The following page describes how to configure the Spamhaus blocklist:
https://docs.opnsense.org/manual/how-tos/edrop.html
The blocklist is applied to both the WAN and the LAN interface.
What is the advantage of using the blocklist on the WAN interface?
I would have expected that this isn't necessary since the WAN interface denies everything by default (default deny rule).
But when you add a port forward everything is accepted for it, so you deny the bad guys before