Blocking large numbers of networks
I'm looking for some advice regarding the best way to set up firewall rules to block unwanted networks.
Simply put, I'm using fail2ban on one of my outward-facing machines, and using some scripts, I periodically check for networks which have a fairly large number of bans and add those networks to a pfsense rule to block any packets originating from said networks.
For now, I've been putting /16s into a single alias entry containing those networks which I want to block using firewall rules. This alias is, of course, referenced as the source IP/network in a block rule on my WAN interface.
Although I haven't noticed a performance impact from doing this, I have a suspicion that it's probably not the most ideal way to handle this and was wondering if the community could provide some guidance as to the best way to handle large lists of blocked networks. For example, I suspect that it might be better to limit the number of networks in a given alias and separate into multiple firewall rules.
At what point should I start being concerned about the number of networks in a single alias?
Are there any other ways to do this?
Any other questions or thoughts that I haven't mentioned above?
Thanks in advance for your help and input.
You shouldn't be concerned when you're blocking /16s. Chances are your hardware can handle the list, and if you're curious about other ways you can install pfBlocker and start using that.
I once did a test on an old Dell server running pfSense and found the magic number of IPs required to knock the performance slightly. It was insanely huge, so chances are you're safe.
On a related note, IP tables handled changes to the same alias and matching just fine, and this was an older version of pfSense, so it's probably not a problem.
Look at the options under Firewall > Aliases, URLs. Options exist there for aliases numbering into the tens of thousands.
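As an added illustration of the workflow the original post describes (counting fail2ban bans per /16 and feeding the result to a block alias) and of the URL-alias suggestion in the last reply, here is a small script that is not the poster's own nor part of pfSense or fail2ban. It assumes fail2ban's default action log format ("... NOTICE [jail] Ban 203.0.113.7"), assumes a pfSense URL table alias consumes one CIDR per line, and uses constructed sample log lines with documentation-range addresses. It also adds a check the thread does not mention: a /16 is coarse, so any prefix overlapping an allowlisted range (your own or a partner's) is left out.

```python
"""Aggregate fail2ban bans into /16 prefixes for a pfSense block alias.

Added example, not code from the original thread. Assumptions are
noted in the comments.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of fail2ban's action log
# (assumed format; a real log may differ slightly).
SAMPLE_LOG = """\
2024-01-10 03:11:02,118 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2024-01-10 03:14:45,002 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.99
2024-01-10 03:20:11,440 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.200.4
2024-01-10 03:25:18,771 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.12
2024-01-10 03:27:03,910 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.7
2024-01-10 03:31:55,120 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.13
2024-01-10 03:33:27,515 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.1
"""

# Case-sensitive on purpose so "Unban ..." lines are not counted as bans.
BAN_RE = re.compile(r"\bBan\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def count_bans_per_prefix(log_text, prefix_len=16):
    """Return a Counter mapping each /prefix_len network to the number of
    ban events that fell inside it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed address in the log line; skip it
        counts[net] += 1
    return counts


def select_prefixes(counts, threshold, allowlist=()):
    """Pick networks with at least `threshold` bans, dropping any that
    overlap an allowlisted network, since a /16 block is coarse enough
    to catch legitimate sources that share the prefix."""
    keep = [ipaddress.ip_network(a) for a in allowlist]
    chosen = []
    for net, n in counts.items():
        if n < threshold:
            continue
        if any(net.overlaps(a) for a in keep):
            continue
        chosen.append(net)
    return sorted(chosen)


def render_alias(networks):
    """One CIDR per line, the format assumed for a pfSense URL table alias
    fetched from a web server you control."""
    return "".join(f"{net}\n" for net in networks)


if __name__ == "__main__":
    counts = count_bans_per_prefix(SAMPLE_LOG)
    nets = select_prefixes(counts, threshold=2, allowlist=["198.51.100.0/24"])
    print(render_alias(nets), end="")
```

Run it on your real fail2ban log and publish the output file where pfSense can fetch it; with the sample above and a threshold of 2, 203.0.0.0/16 is emitted while 198.51.0.0/16 is held back because it overlaps the allowlisted /24.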