Besides IPS, having a quick and very current block list of current events like Firehol is great.
But, I was testing a setup I did a long time ago and noticed the Networks in Firehol (1,2,3) do not seem to get applied in the ruleset.
For example, I take any of the single IPs in the current Firehol2 and see it is blocked while monitoring the rules for my label.
When I take an IP from a subnet in the list (x.x.x.x/24), it does not block it. It seems that anything with network notation is not loaded.
I tried both URL IP(s) and URL Table IP(s).
I turned on statistics and went into the alias table. I see the networks listed, i.e. x.x.x.x/24, but even though I curl, http, ping an IP in that network range, the counts do not increase. But any single IP in the list without a / mask works fine and the counters increase.
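A way to confirm that a test address is covered only by a network entry in the list, and not also by a single-IP entry, before drawing conclusions from the counters (an added example, not part of the original post). The sample list is constructed, the function names are hypothetical, and the list is assumed to hold one address or CIDR per line with `#` comments.

```python
import ipaddress

# Constructed sample in the assumed list layout; addresses come from
# documentation ranges and are not real Firehol entries.
SAMPLE_NETSET = """\
# constructed sample list
192.0.2.15
198.51.100.0/24
203.0.113.64/26
203.0.113.70
"""

def parse_netset(text):
    """Return (hosts, networks) parsed from list text."""
    hosts, networks = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.prefixlen == net.max_prefixlen:
            hosts.add(net.network_address)   # single-IP entry
        else:
            networks.append(net)             # entry with a / mask
    return hosts, networks

def classify(ip, hosts, networks):
    """Report how a test address is covered by the list.

    'host'    -> listed as a single IP (possibly also inside a network)
    'network' -> covered only by a CIDR entry, the case being tested
    'none'    -> not on the list at all
    """
    addr = ipaddress.ip_address(ip)
    if addr in hosts:
        return "host", None
    matches = [n for n in networks if addr in n]
    if matches:
        # Report the most specific covering network.
        return "network", max(matches, key=lambda n: n.prefixlen)
    return "none", None

def network_only_candidate(net, hosts):
    """Pick an address in net that is not also listed as a single IP."""
    for addr in net.hosts():
        if addr not in hosts:
            return addr
    return None
```

An address that `classify` reports as `network` exercises only the CIDR handling of the alias, so a counter that stays at zero for it cannot be explained by a separate single-IP entry.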
Can't recommend Firehol - it often blocks GitHub addresses (false positives).