Netgate Discussion Forum
    Replacing a firewall w/pfsense - Many blocked IPs question.

DennisT

      Our old firewall has years of IPs added to a block list.  They're virus/malware sites.  If I got multiples for a network I often went with a /24 block.

      I started setting up the pfsense firewall (SG-4860) and quickly ended up with a hung session as it choked on a large alias.  I thought about breaking it into smaller chunks with multiple aliases but thought it best to ask here first.  Is there a preferred way to manage a large IP blacklist?

Velcro

I've never managed a large list of malware/virus sites... sounds like a whack-a-mole nightmare!

Maybe look at pfBlockerNG as an alternative? You can add tons of lists maintained by others... I also think you can add your own lists there as well.

        Good luck, hope that helps get you in the right direction....

        V

Derelict (Netgate)

          Maybe just forward DNS to 9.9.9.9 and let someone else hassle it.

DennisT

            Thanks.  I'm looking at pfBlockerNG or possibly just using a block list as discussed here: https://www.linuxincluded.com/using-firewall-block-lists/

            We already use OpenDNS but that isn't effective unless the attacker is using DNS (which many don't).

KOM
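One practical middle ground between a hand-maintained alias and pfBlockerNG is to keep the list as a plain text file and point a pfSense alias of type "URL Table (IPs)" at it, which loads the entries straight into a pf table instead of pushing thousands of rows through the GUI alias editor. The script below is an added example, not code from this thread, from pfSense or from pfBlockerNG. It takes a legacy list in the format assumed here (one IP or CIDR per line, "#" comments), applies the "multiple hosts in a network becomes a /24" rule DennisT describes, refuses to emit private or reserved ranges (a stale list loaded into a block rule can otherwise cut off your own hosts), and collapses the result into the minimal set of CIDRs. The sample input is constructed from documentation ranges, not real threat data; the threshold of two hosts per /24 is a parameter choice, not something the thread specifies.

```python
"""Normalize a legacy firewall block list into a pfSense "URL Table (IPs)" file."""
import ipaddress
from collections import defaultdict

# Constructed sample of a hand-maintained block list (documentation ranges, not real data).
LEGACY_BLOCKLIST = """
# malware c2 seen 2015
198.51.100.7
198.51.100.7            # duplicate entry
198.51.100.19
198.51.100.200
203.0.113.0/24
203.0.113.45            # already covered by the /24 above
192.0.2.10
192.168.1.50            # RFC1918: would block an internal host if loaded
10.0.0.0/8
not-an-ip
"""

# Ranges that must never end up in an inbound/outbound block table (assumed policy).
NEVER_BLOCK = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    )
]


def parse_blocklist(text):
    """Return (networks, rejected): IPv4 networks parsed one entry per line,
    comments stripped; malformed or non-IPv4 lines are collected, not silently dropped."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4:          # this example handles IPv4 only
            rejected.append(entry)
            continue
        networks.append(net)
    return networks, rejected


def promote_to_slash24(networks, threshold=2):
    """Replace single hosts with their /24 when at least `threshold` distinct hosts
    from that /24 are listed (the manual practice described in the thread)."""
    hosts_by_24 = defaultdict(set)
    result = []
    for net in networks:
        if net.prefixlen == 32:
            hosts_by_24[net.supernet(new_prefix=24)].add(net)
        else:
            result.append(net)
    for block, hosts in hosts_by_24.items():
        if len(hosts) >= threshold:
            result.append(block)
        else:
            result.extend(hosts)
    return result


def drop_never_block(networks):
    """Remove anything overlapping private/reserved space; return (kept, dropped)."""
    kept, dropped = [], []
    for net in networks:
        if any(net.overlaps(bad) for bad in NEVER_BLOCK):
            dropped.append(net)
        else:
            kept.append(net)
    return kept, dropped


def build_table(text, threshold=2):
    """parse -> promote -> sanity-filter -> collapse to minimal CIDRs.
    Returns (table_lines, rejected_entries, dropped_networks)."""
    networks, rejected = parse_blocklist(text)
    networks = promote_to_slash24(networks, threshold)
    networks, dropped = drop_never_block(networks)
    lines = [str(net) for net in ipaddress.collapse_addresses(networks)]
    return lines, rejected, dropped


if __name__ == "__main__":
    lines, rejected, dropped = build_table(LEGACY_BLOCKLIST)
    # One CIDR per line: serve this file over HTTP(S) and point a pfSense
    # alias of type "URL Table (IPs)" at it.
    with open("blocklist.txt", "w") as fh:
        fh.write("\n".join(lines) + "\n")
    print(f"{len(lines)} entries written, {len(rejected)} rejected, {len(dropped)} dropped")
```

Review the rejected and dropped lists by hand before publishing the file; a /24 promotion also takes out every neighbour on a shared hosting block, so keep the threshold conservative. After the alias has refreshed, `pfctl -t <alias_name> -T show` on the firewall lists what pf actually loaded, which is the quickest way to confirm the table matches the file.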

              Bad sites come & go all the time.  I can't imagine an ancient list from yesteryear would be useful today.  Now might be the time to scrap it and start over with current data.

johnpoz (Global Moderator)

> We already use OpenDNS but that isn't effective unless the attacker is using DNS (which many don't).

Huh?? You mean if your client gets infected and you're wanting to block it from talking to a CC IP? At a loss as to what such a whack-a-mole policy would do, as stated, other than waste the time of the person trying to maintain such a list.

If you want to block inbound traffic to ports you have open, then block them with something like pfBlocker, where you can block whole regions like bad actor countries, etc. Both inbound and outbound, etc.

If you're worried about clients going to bad sites, then you really should look into some sort of commercial product that maintains bad URLs, be they FQDNs or IPs, like Websense or Zscaler.

Gertjan

@DennisT:

> We already use OpenDNS but that isn't effective unless the attacker is using DNS (which many don't).

                  Thanks !!! Just fine like that.
This one goes to my ;D list...
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.