Netgate Discussion Forum
    Concatenate Rulesets

    Firewalling
    3 Posts 3 Posters 614 Views
    average-joe

      Hey, here's my problem. I have a blacklist and a whitelist. My whitelist can have thousands of hosts, subnets in any two-five tuple combination. What's the best way to make efficient rules from it? As an example, suppose I have the following:

      Allow the following separate rules:

      • Pass {src_network: 1.2.3.4/24, src_port: 80, dst_ip: 3.4.5.6/32, dst_port: ANY, proto: tcp}
      • Pass {src_network: 2.3.4.5/16, src_port: ANY, dst_network: 7.8.9.4/24, dst_port: 53, proto: udp}
      • Pass {src_ip: 1.2.3.9/32, src_port: 22, dst_network: 5.3.2.1/8, dst_port: ANY, proto: tcp}
      • Pass {src_network: 7.3.2.7/24, src_port: *, dst_network: 5.9.3.8/24, dst_port: *, proto: ANY}

      Instead of needing to make 4 different rules, is it possible to concatenate these rules into a singular rule to improve performance? I could end up having a couple thousand of these individual rules.

      Thanks!

      Harvy66

        Such a large set of rules in a single location seems like a recipe for disaster. Complexity is the enemy of security. There's got to be a better way. I have a feeling there is a better point of responsibility.

        In general, a firewall rule should be a general rule (applies to entire subnets) or an exception rule (one-offs). Exceptional rules are exceptions to the general rules. Human error increases relative to the number of rules, even more so to the exceptions. The cost of micromanagement is more mistakes.

        Hope someone can help you.

          KOM

          You can use URL table aliases to reduce the rule set. Once you have the aliases defined, you only need a handful of rules to handle all cases.

          https://doc.pfsense.org/index.php/Aliases#URL_Table_Aliases

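An added example (not from any poster in this thread) of the consolidation KOM describes: group the whitelist entries by protocol and ports, turn each group's sources and destinations into alias tables, and emit one pf-style rule per group. The sample list is constructed from the four entries in the question plus a fifth entry with the same proto/port key as the second one, to show the caveat a reviewer should check: an alias pair admits every source x destination combination in the group, not just the pairs that were originally listed.

```python
import ipaddress
from collections import defaultdict
from itertools import product

# Constructed sample: the four whitelist entries from the question, plus one
# extra udp/53 entry (10.0.0.0/24 -> 192.0.2.0/24) that shares a key with entry 2.
RULES = [
    {"src": "1.2.3.4/24", "sport": "80",  "dst": "3.4.5.6/32",  "dport": "any", "proto": "tcp"},
    {"src": "2.3.4.5/16", "sport": "any", "dst": "7.8.9.4/24",  "dport": "53",  "proto": "udp"},
    {"src": "1.2.3.9/32", "sport": "22",  "dst": "5.3.2.1/8",   "dport": "any", "proto": "tcp"},
    {"src": "7.3.2.7/24", "sport": "any", "dst": "5.9.3.8/24",  "dport": "any", "proto": "any"},
    {"src": "10.0.0.0/24", "sport": "any", "dst": "192.0.2.0/24", "dport": "53", "proto": "udp"},
]

def net(text):
    # strict=False normalises host-style prefixes such as 1.2.3.4/24 to 1.2.3.0/24
    return ipaddress.ip_network(text, strict=False)

def consolidate(rules):
    """Group rules by (proto, sport, dport); each group becomes a src alias, a dst alias
    and one rule. extra_pairs lists src/dst combinations the alias rule would newly allow."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["proto"], r["sport"], r["dport"])].append((net(r["src"]), net(r["dst"])))
    result = []
    for key, pairs in groups.items():
        src_alias = sorted({str(s) for s, _ in pairs})
        dst_alias = sorted({str(d) for _, d in pairs})
        original = {(str(s), str(d)) for s, d in pairs}
        allowed = set(product(src_alias, dst_alias))  # what the alias-based rule really matches
        result.append({"key": key, "src_alias": src_alias, "dst_alias": dst_alias,
                       "extra_pairs": sorted(allowed - original)})
    return result

def render(group, n):
    """pf-style rule text for one group; <wl_srcN>/<wl_dstN> are the alias table names."""
    proto, sport, dport = group["key"]
    p = "" if proto == "any" else f"proto {proto} "
    sp = "" if sport == "any" else f"port {sport} "
    dp = "" if dport == "any" else f"port {dport} "
    return f"pass in {p}from <wl_src{n}> {sp}to <wl_dst{n}> {dp}".rstrip()

if __name__ == "__main__":
    for n, g in enumerate(consolidate(RULES)):
        print(render(g, n))
        for s, d in g["extra_pairs"]:
            print(f"  # widened: {s} -> {d} was not in the original list")
```

Five input entries collapse to four rules here; the udp/53 group reports two widened pairs, which is exactly the review step to run before loading such aliases on a real firewall.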