Replacing a firewall w/pfsense - Many blocked IPs question.



  • Our old firewall has years of IPs added to a block list.  They're virus/malware sites.  If I got multiples for a network I often went with a /24 block.

    I started setting up the pfsense firewall (SG-4860) and quickly ended up with a hung session as it choked on a large alias.  I thought about breaking it into smaller chunks with multiple aliases but thought it best to ask here first.  Is there a preferred way to manage a large IP blacklist?



  • I've never managed a large list of malware/virus sites….sounds like a wack-a-mole nightmare!

    Maybe look at pfBlockerNG as an alternative? You can add tons of lists maintained by others...I also think you can add your own lists there as well.

    Good luck, hope that helps get you in the right direction....

    V


  • LAYER 8 Netgate

    Maybe just forward DNS to 9.9.9.9 and let someone else hassle it.



  • Thanks.  I'm looking at pfBlockerNG or possibly just using a block list as discussed here: https://www.linuxincluded.com/using-firewall-block-lists/

    We already use OpenDNS but that isn't effective unless the attacker is using DNS (which many don't).



  • Bad sites come & go all the time.  I can't imagine an ancient list from yesteryear would be useful today.  Now might be the time to scrap it and start over with current data.


  • LAYER 8 Global Moderator

    "We already use OpenDNS but that isn't effective unless the attacker is using DNS (which many don't)."

    Huh??  You mean if your client gets infected and your wanting block it from talking to CC IP?  At a loss to as stated such a wack a mole policy would do other than waste the person trying to maintain such a lists time.

    If you want to block inbound traffic to ports you have open.. Then block them with something like pfblocker - where you can block whole regions like bad actor countries, etc.  Both inbound or outbound, etc.

    If your worried about clients going to bad sites - then you really should look into some sort of commercial product that maintains bad urls be it fqdn or IPs like websense or zscaler..



  • @DennisT:

    We already use OpenDNS but that isn't effective unless the attacker is using DNS (which many don't).

    Thanks !!! Just fine like that.
    This one goes to my ;D list …


Log in to reply