FireHOL Block List ( Botnets, Attacks, Malware....)

[hushcoden]

Level 2 contain 192.168.0.0/24 most VPN needs it to allow the tunnel oer.

Neither Level 2 nor level 3 contain bogons, it's Level 1

[hushcoden]

Yes, lot's of lists contain bogons. I combine all lists into one and remove all bogons afterwards. You can get all bogons (IPv4 and IPv6) with this regex:

Code: [Select]

BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"
cat "$BLOCKLIST" | grep -Po "$BOGON_REGEX"


Do you mind to explain how you do that ?

I do have an alias with all my lists, but no idea how/where to insert the Regex, thanks.

[br0ken.pipe]

Do you mind to explain how you do that ?

I do have an alias with all my lists, but no idea how/where to insert the Regex, thanks.

Unfortunately you can't insert the regex in opnsense. I use a bash script to merge several ipset lists on another server. in opnsense I only set the http address to the processed and clean list.

with this example you can remove the bogons from a larger list:

Code: [Select]

#!/bin/bash

BLOCKLIST="/tmp/ipsets.txt"
BLOCKLIST_TMP="/tmp/ipsets_tmp.txt"
BOGONS="/tmp/bogons.txt"

BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"


# Firehol
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset >"$BLOCKLIST"
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset >>"$BLOCKLIST"
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset >>"$BLOCKLIST"
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_1d.netset >>"$BLOCKLIST"

# Spamhaus
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset >>"$BLOCKLIST"
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_edrop.netset >>"$BLOCKLIST"

# ...


# Remove BOGON IPs
cat "$BLOCKLIST" | sort | uniq > "$BLOCKLIST_TMP" && mv "$BLOCKLIST_TMP" "$BLOCKLIST"
cat "$BLOCKLIST" | grep -Po "$BOGON_REGEX" | sort | uniq > "$BOGONS"
cat "$BOGONS"
comm -23 "$BLOCKLIST" "$BOGONS" > "$BLOCKLIST_TMP" && mv "$BLOCKLIST_TMP" "$BLOCKLIST"

[Fright]

sorry if i missed some but why not to use nesting with exclusions?
https://docs.opnsense.org/manual/aliases.html?highlight=aliases#nesting

[Julien]

Level 2 contain 192.168.0.0/24 most VPN needs it to allow the tunnel oer.

Neither Level 2 nor level 3 contain bogons, it's Level 1

Are you suggesting to use only level 1?
I also see some class C network on level 1

[hushcoden]

Are you suggesting to use only level 1?
I also see some class C network on level 1

All I'm saying is that bogon IP addresses are definitely in Level 1 - I don't see them in Level 2 & 3 (but I'll double-check again)

[Julien]

Are you suggesting to use only level 1?
I also see some class C network on level 1

All I'm saying is that bogon IP addresses are definitely in Level 1 - I don't see them in Level 2 & 3 (but I'll double-check again)

i remember me having  issues with Level 1 and 2. i am using only Level 3 now with Dshield

[RamSense]

Are there also filehol ipv6 lists? or how to configure those?

[Fright]

not yet imho
https://github.com/firehol/iprange/issues/14

[bbchucks]

This set blocked twitch from working =(

FireHol Web Server List:

A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous) . (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)

Info: https://iplists.firehol.org/?ipset=firehol_webserver

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOLserver
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
     Description: FireHOLserver

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan

[Perun]

But the Firewall see the packet first at LAN inbound direction

thanks, that makes sense.

Here are the rules:

On LAN:
Action: Block
Interface LAN
Direction: in
Protocol: any
Source LAN net
Destination: My Firewall Alias


On WAN:
Action: Block
Interface: WAN
Direction: in
Protocol: Any
Source: My Firewall Alias
Destination: Any

it is ok to make "floating rules" for multiple interfaces?
something like this:

Action: Block
Interface LAN1, LAN2, LAN3, VPN1, VPN2
Direction: in
Protocol: any
Source any
Destination: My Firewall Alias exclude LAN1, LAN2, LAN3, VPN1, VPN2

[mimugmail]

Direction in, interface LAN and destination LAN doesnt makes sense, source should be LAN