Welcome, Guest. Please login or register.
Did you miss your activation email?
Monday 25 November 2024, 02:25:21 pm

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Firewall can't handle large IP lists?
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Firewall can't handle large IP lists?  (Read 15356 times)
mini4mw
Jr. Member
*
Offline Offline

Posts: 2


« on: Saturday 21 January 2017, 08:55:26 am »

I'm testing out a few configurations of the community firewall and one such test is only allowing US IPs to specific port forwarding statements.   If I add the full list of networks to the allowed networks of a port forward (portforward1) from ipdeny:
http-ipdeny-com-ipblocks-data-aggregate-us-aggregated.zone
and save the rule I can no longer hit the web site.  If I take it out and add only a few /8's, including mine, it works fine.  In addition, when the full IIP list is in portforward1,  other port forwards I have no longer work that do not have any inbound restrictions.   It almost seems the firewall can't handle that many networks.  In the firewall logs I don't see any deny entries.   I take the list back out or trim it down to a handful and everything works as expected.  Anyone else seen/heard of this type of behavior before?
Logged
mini4mw
Jr. Member
*
Offline Offline

Posts: 2


« Reply #1 on: Saturday 28 January 2017, 04:14:10 am »

This is an issue with the GUI.  It only accepts roughly 130,000 characters so you can't put all the networks in there.
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #2 on: Tuesday 21 February 2017, 03:20:07 am »

I think neither Endian nor iptables support that much amount of IP ranges. In fact on older versions if you add a lot of rules on Endian the IPtables crashed, and you got unexpected behaviour
And it will be slow. The best option for large IP ranges are ipsets.

http://www.dghost.com/techno/internet/banning-an-entire-country-with-iptablesipset

IPsets are faster than simple iptables rules for that amount of IPs.

Endian do have support for ipsets, but unfortunately it isn't on the GUI, or easily usable.
I've used IPsets succesfully to block whole countries (several of them) on webservers.

Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.094 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com