Firewall rules with ~1100 entrys?

maboo · May 30, 2008, 8:41 PM

I am the admin of several forums on the internet, and I am getting tired of the chinese spammers. So I created a rule list that blocks the ips associated with china (http://www.apnic.net/apnic-bin/ipv4-by-country.pl?country=cn).

There is a total of ~1100 lines, is this too big for pfSense, or should I cut it down?

I am using pfSense 1.3 on an Alix2c3.

TIA.

dotdash · Jul 1, 2008, 1:48 PM

pfSense uses pf, not ipf. Otherwise it would be ipfSense.
Anyway, I think you would be better off using an Alias with only the subnets in it and applying a block rule with the source as the Alias. You'd have to hack it into the xml and reload to avoid manual entry.
The problem is that Alias' are currently limited to 98 entries. This increases in 1.2.1, but only to 298.
Perhaps you could use multiple Alias' or consolidate some blocks…

maboo · May 31, 2008, 12:41 AM

Here is the firewall as XML, all ready to paste into the xml configuration.

filewall.txt

flachance · Jul 1, 2008, 6:00 AM

I would like to apply those rules too, but I'm not sure what XML file you are referring to. I did a search of my hard drive but couldn't figure out which XML file would contain this list.

Thanks!

dotdash · Jul 1, 2008, 1:47 PM

You would have to save your current config, open the file in an XML editor and paste the lines in under the 'filter' section.

flachance · Jul 1, 2008, 3:54 PM

Thanks for your help maboo. Unfortunately, I need more specific instructions. What do you mean by

You would have to save your current config

Do you mean manually copying an XML file or using the Backup/Restore function off the Diagnostic menu?

open the file in an XML editor

WHICH file are you referring to (that is the question I originally asked in my previous post)? Please provide the file name and full path.

Thank you for your patience in this.

;D

dotdash · Jul 1, 2008, 4:41 PM

Go to diagnostics, backup/restore in pfSense.
Click 'download configuration' (all) and save the XML file.
You should have your config file- named something like config-pfsense.local-2008070112345.xml
Edit the xml file you have downloaded. For a cut-up job like this, I would use TedPad http://jsimlo.sk/notepad/download.php Paste the text in after <filter>5) Save the modified file.
Go back to the backup/restore screen and restore, using the modified file.
Cross your fingers while it reboots and hope it doesn't blow up.
8 ) Go back into the webgui and enjoy the fact that it now takes five minutes to load the rules.
I am still of the opinion that this would be better done using alias' and less rules.</filter>

maboo · Jul 31, 2008, 8:31 PM

thanks for your help dotdash. I am looking up on how to convert this to an alias, and will perform some quick benchmarking, and will report back here.

I am currently using this (as described here) for my firewall, and all seems to work without complaints. However if it would work better another way, I am all for it!

-Maboo