OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: gauthig on March 03, 2022, 05:00:21 pm

Title: External Block Lists - Firehol
Post by: gauthig on March 03, 2022, 05:00:21 pm
Besides IPS, having a quick and very current block list of current events like Firehol is great.   

But, I was testing a setup I did a long time ago and noticed the Networks in Firehol (1,2,3) do not seem to get applied in the ruleset.
   

For example, I take any of the single IPs in the current Firehol2 and see it is blocked while monitoring the rules for my label.

When I take an IP from a subnet in the list (x.x.x.x/24), it does not block it. It seems that anything with network notation is not loaded.

I tried both URL IP(s) and URL Table IP(s).

I turned on statistics and went into the alias table. I see the networks listed, i.e. x.x.x.x/24, but even though I curl, http, ping an IP in that network range, the counts do not increase. But any single IP in the list without a / mask works fine and the counters increase.
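
An offline cross-check for the test described in the post above, as an added example that is not part of the original thread: it parses a block list with one entry per line (single IPs and CIDR networks) and reports whether a test address is covered by a host entry or by a network entry. The sample list is constructed from documentation address ranges, `#` comment handling is an assumption about the list layout, and `parse_netset` / `explain_match` are hypothetical helper names.

```python
import ipaddress

# Constructed sample list (documentation ranges only), not real FireHOL data.
SAMPLE_NETSET = """\
# constructed sample
198.51.100.7
192.0.2.0/24
203.0.113.128/25
not-an-address
"""

def parse_netset(text):
    """Split list entries into single hosts, CIDR networks and unparsable lines."""
    hosts, networks, skipped = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            skipped.append(line)              # keep for review, do not guess
            continue
        if net.prefixlen == net.max_prefixlen:
            hosts.add(net.network_address)    # /32 or /128: a single IP
        else:
            networks.append(net)
    return hosts, networks, skipped

def explain_match(ip, hosts, networks):
    """Return ("host"|"network"|"none", matching entry) for a test address."""
    addr = ipaddress.ip_address(ip)
    if addr in hosts:
        return ("host", str(addr))
    covering = [n for n in networks if n.version == addr.version and addr in n]
    if covering:
        # Report the most specific network that contains the address.
        return ("network", str(max(covering, key=lambda n: n.prefixlen)))
    return ("none", None)

if __name__ == "__main__":
    hosts, networks, skipped = parse_netset(SAMPLE_NETSET)
    for test_ip in ("198.51.100.7", "192.0.2.77", "203.0.113.5"):
        print(test_ip, explain_match(test_ip, hosts, networks))
    print("skipped entries:", skipped)
```

An address reported as `network` here should also be matched by the firewall alias; if the alias counters stay flat for it, the discrepancy lies in how the list was loaded rather than in the choice of test address.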
Title: Re: External Block Lists - Firehol
Post by: abulafia on April 28, 2022, 06:53:41 pm
Can't recommend firehol - it often blocks GitHub addresses (false positives).