How many rules is too many?



  • I have pfSense 1.2.3-Release running on a Supermicro D525 Atom box with 4G of RAM and a 1TB Enterprise class hard drive. It is the SYS-5015A-EHF-D525 with built in dual Intel Gigabit NICs and an add on PCI-e GB NIC for management from a backend IP. This box has served perfectly for the last couple of years handling a gigabit WAN connection from our ISP and feeding a dozen servers (everything has public IP addresses; no NAT, DHCP, or traffic shaping). The actual traffic is around 50M outbound and 10M inbound. Its primary purpose is to block ports and block IP ranges of hackers.

    We currently have around 400 block rules on the WAN side. We want to start adding rules to more aggressively block traffic from places like China, Russia, and Brazil where we do not do business and do not want traffic from. This would entail us adding hundreds and hundreds more block rules.

    Is there a limit to the number of block rules that can be added without causing a problem or impacting performance?

    I have read about the Country Block package but it is not showing up in our package list for some reason.



  • The package is now called pfBlocker, so try that. I think there was some issue with the bundled country lists becoming proprietary (= for sale, not free any more) so I think that if you want up-to-date country lists you need to subscribe somewhere or get them from somewhere. But pfBlocker works and you can use whatever lists you can find/make. Look in the Packages part of the forum.
    By putting IPs in lists there won't be many rules, and lists can have loads of entries without taxing a system like yours. Even if you did make a few hundred rules, it would be more of a hassle for humans to manage in the GUI than for pf to process.
    I would suggest upgrading to latest pfSense 2.1.5. I have upgraded 1.2.3 systems before and it went fine. It should upgrade everything you have directly without problem. Then you get the benefit of many fixes (security and plain old bugs).
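    To illustrate the "IPs in lists, not rules" point from the post above: on pfSense an alias becomes a pf table, so one block rule covers the whole list and the list can be refreshed without touching the rule set. This is an added example in raw pf.conf syntax, not the original poster's configuration or pfSense-generated output; the table name, the file path and the RFC 5737 documentation ranges are constructed placeholders.

```conf
# Hundreds of per-network rules: one line per block, each one a rule
# pf has to hold and a human has to maintain in the GUI.
#   block in quick on $wan from 192.0.2.0/24
#   block in quick on $wan from 198.51.100.0/24
#   block in quick on $wan from 203.0.113.0/24
#   ... (one rule per network)

# Table-based form: the networks live in a file, the rule set has one
# entry. "persist" keeps the table across rule reloads even when empty.
wan = "igb0"                                 # placeholder WAN interface
table <geo_block> persist file "/usr/local/etc/geo_block.txt"
block in quick on $wan from <geo_block> to any

# /usr/local/etc/geo_block.txt (constructed sample, one CIDR per line):
#   192.0.2.0/24
#   198.51.100.0/24
#   203.0.113.0/24

# Refresh the list without reloading the rule set:
#   pfctl -t geo_block -T replace -f /usr/local/etc/geo_block.txt
# Check what is currently loaded:
#   pfctl -t geo_block -T show
```

    A table lookup is a radix-tree match rather than a linear walk over rules, which is why a table with many thousands of entries costs far less than the same networks spelled out as individual rules.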



  • I do not see a package called pfBlocker. Does that require me to upgrade to the newer version? We are reluctant to upgrade as this setup has been 100% rock solid with 0 downtime since deployment (It has only been turned off once to be moved to a new co-lo site).

    I see an upgrade option in the GUI. Is that the best way to do the upgrade?



  • Yes, pfBlocker is only for pfSense 2.0 or higher (https://forum.pfsense.org/index.php?topic=42543.msg219632#msg219632)



  • When you have rules you don't need, it's too many.
    Otherwise, I'm aware of no limit.



  • First, you should upgrade immediately. You're absurdly far behind at this point.

    @kejianshi:

    When you have rules you don't need, it's too many.

    Exactly.

    You'll impact performance at some level, but it's way beyond what most any reasonable system will use, well into the hundreds of thousands of rules to make a minuscule difference. If you're running in a high traffic datacenter scenario, that's potentially different. For most office and all home use scenarios, no consideration.