1
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 03:50:45 pm »
Hi Franco,
The patch seems to work from my end.
Thanks a lot.
The patch seems to work from my end.
Thanks a lot.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
Zenarmor (Sensei) / Re: 1.18 Wireguard is disconnected
« on: October 25, 2024, 02:51:51 pm »
Just to verify. Zenarmor is checking the wireguard interface?
3
Zenarmor (Sensei) / Re: 1.18 Wireguard is disconnected
« on: October 25, 2024, 09:01:49 am »
I see similar behavior. I disabled WG for now.
4
Zenarmor (Sensei) / Re: Certain SunnyValley packages not updating after upgrade to 24.7
« on: July 27, 2024, 09:33:27 am »
I did a 'pkg upgrade' on the command line and that seemed to fix it.
Sent from my iPhone using Tapatalk
Sent from my iPhone using Tapatalk
5
24.1 Legacy Series / CPU usage /usr/local/opnsense/scripts/filter/update_tables.py
« on: June 25, 2024, 11:47:40 pm »
Hi all,
When an alias is changed via Firewall -> Aliases -> Apply, the script /usr/local/opnsense/scripts/filter/update_tables.py is run from the cron every minute to make sure that pf actually picks up the change, as I understand it.
However, running this script takes about 10 to 20 seconds during which the CPU gets stressed quite severly. This behavior is seen for quite some years now and I have not been able to fix this.
I did a python trace on the update_tables.py script and it is executing the /usr/local/opnsense/scripts/filter/lib/alias/pf.py file for example about 13 million times. That surely explains the CPU load, I guess. I do have some aliases (of 'URL Table (IPs)' type) some of which are quite big (more than 200,000 IP addresses). Am I doing something wrong with my firewall alias settings? I have seen some other mentions by people seeing similar behavior with the update_tables.py script, but unfortunately not with a fix.
Hopefully someone can help me with odd behavior. If I need to provide more information, please let me know. Thank you very much.
When an alias is changed via Firewall -> Aliases -> Apply, the script /usr/local/opnsense/scripts/filter/update_tables.py is run from the cron every minute to make sure that pf actually picks up the change, as I understand it.
However, running this script takes about 10 to 20 seconds during which the CPU gets stressed quite severly. This behavior is seen for quite some years now and I have not been able to fix this.
I did a python trace on the update_tables.py script and it is executing the /usr/local/opnsense/scripts/filter/lib/alias/pf.py file for example about 13 million times. That surely explains the CPU load, I guess. I do have some aliases (of 'URL Table (IPs)' type) some of which are quite big (more than 200,000 IP addresses). Am I doing something wrong with my firewall alias settings? I have seen some other mentions by people seeing similar behavior with the update_tables.py script, but unfortunately not with a fix.
Hopefully someone can help me with odd behavior. If I need to provide more information, please let me know. Thank you very much.
6
23.1 Legacy Series / Re: IPv6 PD not work after update OPNSense from 22.7.11->23.1_6
« on: March 20, 2023, 03:20:32 pm »
@gpb, if this happens again, could you execute this:
/usr/local/etc/rc.configure_interface wan
Maybe that will restore things?
/usr/local/etc/rc.configure_interface wan
Maybe that will restore things?
7
22.7 Legacy Series / Re: Constant CPU Spikes
« on: January 02, 2023, 01:55:39 pm »
Hi,
I see them too. Maybe they are caused by this cron job:
* * * * * (/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py) > /dev/null
This job runs every minute and causes my CPU (same as yours) to spike for about 10 seconds.
I see them too. Maybe they are caused by this cron job:
* * * * * (/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py) > /dev/null
This job runs every minute and causes my CPU (same as yours) to spike for about 10 seconds.
8
22.7 Legacy Series / Re: Lower cpu load during idle in 22.7.5 when using suricata
« on: October 07, 2022, 11:06:10 am »
Hi,
I noticed a drop in CPU load as well. I have proof in a Zabbix graph, which I'm unable to upload I'm afraid.
Franco,
No negativity from my end. You guys are doing an excellent job. Better support than many enterprises deliver these days. So keep up the fantastic work and many thanks from a former pfSense user.
I noticed a drop in CPU load as well. I have proof in a Zabbix graph, which I'm unable to upload I'm afraid.
Franco,
No negativity from my end. You guys are doing an excellent job. Better support than many enterprises deliver these days. So keep up the fantastic work and many thanks from a former pfSense user.
9
22.1 Legacy Series / Re: ZPOOL Features - any recommendations ?
« on: March 17, 2022, 03:03:19 pm »
Hi Patrick,
I'm in the same boat as devhunter55, where zroot requires a zfs upgrade. However, I don't want to render my firewall unbootable after running the 'zpool upgrade zroot' command. Would it be a risk or inadvisable not to upgrade the pool?
Kind regards
Jan-Willem
I'm in the same boat as devhunter55, where zroot requires a zfs upgrade. However, I don't want to render my firewall unbootable after running the 'zpool upgrade zroot' command. Would it be a risk or inadvisable not to upgrade the pool?
Kind regards
Jan-Willem
10
Intrusion Detection and Prevention / Re: Apply policy from the commandline
« on: November 14, 2021, 05:18:12 pm »
Hi Fright,
Thanks for this and replying so quickly.
The commands ran without an issue, so that seems solved.
No irregular activity can be found in the Diagnostics are there.
I guess case closed.
Thanks again.
Thanks for this and replying so quickly.
The commands ran without an issue, so that seems solved.
No irregular activity can be found in the Diagnostics are there.
I guess case closed.
Thanks again.
11
Intrusion Detection and Prevention / Apply policy from the commandline
« on: November 14, 2021, 02:44:18 pm »
Hi,
I try to apply a suricata policy from the GUI but keep getting errors. It seems like a timeout of some sorts. The configd.log says the following:
unable to sendback response [OK ] for [ids][install][['rules']] {6fc08c2d-8d49-491a-8cdf-ac51ec4a6fc2}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe
Is there a way to apply a policy using the console, by using configctl?
Thanks.
I try to apply a suricata policy from the GUI but keep getting errors. It seems like a timeout of some sorts. The configd.log says the following:
unable to sendback response [OK ] for [ids][install][['rules']] {6fc08c2d-8d49-491a-8cdf-ac51ec4a6fc2}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe
Is there a way to apply a policy using the console, by using configctl?
Thanks.
Pages: [1]