Windows Firewall - blocking IP address ranges en masse - performance considerations?

We did this with a game server. We eventually changed it for a plugin on pfsense, but we didn't notice any performance degradation with a few thousand ip blocks in the windows firewall. Blocking based upon ip is one of the most rudimentary tasks a firewall can do. Besides the management overhead (you already have a script for that), I wouldn't see any reason why there would be a problem. FWIW, I looked at using route53 from amazon for this, but it didn't serve our purpose at the time. It would allow you to resolve a bogus ip in those countries.
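As an added illustration of the "script for that" the answer refers to (this is not the answerer's script), the following PowerShell loads a blocklist of IPv4 CIDR blocks or ranges and installs them as a handful of Windows Firewall rules with many remote addresses each, rather than one rule per block. It assumes a file `blocklist.txt` with one entry per line, a chosen batch size of 1000 addresses per rule (an assumption, not a documented limit), and an elevated PowerShell session with the NetSecurity module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the thread): build a small number of Windows Firewall
# block rules from a list of IPv4 CIDR blocks or "a.b.c.d-w.x.y.z" ranges.
# Assumptions: blocklist.txt holds one entry per line, '#' lines are comments,
# and the script runs in an elevated PowerShell with the NetSecurity module.

param(
    [string]$ListPath   = ".\blocklist.txt",
    [string]$RulePrefix = "Blocklist-Inbound",
    [int]   $ChunkSize  = 1000   # addresses per rule; a chosen batch size, not a documented limit
)

$cidrPattern  = '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$'
$rangePattern = '^\d{1,3}(\.\d{1,3}){3}-\d{1,3}(\.\d{1,3}){3}$'

# Read, trim, drop comments and blanks, keep only IPv4 CIDR or range entries.
# @() forces an array even when the list has a single entry.
$entries = @(Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Where-Object { $_ -match $cidrPattern -or $_ -match $rangePattern } |
    Sort-Object -Unique)

if ($entries.Count -eq 0) { throw "No valid entries found in $ListPath" }

# Remove rules from a previous run so the list is replaced, not appended to.
Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# One rule per chunk: each rule carries many remote addresses, which keeps the
# rule count (and the firewall management UI) manageable for thousands of blocks.
$ruleIndex = 0
for ($i = 0; $i -lt $entries.Count; $i += $ChunkSize) {
    $end   = [Math]::Min($i + $ChunkSize, $entries.Count) - 1
    $chunk = $entries[$i..$end]
    $ruleIndex++
    New-NetFirewallRule -DisplayName ("{0}-{1:D3}" -f $RulePrefix, $ruleIndex) `
        -Direction Inbound -Action Block -Profile Any -Enabled True `
        -RemoteAddress $chunk | Out-Null
}

Write-Host ("Installed {0} rule(s) covering {1} address block(s)." -f $ruleIndex, $entries.Count)
```

Re-running the script replaces the previous rule set, so the blocklist can be refreshed on a schedule; `Get-NetFirewallRule -DisplayName "Blocklist-Inbound-*"` shows what is currently installed.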


Even if our scenarios are different, I would like to share: I have a small VPS (1 CPU, 256MB RAM) running a few services on Linux, and the firewall has thousands of rules denying whole blocks of addresses, spanning whole countries, and I haven't seen any slowdown.

I think it's less demanding on the server to simply drop lots of packets than letting them go to the application and be processed, just to send back an error message. Dropping them takes a lot less power.