Topic: Unbound BlockList vs Firewall Alias+Rule (Read 2749 times)
Inxsible (Full Member, Posts: 143, Karma: 6)
Unbound BlockList vs Firewall Alias+Rule
« on: March 03, 2021, 07:00:40 am »
Recent migrant from pfSense. I was using pfBlockerNG-devel on pfSense.
Since I have been using OPNsense (2 days now) -- I see a lot more ads being loaded on various websites. So I was searching the web and these forums on how to set up alternatives to pfBlockerNG since no plugin is available on OPNsense. I found a bunch of different ways -- Adguard Home, Unbound DNSBL, a separate PiHole server and https://docs.opnsense.org/manual/how-tos/edrop.html
Unbound DNSBL seems simple enough where you add a block list under Services-->Unbound-->Blocklist and click Apply.
But the link for the Spamhaus gave me reason to look at the Firewall Aliases and I found that you can create many different types of aliases in OPNsense (not sure if this was possible in pfSense too -- if it was, it wasn't as obvious).
If I create an alias of type URL Table(IP), it also asks for a Refresh Frequency which I assume creates a cron job to auto renew the lists. I also assume that I can create N number of aliases for all the different block lists that I want and simply add a firewall rule to block access to any URL in those aliases.
So the question is:
Which of the methods is better?
From first glance it seems, Unbound blocklist is easier -- but then you would have to separately create cron jobs for each list to be updated.
The firewall alias + rules seem to create the auto-renewal of the lists, but you would need an alias and a rule.
Am I missing other advantages/disadvantages of either method?
I also noted that Firewall-->Aliases allows creating Aliases based on GeoIP -- Would these aliases + the appropriate rules be similar to the pfBlockerNG Geo IP blocking?
Thanks,
« Last Edit: March 03, 2021, 07:07:47 am by Inxsible »
hushcoden (Hero Member, Posts: 543, Karma: 23)
Re: Unbound BlockList vs Firewall Alias+Rule
« Reply #1 on: March 03, 2021, 08:49:58 pm »
I use both, and they complement each other pretty well.
I have 7 Aliases for 'dangerous' IPs + firewall rules as well as using the blacklist feature of Unbound: they are not too many, but you can add additional URLs when you select advanced mode.
Inxsible (Full Member, Posts: 143, Karma: 6)
Re: Unbound BlockList vs Firewall Alias+Rule
« Reply #2 on: March 03, 2021, 09:28:00 pm »
Thanks.
Yeah, I selected all the DNSBL lists under Unbound except the WindowsSpyBlocker ones and it still loads a few ads on certain websites. It also unfortunately blocked access to NordVPN which is my VPN provider, so I had to whitelist nordvpn.com.
So trying to make the DNSBL more restrictive is what led me to research and I found the Firewall alias creation option for URL Table(IPs). So I guess there are multiple ways to skin the cat.
Another thing I noticed is if I add Blocklist URLs and click Apply, it has no effect on the ads -- maybe it's a combination of cached page or what.. but I also tried a new profile in Chromium and Firefox. However when I did a
Code:
pluginctl -s unbound restart && pluginctl -s dhcpd restart
in the opnsense-shell, I could immediately see the difference in the ads that were loaded or not loaded depending on whether I had removed or added new URLs in Blocklist.
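The split between the two methods discussed in this thread, as an added example that is not part of any post or of OPNsense's own code: name entries belong in a DNS blocklist such as Unbound's, while IP and CIDR entries belong in a URL Table (IPs) alias used by a firewall rule. The sample feed, the helper names `split_feed`, `apply_whitelist` and `blocking_layer`, and the suffix-match whitelist are assumptions made for illustration.

```python
import ipaddress

# Constructed sample feed (documentation addresses and example names only).
SAMPLE_FEED = """\
# constructed sample, not a real feed
0.0.0.0 ads.example.com
tracker.example.net
192.0.2.0/25 ; SBL0000
192.0.2.128/25
198.51.100.7
api.vpn-provider.example
"""

def split_feed(text):
    """Split a feed into (domain names, collapsed IP networks)."""
    domains, networks = set(), []
    for raw in text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()
        if not line:
            continue
        fields = line.split()
        # hosts format: "0.0.0.0 name" -> the name is the blocked entry
        if len(fields) == 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            domains.add(fields[1].lower().rstrip("."))
            continue
        try:
            networks.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:  # not an IP or CIDR, so treat it as a name
            domains.add(fields[0].lower().rstrip("."))
    collapsed = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        same = [n for n in networks if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return domains, collapsed

def apply_whitelist(domains, whitelist):
    """Drop names equal to or below a whitelisted domain (assumed suffix match)."""
    def allowed(name):
        return any(name == w or name.endswith("." + w) for w in whitelist)
    return {d for d in domains if not allowed(d)}

def blocking_layer(domains, networks, name=None, ip=None):
    """Return 'dns', 'firewall' or None for one connection attempt."""
    if name is not None and name.lower().rstrip(".") in domains:
        return "dns"  # resolver refuses the name; exact match only here
    if ip is not None and any(ipaddress.ip_address(ip) in n for n in networks):
        return "firewall"  # destination is inside an alias network
    return None
```

A connection made straight to an address never touches the resolver, so only the alias rule can stop it, and a name whose address is on no IP list is stopped only by the DNS blocklist.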