Title: Firewall can't handle large IP lists? Post by: mini4mw on Saturday 21 January 2017, 08:55:26 am I'm testing out a few configurations of the community firewall and one such test is only allowing US IPs to specific port forwarding statements. If I add the full list of networks to the allowed networks of a port forward (portforward1) from ipdeny:
http-ipdeny-com-ipblocks-data-aggregate-us-aggregated.zone and save the rule I can no longer hit the web site. If I take it out and add only a few /8's, including mine, it works fine. In addition, when the full IIP list is in portforward1, other port forwards I have no longer work that do not have any inbound restrictions. It almost seems the firewall can't handle that many networks. In the firewall logs I don't see any deny entries. I take the list back out or trim it down to a handful and everything works as expected. Anyone else seen/heard of this type of behavior before? Title: Re: Firewall can't handle large IP lists? Post by: mini4mw on Saturday 28 January 2017, 04:14:10 am This is an issue with the GUI. It only accepts roughly 130,000 characters so you can't put all the networks in there.
Title: Re: Firewall can't handle large IP lists? Post by: mrkroket on Tuesday 21 February 2017, 03:20:07 am I think neither Endian nor iptables support that much amount of IP ranges. In fact on older versions if you add a lot of rules on Endian the IPtables crashed, and you got unexpected behaviour
And it will be slow. The best option for large IP ranges are ipsets. http://www.dghost.com/techno/internet/banning-an-entire-country-with-iptablesipset IPsets are faster than simple iptables rules for that amount of IPs. Endian do have support for ipsets, but unfortunately it isn't on the GUI, or easily usable. I've used IPsets succesfully to block whole countries (several of them) on webservers. |