Windows Firewall - blocking IP address ranges en masse - performance considerations?

performance firewall windows-server-2012 windows-firewall

We did this with a game server. We eventually changed it for a plugin on pfsense, but we didn't notice any performance degradation with a few thousand ip blocks in the windows firewall. Blocking based upon ip is one of the most rudimentary tasks a firewall can do. Besides the management overhead (you already have a script for that), I wouldn't see any reason why there would be a problem. FWIW, I looked at using route53 from amazon for this, but it didn't serve our purpose at the time. It would alow you to resolve a bogus ip in those countries.


Even if our scenarios are different, I would like to share: I have a small VPS (1 CPU, 256MB RAM) running a few services on Linux, and the firewall have thousands of rules denying whole blocks of adresses, spanning whole countries, and I haven't seen any slowdown.

I think it's less demanding on the server to simply drop lots of packets than letting them go to the application and be processed, just to send back and error message. Dropping them takes a lot less power.

Related

Postgresql Provided user name and authenticated user name do not match
Can browse, but can't ping
What does SBS 2011 do "under the hood" when you give a user admin access?
Source IP rate limiting in iptables: hashlimit vs recent
nginx - connect() failed upstream under load testing
Windows Server 2012: Cannot install SMTP-Server, system always requires restart
Cisco BGP Unequal Cost Load Balancing
OverlayFS: How Can I Delete Files, Not Hide Them
SELinux: How to create a new file type
Add GSSAPI to OpenLdap in supportedSASLMechanisms
Is there a way to change the java JRE a linux Jenkins server uses?
How can I determine what permissions my user is missing for receiving a ZFS dataset?