Floating Alias IP Blocklist Not Working

Started by spidysense, January 26, 2025, 04:21:16 PM

January 26, 2025, 04:21:16 PM Last Edit: January 26, 2025, 07:57:26 PM by spidysense
UPDATED THIS POST TO SHOW THE CORRECT ANSWER
OPNsense 24.7.12_2-amd64

Set up an alias: Firewall-> Alias
Named it: blocklist
** Type: Host(s)
Content: 34.107.243.93 (single IP example)

Created Firewall Floating Rule: Firewall-> Rules-> Floating
Action: Block
Apply the action immediately on match: checked
Interface: LAN & WAN
Direction: any
TCP/IP Version: IPv4
Protocol: any
Source: any
Destination: (alias) blocklist

PLACES TO CHECK

If not blocking, try: Firewall-> Diagnostics-> States-> Actions-> Reset state table

Firewall-> Diagnostics-> Aliases-> (alias name) blocklist
Should show the IP address to be blocked

** ALIAS TYPES

Host(s): This type allows you to define individual IP addresses or subnets (CIDR blocks).
Usage: It's useful when you want to create an alias that contains a list of specific IP addresses.
Example: 192.168.1.100, 10.0.0.0/24, 203.0.113.0/32.

URL (IPs): This type allows you to specify a URL that contains a list of IP addresses (the URL will return a plain list of IPs, typically in a text format).
Usage: It's useful for dynamically pulling a list of IP addresses from a URL (such as a publicly available threat intelligence feed).
Example: You could enter a URL that points to an IP blocklist file, and OPNsense will download and parse that list to use it in the alias.
Example URL: https://lists.blocklist.de/lists/all.txt

URL Table (IPs): This type allows you to define an alias based on a list of IP addresses that is fetched from a URL, similar to the URL (IPs) type. However, in this case, OPNsense treats the list as a "table" and will update the list periodically (according to the refresh interval you specify) and maintain it in memory for use in firewall rules.

If you want to block pinging that IP address, it would need to be the *destination* for your rule, not the source. With it as the source, you should be blocking ping *coming from* that address.

January 26, 2025, 06:36:24 PM #2 Last Edit: January 26, 2025, 06:50:11 PM by spidysense
So the Floating rule should be:

Source: Any
Destination: (alias) Blocklist

This would be any (source) network on my LAN blocking traffic to that IP address. I thought by selecting interface LAN/WAN would block this IP going in and out with any protocol.

I just want to make sure no traffic in or out is going to or coming from the IP in the alias. Is there more I need to add to this rule for that?

Source and destination in rules refer to the addresses (and, optionally, where applicable, ports) of the "connection". If a PC on your LAN is pinging a host on the internet, the destination is the host on the internet, regardless of which interface the traffic is being inspected at. If you want to block an IP address as either the source or the destination for connections, you would need two rules. Note that (by default) no traffic is allowed inbound from WAN interfaces unless you explicitly add rules to allow it.
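Added example, not from the thread or from OPNsense itself: a small Python model of the point made in the replies. A "quick" floating rule is checked against the connection's own source and destination, so a rule with Destination = blocklist catches LAN hosts connecting to the listed IP but not new connections started by that IP; a second rule with Source = blocklist is needed for that direction. The alias contents and the feed text are constructed, and the default verdict of "pass" is an assumption standing in for a later allow rule.

```python
import ipaddress

# Constructed alias content, shaped like the thread's Host(s) alias "blocklist".
BLOCKLIST = ["34.107.243.93", "10.0.0.0/24"]

FEED_TEXT = """# constructed sample feed, the plain-text shape a URL (IPs) alias fetches
34.107.243.93
10.0.0.0/24   # trailing comment

not-an-address
"""

def parse_ip_list(text):
    """One entry per line; blank lines, '#' comments and non-IP junk are dropped."""
    entries = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        entries.append(entry)
    return entries

def resolve_alias(entries):
    """Expand alias entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_alias(ip, networks):
    return any(ipaddress.ip_address(ip) in net for net in networks)

def rule_matches(rule, src, dst):
    """A rule is evaluated against the connection's own addresses; the interface
    the packet is seen on does not swap source and destination."""
    for field, addr in (("source", src), ("destination", dst)):
        want = rule[field]
        if want != "any" and not in_alias(addr, want):
            return False
    return True

def first_match(rules, src, dst):
    """Verdict for the first packet of a new connection; rules are 'quick', so the
    first hit decides. Default 'pass' is an assumption (a later allow rule)."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule["action"]
    return "pass"
```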