A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls.
Info: https://iplists.firehol.org/
Example of characteristics: Source File Date: Mon Jun 8 07:21:55 UTC 2020: 2575 subnets, 619564767 unique IPs
Installation in Opnsense:
1 - Firewall-Aliases-New:
2 - Name: FireHOL
Type: URL Table (IPs)
Expiration Days: 1
Content: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
Description: FireHOL
3 - Save
4 - System-Settings-Cron-New:
Create a job with the command Update and reload firewall aliases
5 - Create firewall rules in Wan and Lan
I always advise level3 since level1 also includes private networks, which would break setups if you have a DMZ or similar.
Quote from: yeraycito on June 08, 2020, 06:46:36 PM
5 - Create firewall rules in Wan and Lan
Do you mind providing a dumb-proof guide on this?
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right ?
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right ?
No, the Alias module will take care of it.
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right ?
On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and action drop. On WAN the same rule, but source is your alias and destination ANY (to match port forwards and connections to the firewall itself).
Quote from: mimugmail on June 09, 2020, 07:25:00 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right ?
No, the Alias module will take care of it.
Right, so it's yes: I said you don't need a cron job as the Alias module will do the update...
Quote from: mimugmail on June 09, 2020, 07:26:25 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right ?
On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and action drop. On WAN the same rule, but source is your alias and destination ANY (to match port forwards and connections to the firewall itself).
That's great, thanks: there is no 'drop' in the drop-down menu, I can choose between 'block' or 'reject', which one is the best approach?
Also, as for the LAN rule, do I have to choose 'LAN' in the interface section only or for both interface and source?
TIA.
Quote from: mimugmail on June 09, 2020, 07:25:00 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right ?
No, the Alias module will take care of it.
I'm confused about this. Is that really how it works? For example: https://forum.opnsense.org/index.php?topic=15483.0
In this post they do say that you have to create a job. And if you don't have to create it, why is there an 'Update and reload aliases' entry in System - Settings - Cron?
FireHOL Level2 List (other than the one mentioned above: Level1):
An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow)
Info: https://iplists.firehol.org/?ipset=firehol_level2
Installation in Opnsense:
1 - Firewall-Aliases-New:
2 - Name: FireHOL2
Type: URL Table (IPs)
Expiration Days: 1
Content: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset
Description: FireHOL2
3 - Save
4 - System-Settings-Cron-New:
Create a job with the command Update and reload firewall aliases
5 - Create firewall rules in Wan and Lan
Quote from: yeraycito on June 09, 2020, 03:30:24 PM
Quote from: mimugmail on June 09, 2020, 07:25:00 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right ?
No, the Alias module will take care of it.
I'm confused about this. Is that really how it works? For example: https://forum.opnsense.org/index.php?topic=15483.0
In this post they do say that you have to create a job. And if you don't have to create it, why is there an 'Update and reload aliases' entry in System - Settings - Cron?
To me it sounds like the guy wants to refresh the alias for another reason; if you want to use a URL table there's no cron required.
FireHOL Level3 List (other than the ones mentioned above: Level1, Level2):
An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs that have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter zeus vxvault)
Info: https://iplists.firehol.org/?ipset=firehol_level3
Installation in Opnsense:
1 - Firewall-Aliases-New:
2 - Name: FireHOL3
Type: URL Table (IPs)
Expiration Days: 1
Content: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level3.netset
Description: FireHOL3
3 - Save
4 - System-Settings-Cron-New:
Create a job with the command Update and reload firewall aliases
5 - Create firewall rules in Wan and Lan
Thanks @yeraycito, that's very handy...
Are the IPs in the Level2 and Level3 lists already included in the Level1 list?
Quote from: hushcoden on June 09, 2020, 05:33:29 PM
Thanks @yeraycito, that's very handy...
Are the IPs in the Level2 and Level3 lists already included in the Level1 list?
They seem to include some common components but not all.
More information and many more lists (use carefully) here:
https://github.com/firehol/blocklist-ipsets
And apparently there is also a FireHOL Level4 here: https://iplists.firehol.org/?ipset=firehol_level4
And the list is here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level4.netset
Quote from: hushcoden on June 09, 2020, 05:53:12 PM
And apparently there is also a FireHOL Level4 here: https://iplists.firehol.org/?ipset=firehol_level4
And the list is here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level4.netset
The list is very good but they warn that it has a good amount of false positives. You have to be careful.
FireHOL Web Server List:
A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous) . (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)
Info: https://iplists.firehol.org/?ipset=firehol_webserver
Installation in Opnsense:
1 - Firewall-Aliases-New:
2 - Name: FireHOLserver
Type: URL Table (IPs)
Expiration Days: 1
Content: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
Description: FireHOLserver
3 - Save
4 - System-Settings-Cron-New:
Create a job with the command Update and reload firewall aliases
5 - Create firewall rules in Wan and Lan
Completely random thought: checking the list against existing ET Open rules, pruning duplicates.
Another thought: integration with Suricata to not only block on those IPs, but also alert.
Quote from: lattera on June 10, 2020, 01:19:41 AM
Completely random thought: checking the list against existing ET Open rules, pruning duplicates.
Another thought: integration with Suricata to not only block on those IPs, but also alert.
These are IPs to block with the input/output firewall. Suricata blocks behavior.
Example: https://docs.opnsense.org/manual/how-tos/edrop.html
Quote from: hushcoden on June 09, 2020, 10:39:45 AM
Quote from: mimugmail on June 09, 2020, 07:26:25 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right ?
On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and action drop. On WAN the same rule, but source is your alias and destination ANY (to match port forwards and connections to the firewall itself).
That's great, thanks: there is no 'drop' in the drop-down menu, I can choose between 'block' or 'reject', which one is the best approach?
Also, as for the LAN rule, do I have to choose 'LAN' in the interface section only or for both interface and source?
TIA.
Can someone please clarify the following points:
1) Better to use 'block' or 'reject'? 'drop' is not an option.
2) As I said in my previous post, for the LAN rule, do I have to choose 'LAN' (actually it's called LAN net) in the interface section only or for both interface and source?
3) As for 'direction', is it IN or OUT?
I've still a lot to learn and any advice is much appreciated!
1) block is better since with reject the firewall has to generate a packet (costs CPU cycles)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out.
Could someone point me to where (a log file?) I can check if those alias lists are actually updated?
TIA.
system.log or configd.log
Many thanks, found it in System --> Log Files --> General
I've attached a screenshot: does fetch mean it's been updated ?
Yep 8)
Quote from: hushcoden on June 28, 2020, 02:55:21 PM
Many thanks, found it in System --> Log Files --> General
I've attached a screenshot: does fetch mean it's been updated ?
They're up to date. Look at the number of lines between updates:
/updates_tables.py..........www.spamhaus.org.......lines:791
When you update, the number of lines changes.
Quote from: mimugmail on June 10, 2020, 02:01:21 PM
1) block is better since with reject the firewall has to generate a packet (costs CPU cycles)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out.
I have another question: if I use floating rules, I can select both my two LAN interfaces rather than duplicate rules from LAN to LAN2 :o but in 'Source' I can't select both 'LAN net' and 'LAN2 net', only one, so should I select 'any' or 'This Firewall'?
Thanks.
2 rules source any, destination firehol and vice versa. No Interface selected
Quote from: mimugmail on July 26, 2020, 04:01:43 PM
2 rules source any, destination firehol and vice versa. No Interface selected
Do you mean I delete the rules in 'LAN' and 'LAN2' and I consolidate them into one in 'Floating' but without selecting the two LAN interfaces?? Sorry, I'm confused :o Can you be more specific? :-\
I've the WAN rules (attached) which I reckon I don't have to change/amend, and I have rules (the same) for LAN and LAN2 (also attached).
If I want to consolidate the LAN and LAN2 rules by creating just one set of rules in 'Floating', can I do so by selecting in 'Interface' both LAN and LAN2 and in Source 'any'?
Screenshots look good
New to opnsense, but I assume these FireHOL rules need to be moved to the top of the lists for both LAN and WAN?
Currently I have my GeoIP rules at the top, any concern there?
TIA
Quote from: guyp2k on August 01, 2020, 04:31:42 AM
New to opnsense, but I assume these FireHOL rules need to be moved to the top of the lists for both LAN and WAN?
Currently I have my GeoIP rules at the top, any concern there?
TIA
Effectively, that's right.
I've found out that I have an issue with the update of Spamhaus EDROP: I've set up two aliases (see picture), DROP and EDROP, which are identical apart from the link (of course), and when I check the log (also attached) I can see that while DROP is updated once a day, EDROP is not, and I can't figure out what I'm doing wrong for the life of me...
TIA.
Those lists don't seem to be updated every day. You can see it by opening them in the browser (modification dates / expiration dates):
- https://www.spamhaus.org/drop/edrop.txt
; Spamhaus EDROP List 2020/08/04 - (c) 2020 The Spamhaus Project
; https://www.spamhaus.org/drop/edrop.txt
; Last-Modified: Sat, 04 Jul 2020 01:32:55 GMT
; Expires: Wed, 05 Aug 2020 02:00:44 GMT
- https://www.spamhaus.org/drop/drop.txt
; Spamhaus DROP List 2020/08/04 - (c) 2020 The Spamhaus Project
; https://www.spamhaus.org/drop/drop.txt
; Last-Modified: Sat, 25 Jul 2020 08:39:55 GMT
; Expires: Tue, 04 Aug 2020 15:18:34 GMT
Indeed, they are not updated on a daily basis, BUT my issue is that my OPNsense seems to update the DROP list and seems to ignore the EDROP list, why is that??
I have also been scratching my head over this. The System - General log shows that the DROP .txt file has been fetched, but not the EDROP file. If I on the other hand check under Diagnostics and pfTables, both DROP/EDROP are there. The content of the two .txt files, that is. Go figure.
miroco
Quote from: mimugmail on June 10, 2020, 02:01:21 PM
1) block is better since with reject the firewall has to generate a packet (costs CPU cycles)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out.
Why is it always IN? I thought you would put OUT here to block the outgoing LAN connections to these IPs!?
But the firewall sees the packet first in the LAN inbound direction
Quote from: mimugmail on November 01, 2021, 10:26:33 AM
But the firewall sees the packet first in the LAN inbound direction
Thanks, that makes sense.
Here are the rules:
On LAN:
Action: Block
Interface: LAN
Direction: in
Protocol: any
Source: LAN net
Destination: My Firewall Alias
On WAN:
Action: Block
Interface: WAN
Direction: in
Protocol: any
Source: My Firewall Alias
Destination: any
Perfect
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over it.
If you use it you may run into problems.
I am using just Level 3 and it has been working fine for a long time.
Quote: Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over it.
You can always use the "Network group" alias type, combining the FireHOL list and subnet exclusions ;)
Quote from: Julien on November 20, 2021, 11:29:59 PM
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over it.
If you use it you may run into problems.
I am using just Level 3 and it has been working fine for a long time.
Yes, lots of lists contain bogons. I combine all lists into one and remove all bogons afterwards. You can get all bogons (IPv4 and IPv6) with this regex:
BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"
cat "$BLOCKLIST" | grep -Po "$BOGON_REGEX"
Quote from: Julien on November 20, 2021, 11:29:59 PM
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over it.
Neither Level 2 nor Level 3 contains bogons; it's Level 1
Quote from: br0ken.pipe on November 21, 2021, 11:27:50 AM
Yes, lots of lists contain bogons. I combine all lists into one and remove all bogons afterwards. You can get all bogons (IPv4 and IPv6) with this regex:
BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"
cat "$BLOCKLIST" | grep -Po "$BOGON_REGEX"
Do you mind explaining how you do that?
I do have an alias with all my lists, but no idea how/where to insert the regex, thanks.
Quote from: hushcoden on November 21, 2021, 05:57:31 PM
Do you mind explaining how you do that?
I do have an alias with all my lists, but no idea how/where to insert the regex, thanks.
Unfortunately you can't insert the regex in OPNsense. I use a bash script to merge several ipset lists on another server. In OPNsense I only set the HTTP address of the processed and clean list.
With this example you can remove the bogons from a larger list:
#!/bin/bash
# Merge several FireHOL/Spamhaus ipsets into one list and strip bogon entries.
# Needs GNU grep (-P) and coreutils; run on a helper host, then publish $BLOCKLIST over HTTP.
set -u
BLOCKLIST="/tmp/ipsets.txt"
BLOCKLIST_TMP="/tmp/ipsets_tmp.txt"
BOGONS="/tmp/bogons.txt"
BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"
# Download with TLS certificate verification (no -k: a spoofed blocklist becomes a block rule on your firewall)
# and abort on HTTP errors so a failed fetch cannot silently shrink the list.
fetch() { curl -fsSL "$1" >>"$BLOCKLIST" || { echo "download failed: $1" >&2; exit 1; }; }
: >"$BLOCKLIST"
# Firehol
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_1d.netset
# Spamhaus
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_edrop.netset
# ...
# Drop the '#' comment headers of the .netset files and de-duplicate (comm needs sorted input)
grep -v '^#' "$BLOCKLIST" | sort -u >"$BLOCKLIST_TMP" && mv "$BLOCKLIST_TMP" "$BLOCKLIST"
# Remove BOGON IPs: extract every entry matching the regex, then subtract those lines
grep -Po "$BOGON_REGEX" "$BLOCKLIST" | sort -u >"$BOGONS"
cat "$BOGONS"
comm -23 "$BLOCKLIST" "$BOGONS" >"$BLOCKLIST_TMP" && mv "$BLOCKLIST_TMP" "$BLOCKLIST"
Sorry if I missed something, but why not use nesting with exclusions?
https://docs.opnsense.org/manual/aliases.html?highlight=aliases#nesting
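As an added worked example (not code from this thread, from FireHOL or from OPNsense), the following Python script does offline what the bash script above does on a helper server and what an alias nesting exclusion does inside OPNsense: it parses a .netset, reports the subnet and unique-IP counts that the FireHOL page prints for each list, flags entries overlapping private and other unroutable ranges (the Level1 problem discussed in this thread), and carves chosen local subnets out of the list so the rest of a block stays blocked. The sample list, the bogon range selection and the local subnets 192.168.1.0/24 and 10.0.0.0/8 are constructed assumptions for illustration, not real FireHOL content.

```python
"""Audit a FireHOL-style .netset before loading it as an OPNsense URL Table alias.

Added example: parses the list, counts subnets and unique addresses, flags
entries that overlap private or otherwise unroutable ranges, and strips chosen
ranges the way an alias nesting exclusion would. Standard library only.
"""
import ipaddress

# Constructed excerpt in .netset format; NOT the real firehol_level1 content.
SAMPLE_NETSET = """\
#
# firehol_level1 (constructed excerpt, not the real list)
#
0.0.0.0/8
10.0.0.0/8          # trailing comments are tolerated
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
1.10.16.0/20
5.188.10.0/23
31.184.238.0/24
89.248.165.56
"""

# Ranges that should never be blocked by a LAN rule: RFC 1918, loopback,
# link-local, CGNAT, documentation, multicast, reserved, and the IPv6
# equivalents. This selection is the editor's assumption, not FireHOL's.
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_netset(text):
    """Return the networks in a .netset; '#' starts a comment, blank lines are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            # strict=False accepts entries with host bits set, e.g. "1.2.3.4/24"
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def unique_addresses(nets):
    """Count each address once, merging overlapping and adjacent blocks."""
    total = 0
    for version in (4, 6):  # collapse_addresses refuses mixed versions
        same = [n for n in nets if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


def find_bogons(nets):
    """Entries that overlap any range in BOGON_RANGES."""
    return [n for n in nets
            if any(n.overlaps(b) for b in BOGON_RANGES if b.version == n.version)]


def strip_ranges(nets, excludes):
    """Remove every address in `excludes` from `nets`, splitting blocks as needed.

    This is the pf-table effect of an OPNsense Network group alias that lists
    the blocklist alias plus the local subnets as exclusions.
    """
    excludes = [ipaddress.ip_network(str(ex)) for ex in excludes]
    result = []
    for net in nets:
        pieces = [net]
        for ex in excludes:
            if ex.version != net.version:
                continue
            kept = []
            for piece in pieces:
                if not piece.overlaps(ex):
                    kept.append(piece)
                elif ex.supernet_of(piece):
                    pass  # fully covered by the exclusion: drop it
                else:
                    kept.extend(piece.address_exclude(ex))  # carve the hole out
            pieces = kept
        result.extend(pieces)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def covers(nets, address):
    """True if any network in `nets` contains `address` (given as a string)."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in nets)


if __name__ == "__main__":
    nets = parse_netset(SAMPLE_NETSET)
    print(f"{len(nets)} subnets, {unique_addresses(nets)} unique IPs")
    for bogon in find_bogons(nets):
        print(f"bogon/private range in list: {bogon}")
    # Assumed local networks of this site; keep the list but punch holes for them.
    cleaned = strip_ranges(nets, ["192.168.1.0/24", "10.0.0.0/8"])
    print(f"after exclusions: {len(cleaned)} subnets, {unique_addresses(cleaned)} unique IPs")
    print("192.168.1.1 still blocked?", covers(cleaned, "192.168.1.1"))
```

Run it as-is for a report on the constructed sample, or feed `parse_netset` the text of a downloaded .netset to audit a real list before pointing an alias at it. An exclusion keeps the remainder of a block by splitting it into CIDR pieces, which is why a /16 with one /24 removed turns into eight entries; passing `BOGON_RANGES` as the exclusions reproduces what the bash script's regex pass does.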
Quote from: hushcoden on November 21, 2021, 05:54:07 PM
Quote from: Julien on November 20, 2021, 11:29:59 PM
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over it.
Neither Level 2 nor Level 3 contains bogons; it's Level 1
Are you suggesting using only Level 1?
I also see some class C networks in Level 1
Quote from: Julien on November 21, 2021, 08:32:20 PM
Are you suggesting using only Level 1?
I also see some class C networks in Level 1
All I'm saying is that bogon IP addresses are definitely in Level 1 - I don't see them in Level 2 & 3 (but I'll double-check again)
Quote from: hushcoden on November 22, 2021, 10:36:39 AM
Quote from: Julien on November 21, 2021, 08:32:20 PM
Are you suggesting using only Level 1?
I also see some class C networks in Level 1
All I'm saying is that bogon IP addresses are definitely in Level 1 - I don't see them in Level 2 & 3 (but I'll double-check again)
I remember having issues with Level 1 and 2. I am using only Level 3 now with DShield.
Are there also FireHOL IPv6 lists? Or how do you configure those?
Not yet, IMHO.
https://github.com/firehol/iprange/issues/14
This set blocked Twitch from working =(
Quote from: yeraycito on June 10, 2020, 12:53:35 AM
FireHOL Web Server List:
A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous) . (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)
Info: https://iplists.firehol.org/?ipset=firehol_webserver
Installation in Opnsense:
1 - Firewall-Aliases-New:
2 - Name: FireHOLserver
Type: URL Table (IPs)
Expiration Days: 1
Content: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
Description: FireHOLserver
3 - Save
4 - System-Settings-Cron-New:
Create a job with the command Update and reload firewall aliases
5 - Create firewall rules in Wan and Lan
Quote from: br0ken.pipe on November 01, 2021, 12:01:43 PM
Quote from: mimugmail on November 01, 2021, 10:26:33 AM
But the firewall sees the packet first in the LAN inbound direction
Thanks, that makes sense.
Here are the rules:
On LAN:
Action: Block
Interface: LAN
Direction: in
Protocol: any
Source: LAN net
Destination: My Firewall Alias
On WAN:
Action: Block
Interface: WAN
Direction: in
Protocol: any
Source: My Firewall Alias
Destination: any
Is it OK to make "floating rules" for multiple interfaces?
Something like this:
Action: Block
Interface: LAN1, LAN2, LAN3, VPN1, VPN2
Direction: in
Protocol: any
Source: any
Destination: My Firewall Alias, excluding LAN1, LAN2, LAN3, VPN1, VPN2
Direction in, interface LAN and destination LAN doesn't make sense; the source should be LAN