Max firewall rules allowed
-
Hello,
I am curious to know if there is a hard limit on how many firewall rules are allowed to be created. I also need to know if there is a limit on aliases and how many hosts/IP addresses/ports can be nested within a single alias. If I need to expand my question further, please let me know. I want to build block rules for large lists of subnets and ports. We started using pfBlocker to accomplish this same task, but I am having issues with it blocking all traffic after a reboot.
Thanks,
Kud
-
@kud My guess is that the hard limit for firewall rules is likely somewhere in the 2^64 (or 1.8447×10^19) ballpark (assuming you are running on 64-bit hardware). I do not think there is a consumer device today that can hold enough RAM to allow this hard limit to be reached. So the answer to your question is likely "it depends on how much RAM you have". Or, if you have more RAM than disk space, then the disk space may be the limiting factor.
I would guess it is similar for an alias.
If your alias will have pools of IPs, then it would be better to list these IPs consecutively where possible. For instance, if you wanted to block LAN traffic to the 192.168.x.x network, the alias would contain 192.168.0.0/16. This would block everything from 192.168.0.0 to 192.168.255.255.
If the aliases are done correctly, then a side effect would be a lower number of individual firewall rules.
I do not know what the end goal is. But if more things are being blocked/rejected than passed, then it makes more sense to block everything and put the pass rules above the block-everything rule.
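The aggregation the answer above recommends (listing IPs consecutively so an alias holds a few CIDR blocks instead of thousands of individual hosts), as an added example that is not part of this forum thread or of pfSense itself. It uses only Python's standard `ipaddress` module; the sample entries are constructed for illustration, and the function names `aggregate` and `is_blocked` are mine. It goes slightly beyond the single /16 case in the post: it takes any mix of hosts and subnets (IPv4 and IPv6), merges adjacent blocks, drops entries already covered by a larger block, and then lets you check whether a given address would fall inside the resulting alias.

```python
"""Collapse a list of hosts/subnets into the fewest CIDR blocks and check
membership. Added example, not code from the forum thread or from pfSense."""
import ipaddress

# Constructed sample input: single hosts and subnets, deliberately including
# adjacent, overlapping and already-covered entries.
SAMPLE_ENTRIES = [
    "192.168.0.0/24",
    "192.168.1.0/24",      # adjacent to the /24 above -> merges into a /23
    "192.168.1.17",        # already covered by 192.168.1.0/24
    "10.0.0.0/8",
    "10.20.30.40",         # covered by 10.0.0.0/8
    "203.0.113.5",
    "203.0.113.4",         # .4 and .5 are consecutive -> merge into a /31
    "198.51.100.0/25",
    "198.51.100.128/25",   # merges with the other /25 into 198.51.100.0/24
]


def aggregate(entries):
    """Return the minimal list of CIDR strings covering every entry.

    Single hosts may be given without a prefix length. IPv4 and IPv6 are
    collapsed separately because collapse_addresses() refuses mixed versions.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    result = []
    for version in (4, 6):
        same_version = [n for n in nets if n.version == version]
        # collapse_addresses merges adjacent blocks and removes covered ones
        result.extend(str(n) for n in ipaddress.collapse_addresses(same_version))
    return result


def is_blocked(addr, cidrs):
    """True if addr falls inside any of the aggregated blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    blocks = aggregate(SAMPLE_ENTRIES)
    print(f"{len(SAMPLE_ENTRIES)} entries collapsed to {len(blocks)} CIDRs:")
    for block in blocks:
        print("  ", block)
    print("10.20.30.40 blocked:", is_blocked("10.20.30.40", blocks))
    print("192.168.2.1 blocked:", is_blocked("192.168.2.1", blocks))
```

The nine sample entries collapse to four blocks. Feeding the collapsed list into an alias, rather than the raw list, is what keeps the alias (and therefore the rule table the firewall has to evaluate) small, which is the side effect the answer describes.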
-
Thank you very much for that detailed response. This helps greatly. For the most part, our pfSense box is in an allow-all mode, but we restrict access by IP address at the OS level. Obviously, this is an issue for users that do not have static IP addresses, but we want to restrict access at the pfSense level. So our thought is to create aliases and, with monitoring and scripting, add block rules dynamically for IP addresses that are from specific countries as well as brute force attempts. I am sure pfBlocker is probably a better route, but I am just not familiar enough with it to know if it is working or not. Plus, I had an issue where all traffic was blocked after a reboot and had to disable it. Anyway, thanks again for taking the time to answer my question. Our hardware is an old Dell R710 dual-CPU server with, I think, 128 GB of RAM.
Take care!
Kud