OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: yeraycito on June 08, 2020, 06:46:36 pm

Title: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 08, 2020, 06:46:36 pm
A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls.

Info:     https://iplists.firehol.org/

Example of characteristics:  Source File Date: Mon Jun  8 07:21:55 UTC 2020:      2575 subnets, 619564767 unique IPs

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOL
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
     Description: FireHOL

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on June 08, 2020, 07:55:59 pm
I always advise level3 since level1 also includes private networks which would break setups if you have DMZ or similar.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 08, 2020, 09:28:55 pm
5 - Create firewall rules in Wan and Lan

Do you mind providing a dumb-proof guide on this?
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 08, 2020, 11:14:22 pm
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on June 09, 2020, 07:25:00 am
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

No, Alias module will take care of it.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on June 09, 2020, 07:26:25 am
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and condition drop. On WAN the same rule but source is your Alias and destination ANY (to match port forward and connections to firewall itself)
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 09, 2020, 10:34:56 am
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

No, Alias module will take care of it.
Right, so it's yes: I said you don't need a cron job as Alias will do the update...
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 09, 2020, 10:39:45 am
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and condition drop. On WAN the same rule but source is your Alias and destination ANY (to match port forward and connections to firewall itself)
That's great thanks: there is no 'drop' in the drop-down menu, I can choose between 'block' or 'reject', which one is the best approach?

Also, as for the LAN rule, do I have to choose 'LAN' in the interface section only or for both interface and source ?
Tia.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 09, 2020, 03:30:24 pm
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

No, Alias module will take care of it.

I'm confused about this. Is that really how it works? For example: https://forum.opnsense.org/index.php?topic=15483.0
In this post they do say that you have to create a job. And if you don't have to create it, why does a command called "Update and reload aliases" exist in System - Settings - Cron?
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 09, 2020, 04:39:59 pm
FireHol Level2 List ( other than the one mentioned above: Level1 ):

An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow)

Info: https://iplists.firehol.org/?ipset=firehol_level2

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOL2
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset
     Description: FireHOL2

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on June 09, 2020, 04:54:15 pm
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

No, Alias module will take care of it.

I'm confused about this. Is that really how it works? For example: https://forum.opnsense.org/index.php?topic=15483.0
In this post they do say that you have to create a job. And if you don't have to create it to exist in System - Settings - Cron a call section Update and reload aliases?

To me it sounds like that guy wants to refresh the alias for some other reason; if you want to use a URL table, no cron is required.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 09, 2020, 05:04:33 pm
FireHol Level3 List ( other than the one mentioned above: Level1, Level2 ):

An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter zeus vxvault)

Info: https://iplists.firehol.org/?ipset=firehol_level3

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOL3
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level3.netset
     Description: FireHOL3

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 09, 2020, 05:33:29 pm
thanks @yeraycito, that's very handy...

Are the IPs in the level2 and level3 lists already included in the Level1 list ?
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 09, 2020, 05:36:30 pm
thanks @yeraycito, that's very handy...

Are the IPs in the level2 and level3 lists already included in the Level1 list ?

They seem to include some common components but not all.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 09, 2020, 05:37:35 pm
More information and many more lists ( use carefully ) here:

https://github.com/firehol/blocklist-ipsets
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 09, 2020, 05:53:12 pm
And apparently there is also a FireHOL Level4 here: https://iplists.firehol.org/?ipset=firehol_level4

And the list is here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level4.netset
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 10, 2020, 12:50:07 am
And apparently there is also a FireHOL Level4 here: https://iplists.firehol.org/?ipset=firehol_level4

And the list is here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level4.netset

The list is very good but they warn that it has a good amount of false positives. You have to be careful.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 10, 2020, 12:53:35 am
FireHol Web Server List:

A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous) . (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)

Info: https://iplists.firehol.org/?ipset=firehol_webserver

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOLserver
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
     Description: FireHOLserver

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: lattera on June 10, 2020, 01:19:41 am
Completely random thought: checking the list against existing ET Open rules, pruning duplicates.

Another thought: integration with Suricata to not only block on those IPs, but also alert.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on June 10, 2020, 03:25:28 am
Completely random thought: checking the list against existing ET Open rules, pruning duplicates.

Another thought: integration with Suricata to not only block on those IPs, but also alert.

These are IPs to block with the input-output firewall. Suricata blocks behavior.

Example: https://docs.opnsense.org/manual/how-tos/edrop.html
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 10, 2020, 01:44:28 pm
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and condition drop. On WAN the same rule but source is your Alias and destination ANY (to match port forward and connections to firewall itself)
That's great thanks: there is no 'drop' in the drop-down menu, I can choose between 'block' or 'reject', which one is the best approach?

Also, as for the LAN rule, do I have to choose 'LAN' in the interface section only or for both interface and source ?
Tia.

Can someone please clarify the following points:

1) Better to use 'block' or 'reject' ? - 'drop' is not an option

2) As I said in my previous post, for the LAN rule, do I have to choose 'LAN' (actually it's called LAN net) in the interface section only or for both interface and source ?

3) As for 'direction', is it IN or OUT ?

I've still a lot to learn and any advice is much appreciated !
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on June 10, 2020, 02:01:21 pm
1) block is better since with reject the Firewall has to generate a packet (costs CPU cycles)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out ..
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 28, 2020, 11:59:55 am
Could someone point me to where - a log file? - I can check if those alias lists are actually updated ?

Tia.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on June 28, 2020, 02:26:20 pm
system.log or configd.log
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on June 28, 2020, 02:55:21 pm
Many thanks, found it in System --> Log Files --> General

I've attached a screenshot: does fetch mean it's been updated ?
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on June 28, 2020, 04:05:19 pm
Yep  8)
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on July 01, 2020, 06:53:43 pm
Many thanks, found it in System --> Log Files --> General

I've attached a screenshot: does fetch mean it's been updated ?

They're up to date. Look at the number of lines between updates:

/updates_tables.py..........www.spamhaus.org.......lines:791

When you update, the number of lines changes.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on July 26, 2020, 03:14:54 pm
1) block is better since with reject the Firewall has to generate a packet (costs CPU cycles)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out ..
I have another question: if I use float rules, I can select both my two LAN interfaces rather than duplicate rules from LAN to LAN2  :o but in 'Source' I can't select both 'LAN net' and 'LAN2 net', only one, so should I select 'any' or 'This Firewall' ?

Thanks.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on July 26, 2020, 04:01:43 pm
2 rules source any, destination firehol and vice versa. No Interface selected
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on July 26, 2020, 04:56:36 pm
2 rules source any, destination firehol and vice versa. No Interface selected

Do you mean I delete the rules in 'LAN' and 'LAN2' and I consolidate them into 1 in 'Floating' but without selecting the two LAN interfaces ?? Sorry, I'm confused  :o Can you be more specific ?  :-\
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on July 26, 2020, 05:24:04 pm
I've the WAN rules (attached) which I reckon I don't have to change/amend and I have rules (the same) for LAN and LAN2 (also attached).

If I want to consolidate the LAN and LAN2 rules by creating just one set of rules in 'Floating', can I do so by selecting in 'Interface' both LAN and LAN2 and in Source 'any' ?
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on July 26, 2020, 05:50:18 pm
Screenshots look good
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: guyp2k on August 01, 2020, 04:31:42 am
New to opnsense, but I assume these FireHOL rules need to be moved to the top of the lists for both LAN and WAN?

Currently I have my GeoIP rules at the top, any concern there?

TIA
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on August 01, 2020, 12:48:46 pm
New to opnsense, but I assume these FireHOL rules need to be moved to the top of the lists for both LAN and WAN?

Currently I have my GeoIP rules at the top, any concern there?

TIA


Effectively, that's right.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on August 04, 2020, 12:02:39 pm
I've found out that I have an issue with the update of Spamhaus EDROP: I've set up two aliases (see picture) DROP and EDROP which are identical apart from the link (of course), and when I check the log (also attached) I can see that while DROP is updated once a day, EDROP is not and I can't figure out what I'm doing wrong for the life of me...

Tia.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: yeraycito on August 04, 2020, 05:00:01 pm
Those lists don't seem to be updated every day. You can see it by accessing from the browser (modification dates - expiration dates):

 -    https://www.spamhaus.org/drop/edrop.txt

       ; Spamhaus EDROP List 2020/08/04 - (c) 2020 The Spamhaus Project
       ; https://www.spamhaus.org/drop/edrop.txt
       ; Last-Modified: Sat, 04 Jul 2020 01:32:55 GMT
       ; Expires: Wed, 05 Aug 2020 02:00:44 GMT

 -   https://www.spamhaus.org/drop/drop.txt

       ; Spamhaus DROP List 2020/08/04 - (c) 2020 The Spamhaus Project
       ; https://www.spamhaus.org/drop/drop.txt
       ; Last-Modified: Sat, 25 Jul 2020 08:39:55 GMT
       ; Expires: Tue, 04 Aug 2020 15:18:34 GMT
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on August 04, 2020, 05:25:17 pm
Indeed, they are not updated on a daily basis, BUT my issue is that my OPNsense seems to update the DROP list and seems to ignore the EDROP list, why is that ??
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: miroco on August 05, 2020, 12:28:11 am
I have also been scratching my head over this. The system - general log show that DROP .txt file has been fetched, but not the EDROP file. If I on the other hand check under diagnostics and pfTables, both DROP/EDROP are there. The content of the two .txt files that is. Go figure.

miroco
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: br0ken.pipe on November 01, 2021, 10:17:13 am
1) block is better since with reject the Firewall has to generate a packet (costs CPU cycles)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out ..


Why is it always IN? I thought you would put OUT here to block the outgoing LAN connections to these IPs!?
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on November 01, 2021, 10:26:33 am
But the Firewall see the packet first at LAN inbound direction
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: br0ken.pipe on November 01, 2021, 12:01:43 pm
But the Firewall see the packet first at LAN inbound direction

thanks, that makes sense.

Here are the rules:

On LAN:
Action: Block
Interface LAN
Direction: in
Protocol: any
Source LAN net
Destination: My Firewall Alias


On WAN:
Action: Block
Interface: WAN
Direction: in
Protocol: Any
Source: My Firewall Alias
Destination: Any
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: mimugmail on November 01, 2021, 12:20:43 pm
Perfect
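The two rules from the post above, written out as plain pf(4) syntax so the direction logic is visible. This is an added example, not OPNsense's generated ruleset: the interface names and the table file path under /var/db/aliastables are assumptions; the table name is the alias name.

```pf
# Assumed interface names; substitute your own.
wan = "em0"
lan = "em1"

# A URL Table alias becomes a pf table with the alias name; the on-disk
# file is loaded from the path the alias module writes to (assumed here).
table <FireHOL> persist file "/var/db/aliastables/FireHOL.txt"

# WAN: listed sources can reach neither port forwards nor the firewall
# itself. "block" is a silent drop; "reject" would make pf send a RST or
# ICMP unreachable back for every packet.
block in quick log on $wan inet from <FireHOL> to any

# LAN: a client's packet to a listed destination is first seen by pf as
# INBOUND on the LAN interface, so that is where it has to be blocked.
block in quick log on $lan inet from $lan:network to <FireHOL>

# What "direction out" on LAN would mean: packets leaving the LAN
# interface towards internal hosts. The client's first packet never
# passes that hook (it goes in on LAN and out on WAN), so the rule below
# would not stop the connection being set up.
# block out quick on $lan inet from <FireHOL> to $lan:network
```

To confirm the table behind the alias is populated, `pfctl -t FireHOL -T show | wc -l` prints the number of loaded entries and `pfctl -t FireHOL -T test 203.0.113.7` reports whether a given address matches; both are standard pfctl(8) table commands.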
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: Julien on November 20, 2021, 11:29:59 pm
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
If you use it you may run into problems.
I am using just level 3 and it has been working fine for a long time.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: Fright on November 21, 2021, 06:43:21 am
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
you can always use "Network group" alias type combining FireHOL list and subnet exclusions  ;)
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: br0ken.pipe on November 21, 2021, 11:27:50 am
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
If you use it you may run into problems.
I am using just level 3 and it has been working fine for a long time.

Yes, lots of lists contain bogons. I combine all lists into one and remove all bogons afterwards. You can get all bogons (IPv4 and IPv6) with this regex:

Code:
BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"
cat "$BLOCKLIST" | grep -Po "$BOGON_REGEX"
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on November 21, 2021, 05:54:07 pm
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
Neither Level 2 nor level 3 contain bogons, it's Level 1
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on November 21, 2021, 05:57:31 pm
Yes, lot's of lists contain bogons. I combine all lists into one and remove all bogons afterwards. You can get all bogons (IPv4 and IPv6) with this regex:

Code:
BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"
cat "$BLOCKLIST" | grep -Po "$BOGON_REGEX"

Do you mind to explain how you do that ?

I do have an alias with all my lists, but no idea how/where to insert the Regex, thanks.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: br0ken.pipe on November 21, 2021, 07:35:50 pm

Do you mind to explain how you do that ?

I do have an alias with all my lists, but no idea how/where to insert the Regex, thanks.


Unfortunately you can't insert the regex in OPNsense. I use a bash script to merge several ipset lists on another server. In OPNsense I only set the HTTP address to the processed and clean list.

with this example you can remove the bogons from a larger list:

Code:
#!/bin/bash
# Merge several FireHOL ipsets into one list and strip bogon entries.
# Runs on a separate host; publish the result over HTTP(S) and point the
# OPNsense URL Table alias at it.
set -euo pipefail
export LC_ALL=C   # comm(1) needs both inputs sorted under the same collation

BLOCKLIST="/tmp/ipsets.txt"
BLOCKLIST_TMP="/tmp/ipsets_tmp.txt"
BOGONS="/tmp/bogons.txt"

# Matches lines that are exactly a loopback, RFC 1918, 0.0.0.0/8, link-local,
# ::1, fc00::/7 or fe80::/10 address, with an optional prefix length.
# It does not cover e.g. 100.64.0.0/10 (CGNAT), and it only removes whole
# lines: a wider prefix that merely overlaps private space stays in the list.
BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"

fetch() {
    # -f: fail on HTTP errors instead of writing an error page into the list.
    # TLS verification stays on (no -k): a tampered feed could add or remove
    # addresses, and this file ends up as a block rule on the firewall.
    curl -fsSL "$1"
}

# Firehol
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset >"$BLOCKLIST"
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset >>"$BLOCKLIST"
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset >>"$BLOCKLIST"
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_1d.netset >>"$BLOCKLIST"

# Spamhaus
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset >>"$BLOCKLIST"
fetch https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_edrop.netset >>"$BLOCKLIST"

# ...


# Remove BOGON IPs
# Drop the netset comment headers and duplicates first; comm(1) needs sorted input.
grep -v '^#' "$BLOCKLIST" | sort -u > "$BLOCKLIST_TMP" && mv "$BLOCKLIST_TMP" "$BLOCKLIST"
# grep exits 1 when nothing matches, which must not abort the script under set -e.
grep -Po "$BOGON_REGEX" "$BLOCKLIST" | sort -u > "$BOGONS" || true
cat "$BOGONS"
comm -23 "$BLOCKLIST" "$BOGONS" > "$BLOCKLIST_TMP" && mv "$BLOCKLIST_TMP" "$BLOCKLIST"
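An added example, not from the post above or from the FireHOL project, that does the same merge-and-strip with Python's standard ipaddress module instead of a line-matching regex. It also reproduces the "N subnets, M unique IPs" figures from the list header quoted at the top of the thread, and the check for private networks in a list that mimugmail warned about. The netset excerpt is constructed for this example, BOGON_NETS is my own choice of ranges, and it assumes Python 3.7 or newer.

```python
"""Parse FireHOL-style .netset files, summarise them and strip bogon space."""
import ipaddress

# Constructed excerpt in the netset format (comments, one address or CIDR per
# line). Not real feed content; the private and reserved ranges are in here on
# purpose to show what a level1-style list does behind a DMZ or VPN.
SAMPLE_NETSET = """\
#
# firehol_level1 (constructed excerpt for this example)
# Source File Date: Mon Jun  8 07:21:55 UTC 2020
#
0.0.0.0/8
10.0.0.0/8
1.10.16.0/20
5.188.10.0/23
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
185.53.88.0/22
203.0.113.7
224.0.0.0/3
100.0.0.0/9
"""

# Space that must never land in a block table on a firewall with internal
# subnets behind it: RFC 1918, loopback, link-local, CGNAT, 0/8, multicast and
# the IPv6 equivalents. A chosen set for this example; extend to taste.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_netset(text):
    """Return the entries of a netset as ip_network objects.

    Comment and blank lines are skipped; a bare address becomes a /32 or /128.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def summarize(nets):
    """Return (entries, unique_ips), the two figures FireHOL prints in the header.

    Duplicate and overlapping entries are collapsed before addresses are counted.
    """
    unique = 0
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        unique += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return len(nets), unique


def bogon_hits(nets, bogons=BOGON_NETS):
    """Pre-deployment check: every (entry, bogon) pair that overlaps."""
    return [(n, b) for n in nets for b in bogons
            if n.version == b.version and n.overlaps(b)]


def strip_bogons(nets, bogons=BOGON_NETS):
    """Remove bogon space from the list.

    Unlike matching whole lines with a regex this also handles an entry that
    merely contains a bogon: the bogon part is carved out and the rest kept.
    """
    kept = []
    for net in nets:
        pieces = [net]
        for bogon in bogons:
            if bogon.version != net.version:
                continue
            survivors = []
            for piece in pieces:
                if piece.subnet_of(bogon):
                    continue                                        # entirely bogon
                if bogon.subnet_of(piece):
                    survivors.extend(piece.address_exclude(bogon))  # carve it out
                else:
                    survivors.append(piece)                         # disjoint
            pieces = survivors
        kept.extend(pieces)
    # Deduplicate and sort; the key avoids comparing v4 with v6 networks.
    return sorted(set(kept), key=lambda n: (n.version, n))


def render_netset(nets):
    """Serialise back to one CIDR per line, ready for a URL Table alias."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    entries = parse_netset(SAMPLE_NETSET)
    count, ips = summarize(entries)
    print(f"{count} entries, {ips} unique IPs")
    for entry, bogon in bogon_hits(entries):
        print(f"WARNING: {entry} overlaps {bogon}")
    print(render_netset(strip_bogons(entries)), end="")
```

Run `bogon_hits` against a candidate list before you point an alias at it; if it returns anything, either use the stripped output from `strip_bogons` as the feed, or keep the raw feed and put the exclusions in a nested OPNsense alias as suggested later in the thread.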
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: Fright on November 21, 2021, 08:30:26 pm
sorry if i missed some but why not to use nesting with exclusions?
https://docs.opnsense.org/manual/aliases.html?highlight=aliases#nesting
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: Julien on November 21, 2021, 08:32:20 pm
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
Neither Level 2 nor level 3 contain bogons, it's Level 1

Are you suggesting to use only level 1?
I also see some class C network on level 1
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: hushcoden on November 22, 2021, 10:36:39 am
Are you suggesting to use only level 1?
I also see some class C network on level 1
All I'm saying is that bogon IP addresses are definitely in Level 1 - I don't see them in Level 2 & 3 (but I'll double-check again)
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: Julien on November 22, 2021, 11:43:24 am
Are you suggesting to use only level 1?
I also see some class C network on level 1
All I'm saying is that bogon IP addresses are definitely in Level 1 - I don't see them in Level 2 & 3 (but I'll double-check again)
I remember having issues with Level 1 and 2. I am using only Level 3 now with DShield.
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: RamSense on December 03, 2021, 09:03:10 am
Are there also FireHOL IPv6 lists? Or how to configure those?
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: Fright on December 03, 2021, 09:25:00 am
not yet imho
https://github.com/firehol/iprange/issues/14
Title: Re: FireHOL Block List ( Botnets, Attacks, Malware....)
Post by: bbchucks on February 09, 2023, 05:20:58 pm
This set blocked Twitch from working =(

FireHol Web Server List:

A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous) . (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)

Info: https://iplists.firehol.org/?ipset=firehol_webserver

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOLserver
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
     Description: FireHOLserver

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan