Netgate Discussion Forum
    Blocking large numbers of networks

    Firewalling · 3 Posts, 3 Posters, 581 Views
    • shmuel.levine

      Hi,
      I'm looking for some advice regarding the best way to set up firewall rules to block unwanted networks.

      Simply put, I'm using fail2ban on one of my outward-facing machines, and using some scripts, I periodically check for networks which have a fairly large number of bans and add those networks to a pfSense rule to block any packets originating from said networks.

      For now, I've been putting /16s into a single alias entry containing those networks which I want to block using firewall rules.  This alias is, of course, referenced as the source IP/network in a block rule on my WAN interface.

      Although I haven't noticed a performance impact from doing this, I have a suspicion that it's probably not the most ideal way to handle this and was wondering if the community could provide some guidance as to the best way to handle large lists of blocked networks.  For example, I suspect that it might be better to limit the number of networks in a given alias and separate them into multiple firewall rules.

      At what point should I start being concerned about the number of networks in a single alias?
      Are there any other ways to do this?
      Any other questions or thoughts that I haven't mentioned above?

      Thanks in advance for your help and input.

      Regards,
      Shmuel

      • isolatedvirus

        You shouldn't be concerned when you're blocking /16s. Chances are your hardware can handle the list, and if you're curious about other ways, you can install pfBlocker and start using that.

        I once did a test on an old Dell server running pfSense and found the magic number of IPs required to knock the performance slightly. It was insanely huge, so chances are you're safe.

        On a related note, IP tables handled changes to the same alias and matching just fine, and this was an older version of pfSense, so it's probably not a problem.

        • Derelict (LAYER 8, Netgate)

          Look at the options under Firewall > Aliases, URLs. Options exist there for aliases numbering into the tens of thousands.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

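The workflow described in the opening post (count fail2ban bans per /16 and push the busy prefixes into a block alias), combined with the URL-table alias that Derelict points at, written out as an added Python example. This is not code from the thread, from fail2ban or from pfSense. It assumes fail2ban's default action log line shape ("NOTICE [jail] Ban a.b.c.d"), counts distinct banned hosts per prefix rather than raw ban events (one noisy host re-banned ten times should not promote its whole /16), keeps an allowlist so your own ranges can never land in the table, and emits the plain one-network-per-line text that a pfSense URL Table alias fetches. The sample log lines, the existing table contents and the allowlist range are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of fail2ban action log lines (documentation address ranges, not real bans).
SAMPLE_LOG = """\
2024-05-01 10:00:01,123 fail2ban.actions [123]: NOTICE [sshd] Ban 203.0.113.10
2024-05-01 10:02:11,456 fail2ban.actions [123]: NOTICE [sshd] Ban 203.0.113.77
2024-05-01 10:05:30,789 fail2ban.actions [123]: NOTICE [sshd] Ban 203.0.113.200
2024-05-01 10:07:02,001 fail2ban.actions [123]: NOTICE [sshd] Unban 203.0.113.10
2024-05-01 11:00:00,002 fail2ban.actions [123]: NOTICE [sshd] Ban 198.51.100.5
2024-05-01 11:30:00,003 fail2ban.actions [123]: NOTICE [sshd] Ban 192.0.2.9
2024-05-01 11:45:00,004 fail2ban.actions [123]: NOTICE [sshd] Ban 192.0.2.9
"""

# Constructed contents of a table the firewall is already fetching (comments allowed, one network per line).
EXISTING_TABLE = """\
# blocked networks, maintained by the ban-aggregation script
203.0.113.0/24
"""

# Matches only "Ban <ipv4>"; "Unban" lines do not match because the regex is case-sensitive.
BAN_RE = re.compile(r"\bBan\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_bans(log_text):
    """Return the IPv4 addresses fail2ban reports as banned (Unban lines are ignored)."""
    ips = []
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            ips.append(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # skip a malformed address rather than aborting the whole run
    return ips


def distinct_hosts_by_prefix(ips, prefixlen=16):
    """Map each /prefixlen network (as a string) to the set of distinct banned hosts inside it."""
    buckets = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        buckets[str(net)].add(str(ip))
    return dict(buckets)


def select_networks(buckets, threshold, allowlist=()):
    """Networks with at least `threshold` distinct banned hosts, minus any that overlap the allowlist.

    The allowlist is the guard against locking yourself out: a /16 that happens to contain
    your own office or VPN range is never promoted, however many bans it collected.
    """
    allow = [ipaddress.ip_network(a) for a in allowlist]
    chosen = []
    for net_str, hosts in buckets.items():
        net = ipaddress.ip_network(net_str)
        if len(hosts) < threshold:
            continue
        if any(net.overlaps(a) for a in allow):
            continue
        chosen.append(net)
    return [str(n) for n in sorted(chosen)]


def render_alias_table(networks, existing_text=""):
    """Merge new networks into an existing table and return one CIDR per line.

    Overlapping and adjacent entries are collapsed, so a /24 already in the file disappears
    once its covering /16 is added; the table stays as small as the block set allows.
    """
    nets = {ipaddress.ip_network(n) for n in networks}
    for line in existing_text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if entry:
            nets.add(ipaddress.ip_network(entry, strict=False))
    # collapse_addresses rejects mixed address families, so keep the table IPv4-only here.
    collapsed = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    return "\n".join(str(n) for n in collapsed) + "\n"


if __name__ == "__main__":
    banned = parse_bans(SAMPLE_LOG)
    by_prefix = distinct_hosts_by_prefix(banned)
    # 192.0.2.0/24 stands in for "our own" range and must never be blocked.
    promoted = select_networks(by_prefix, threshold=2, allowlist=["192.0.2.0/24"])
    print(render_alias_table(promoted, EXISTING_TABLE), end="")
```

Run it on a cron schedule, write the output where the web server that the URL Table alias points at can serve it, and let pfSense's own refresh interval pull the list; the firewall side then needs only the one block rule referencing the alias, whatever the table's size. Raise `threshold` or lower `prefixlen` if /16 blocks prove too coarse for your traffic.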
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.