FireHOL Block List (Botnets, Attacks, Malware...)

Started by yeraycito, June 08, 2020, 06:46:36 PM

A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls.

Info:     https://iplists.firehol.org/

Example of characteristics:  Source File Date: Mon Jun  8 07:21:55 UTC 2020:      2575 subnets, 619564767 unique IPs

Installation in OPNsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOL
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
     Description: FireHOL

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan

I always advise level3 since level1 also includes private networks which would break setups if you have DMZ or similar.

Quote from: yeraycito on June 08, 2020, 06:46:36 PM
5 - Create firewall rules in Wan and Lan

Do you mind providing a dumb-proof guide on this?

Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

No, Alias module will take care of it.

Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and condition drop. On WAN the same rule but source is your alias and destination ANY (to match port forwards and connections to the firewall itself).

Quote from: mimugmail on June 09, 2020, 07:25:00 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

No, Alias module will take care of it.
Right, so it's yes: I said you don't need a cron job as Alias will do the update...

June 09, 2020, 10:39:45 AM #7 Last Edit: June 09, 2020, 10:48:14 AM by hushcoden
Quote from: mimugmail on June 09, 2020, 07:26:25 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and condition drop. On WAN the same rule but source is your alias and destination ANY (to match port forwards and connections to the firewall itself).
That's great, thanks: there is no 'drop' in the drop-down menu, I can choose between 'block' or 'reject', which one is the best approach?

Also, as for the LAN rule, do I have to choose 'LAN' in the interface section only or for both interface and source?
Tia.

Quote from: mimugmail on June 09, 2020, 07:25:00 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

No, Alias module will take care of it.

I'm confused about this. Is that really how it works? For example: https://forum.opnsense.org/index.php?topic=15483.0
In this post they do say that you have to create a job. And if you don't have to create it to exist in System - Settings - Cron a call section Update and reload aliases?

June 09, 2020, 04:39:59 PM #9 Last Edit: June 09, 2020, 05:05:13 PM by yeraycito
FireHol Level2 List ( other than the one mentioned above: Level1 ):

An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow)

Info: https://iplists.firehol.org/?ipset=firehol_level2

Installation in OPNsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOL2
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset
     Description: FireHOL2

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan

Quote from: yeraycito on June 09, 2020, 03:30:24 PM
Quote from: mimugmail on June 09, 2020, 07:25:00 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

No, Alias module will take care of it.

I'm confused about this. Is that really how it works? For example: https://forum.opnsense.org/index.php?topic=15483.0
In this post they do say that you have to create a job. And if you don't have to create it to exist in System - Settings - Cron a call section Update and reload aliases?

To me it sounds like the guy wants to refresh the alias for another reason; if you want to use a URL table there's no cron required.

FireHol Level3 List ( other than the one mentioned above: Level1, Level2 ):

An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs that have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter zeus vxvault)

Info: https://iplists.firehol.org/?ipset=firehol_level3

Installation in OPNsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOL3
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level3.netset
     Description: FireHOL3

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan

thanks @yeraycito, that's very handy...

Are the IPs in the level2 and level3 lists already included in the Level1 list ?

Quote from: hushcoden on June 09, 2020, 05:33:29 PM
thanks @yeraycito, that's very handy...

Are the IPs in the level2 and level3 lists already included in the Level1 list ?

They seem to include some common components but not all.
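
Added example, not part of the original thread: a Python check for two points raised above, whether a list contains private ranges that would break a LAN or DMZ setup, and how much of one list is already covered by another. The sample lists are constructed for illustration and are not real FireHOL content; the function names and the `INTERNAL` range set are assumptions of this example.

```python
import ipaddress

# Private, loopback and link-local ranges; this set is chosen for the example.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample data in .netset layout, NOT real FireHOL list content.
LEVEL1_SAMPLE = """# constructed sample
10.0.0.0/8
192.168.0.0/16
198.51.100.0/24
203.0.113.0/25
"""
LEVEL3_SAMPLE = """# constructed sample
198.51.100.7
203.0.113.200
192.0.2.10
192.0.2.11
"""

def parse_netset(text):
    """Parse .netset text: one IPv4 address or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def internal_overlaps(nets):
    """Entries that overlap internal space and would block LAN/DMZ traffic."""
    return [n for n in nets if any(n.overlaps(i) for i in INTERNAL)]

def covered_fraction(candidate, reference):
    """Fraction of the addresses in candidate that reference already contains."""
    cand = list(ipaddress.collapse_addresses(candidate))
    ref = list(ipaddress.collapse_addresses(reference))
    total = sum(n.num_addresses for n in cand)
    # After collapsing, two overlapping CIDR blocks always nest, so the
    # shared part is simply the smaller block.
    shared = sum(min(c.num_addresses, r.num_addresses)
                 for c in cand for r in ref if c.overlaps(r))
    return shared / total if total else 0.0

if __name__ == "__main__":
    l1, l3 = parse_netset(LEVEL1_SAMPLE), parse_netset(LEVEL3_SAMPLE)
    print("internal entries in sample level1:", [str(n) for n in internal_overlaps(l1)])
    print("share of sample level3 inside level1:", covered_fraction(l3, l1))
```

To check a real list, pass the text of the downloaded `.netset` file to `parse_netset` before pointing an alias at it.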