How many firewall rules are too many?

I have effectively no knowledge of how OpenWrt's firewall works internally. I have to assume that there is a performance impact for larger rulesets but I have no idea how severe it might be, or how one would accurately benchmark it.

Is this impact significant in practice? How many "traffic rules" might start to be too many? Should I be more concerned with keeping the number absolutely minimized, even if that means being less specific, or can I be comfortably detailed with my rules and not really worry about it?

Trial and error?

Too many variables to compute. What is complex, what is many, what's the host performance - what kills the wrt-54gl wouldn't even register on a gl-mt6000.

1 Like

The initial packet filter can pass an enormous amount of rules. Something like 100-10000 iifname or 50-5000 dscp set will make a measurable millisecond. Other expressions are by magnitudes faster.
More important is the main flow "established accept", which should not do unnecessary inspections in other hooks, e.g. snat/dnat not guarded by e.g. ct status dnat,assured return.
Example

"Visual" trace

One bad pattern comes off miniupnpd.

Inverting slh's claim: you need a very weak router CPU to measure, like ath79 or mt7628/7620.

1 Like
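The ordering advice in the post above, written out as an nftables ruleset. This is an added illustration, not something posted in the thread or taken from OpenWrt's fw4; the table, chain, set names and interface names are assumed. It also goes one step beyond the post by using sets, which keep the rule count flat where the post counts per-rule cost:

```nft
# Added example (not from the thread). Names below are made up.
table inet example {
    # One set lookup replaces a long run of per-interface or per-port
    # rules, so the evaluated rule count does not grow with the list.
    set lan_ifaces {
        type ifname
        elements = { "lan", "guest" }
    }
    set wan_services {
        type inet_service
        elements = { 22, 443 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Fast path first: every packet of a flow that was already
        # accepted matches here and never reaches the checks below.
        ct state established,related accept
        ct state invalid drop
        # Only the first packet of each new flow is evaluated against
        # the remaining rules, so their number matters far less.
        iifname @lan_ifaces oifname "wan" accept
        iifname "wan" oifname @lan_ifaces tcp dport @wan_services accept
    }

    chain trace_new_flows {
        type filter hook prerouting priority raw; policy accept;
        # Optional: tag only the first packet of each flow so that
        # "nft monitor trace" shows which rules it actually traverses.
        ct state new meta nftrace set 1
    }
}
```

Load it with `nft -c -f <file>` first to syntax-check, then without `-c`; `nft monitor trace` then prints the per-rule path of each new flow.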

Yes, netfilter shows AFAIK no difference with 100 or 10k rules.
Some handlers are more expensive than others, but presentations at the net plumber conference showed no major impacts. IIRC you can even handle up to 100k rules, and with proper hardware you can even offload most of the rules...

With x86 you can easily handle 10, 40 or even 100 Gbit/s with something like a Mellanox ConnectX.
And with the OpenWrt Linux kernel and beefy hardware you can easily handle moderate small- to mid-size business datacenter needs if you really want to.

1 Like

Or, to approach it from another angle, what is the purpose of a firewall? To keep stuff in or keep stuff out? If it's to keep stuff out then why would you need vast numbers of firewall rules? Rework your network design.
If it's an industrial/commercial large scale network and uses professional equipment then all bets are off.

That approach misses the point of the question, I think, which boils down to "what is the definition of a vast number" with respect to firewall rules in OpenWrt.

I didn't know if I should expect a problematic number to be on the order of 20 or 200 or 2000.

But based on the answers from @brada4 and @_bernd, it seems safe to say that hundreds of rules are likely fine even on a low-end device, and thousands+ for more performant hardware.

That's far enough above my needs to be classified as "not significant".

No idea what approach you are talking about. Does the default ruleset have a measurably heavy per-packet rule?

This article covers benchmarks against number of rules.
Practically speaking you won’t hit these numbers (in my opinion).

These benchmarks were likely performed on faster hardware than most routers (barring x86).

I’m sure there are combinations of rules that break this pattern, but this gives you the general gist.

3 Likes

I was referring to @greybeard's post that I replied to. Your post earlier was exactly the kind of answer I was looking for.

1 Like

You tapped on mine, no worries.

You can answer on a post OR the whole thread.

With default forum settings a user gets notified on a direct reply or if the users name is mentioned in the post.

Like @brada4 is now :wink: :clinking_beer_mugs:

I'm quoting all three of the most helpful answers to mark as the solution for this thread. Thanks to everyone who got involved, I appreciate the insights.

1 Like