FreeBSD pf questions...

I know there's a limited audience for these questions but I'm at my wit's end… First, some background… I've been porting stuff to FreeBSD using an unsupported Linode running FreeBSD 12.1-RELEASE. It has a custom kernel that I built to leave out the gazillion drivers and subsystems that are not needed for a Linode VM (I can share the kernel configuration file if you want…but Linode has it). I have several large tables that I'm trying to install into my pf firewall. This morning, they clocked in at

   45992 bl-nets4.conf
   19595 bl-nets6.conf
  150684 bl-nodes4.conf
       7 bl-nodes6.conf
  216278 total

I'm having problems installing them (memory allocation issues…in pf the memory for these comes from kernel memory and I'm doing all this on a 1Gb nanode). It's been many years since I've worked on FreeBSD so pardon me if my questions are memory failures…

  • What is the tunable net.pf.source_nodes_hashsize? I can't find any documentation on it anywhere. I only found some anecdotal evidence that increasing it from 8K makes things better (things remains undefined at the moment). Is this the max hash size for pf tables?

  • Using ipset on Linux, the hash size for a particular table is computed from the set type (hash:net or hash:ip) and the maxelem value. I can't find any documented way to set/change either the hash size or the maximum number of elements on a pf table. I might note that these tables are persistent from files so I know, a priori, the size and type. The pf anchor that generates the table/rule definitions comes from a script that I wrote. Does anyone know if the hash size and max # of elements can be set when the table is defined?

I appreciate your help…

No flames about Linux-is-better-than-FreeBSD please…I'll stack ZFS up against ext4/lvm any day!

-- sw

9 Replies

Can you please share the configuration file? If it makes it easier a pastebin or a gist would be nice :)

Hey there -

I've done some research on what you're asking, and I'm afraid that I haven't been able to find definitive documentation that answers your questions. I think it's time to call in the experts.

I've added some tags to this post to give it more visibility to members of the Linode Community that are also using FreeBSD - and we've sent out this question via Twitter to try and get it some additional traction:

https://twitter.com/linode/status/1266041043746787329

I hope that helps you out. If you have any new information to add here, please do so!

@larsoncarter --

You write:

Can you please share the configuration file? If it makes it easier a pastebin or a gist would be nice :)

Which configuration file do you want:

  • the boot time configuration (/boot/loader.conf.local -- where the sysctls are set) and/or
  • the anchor definition that holds the blacklist definition.

Both are fairly short. The rest of pf.conf is inconsequential to my problem/question.

FWIW, I've sort of come to the conclusion by experimentation that changing net.pf.source_nodes_hashsize doesn't seem to have any effect.

Thanks in advance…

-- sw

man pf should have the answers to both questions:

net.pf.states_hashsize Size of hash tables that store states. Should be power of 2. Default value is 131072.

net.pf.source_nodes_hashsize Size of hash table that store source nodes. Should be power of 2. Default value is 32768.

@jlduran --

You write:

man pf should have the answers to both questions:

Doh! Of course it does… Linux brain rot ;-)

All --

I solved my problem… I was setting

set limit { table-entries 800000 }

in the anchor definition and not in the main part of the configuration for pf. The sum of all entries in all tables in all anchors must be less than or equal to table-entries…it's a hard limit. I don't know why I thought the limit was anchor-local and not pf-global. Anyway, moving it to the right place in the pf configuration solved my problem and my blacklists are loading without issue on my 1Gb nanode.

FWIW, the sysctl net.pf.request_maxcount is a hard limit on the value of table-entries.

Thanks, everyone, for all your kind responses.

-- sw
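A small sizing check for the fix described above, added here as an example and not part of the thread or of pf itself: it counts the loadable entries in the blacklist files an anchor will pull in, compares the total against the table-entries value you intend to set and against the net.pf.request_maxcount ceiling, and only then emits the `set limit` line that belongs in the main pf.conf rather than in the anchor. The sample files, the 2000000 ceiling and the file names are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): size the global pf table-entries limit
# from the table files and check it against net.pf.request_maxcount.

# Count entries pfctl would load from one or more "persist file" tables:
# blank lines and lines that are only a '#' comment are skipped.
count_table_entries() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$@"
}

# Return 0 when 'needed' entries fit under 'limit' and 'limit' itself does
# not exceed 'maxcount' (net.pf.request_maxcount is a hard ceiling on it).
# Returns 2 for a limit above the ceiling, 1 for tables that do not fit.
check_table_limit() {
    ctl_needed=$1 ctl_limit=$2 ctl_maxcount=$3
    if [ "$ctl_limit" -gt "$ctl_maxcount" ]; then
        echo "table-entries $ctl_limit exceeds net.pf.request_maxcount $ctl_maxcount" >&2
        return 2
    fi
    if [ "$ctl_needed" -gt "$ctl_limit" ]; then
        echo "tables hold $ctl_needed entries but table-entries is only $ctl_limit" >&2
        return 1
    fi
    return 0
}

# --- demo with constructed sample files (not the poster's real lists) ---
demo_dir=$(mktemp -d)
printf '# constructed sample\n192.0.2.0/24\n198.51.100.0/24\n\n203.0.113.0/24\n' \
    > "$demo_dir/bl-nets4.conf"
printf '2001:db8::/32\n# comment only\n' > "$demo_dir/bl-nets6.conf"

needed=$(count_table_entries "$demo_dir"/bl-*.conf)   # 4 entries across both files
# On FreeBSD read the real ceiling with: sysctl -n net.pf.request_maxcount
# A constructed constant is used here so the script runs offline.
maxcount=2000000
limit=800000   # the value the thread settled on

if check_table_limit "$needed" "$limit" "$maxcount"; then
    # This line goes in the main body of pf.conf, not inside the anchor file;
    # the sum of entries in every table in every anchor must stay under it.
    echo "set limit { table-entries $limit }"
fi
rm -rf "$demo_dir"
```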

@sw can you contact me? I'd like to discuss FreeBSD and pf, and while I am running it on a Linode I do have some questions: one of them is in regards to pf, the other is in regards to IPv6, if you're running that.

@stevewi Apologies if this comes through twice. Can you contact me privately? I'd like to discuss FreeBSD and pf, and while I am running it on a Linode I do have some questions: one of them is in regards to pf, the other is in regards to IPv6, if you're running that.

@tech43 --

Go to https://niteflyte.net. You'll get a 403 Forbidden error but there will be an email address on the tombstone. You can email me there. I'll leave that page up until I hear from you or until 6/7/2020 @ 12n PDT.

-- sw

@tech43 --

Go to https://niteflyte.net. You'll get a 403 Forbidden error but there will be an email address on the tombstone. You can email me there. I'll leave that page up until I hear from you or until 6/8/2020 @ 8am PDT.

-- sw
