FireHOL Block List ( Botnets, Attacks, Malware....)

Started by yeraycito, June 08, 2020, 06:46:36 PM

July 26, 2020, 05:24:04 PM #30 Last Edit: July 26, 2020, 05:34:02 PM by hushcoden
I've the WAN rules (attached) which I reckon I don't have to change/amend and I have rules (the same) for LAN and LAN2 (also attached).

If I want to consolidate the LAN and LAN2 rules by creating just one set of rules in 'Floating', can I do so by selecting both LAN and LAN2 in 'Interface' and 'any' in Source?


New to opnsense, but I assume these FireHOL rules need to be moved to the top of the lists for both LAN and WAN?

Currently I have my GeoIP rules at the top, any concern there?

TIA

Quote from: guyp2k on August 01, 2020, 04:31:42 AM
New to opnsense, but I assume these FireHOL rules need to be moved to the top of the lists for both LAN and WAN?

Currently I have my GeoIP rules at the top, any concern there?

TIA


Effectively, that's right.

I've found out that I have an issue with the update of Spamhaus EDROP: I've set up two aliases (see picture) DROP and EDROP which are identical apart from the link (of course), and when I check the log (also attached) I can see that while DROP is updated once a day, EDROP is not and I can't figure out what I'm doing wrong for the life of me...

Tia.

Those lists don't seem to be updated every day. You can see it by accessing from the browser (modification dates - expiration dates):

-    https://www.spamhaus.org/drop/edrop.txt

       ; Spamhaus EDROP List 2020/08/04 - (c) 2020 The Spamhaus Project
       ; https://www.spamhaus.org/drop/edrop.txt
       ; Last-Modified: Sat, 04 Jul 2020 01:32:55 GMT
       ; Expires: Wed, 05 Aug 2020 02:00:44 GMT

-   https://www.spamhaus.org/drop/drop.txt

       ; Spamhaus DROP List 2020/08/04 - (c) 2020 The Spamhaus Project
       ; https://www.spamhaus.org/drop/drop.txt
       ; Last-Modified: Sat, 25 Jul 2020 08:39:55 GMT
       ; Expires: Tue, 04 Aug 2020 15:18:34 GMT

Indeed, they are not updated on a daily basis, BUT my issue is that my OPNsense seems to update the DROP list and seems to ignore the EDROP list. Why is that?

I have also been scratching my head over this. The System > General log shows that the DROP .txt file has been fetched, but not the EDROP file. If, on the other hand, I check under Diagnostics > pfTables, both DROP and EDROP are there, that is, the content of the two .txt files. Go figure.

miroco

Quote from: mimugmail on June 10, 2020, 02:01:21 PM
1) block is better since with reject the Firewall has to generate a packet (costs CPU cycles)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out ..


Why is it always IN? I thought you would put OUT here to block the outgoing LAN connections to these IPs!?


Quote from: mimugmail on November 01, 2021, 10:26:33 AM
But the Firewall sees the packet first in the LAN inbound direction

thanks, that makes sense.

Here are the rules:

On LAN:
Action: Block
Interface LAN
Direction: in
Protocol: any
Source LAN net
Destination: My Firewall Alias


On WAN:
Action: Block
Interface: WAN
Direction: in
Protocol: Any
Source: My Firewall Alias
Destination: Any


Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
If you use it you may run into problems.
I am using just level 3 and it has been working fine for a long time.
DEC4240 – OPNsense Owner

Quote
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
you can always use "Network group" alias type combining FireHOL list and subnet exclusions  ;)

Quote from: Julien on November 20, 2021, 11:29:59 PM
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
If you use it you may run into problems.
I am using just level 3 and it has been working fine for a long time.

Yes, lots of lists contain bogons. I combine all lists into one and remove all bogons afterwards. You can get all bogons (IPv4 and IPv6) with this regex:

BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"
# print every bogon entry found in the combined list (grep -o emits only the matching part)
grep -Po "$BOGON_REGEX" "$BLOCKLIST"
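The post above shows the "find the bogons" half of the workflow. As an added example that is not code from this thread, the script below carries the whole pipeline through: merge several FireHOL-style list files, strip comments and duplicates, then either list or remove the bogon entries. It uses its own simpler, line-anchored ERE (an assumption of this example, not the PCRE pattern from the post, and not exhaustive: it does not cover ranges such as 100.64.0.0/10 or 224.0.0.0/4), and the list files it creates are constructed sample data using private and documentation ranges, not real indicators.

```shell
#!/bin/sh
# Added example, not from the forum thread: combine FireHOL-style lists,
# clean them, and drop bogon entries before loading the result into an alias.

# Bogon pattern (assumption of this example, not the thread's regex):
# RFC 1918, loopback, link-local, "this" network, IPv6 loopback,
# IPv6 ULA (fc00::/7) and IPv6 link-local (fe80::/10). Anchored at line start,
# so the input must already be one entry per line with no leading whitespace.
BOGON_REGEX='^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.|::1|[fF][cCdD][0-9a-fA-F]{2}:|[fF][eE][89aAbB][0-9a-fA-F]:)'

# combine_lists FILE...: strip ';' and '#' comments, trim whitespace,
# drop empty lines, and de-duplicate across all the given files.
combine_lists() {
    cat "$@" \
        | sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# strip_bogons: read entries on stdin, emit only the non-bogon ones.
strip_bogons() {
    grep -Ev "$BOGON_REGEX"
}

# list_bogons: the complement of strip_bogons, handy for reviewing what
# a list would have blocked inside your own network before you deploy it.
list_bogons() {
    grep -E "$BOGON_REGEX"
}

# demo: build two constructed sample lists, merge them and show the result.
demo() {
    tmp=$(mktemp -d)
    # constructed sample list A (contains the 192.168.0.0/24 entry the thread warns about)
    cat > "$tmp/listA.netset" <<'EOF'
# constructed list A
192.168.0.0/24
203.0.113.0/24
198.51.100.7
EOF
    # constructed sample list B (overlaps with A and adds IPv6 entries)
    cat > "$tmp/listB.netset" <<'EOF'
# constructed list B
10.0.0.0/8
198.51.100.7   # duplicate of an entry in list A
2001:db8::/32
fd00::/8
EOF
    combine_lists "$tmp/listA.netset" "$tmp/listB.netset" > "$tmp/combined.txt"
    echo "== entries that would be removed as bogons =="
    list_bogons < "$tmp/combined.txt"
    echo "== cleaned list =="
    strip_bogons < "$tmp/combined.txt"
    rm -rf "$tmp"
}

demo
```

The cleaned output can be served from any HTTP location and pointed at by a URL-table alias, which is what the thread is doing with the raw lists; alternatively, as suggested earlier in the thread, a "Network group" alias can subtract your own subnets without preprocessing the file at all. ERE (`grep -E`) is used rather than `-P` so the script also runs on BSD and BusyBox grep builds that lack PCRE support.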