Firewall: Aliases edit from console
-
Hi
Is there any way to manually edit the firewall: aliases file? We need to add a range of IP subnets that will be blocked, so that we don't need to enter them from the GUI, just copy/paste into the conf file. Can this be done, and how?
Regards, Miha
-
You can manually edit the config with "viconfig" (or download a backup of the config, edit it locally on a PC, then restore the backup)
Just be extremely careful of the formatting.
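One way to keep the formatting right when pasting a block of subnets into a downloaded config backup, as an added example that is not from this thread or from pfSense itself: it assumes the backup's alias layout is `<aliases><alias><name>..</name><type>network</type><address>..</address>..` with space-separated CIDRs in `<address>` (check against your own backup), validates every entry before it touches the file, and drops duplicates.

```python
"""Merge subnets into a pfSense config.xml network alias (added example)."""
from __future__ import annotations
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the <aliases> section of a backup (assumed layout).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <aliases>
    <alias>
      <name>blocked_nets</name>
      <type>network</type>
      <address>203.0.113.0/24</address>
      <descr>Blocked subnets</descr>
    </alias>
  </aliases>
</pfsense>
"""


def merge_subnets(config_xml: str, alias_name: str,
                  subnets: list[str]) -> tuple[str, list[str]]:
    """Return (new config text, final address list) after adding subnets.

    Each entry goes through ipaddress.ip_network(strict=True), so a host bit set
    in a /24 or a malformed mask raises ValueError instead of landing in the
    file; duplicates are dropped and the existing order is preserved.
    """
    root = ET.fromstring(config_xml)
    alias = next((a for a in root.iter("alias")
                  if a.findtext("name") == alias_name), None)
    if alias is None or alias.findtext("type") != "network":
        raise ValueError(f"network alias {alias_name!r} not found")
    addr_el = alias.find("address")
    if addr_el is None:
        addr_el = ET.SubElement(alias, "address")
    merged: list[str] = []
    for entry in (addr_el.text or "").split() + list(subnets):
        cidr = ipaddress.ip_network(entry, strict=True).with_prefixlen
        if cidr not in merged:
            merged.append(cidr)
    addr_el.text = " ".join(merged)  # space-separated, as pfSense stores it
    return ET.tostring(root, encoding="unicode"), merged


if __name__ == "__main__":
    new_xml, addrs = merge_subnets(SAMPLE_CONFIG, "blocked_nets",
                                   ["198.51.100.0/24", "192.0.2.0/25"])
    print(addrs)
    print(new_xml)
```

ET.tostring omits the `<?xml ...?>` declaration, so write it back yourself before restoring the backup.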
-
Thanks!
-
Is there a known limit to the number of IPs you can have in an alias? We have about 205 in there now... the firewall takes forever to boot and the processor is pegged at 100%. No packages are installed. We're using the Aliases to create an Allowed Internet users ACL with another alias for allowed ports. Also, the filter reload is hung on HTTPS.
-
As long as it's just IPs, you should be able to get away with somewhere around ~3000 I thought.
The filter reload status screen doesn't automatically refresh properly on 1.2.3, you have to reload the page manually.
Aliases shouldn't impact the load time unless you're using hostnames in them instead of IPs, but other things like having several VLANs can slow it down on 1.2.3.
On 2.0 it's not an issue.
-
Hmmm.. any idea why the processor would be pegged at 100%?
-
Do you have polling enabled?
-
"Use Device Polling" is not enabled.
-
From the console, look at the output of:
top -SH
-
Do you have Captive Portal enabled? And a bunch of connected CP clients?
Or do you have one of the "country block" or "ip block" packages installed? One of those (ab)used ipfw to load a bunch of IPs and it would do something like that.
-
Captive Portal is not enabled. No packages are installed. Fresh install as of last night.
-
ipfw wouldn't be running unless something loaded it. It doesn't load by default on a stock install.
-
What about restoring the configuration from a backup (without any packages)?
DHCP Server and IPSec are enabled, but no 3rd party packages are installed.
-
I think scheduled rules will also hit ipfw. Got any of those?
-
No. But Firewall > Schedule had an Always rule? I deleted it, but it didn't help.
Plus, Filter Reload is still saying "Creating rule HTTPS".
-
After you deleted the schedules, you may have to reboot.
-
Looks like that did it. Back to 0% usage. Thanks for your help.