Max number of IPs for each firewall rule

Posted April 26, 2020

In the DO firewall documentation I read that firewalls are limited to 50 rules.

However, how many IPs (or IP ranges) can I insert in a firewall rule?

For example, if I want to block a list of hundreds/thousands of IPs (blacklist), can I do that?

Probably you should also clarify that in the official docs if a limit exists.

edited by bboucheron

1 answer

Hi Marco. Thanks for the question. I’ve consulted with one of the engineers on our Cloud Firewalls team:

  • Unfortunately, you can’t really do an IP blocklist at all, because the firewall product blocks everything by default, and requires you to specify allow rules only. There is no syntax for a negative set (“allow anything NOT in this list of IPs”).
  • There is a size limit for firewall rules, but it’s not easy to specify the limit as an exact number of IPs, as it is affected by the particulars of your setup. With a very simple rule set, this engineer found the limit was around 20k IPs.
  • A large rule set like this can negatively impact your network performance, even if it does avoid the size limit.
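
With allow rules only, the closest thing to a blocklist is an allow list covering every address except the blocked ones. The sketch below is an added example, not part of the answer above and not DigitalOcean code; it uses Python's standard `ipaddress` module to compute that complement, and the function name `allow_complement` and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def allow_complement(blocked, universe="0.0.0.0/0"):
    """Return the CIDR ranges that cover `universe` minus every blocked entry.

    `blocked` is an iterable of IPv4 addresses or CIDR strings. The result is
    what an allow-only firewall would need as its source list to behave like
    a blocklist for those entries.
    """
    allowed = [ipaddress.ip_network(universe)]
    for entry in blocked:
        block = ipaddress.ip_network(entry, strict=False)
        remaining = []
        for net in allowed:
            if not block.overlaps(net):
                remaining.append(net)       # untouched by this entry
            elif block.supernet_of(net):
                continue                    # range is entirely blocked
            else:
                # block sits inside net: keep everything around it
                remaining.extend(net.address_exclude(block))
        allowed = remaining
    return sorted(ipaddress.collapse_addresses(allowed))


if __name__ == "__main__":
    # Constructed sample blocklist (RFC 5737 documentation addresses).
    sample = ["203.0.113.7", "198.51.100.9", "192.0.2.0/24"]
    for count in range(1, len(sample) + 1):
        ranges = allow_complement(sample[:count])
        print(f"{count} blocked entries -> {len(ranges)} allow ranges")
```

Carving a single address out of `0.0.0.0/0` already takes 32 allow ranges, and each further entry can add up to 31 more, so a blocklist of hundreds of addresses becomes thousands of ranges in the rule.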