URL Table not working correctly



  • I set up 4 URL tables (IPs)… three of them work correctly and the number of IPs it pulls from my text files corresponds and is correct.  However one of them, a large one, does not.

    It has 225k entries (see screen shot).  Two strange things happen... 1) when viewing in pfsense it only shows 113,890 (see screen shot).  2) When viewing the IPs it shows IPs that are NOT in my original text file/URL Table.  See screenshot... it's showing sequential IPs, none of which are in my text file.  What's going on?

    I can understand if I'm hitting a limit with the 225k entries (can I fix this?), but why are the wrong IP's showing?  Is there a way to fix both of these issues?

    Thanks in advance,

    John




  • Banned

    You are doing something very likely insane and will hit BSD kernel limits and issues with this.

    https://redmine.pfsense.org/issues/4876
    https://lists.freebsd.org/pipermail/freebsd-pf/2011-May/006139.html

    (Would appreciate if someone more savvy about the FreeBSD kernel responded here or on that bug.)



  • If you have to use swap, you lose the responsiveness of PF managing the states which is perhaps why this is happening as a guess without looking at the code.

    However if using an SSD drive instead of a spin disk, using swap may be less of an issue considering the speed advantages an SSD drive brings to the table over spin disks, but ultimately you have to consider the time & code involved in getting a packet down the bus into the CPU to be processed and then the state held in memory, as against then having to run more OS code to handle swapping memory to disk and back again.


  • Banned

    Eeeeeeeh? How on earth is swap relevant here???



  • Discs are notoriously slow, someone may have put a hard/soft limit in the code to stop too much data being loaded into memory which could then force the OS to use swap more.

    Without knowing the history of the code, like when it was originally written, which could be a factor, the best option is to examine the code in question, something I'm not able to do at the moment as I'm in the middle of rewriting a Linux network driver as the latest version being shipped in distros doesn't work and I want to know why.

    But as another example, it could also be caused by using the wrong data type in code, for example someone might have used a short instead of a long, although that was more common in 16-bit code and because of the way code was written back then, it wasn't common to see techniques used which made it easier to port code when wider CPUs came out, i.e. 8-bit to 16-bit, 16 to 32-bit, 32 to 64-bit CPUs.

    https://en.wikipedia.org/wiki/C_data_types
    Short signed integer type. Capable of containing at least the [−32767,+32767] range
    Long signed integer type. Capable of containing at least the [−2147483647,+2147483647] range

    The limit doesn't in this case appear to be tied to a data type limit as these stand out quite easily when problems occur, but without examining the code in question my previous post could only be considered as a guess at that stage, but I still suspect swap might be the reason to have a limit.


  • Banned

    Dude, are you smoking something strong? Stop flooding this topic with total SHIT. Reported to mods. Get on topic or leave this alone. This is a real issue and has nothing to do with swaps and HDDs.



  • @doktornotor:

    You are doing something very likely insane and will hit BSD kernel limits and issues with this.

    https://redmine.pfsense.org/issues/4876
    https://lists.freebsd.org/pipermail/freebsd-pf/2011-May/006139.html
    (Would appreciate if someone more savvy about the FreeBSD kernel responded here or on that bug.)

    You asked for some input. Make your mind up?  ::)


  • Banned

    Yeah, I wanted input from people who are familiar with the FreeBSD kernel code in order to get relevant hints.



  • @doktornotor:

    Yeah, I wanted input from people who are familiar with the FreeBSD kernel code in order to get relevant hints.

    So you know everyone now, that must make you the NSA.  ;D


  • Banned

    @firewalluser:

    So you know everyone now, that must make you the NSA.  ;D

    Example of relevant hint: https://lists.freebsd.org/pipermail/freebsd-pf/2011-May/006139.html

    (Except that this one and others mentioned on that thread do NOT work.)

    Example of totally irrelevant "hint":

    • I didn't read the code
    • Swap is slow
    • Get an SSD
    • signed long is 2^xyz

    :( >:( >:(

    P.S. That box has 8GiB of RAM and is NOT swapping. This is NOT related to running out of physical RAM!!!

    :( >:( >:(


  • Banned

    BTW, @OP:

    You can see what's in the tables when you go to Diagnostics - Tables and select the one you need from the dropdown.  (The javascript fancy popup is not usable anyway for 200K+ or what entries… cannot search in that at all.)



  • @firewalluser:

    Discs are notoriously slow, someone may have put a hard/soft limit in the code to stop too much data being loaded into memory which could then force the OS to use swap more.

    I saw that thread and one of the thoughts that crossed my mind was the coder has come up with something/algo to limit how much can get loaded into memory to maintain performance. Bear in mind a lot of old code was written before the HW developments like loads of RAM & SSD drives we have today, so designs & code compensated or restricted for poor HW performance.

    Until the code is examined and the reasons for the behaviour are established, as it might even be by design, everything is speculation on everyone's part here and in the freebsd thread, but they would be the areas I would look into and for some of the reasons why.


  • Banned



  • Heh, "right now"…



  • I'm not having any issues with swap space, however I've also not enabled any firewall rules to use the new URL Table…I had when I first implemented this, but only for a few minutes while testing how things were working after enabling.  I didn't see any HW or OS issues....just the two anomalies I've mentioned, so rules were enabled for 5-10 mins, without performance issues.

    Any help/feedback on my actual issues/original questions?

    So for some background, the reason I started using this was because I was originally using a Network alias, but when I started adding more IPs, I received an error stating something about reaching a limit of 1000 and to change something in php.ini. I was about to do that, but that's when I learned about the URL Tables.  However in my original IP aliases list I only have about 320 IPs (not 1000).  Since I was making some changes I decided to use my large block list I've been gathering, thus the reason for the 200k entries... but originally it was only 320 or so on a Network Alias.

    So if I can't have 250k entries, how do I solve this, is there a way to have large numbers of entries without breaking anything (but again, the OS and HW performance were fine for the 5-10 mins)?  Why is it showing numbers that I don't even have in my URL table?

    Thanks,


  • Banned

    @johns:

    Any help/feedback on my actual issues/original questions?

    See this: https://forum.pfsense.org/index.php?topic=98698.msg549855#msg549855



  • That link takes me to your comment that I've pasted below…how does that help?  You want me to try Diagnostics -Tables to see if it loads?

    BTW, @OP:

    You can see what's in the tables when you go to Diagnostics - Tables and select the one you need from the dropdown.  (The javascript fancy popup is not usable anyway for 200K+ or what entries... cannot search in that at all.)


  • Banned

    No. I want you to compare what you see there with what you SHOULD see there, i.e. whether or not it matches the file downloaded. The popup is something that just cannot be worked with on 250K IPs, I'd figure it's very obvious?



  • @doktornotor:

    No. I want you to compare what you see there with what you SHOULD see there, i.e. whether or not it matches the file downloaded. The popup is something that just cannot be worked with on 250K IPs, I'd figure it's very obvious?

    It shows the same thing as in the first screen shot, IP's that are not in my text file.  I've included a screen shot of it.

    ![8-28-2015 12-15-21 pm.png](/public/imported_attachments/1/8-28-2015 12-15-21 pm.png)


  • Banned

    Afraid that unless you make your blocklist available here, this won't get anywhere.


  • Moderator

    Why don't you try to use pfBlockerNG to load these text files… It will also have the option of de-duplicating the Lists (if there are any dups...)

    A small note... from the 2nd screen shot... You don't need to :
    cat filename | wc -l

    You can just use:
    wc -l filename

    The following is actually faster if you're counting ms    :)
    grep -c ^ filename



  • @doktornotor:

    Afraid that unless you make your blocklist available here, this won't get anywhere.

    I'm not sure the whole list is needed, but I've searched for the IP's showing up in the table in my file, but to no avail.

    
    [root@]# grep "1\.0\.209\.0" blocklist.txt
    [root@]# grep "1\.0\.155\.0" blocklist.txt
    [root@]# grep "1\.0\.167\.0" blocklist.txt
    [root@]# head blocklist.txt
    120.203.159.14/24
    118.244.254.17/24
    117.26.227.207/24
    27.153.210.22/24
    183.232.55.193/24
    211.119.86.147/24
    175.44.29.77/24
    125.77.142.168/24
    122.96.59.106/24
    190.216.229.68/24
    
    

    Here's to show grep is working… (selected an IP from the head command above):

    [root@]# grep "27\.153\.210\.22" blocklist.txt
    27.153.210.22/24
    


  • @BBcan177:

    Why don't you try to use pfBlockerNG to load these text files… It will also have the option of de-duplicating the Lists (if there are any dups...)

    A small note... from the 2nd screen shot... You don't need to :
    cat filename | wc -l

    You can just use:
    wc -l filename

    The following is actually faster if you're counting ms    :)
    grep -c ^ filename

    I'm currently using pfBlockerNG (by selecting specific locations), but 1) wasn't aware I could load custom files, 2) need some automation; the URL Tables appear to offer the scheduled importing I need.

    And thanks for the wc tip, I didn't know that!


  • Moderator

    Shouldn't the last octet be a "0" when using a /24 ?

    I don't think those IPs will load into a packet fence table..


  • Moderator

    @johns:

    I'm currently using pfBlockerNG (by selecting specific locations), but 1) wasn't aware I could load custom files, 2) need some automation; the URL Tables appear to offer the scheduled importing I need.

    I am the Dev of pfBNG … So I can confirm that it can use localfiles..  :)

    In the IPv4/6 Tab, enter the localfile path/filename in the URL field....



  • @BBcan177:

    Shouldn't the last octet be "0" when using a /24 ?

    I don't think those IPs will load into a packet fence table..

    I've used them successfully in small alias tables and URL Tables, and from testing, appear to work correctly.



  • @BBcan177:

    @johns:

    I'm currently using pfBlockerNG (by selecting specific locations), but 1) wasn't aware I could load custom files, 2) need some automation; the URL Tables appear to offer the scheduled importing I need.

    I am the Dev of pfBNG … So I can confirm that it can use localfiles..  :)

    In the IPv4/6 Tab, enter the localfile path/filename in the URL field....

    Cool!  And I see I can set the update frequency!  Will this handle the 250k+ records?  If so, is there a limit, and if not, what is the limit?


  • Moderator

    The first post that Dok posted was about some issues with the pf Tables… I don't personally have a single table over 200,000 IPs, but I do have over 200,000 IPs in total table size.

    I tried to add that IP and it doesn't get added to the pf table… The last octet in a /24 needs to be "0" for it to load into the table... I assume that this is the issue you are having..

    I would suggest taking this list and splitting it down into two files.. I assume you are collecting these IPs from a mail server/honey pot etc... Just start with a new 3rd file to keep the size down.

    grep -c '/24' filename will show how many lines are /24.

    As a test : (Change the pfB_PRI1 to any existing pf Table)

    pfctl -t pfB_PRI1 -T add 20.203.159.14/24
    0/1 addresses added.

    But if I add the IP with a "0" in the last octet

    pfctl -t pfB_PRI1 -T show | grep "20.203.159."
      20.203.159.0
      20.203.159.0/24


  • Banned

    Pretty much as noted above, those blocklists are just wrong. Use /32 (or just nothing) for individual IPs. Those subnets you have are not valid.



  • @BBcan177:

    I tried to add that IP and it doesn't get added to the pf table… The last octet in a /24 needs to be "0" for it to load into the table... I assume that this is the issue you are having..

    I'm starting to think the same thing… however... I have a much smaller list, it's set up the exact same way... the difference is the size... this one has about 300 IPs, that's it... and it auto set the last octet to 0....

    [root@]# head manualblocklist.txt
    178.120.172.209/24
    186.82.25.216/24
    77.44.161.22/24
    181.118.75.200/24
    188.209.49.117/24
    119.94.47.83/24
    81.92.120.13/24
    118.98.115.16/24
    180.191.104.244/24
    81.213.208.9/24
    
    

    ![8-28-2015 1-05-55 pm.png](/public/imported_attachments/1/8-28-2015 1-05-55 pm.png)



  • I would suggest taking this list and splitting it down into two files.. I assume you are collecting these IPs from a mail server/honey pot etc… Just start with a new 3rd file to keep the size down.

    I was thinking the same thing, thus my reason for asking what limits there were.  Thanks.


  • Banned

    How does it set the last octet?!? The list does not match in the least what you posted in the screenshot.

    1/ Stop feeding invalid crap to aliases.
    2/ Load this to pfBlockerNG and use some reputation features there to make the whole thing smaller. Like this:



  • @doktornotor:

    Pretty much as noted above, those blocklists are just wrong. Use /32 (or just nothing) for individual IPs. Those subnets you have are not valid.

    Ah, this may be the issue….using my smaller url table I just checked, and the /24 are imported but not the single IP's listed as /32.  So perhaps removing these from my lists will solve the issue?  I'll try it and repost.

    As a side note, I tried using pfbng to import and use the list and it's semi working, the file was imported and did find dups, but it's not blocking anything (nothing shown in pfbng status widget) and when I try to view the table (via diag -> tables, nothing shows)... so I assume it may be the same issue.



  • @doktornotor:

    How does it set the last octet?!? The list does not match in the least what you posted in the screenshot.

    1/ Stop feeding invalid crap to aliases.
    2/ Load this to pfBlockerNG and use some reputation features there to make the whole thing smaller.

    That's exactly the issue…when I look at the files, it shows legit info, but that's not what's being loaded into the aliases, thus the reason I posted here.  I'm going to remove the /32's and see if that doesn't help.


  • Banned

    I think you are just very confused? You have no /32 anywhere. You have /24 there.



  • @doktornotor:

    I think you are just very confused? You have no /32 anywhere. You have /24 there.

    Sorry, perhaps I'm not being clear, but I do have /32's listed, just not a lot of them:

    
    [root@]# grep '\/32' manualblocklist.txt
    70.49.52.23/32
    69.46.128.29/32
    66.51.128.42/32
    109.169.22.220/32
    162.250.189.125/32
    198.23.140.98/32
    104.206.96.58/32
    

    And to clarify…I've tested and the /24 are imported and auto changed to .0/24, but the /32's are not imported, so I'm wondering if they're causing issues.



  • I take it back, they are being imported….screenshot one is my text file and screen shot two is from diag -> tables.  So I'm back to square one.  Any other ideas?

    ![8-28-2015 1-28-35 pm.png](/public/imported_attachments/1/8-28-2015 1-28-35 pm.png)
    ![8-28-2015 1-27-57 pm.png](/public/imported_attachments/1/8-28-2015 1-27-57 pm.png)



  • I tried using pfbng to no avail…file imports correctly, but lists shows as blank and status shows no blocks:

     UPDATE PROCESS START [ 08/28/15 13:31:55 ]
    
    [ pfB_Europe_v4 ]	 exists, Reloading File 
    [ pfB_Top_v4 ]		 exists, Reloading File 
    [ cbl ]			 Downloading New File ----------------------------------------------------------
    Original   Masterfile Outfile     [ Post Duplication count ]   
    ----------------------------------------------------------
    225549     213102     213102      [ Passed ]                   
    ----------------------------------------------------------
    
    ===[  Aliastables / Rules  ]================================
    
    Firewall Rule Changes Found, Applying Filter Reload
    
    ===[ FINAL Processing ]=====================================
    
       [ Original count   ]  [ 242994 ]
    
       [ Processed Count  ]  [ 230547 ]
    
    ===[ Deny List IP Counts ]===========================
    
      230547 total
      213102 /var/db/pfblockerng/deny/cbl.txt
    

  • Moderator

    According to that screenshot, it collected 213102 IPs… The others are probably duplicates...

    I think you're going to have strange results until you convert the file which has /24 to its proper format ("0" in the last octet)... Don't worry about the /32, it will work with or without the /32.

    Here is a small script that will convert the /24's. (Change the /tmp/filename)

    
    #!/bin/sh
    # Pull out every /24 entry from the list (change /tmp/filename to your file)
    data=$(grep '/24' /tmp/filename)
    
    for ip in $data; do
            # keep the first three octets, i.e. the network part of a /24
            i="$(echo "$ip" | cut -d '.' -f 1-3)"
            # print it with the host octet reset to 0, the form pf accepts
            echo "$i.0/24"
    done
    exit
    
    

    To collect all other IPs in the file and exclude the /24's
    grep -v '/24' filename

    If you want to sort that file…
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n filename
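    As an added example (not from this thread and not pfBlockerNG's own code), here is the normalisation BBcan177 describes and scripts above, generalised to any prefix length rather than only /24: every line is parsed with Python's ipaddress module, host bits are cleared so that 120.203.159.14/24 becomes 120.203.159.0/24 (the form pfctl accepts), bare addresses and /32 entries come out identical as doktornotor noted, duplicates collapse, and lines pf would reject are reported with their line number. The sample list is constructed from the addresses quoted in the thread plus one deliberately invalid line.

```python
import ipaddress

# Constructed sample in the format johns posted: /24 entries with host bits
# set, a /32 host, a bare address, a duplicate network and an invalid line.
SAMPLE = """\
120.203.159.14/24
118.244.254.17/24
27.153.210.22/24
70.49.52.23/32
69.46.128.29
120.203.159.200/24
not-an-ip/24
"""


def normalize_blocklist(text):
    """Return (entries, rejected).

    entries  - sorted, de-duplicated CIDR strings with host bits cleared
               (1.2.3.4/24 -> 1.2.3.0/24), which is what a pf table loads.
    rejected - (line_number, original_line) pairs that are not parseable
               as an IPv4/IPv6 network and would be dropped by the table.
    """
    seen = set()
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False clears host bits instead of raising ValueError;
            # a bare address parses as a /32 (or /128), same as pf treats it.
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, line))
            continue
        seen.add(net)
    # sort IPv4 before IPv6, then by network address and prefix length
    entries = [str(net) for net in sorted(seen, key=lambda n: (n.version, n))]
    return entries, rejected


if __name__ == "__main__":
    entries, rejected = normalize_blocklist(SAMPLE)
    for entry in entries:
        print(entry)
    for lineno, line in rejected:
        print(f"# rejected line {lineno}: {line!r}")
```

The printed entries can be saved to a file and fed to a URL Table or pfBlockerNG local file in place of the raw list, and the rejected lines tell you which source lines the table would silently have dropped.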



  • @BBcan177:

    According to that screenshot, it collected 213102 IPs… The others are probably duplicates...

    I think you're going to have strange results until you convert the file which has /24 to its proper format ("0" in the last octet)... Don't worry about the /32, it will work with or without the /32.

    Here is a small script that will convert the /24's. (Change the /tmp/filename)

    
    #!/bin/sh
    # Pull out every /24 entry from the list (change /tmp/filename to your file)
    data=$(grep '/24' /tmp/filename)
    
    for ip in $data; do
            # keep the first three octets, i.e. the network part of a /24
            i="$(echo "$ip" | cut -d '.' -f 1-3)"
            # print it with the host octet reset to 0, the form pf accepts
            echo "$i.0/24"
    done
    exit
    
    

    To collect all other IPs in the file and exclude the /24's
    grep -v '/24' filename

    If you want to sort that file…
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n filename

    Thanks, I'll try it.