Netgate Discussion Forum
    Blocking large numbers of networks

    Firewalling
shmuel.levine last edited by

      Hi,
      I'm looking for some advice regarding the best way to set up firewall rules to block unwanted networks.

      Simply put, I'm using fail2ban on one of my outward-facing machines, and using some scripts, I periodically check for networks which have a fairly large number of bans and add those networks to a pfsense rule to block any packets originating from said networks.

For now, I've been putting /16s into a single alias containing those networks which I want to block using firewall rules. This alias is, of course, referenced as the source IP/network in a block rule on my WAN interface.

Although I haven't noticed a performance impact from doing this, I have a suspicion that it's probably not the most ideal way to handle this and was wondering if the community could provide some guidance as to the best way to handle large lists of blocked networks. For example, I suspect that it might be better to limit the number of networks in a given alias and separate them into multiple firewall rules.

      At what point should I start being concerned about the number of networks in a single alias?
      Are there any other ways to do this?
      Any other questions or thoughts that I haven't mentioned above?

      Thanks in advance for your help and input.

      Regards,
      Shmuel

isolatedvirus last edited by

You shouldn't be concerned when you're blocking /16s. Chances are your hardware can handle the list, and if you're curious about other ways you can install pfBlocker and start using that.

I once did a test on an old Dell server running pfSense and found the magic number of IPs required to knock the performance slightly. It was insanely huge, so chances are you're safe.

On a related note, IP tables handled changes to the same alias and matching just fine, and this was an older version of pfSense, so it's probably not a problem.

Derelict LAYER 8 Netgate last edited by

          Look at the options under Firewall > Aliases, URLs. Options exist there for aliases numbering into the tens of thousands.

© 2021 Rubicon Communications, LLC
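One way to feed a URL Table alias like the one Derelict mentions, as an added example that is not code from the thread: aggregate fail2ban bans per /16 as the original poster describes, keep only the networks that exceed a threshold, and emit the one-CIDR-per-line file the alias fetches. The log lines, the threshold and the `exclude` allowlist of networks that must never be blocked are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample fail2ban log lines (documentation address ranges, not real data).
SAMPLE_LOG = """\
2021-03-01 10:00:01,001 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2021-03-01 10:00:05,002 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.99
2021-03-01 10:01:09,003 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.200.5
2021-03-01 10:02:10,004 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.4
2021-03-01 10:03:11,005 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.7
2021-03-01 10:04:12,006 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.1
"""

# Matches "Ban <ipv4>" but not "Unban" (case-sensitive, word boundary before "Ban").
BAN_RE = re.compile(r"\bBan (\d{1,3}(?:\.\d{1,3}){3})\b")


def count_bans_per_network(log_text, prefixlen=16, exclude=()):
    """Count distinct banned hosts per IPv4 /prefixlen network.

    `exclude` lists CIDRs (e.g. your own ranges) whose hosts are never counted,
    so a misconfigured client cannot get your own network onto the block list.
    """
    excluded = [ipaddress.ip_network(c) for c in exclude]
    seen = set()
    counts = Counter()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:  # malformed octet such as 999.1.1.1
            continue
        if addr in seen or any(addr in n for n in excluded):
            continue
        seen.add(addr)
        counts[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)] += 1
    return counts


def networks_to_block(log_text, threshold, prefixlen=16, exclude=()):
    """Return sorted CIDR strings with at least `threshold` distinct banned hosts."""
    counts = count_bans_per_network(log_text, prefixlen, exclude)
    nets = [n for n, c in counts.items() if c >= threshold]
    # collapse_addresses merges adjacent networks and sorts the result.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def render_alias_file(cidrs):
    """One CIDR per line: the plain-text format a pfSense URL Table alias fetches."""
    return "".join(f"{c}\n" for c in cidrs)
```

Write the rendered text to a path your web server publishes and point the URL Table alias at it; pfSense refreshes the table on the alias's update schedule, so changes do not need a manual rule edit.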