Technically feasible to create massive alias block lists?
-
Hi guys,
This is a technical question only. I'm trying to determine if pfSense and my hardware (Netgate XG-7100 running the latest OS) are capable of doing this without overwhelming the little router.
I'm creating massive block lists that cover several countries that we do not do any business with but which are constantly attacking our resources.
The block lists (created via Firewall => Alias => Import) are made up of about 122,000 blocks of IPs (e.g. /12, /22, etc.) covering approximately 655 million IPs from the CN/RU and Asian regions.
I understand I can accomplish this with pfBlocker and other modules, but I would like to know if it's technically feasible and OK (from a technical standpoint) to block this many IPs, or if it will stress the router due to the number of checks it will have to perform when filtering traffic.
Thank you,
Luc
-
It should be fine. Our office router with a bunch of GeoIP lists and Suricata is using about 730 MB RAM.
pfBlocker recommends changing the System/Advanced/Firewall & NAT/Firewall Maximum Table Entries setting to a minimum of 2 million. You can see how big a table is in Diagnostics/Tables (the US IPv4 list is 105,800 entries).
Depending on the setup/usage, it may be more efficient to allow desired IPs than to "block the world."
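As an added example (not code from this thread or from pfSense/pfBlocker), the script below does the sizing check the reply describes before an alias import: it parses a file in the one-network-per-line format that Firewall => Aliases => Import accepts, collapses overlapping and adjacent prefixes the way pf's table loading effectively does, counts the resulting table entries and the IPv4 addresses they cover, and compares the entry count against a "Firewall Maximum Table Entries" value. The sample alias file, the function names and the 2 million limit used in the example are constructed for illustration.

```python
"""Pre-flight check for a pfSense alias import file (added example).

Collapses the CIDR list, reports how many pf table entries it will really
need and how many addresses it covers, and checks the count against the
Firewall Maximum Table Entries limit. Sample input is constructed.
"""
import ipaddress

# Constructed sample of an alias import file: one network per line,
# '#' comments allowed, bare hosts treated as /32. Not a real block list.
SAMPLE_ALIAS_FILE = """\
# constructed sample, not a real block list
10.0.0.0/8
10.1.0.0/16        # already inside 10.0.0.0/8 -> collapsed away
192.0.2.0/24
192.0.2.0/25       # duplicate coverage -> collapsed away
198.51.100.0/25
198.51.100.128/25  # adjacent halves -> merge into one /24
203.0.113.7        # bare host, treated as /32
not-an-address
"""


def parse_alias_file(text):
    """Return (networks, bad_lines) for alias-import text.

    bad_lines holds (line_number, raw_line) for anything that is not a
    valid IPv4/IPv6 network so it can be fixed before import.
    """
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        try:
            # strict=False accepts host bits set (e.g. 10.1.2.3/24)
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))
    return networks, bad


def summarize(networks):
    """Collapse the list and report entry/address counts."""
    # collapse_addresses refuses mixed versions, so split first.
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4))
    collapsed += list(ipaddress.collapse_addresses(v6))
    return {
        "raw_entries": len(networks),
        "table_entries": len(collapsed),
        "ipv4_addresses": sum(n.num_addresses for n in collapsed if n.version == 4),
        "collapsed": collapsed,
    }


def check_table_budget(table_entries, max_table_entries, other_tables=0):
    """Compare the planned entries (plus entries already used by other
    tables, e.g. pfBlocker or GeoIP lists) with the configured limit."""
    total = table_entries + other_tables
    return {
        "total": total,
        "fits": total <= max_table_entries,
        "headroom": max_table_entries - total,
    }


if __name__ == "__main__":
    nets, bad = parse_alias_file(SAMPLE_ALIAS_FILE)
    for lineno, raw in bad:
        print(f"line {lineno}: not a valid network: {raw!r}")
    info = summarize(nets)
    print(f"{info['raw_entries']} lines -> {info['table_entries']} table entries, "
          f"{info['ipv4_addresses']} IPv4 addresses")
    for n in info["collapsed"]:
        print("  ", n)
    # 2,000,000 is the minimum the thread quotes from pfBlocker's guidance.
    budget = check_table_budget(info["table_entries"], 2_000_000)
    print("fits within table limit:", budget["fits"], "headroom:", budget["headroom"])
```

Run it against the real exported list instead of the sample to see how many of the 122,000 lines survive collapsing; in practice the figure to compare with the limit is the collapsed count plus whatever Diagnostics/Tables already shows for existing tables.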
-
Great suggestion!
Thank you. Ticket resolved.