Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Questions about blocking traffic, large aliases, packages

    Scheduled Pinned Locked Moved Firewalling
    2 Posts 2 Posters 713 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jonjonr6
      last edited by

      I've been doing some looking for definitive answers, but I can't seem to find what I'm looking for.

      My setup:
      release: 2.2.6 nano
      hardware: Lenovo D20, ESXi 6, pci passthrough WAN NIC, 1gb RAM, 8 virtual cores 2.26ghz
      configuration: one LAN interface, one openVPN interface, IPv4 and v6(rd), 3 floating rules for blocking 3 alias lists (quick enabled)

      I'm trying to understand how to (more) reliably block large domains using rules and aliases.
      I have 3 separate blocklists; one with maybe 20 entries, one with about 500 entries, and one with 60k entries.
      Originally I split the large one into twenty 3k-entry lists.
      The order of the lists started with the smaller ones first.

      I observed that the rules successfully blocked connections to entries in the small aliases as long as they were named so they would load before the larger aliases.
      Rules for the larger aliases would only successfully block connections to entries in the first large list.
      Changing the order of the rules themselves did not matter.
      I removed the large aliases and created one bigger alias.
      At this point, the rules sometimes block the connections but often just allow.
      It seems pfSense cannot handle a large list at all.
      Can anyone confirm this? I already adjusted the Firewall maximum tables entries value. Perhaps there's another setting I need to adjust?

      Also, if I understand how pfSense works, when it loads the alias list, it will perform a DNS query and translate the domain entry into the returned IP.
      When pining some of the domains, I see that some of them respond from different IPs.
      If the domain is using a hosted service with load balancing, then blocking a single IP or a domain as a firewall rule might be inadequate.
      Is there a way to address this?

      I've thought about running some of the packages, but I'm assuming those only block http(s) requests, which is good but not great.

      My last thought is, why have large rules and aliases if you never have traffic going to most of those domains.
      So, I looked at getting a SIEM, like Alienvault. But I wasn't successful at setting it up to receive the syslogs from the firewall. It also seems a bit much for a home.
      A package that could handle a large list of domains and just monitor the syslog for matching IPs and give an alert (or maybe even automatically make a rule) would be awesome.

      I'd really like a definitive answer about the large alias issue I'm describing, if one exists.
      Suggestions for packages to achieve my desired results are appreciated.

      Thanks

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Just curious why are you running nano on a VM install??

        Why would you be limited to space for install?  That you would need/want to use nano??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.