There is no software-defined limit to the number of rules that may be created. A safe upper limit, due to potential hardware constraints, would be 25,000 lines.

AES-128 was used for testing encrypted throughput on Accelerated LTE routers, yielding the following results:

Default settings allow 8,192 concurrent sessions though this value can be adjusted via custom configuration.

The maximum is 65,536 -- though this assumes sessions are short lived and/ or low-bandwidth -- a good upper limit is 10,000.

No limit exists in the software, though a safe upper limit would be 150 sessions.

Wildcard IPs are supported via custom firewall rules (iptables), which leverage CIDR networking to set up a range of IPs (e.g. 192.168.0.1/24).

FQDN is supported via custom firewall rules (iptables).

However, the FQDN is resolved at the time of process/applying the firewall rule, not with each packet inspected. Meaning, if the IP of a domain changes, the firewall rule will not apply to the new IP address. You would have to reload the firewall for the device to resolve the domain to the new IP. It is better to stick with IP addresses in firewall rules instead of FQDNs.