Topic: 85 Meg .XML (config) file.  (Read 3862 times)
« on: November 19, 2007, 04:02:58 »
transam101 *
Posts: 8

Ok all,
     I have a config file full of blocked IPs that I would like all my clients to stay away from.  I have validated my XML config and I know it's in "good form", but Monowall has no response when I spend 10 minutes trying to upload the thing.  My browser does not appear to time out and spends a good 10 minutes uploading the config file.  Monowall does not reboot after the upload completes.

I have manually rebooted after uploads, but nothing seems to take.  Did I reach a maximum limit for the .xml file?  Is there a better way than uploading this thing through the web interface?

Please let me know your thoughts!
Erik
« Reply #1 on: November 20, 2007, 16:30:22 »
bitonw **
Posts: 79

is your .xml config file 85mb in size? on what box are you running m0n0wall? how much mem does it have?
« Reply #2 on: November 22, 2007, 13:56:03 »
transam101 *
Posts: 8

is your .xml config file 85mb in size? on what box are you running m0n0wall? how much mem does it have?

Yes, the config file is 85 MB in size and is a monster.  My monowall config is set up on a Pentium 3 500 MHz PC with 64 MB of RAM.  I didn't realize it at the time I posted this; I thought she had at least 256 MB of memory.

What is the minimal amount of "free" memory one should have after uploading their config file to allow monowall room to breathe?  Thank You!

TA101
« Reply #3 on: November 23, 2007, 14:06:29 »
bitonw **
Posts: 79

hmmm not sure but with only 64mb a config file of 85mb will not really fit. m0n0wall needs a min of 64mb. so try to find some more mem like 256mb and try it again. you can also start m0n0wall with no config other than the default one and check on the system page how much memory is left. then you know.
« Reply #4 on: December 01, 2007, 20:35:27 »
cmb *****
Posts: 851

I have my doubts if m0n0wall would work right with an 85 MB config regardless, but it definitely won't work with only 64 MB RAM.

There has to be a better way to accomplish what you're after than loading up so many rules your config is 85 MB. Forcing all outbound traffic to a proxy server is one thing that comes to mind.
« Reply #5 on: December 03, 2007, 04:55:41 »
transam101 *
Posts: 8

Well, I have a blocklist manager for certain IPs that I wish to block.  If monowall is able to accept a range of addresses (somehow), I feel my config file would shed a few megs.  I have written a script that takes a range of addresses that I wish to block.  (Mostly to block specific outgoing LAN requests.)

for example:  I have a range of addresses...  XXX.YYY.15.1 - XXX.YYY.20.50

The closest option for blocking this address is to simply knock off the host octet by blocking a network of XXX.YYY.20.0.  The only problem with this is that I could be blocking XXX.YYY.20.220, which is not a site I necessarily wish to block.

So my only other option was to programmatically break out my ranges into specific addresses.  This is why the config file grows so large so quickly.

I do agree that a proxy server may increase performance if my config file is so large, but I need to get my config into the firewall first.  I am also open to suggestions if someone has a way to get address ranges into monowall.

Thanks all!
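
An added example, not part of the original post or of m0n0wall: an arbitrary address range can be covered exactly by a short list of CIDR networks instead of one entry per host, so nothing outside the range (such as the .20.220 case above) is blocked. It assumes the firewall rule accepts a network with a prefix length; the sample addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample blocklist (private addresses), one inclusive range per line.
SAMPLE = """\
10.0.15.1 - 10.0.20.50
10.0.20.51 - 10.0.20.63
192.168.7.9 - 192.168.7.9
"""

def parse_ranges(text):
    """Return (start, end) integer pairs from 'a.b.c.d - e.f.g.h' lines."""
    ranges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first, last = (int(ipaddress.IPv4Address(p.strip())) for p in line.split("-"))
        if first > last:
            raise ValueError(f"range start above range end: {line!r}")
        ranges.append((first, last))
    return ranges

def merge_ranges(ranges):
    """Coalesce overlapping or directly adjacent ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def range_to_cidrs(lo, hi):
    """Cover lo..hi exactly with the fewest CIDR blocks, never exceeding hi."""
    blocks = []
    while lo <= hi:
        size = lo & -lo if lo else 1 << 32      # largest block aligned at lo
        while size > hi - lo + 1:               # shrink until it fits the range
            size >>= 1
        blocks.append(ipaddress.IPv4Network((lo, 32 - (size.bit_length() - 1))))
        lo += size
    return blocks

def compile_blocklist(text):
    """Blocklist text -> minimal list of networks for subnet-style rules."""
    return [net for lo, hi in merge_ranges(parse_ranges(text))
            for net in range_to_cidrs(lo, hi)]

if __name__ == "__main__":
    for net in compile_blocklist(SAMPLE):
        print(net)
```

The range in the post's shape (x.y.15.1 to x.y.20.50) comes out as 13 networks covering exactly 1330 addresses, rather than 1330 separate host entries.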
« Reply #6 on: December 03, 2007, 05:01:51 »
transam101 *
Posts: 8

By the way, I have since set up my firewall on a 2.0 GHz AMD with 1 gig RAM, so requirements should no longer be an issue.  Would you agree?

Erik