
DShield Alias Blacklist / High update frequency missing #1703

Closed
ghost opened this issue Jul 6, 2017 · 5 comments
Labels: cleanup (Low impact changes), feature (Adding new functionality)

Comments

@ghost

ghost commented Jul 6, 2017

Hey guys :),

I am about to include some blacklists in my firewall ruleset, which are working fine combined with the "alias" feature as long as the update frequency is low.
As for "DROP/EDROP" and "Blocklist.de", 1-day update frequencies are perfectly fine.
DShield, for example, needs an update frequency of 10 to 15 minutes in order to reduce false positive blockings.
The alias settings only allow per-day updates, and I don't think 0,00694444 days works as expected for a time span of 10 minutes. :)

Another thing which I and others are running into is the following:
It seems that OPNsense is not checking the option "Firewall Maximum Table Entries" before applying new URL IP tables. Huge lists in combination with Suricata and so on will then kill/slow down the firewall because of too many entries when applied to the system without warning the user.
Since I manually increased the max table entries option before applying the URL table entries, I gladly didn't run into that problem, but others did:
https://forum.opnsense.org/index.php?topic=5365.0

Take care. :)

@AdSchellevis (Member)

Hi @PitchBendStretch, the question was already on the issue list (#1603); I will close the other one because this one has more context.

With the current method of alias loading, we shouldn't increase the frequency; it won't be very stable (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc#L211-L212).

Eventually the alias loading process should be detached from the filter load (load new file, diff with current alias content and update in a separate process) and then it would be possible. Too much work for now, but certainly a good idea for a later moment in time.
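The detached approach described above (load the new file, diff it against the current table content, apply only the delta) and the missing "Firewall Maximum Table Entries" check from the opening post can be sketched in one place. The following is an added illustration, not OPNsense code and not the filter.inc logic: it takes the current table contents (as `pfctl -t <table> -T show` would print them, here a constructed list) and a constructed feed text, normalises both sides so host entries and /32 prefixes compare equal, drops malformed lines, and refuses to render `pfctl` commands when the projected entry count would exceed the configured limit. Table name `dshield`, the sample feed and the limit values are all constructed assumptions; nothing here executes `pfctl`.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of a downloaded blocklist (not real DShield data).
SAMPLE_DOWNLOAD = """\
# constructed sample feed
192.0.2.0/24
198.51.100.7
not-an-address
"""


def normalize_entry(entry: str) -> str:
    """Canonical form so '198.51.100.7' (pfctl output) and '198.51.100.7/32' compare equal."""
    return str(ipaddress.ip_network(entry.strip(), strict=False))


def parse_feed(text: str):
    """Return (valid_prefixes, rejected_lines); comments and blank lines are skipped."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            valid.add(normalize_entry(line))
        except ValueError:
            rejected.append(line)  # keep a record instead of silently loading junk
    return valid, rejected


@dataclass
class UpdatePlan:
    add: frozenset          # entries present in the feed but not yet in the table
    delete: frozenset       # entries in the table that the feed no longer lists
    unchanged: int          # entries that need no pfctl call at all
    projected_total: int    # entries across all tables after applying this plan
    fits_limit: bool        # False when the configured maximum would be exceeded


def plan_update(current, feed_text, max_table_entries, entries_in_other_tables=0):
    """Diff the downloaded feed against the live table and check the entry limit first."""
    new, _rejected = parse_feed(feed_text)
    cur = {normalize_entry(e) for e in current}
    add = frozenset(new - cur)
    delete = frozenset(cur - new)
    projected = entries_in_other_tables + len(new)
    return UpdatePlan(add, delete, len(new & cur), projected, projected <= max_table_entries)


def render_pfctl(table: str, plan: UpdatePlan):
    """Commands a caller would run (not executed here); refuses when the limit is exceeded."""
    if not plan.fits_limit:
        raise RuntimeError(f"refusing: {plan.projected_total} entries exceed the table limit")
    cmds = [f"pfctl -t {table} -T delete {e}" for e in sorted(plan.delete)]
    cmds += [f"pfctl -t {table} -T add {e}" for e in sorted(plan.add)]
    return cmds


if __name__ == "__main__":
    # Constructed: what `pfctl -t dshield -T show` might currently print.
    current = ["192.0.2.0/24", "203.0.113.0/24"]
    plan = plan_update(current, SAMPLE_DOWNLOAD, max_table_entries=1_000_000)
    for cmd in render_pfctl("dshield", plan):
        print(cmd)
```

Because only the delta is applied, a feed that changes by a handful of prefixes every 10 minutes costs a handful of `pfctl` calls rather than a full filter reload, and the limit check turns the silent overload described in the opening post into an explicit refusal the operator can act on.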

@ghost (Author)

ghost commented Jul 6, 2017

Hey @AdSchellevis :)
Yes, updating should be separate, since the updating process may or may not change the complete list over and over again, which is probably heavily CPU-wasting if it's done more than once per hour.
I would really love to see this feature on the roadmap. ;)

@AdSchellevis AdSchellevis self-assigned this Jul 10, 2017
@AdSchellevis AdSchellevis added cleanup Low impact changes feature Adding new functionality labels Jul 10, 2017
@mimugmail (Member)

@AdSchellevis Isn't this possible with a cron and "Update and reload firewall aliases"?

@AdSchellevis (Member)

@mimugmail it would be possible to force the load using a crontab, but it would likely stress the box too much. Better not to offer the feature as long as the loading isn't solid (I don't want to increase the issue; you can easily create a shell script with a configd command to do it for you, with the known disadvantages).

@fichtner (Member)

@AdSchellevis is working on this via #1971
