Find number of rules in a firewall.
-
How do I find out how many firewall rules I have in the firewall? I need to know this to set "Firewall Maximum Table Entries" to the correct limit.
-
@frodet why would you think there is some correlation between the number of rules and the max table size?
This value defines the maximum number of entries that can exist inside of address tables used by the firewall for collections of addresses such as aliases, ssh/GUI lockout records, hosts blocked by snort alerts, and so on. By default this is 400,000 entries. If the firewall has features enabled which can load large blocks of address space into aliases such as URL Table aliases or the pfBlockerNG package, then increase this value to comfortably include at least double the total amount of entries contained in all aliases combined.
You could have one guy with 10 rules, and need millions of table entries, and then you could have another guy with 10k rules and only need 100k table entries.
edit: The output of this might be more helpful
pfctl -vvsTables | grep Addresses:
You add these up and you get an idea of how many records you're currently using, and then go from there depending on what you might be adding, etc.
Example:
[24.11-RELEASE][admin@sg4860.home.arpa]/root: pfctl -vvsTables | grep Addresses:
Addresses: 18
Addresses: 5
Addresses: 2
Addresses: 1
Addresses: 2
Addresses: 1
Addresses: 1
Addresses: 1
Addresses: 1
Addresses: 1
Addresses: 1
Addresses: 1
Addresses: 2
Addresses: 2
Addresses: 5
Addresses: 2820
Addresses: 150808
Addresses: 3
Addresses: 201
Addresses: 9
Addresses: 190014
Addresses: 824
Addresses: 145
Addresses: 216143
Addresses: 184877
Addresses: 216143
Addresses: 21693
Addresses: 20618
Addresses: 226
Addresses: 24530
Addresses: 138
Addresses: 38
Addresses: 2
Addresses: 4
Addresses: 3
Addresses: 0
Addresses: 0
Addresses: 13
Addresses: 0
Addresses: 2
[24.11-RELEASE][admin@sg4860.home.arpa]/root:
Using tables like all V4 and V6 in North America for, say, pfBlocker is going to use up some records for sure. You can also go to Diag > Tables and get details of each table. For example, my bogon v6 table currently has a lot of records:
Table last updated on Tue Apr 1 00:55:01 2025 GMT. 150,808 records
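The adding-up step above, as an added shell script that is not part of the thread or of pfSense: it totals the per-table "Addresses:" counts from pfctl -vvsTables and compares the total with the "Firewall Maximum Table Entries" limit, applying the documentation's "at least double" guidance. The sample input is the 40 counts pasted in the post above; the function names and the 400,000 default are the only assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): total the "Addresses:" counts
# that "pfctl -vvsTables" prints for every table and compare the total with the
# "Firewall Maximum Table Entries" limit, which the docs say should comfortably
# cover at least double the combined total.

# Sum every "Addresses: N" pair on stdin. Walks fields rather than lines, so it
# also handles output that was pasted onto a single line.
sum_table_addresses() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "Addresses:") total += $(i + 1) }
         END { printf "%d\n", total + 0 }'
}

# Minimum limit for a given total: double the entries currently in use.
recommended_limit() {
    echo $(( $1 * 2 ))
}

# Return 0 when the limit is at least double the total in use, 1 otherwise.
limit_covers_total() {
    [ "$2" -ge "$(recommended_limit "$1")" ]
}

# Print a one-line verdict for a total and a configured limit.
check_table_limit() {
    if limit_covers_total "$1" "$2"; then
        echo "OK: $1 entries in use, limit $2 is at least double"
    else
        echo "RAISE: $1 entries in use, limit $2; set it to at least $(recommended_limit "$1")"
    fi
}

# Constructed sample: the 40 per-table counts pasted in the post above. On a
# real box pipe the live output instead:
#   pfctl -vvsTables | grep Addresses: | sum_table_addresses
SAMPLE_OUTPUT='Addresses: 18 Addresses: 5 Addresses: 2 Addresses: 1 Addresses: 2
Addresses: 1 Addresses: 1 Addresses: 1 Addresses: 1 Addresses: 1 Addresses: 1
Addresses: 1 Addresses: 2 Addresses: 2 Addresses: 5 Addresses: 2820
Addresses: 150808 Addresses: 3 Addresses: 201 Addresses: 9 Addresses: 190014
Addresses: 824 Addresses: 145 Addresses: 216143 Addresses: 184877
Addresses: 216143 Addresses: 21693 Addresses: 20618 Addresses: 226
Addresses: 24530 Addresses: 138 Addresses: 38 Addresses: 2 Addresses: 4
Addresses: 3 Addresses: 0 Addresses: 0 Addresses: 13 Addresses: 0 Addresses: 2'
DEFAULT_LIMIT=400000   # pfSense default quoted from the documentation above

main() {
    total=$(printf '%s\n' "$SAMPLE_OUTPUT" | sum_table_addresses)
    check_table_limit "$total" "$DEFAULT_LIMIT"
}
main
```

With the sample counts the script reports 1,029,298 entries in use, so the 400,000 default would need raising to at least 2,058,596.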
-
@johnpoz Thank you for your answer.
First of all I saw that documentation page. It says "A safe assumption is approximately 1K of memory per entry to be conservative." so I assumed that I could use that number.
I love pfSense (I have four Netgate devices), but there are some issues with it, and this is one of them. It would have been nice to have this information in the GUI, or perhaps auto-adjusted limits.
Adding 200 000 more to the limit fixed my problem.