Firewall ruleset length - rule-import problem + how does alias work

  • Hello Together,

    I have two questions for you regarding my firewall ruleset, or more specifically the length of it.

    I am currently testing pfSense and I have trouble importing a large ruleset. I tried it with easyrule on the CLI, but it gets really slow after 2,000 entries. So I tried to generate the config.xml file to import a large ruleset. It works fine with 2,000 rules, but with 20,000 pfSense doesn't take the XML file. I can select and upload it in the Restore section of the web GUI, but when I click Restore Configuration I get a PHP gateway timeout. After 2 or 3 minutes I can access the web GUI again, and 20 minutes later the website isn't available anymore (timeout). After these 20 minutes I can connect via PuTTY -> SSH and log in, but I cannot access the shell.

    My hardware has 2 cores @ 3.3 GHz and 4 GB of RAM, and I am running pfSense version 2.3.2 x64.

    The second question I have for you is: do you know how aliases work? If I put 140 'source' hosts and 140 'destination' hosts in 2 different aliases and connect them via one firewall rule, does pfSense internally expand this to 140*140 (~20,000) rules, one for each source-to-destination connection, or how does it work?

    So maybe you can tell me how I am able to get this amount of rules into a pfSense firewall.

    Thank you very much and have a nice weekend.

  • LAYER 8 Netgate

    I can see how 20000 rules would make the GUI have trouble. Same sort of thing happens with lots and lots and lots of interfaces.

    20,000 rules? Maybe if you describe what you're trying to do someone might see a better way to accomplish the task.

    Regarding aliases, each alias is a table and the rule will have a table of source addresses and a table of destination addresses. If a match is found in both and all other conditions are met, the rule will match. Alias tables can have tens of thousands of entries. You would typically load them from a URL (Firewall > Aliases, URLs
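    To illustrate the table semantics described in the reply above, here is a small Python model of how one rule with a source alias and a destination alias is evaluated. This is an added example, not pfSense code: the tables, host lists and packets are constructed, and pfSense interface rules are modelled as first-match. The point is that the 140 x 140 combinations from the question are covered by a single rule with two table lookups, not by 19,600 expanded rules.

```python
import ipaddress

# Constructed data: 140 source hosts and 140 destination hosts, as in the question.
SRC_HOSTS = [f"10.1.0.{i}" for i in range(1, 141)]
DST_HOSTS = [f"192.0.2.{i}" for i in range(1, 141)]


def build_table(entries):
    """An alias becomes one table holding hosts and/or CIDR networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_table(addr, table):
    """Membership test against a table; CIDR entries match any address inside them."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in table)


def rule_matches(rule, pkt):
    """A rule matches when the source is in its source table AND the
    destination is in its destination table (other conditions omitted here)."""
    return in_table(pkt["src"], rule["src_table"]) and in_table(pkt["dst"], rule["dst_table"])


def first_match(rules, pkt):
    """Simplified first-match evaluation; None means no rule matched (implicit default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return None


def address_pairs_covered(rule):
    """How many (source, destination) address pairs a single rule covers."""
    src = sum(net.num_addresses for net in rule["src_table"])
    dst = sum(net.num_addresses for net in rule["dst_table"])
    return src * dst


# One rule referencing two aliases: the ruleset stays at length 1.
RULES = [
    {
        "action": "block",
        "src_table": build_table(SRC_HOSTS),
        "dst_table": build_table(DST_HOSTS),
    }
]

if __name__ == "__main__":
    print("rules in ruleset:", len(RULES))
    print("address pairs covered by rule 0:", address_pairs_covered(RULES[0]))
    print(first_match(RULES, {"src": "10.1.0.7", "dst": "192.0.2.99"}))
```

    Because each alias is a table, adding hosts to an alias grows the table, not the ruleset, which is why the GUI and the rule loader are not affected the way 20,000 individual rules would affect them.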

    I have the following task. A script on a mail server analyzes spam messages and generates a list of IP addresses that send the most spam emails. After a few days, an address is removed from the list. But if it sends spam again, it is added again, and so on. So I have a list that is constantly updated (once a day).
    I need pfSense to block IP connections from the IP addresses on this list. I would like it to automatically take this file daily, but I don't know how to do it easily.

    Currently, I'm transferring this list daily to pfSense the following way. I have created a Firewall IP Alias in pfSense via Firewall -> Aliases -> Import. Then I have specified this alias in the Firewall Rules. But the problem is that updating this list each day involves a lot of manual labor: I have to create an alias with a new name (since it doesn't accept updating existing aliases when importing from a text file), then I change the Firewall Rules to use the new name, then I delete the old alias. How can I automate this?

  • LAYER 8 Netgate

    Put the list somewhere pfSense can grab it such as on a web server, etc, and update it there.

    Create a URL Table type alias. The value after the / is the update frequency in days (from 1 to 128).

  • LAYER 8 Global Moderator

    "A script on a mail server analyzes spam messages and generates a list of IP addresses that send most spam emails."

    Derelict has given you the answer already, but I am curious what you mean by most? So if an IP sends you 1 verified spam, are they put on the list.. Or do multiple emails have to come in that meet what exactly for spam criteria? So what triggers an IP to get put on the list exactly..

    I know this is above and beyond what you asked for - but very curious since back in the day, I fought the good fight of blocking spam ;) So curious what you're doing with some details. If you don't mind - TIA!
