfBlocker does create firewall rules, though.  So it is possible it is the culprit.

    Bill



  • @bmeeks:

    pfBlocker does create firewall rules, though.  So it is possible it is the culprit.

    If pfBlocker is the reason for the rules, there might be a misconfiguration, since normally it only adds up to ~10 rules for every inbound NIC and one rule for every blocklist alias for every outbound NIC.

    What is your pfB configuration?
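A quick way to settle the "which package" question from a config backup, as an added example that is not from any of the posters and not code from pfSense, pfBlockerNG or Snort: count the `<rule>` entries under `<filter>` in config.xml, attribute each to its creator, and flag identical rules that appear many times (a package re-adding its rules on every run is how twenty rules turn into thousands). The attribution heuristics are assumptions: pfBlockerNG auto rules are recognised by a `pfB_` prefix in `<descr>` or a `<created><username>` of `pfBlockerNG`; everything else is counted as manual. The embedded sample config is constructed for the example.

```python
"""Attribute the filter rules in a pfSense config.xml backup to whoever
created them, so a rule explosion can be traced to a package.

Added example for the thread above; not pfSense, pfBlockerNG or Snort code.
Assumptions: pfBlockerNG auto rules have a descr starting "pfB_" and/or a
<created><username> of "pfBlockerNG". Extend PREFIXES for other packages.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

PREFIXES = (("pfB_", "pfBlockerNG"),)   # assumed descr prefix -> owner
PFB_USERNAME = "pfBlockerNG"            # assumed username pfBlockerNG stamps

# Constructed sample in pfSense <filter><rule> layout. Three identical
# pfB_PRI1_v4 rules on WAN stand in for rules being re-added rather than replaced.
_SAMPLE_RULES = [
    ("pass", "lan", "Default allow LAN to any rule", "admin@192.0.2.10"),
    ("pass", "lan", "Default allow LAN IPv6 to any rule", "admin@192.0.2.10"),
    ("block", "wan", "pfB_PRI1_v4 auto rule", "pfBlockerNG"),
    ("block", "wan", "pfB_PRI1_v4 auto rule", "pfBlockerNG"),
    ("block", "wan", "pfB_PRI1_v4 auto rule", "pfBlockerNG"),
    ("block", "wan", "pfB_Top_v4 auto rule", "pfBlockerNG"),
    ("block", "lan", "pfB_Top_v4 auto rule", "pfBlockerNG"),
    ("pass", "wan", "Allow SSH from office", "admin@192.0.2.10"),
]


def _build_config(rules):
    """Render the constructed rule list as a minimal config.xml document."""
    items = "".join(
        f"<rule><type>{t}</type><interface>{i}</interface>"
        f"<descr><![CDATA[{d}]]></descr>"
        f"<created><time>1500000000</time><username>{u}</username></created></rule>"
        for t, i, d, u in rules
    )
    return f'<?xml version="1.0"?><pfsense><filter>{items}</filter></pfsense>'


SAMPLE_CONFIG = _build_config(_SAMPLE_RULES)


def owner_of(rule):
    """Guess which package (or person) created one <rule> element."""
    descr = (rule.findtext("descr") or "").strip()
    for prefix, owner in PREFIXES:
        if descr.startswith(prefix):
            return owner
    if (rule.findtext("created/username") or "").strip() == PFB_USERNAME:
        return "pfBlockerNG"
    return "manual/other"


def _rules(config_xml):
    return ET.fromstring(config_xml).findall("./filter/rule")


def count_rules(config_xml):
    """Return (total, Counter per owner, Counter per (owner, interface))."""
    rules = _rules(config_xml)
    per_owner = Counter(owner_of(r) for r in rules)
    per_owner_iface = Counter(
        (owner_of(r), (r.findtext("interface") or "?").strip()) for r in rules
    )
    return len(rules), per_owner, per_owner_iface


def duplicate_rules(config_xml, threshold=2):
    """(descr, interface) pairs seen `threshold`+ times, most frequent first."""
    seen = Counter(
        ((r.findtext("descr") or "").strip(), (r.findtext("interface") or "?").strip())
        for r in _rules(config_xml)
    )
    return sorted(((k, n) for k, n in seen.items() if n >= threshold),
                  key=lambda kv: (-kv[1], kv[0]))


def report(config_xml):
    """Human-readable summary: totals, per-owner/interface counts, duplicates."""
    total, per_owner, per_owner_iface = count_rules(config_xml)
    lines = [f"total filter rules: {total}"]
    lines += [f"  {o}: {n}" for o, n in per_owner.most_common()]
    lines += [f"    {o} on {i}: {n}" for (o, i), n in sorted(per_owner_iface.items())]
    lines += [f"  DUPLICATE x{n}: '{d}' on {i}" for (d, i), n in duplicate_rules(config_xml)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python rulecount.py [config.xml]; without a path the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(report(text))
```

Run it against a backup taken while the GUI is misbehaving (Diagnostics > Backup & Restore). A single `pfB_…` description repeated hundreds of times on one interface points at the pfBlocker side; Snort, as Bill notes, only populates the `snort2c` table, which you can confirm on the box with `pfctl -sr | grep snort2c` (the one built-in rule referencing it) and `pfctl -t snort2c -T show` (the blocked addresses).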

