Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Technically feasible to create massive alias block lists?

    Firewalling
    2
    3
    118
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      Luca1 last edited by

      Hi guys,

      This is a technical question only. I'm trying to determine if pfsense and my hardware (Netgate XG-7100 running latest OS) is capable of doing this without overwhelming the little router.

      I'm creating massive block lists that cover several countries that we do not do any business with but which are constantly attacking our resources.

      The block lists (created via Firewall => Alias => Import) is done with about 122,000 blocks of IPs (ex: /12, /22, etc) covering approximately 655 million IPs from the CN/RU and Asian regions.

      I understand I can accomplish this with pfblocker and other modules but I would like to know if its technically feasible and OK (from a technical standpoint) to block this many IPs or if it will stress the router due to the amount of checks it will have to perform when filtering traffic.

      Thank you,
      Luc

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS @Luca1 last edited by

        It should be fine. Our office router with a bunch of GeoIP lists and Suricata is using about 730 MB RAM.

        pfBlocker recommends changing the System/Advanced/Firewall & NAT/Firewall Maximum Table Entries entry to a minimum of 2 million. You can see how big a table is in Diagnostics/Tables. (the US IPv4 list is 105800 entries)

        Depending on the setup/usage, it may be more efficient to allow desired IPs, than to "block the world."

        Steve

        Only install packages for your version of pfSense, to avoid breaking it. If yours is not the latest, select your version as "Previous stable version (x.x.x DEPRECATED)" in System > Update > Update Settings.

        1 Reply Last reply Reply Quote 1
        • L
          Luca1 last edited by

          Great suggestion!

          Thank you. Ticket resolved.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy