Firewall: Aliases edit from console

bernikm

Hi

Is there any way to manually edit firewall:aliases file. We need to add a range of IP Subnets that will be blocked, so that we don't need to enter them from GUI, just copy/paste to conf file? Can this be done and how?
Regards,Miha

jimp

You can manually edit the config with "viconfig" (or download a backup of the config, edit it locally on a PC, then restore the backup)

Just be extremely careful of the formatting.

bernikm

Thanks!

jjj

Is there a known limit to the number of IPs you can have in an alias? We have about 205 in there now…the firewall takes forever to boot and the processor is pegged at 100%. No packages are installed. We're using the the Aliases to create an Allowed Internet users ACL with another alias for allowed ports. Also, the filter reload is hung on HTTPS.

jimp

As long as it's just IPs, you should be able to get away with somewhere around ~3000 I thought.

The filter reload status screen doesn't automatically refresh properly on 1.2.3, you have to reload the page manually.

Aliases shouldn't impact the load time unless you're using hostnames in them instead of IPs, but other things like having several VLANs can slow it down on 1.2.3

On 2.0 it's not an issue.

jjj

Hmmm.. any idea why the processor would be pegged at 100%?

jimp

Do you have polling enabled?

jjj

"Use Device Polling" is not enabled.

jimp

From the console, look at the output of:

top -SH

jjj

jimp

Do you have Captive Portal enabled? And a bunch of connected CP clients?

Or do you have one of the "country block" or "ip block" packages installed? One of those (ab)used ipfw to load a bunch of IPs and it would do something like that.

jjj

Captive Portal is not enabled. No packages are installed. Fresh install as of last night.

jimp

ipfw wouldn't be running unless something loaded it. It doesn't load by default on a stock install.

jjj

What about restoring the configuration from a backup (without any packages)?

DHCP Server and IPSec are enabled, but no 3rd party packages are installed.

jimp

I think scheduled rules will also hit ipfw. Got any of those?

jjj

No. But Firewall > Schedule had an Always rule? I deleted it, but it didn't help.

Plus, Filter Reload is still saying "Creating rule HTTPS".

jimp

After you deleted the schedules, you may have to reboot

jjj

Looks like that did it. Back to 0% usage. Thanks for your help.