Subject: Re: ipf - rule set size limit? (*UPDATE*)
To: None <ipfilter@coombs.anu.edu.au, richard@vdberg.org,>
From: Gene ENonymous <yancm@sdf.lonestar.org>
List: tech-net
Date: 11/09/2004 18:17:25
Just to update the fine folks who answered me on and off the lists...
[netbsd - tech-net and ipf]

I subdivided the rule sets into 256 subnets (fewer, actually, because
many were empty and hence not listed at all), which means no packet
needs to match more than about 1000 rules to fully traverse the full
20,000+ rule ipf rule-set.

I never got a crystal clear answer to my original question about rule set
size limits, but that question is moot since the grouping approach allowed
me to load all my rules without crashing.

I got several impatient suggestions to just try stuff, but I only
have one firewall and every time I crash it I have to explain to
my family why they can't get to Google! 8-) So I probably asked
a few too many things I could determine by trial and error...

Unless I run into more specific questions about NetBSD networking or
ipf specifics, I will continue updates on this mini-project only on
the message board at:

http://www.methlabs.org/forums/showthread.php?p=27211#post27211

I would welcome other folks to critique and test on that forum if
you are interested.

Thanks again for the help!!!
gene


>Date: Wed, 3 Nov 2004 15:09:01 GMT
>From: Gene ENonymous <yancm@sdf.lonestar.org>
>To: tech-net@NetBSD.org
>Subject: ipf - rule set size limit?

>I would like to implement the Peer Guardian block list (using ipf rules)
>for spyware/adware.

>After processing the rule set into ipf format, I end up with about
>20,000 rules (maybe 2000 are duplicates?).

>Running NetBSD 1.6.2 on i386 (166 MHz Pentium w/56M Ram) I attempted to
>load the ruleset.

>First I tried the whole ruleset...it hung my system requiring a
>power cycle reboot. (ouch)

>Then I broke the rule set into 2 files of <= 10,000 rules each. ipf -f file1.rules
>loaded fine. But when I tried ipf -f file2.rules...it locked my system again, requiring
>another power cycle reboot.

>Having used NetBSD for several years, I have only rarely run into system lock situations...

>So, does anyone here know
>   a) if there is a hard limit to the rule set size with ipf?
>   b) if it's not a hard limit, any suggestions on why I'm locking up and how to fix it?
>   c) is there some better way to block large numbers of undesirable subnets from accessing my box?

>Thanks in advance.
>gene
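The grouping approach Gene describes (one ipf head rule per /8, with the block rules for that /8 in its own group, so a packet only walks its own group instead of the whole list), as an added shell example that is not from the post or from the ipf project. It assumes the interface name fxp0, that group numbers 100 + first octet are unused elsewhere in the ruleset, and that a non-quick pass head rule is wanted so a /8 with no matching entry falls through to the rest of the ruleset; the CIDR list is constructed sample data, not the Peer Guardian list.

```shell
#!/bin/sh
# Added example (not from the post): split a flat CIDR block list into ipf
# groups keyed on the first octet, so a packet only traverses the rules of
# its own /8 instead of the whole list. Assumed: interface fxp0, group
# numbers 100 + first octet are unused elsewhere, and the head rule is a
# non-quick "pass" so a /8 with no matching entry falls through to the
# rest of the ruleset.

# Constructed sample list (one CIDR per line, with a duplicate on purpose).
SAMPLE_LIST='10.1.2.0/24
10.1.2.0/24
10.9.0.0/16
192.0.2.0/24
198.51.100.128/25'

# Usage: gen_ipf_groups <interface> < cidr_list
# Reads CIDRs on stdin, drops duplicates, prints grouped ipf rules on stdout.
gen_ipf_groups() {
    iface=$1
    sort -u | awk -v iface="$iface" -F'[./]' '
        # keep only well-formed a.b.c.d/len lines; $1 is the first octet
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            o = $1 + 0
            n[o]++
            entry[o, n[o]] = $0
        }
        END {
            # emit groups in numeric octet order; skip empty /8s entirely
            for (o = 0; o < 256; o++) {
                if (!(o in n)) continue
                g = 100 + o
                printf "pass in on %s from %d.0.0.0/8 to any head %d\n", iface, o, g
                for (i = 1; i <= n[o]; i++)
                    printf "block in quick on %s from %s to any group %d\n", iface, entry[o, i], g
            }
        }'
}

# Largest number of rules any one packet can hit: all head rules + biggest group.
# Usage: max_path_length < grouped_rules
max_path_length() {
    awk '/ head / { heads++ } / group / { c[$NF]++ } END {
        max = 0; for (g in c) if (c[g] > max) max = c[g]
        print heads + max }'
}

# Demo run: print the grouped rules for the sample list.
printf '%s\n' "$SAMPLE_LIST" | gen_ipf_groups fxp0
```

Pipe the real list through `gen_ipf_groups` into a file and load that with `ipf -f`; `max_path_length` on the output gives the worst-case number of rules a single packet walks, which is the figure Gene quotes as about 1000.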