General Discussion / Unbound BlockList vs Firewall Alias+Rule
« on: March 03, 2021, 07:00:40 am »
Recent migrant from pfSense. I was using pfBlockerNG-devel on pfSense.
Since I have been using OPNsense (2 days now) -- I see a lot more ads being loaded on various websites. So I was searching the web and these forums on how to set up alternatives to pfBlockerNG since no plugin is available on OPNsense. I found a bunch of different ways -- AdGuard Home, Unbound DNSBL, a separate Pi-hole server and https://docs.opnsense.org/manual/how-tos/edrop.html
Unbound DNSBL seems simple enough where you add a block list under Services-->Unbound-->Blocklist and click Apply.
But the link for Spamhaus gave me reason to look at the Firewall Aliases and I found that you can create many different types of aliases in OPNsense (not sure if this was possible in pfSense too -- if it was, it wasn't as obvious).
If I create an alias of type URL Table (IP), it also asks for a Refresh Frequency which I assume creates a cron job to auto renew the lists. I also assume that I can create N number of aliases for all the different block lists that I want and simply add a firewall rule to block access to any URL in those aliases.
So the question is:
- Which of the methods is better?
The firewall alias + rules seem to create the auto-renewal of the lists, but you would need an alias and a rule.
- Am I missing other advantages/disadvantages of either method?
- I also noted that Firewall-->Aliases allows creating Aliases based on GeoIP -- Would these aliases + the appropriate rules be similar to the pfBlockerNG Geo IP blocking?