FireHOL Block List ( Botnets, Attacks, Malware....)

[hushcoden]

And apparently there is also a FireHOL Level4 here: https://iplists.firehol.org/?ipset=firehol_level4

And the list is here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level4.netset

[yeraycito]

And apparently there is also a FireHOL Level4 here: https://iplists.firehol.org/?ipset=firehol_level4

And the list is here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level4.netset

The list is very good but they warn that it has a good amount of false positives. You have to be careful.

[yeraycito]

FireHol Web Server List:

A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous) . (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)

Info: https://iplists.firehol.org/?ipset=firehol_webserver

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOLserver
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
     Description: FireHOLserver

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan

[lattera]

Completely random thought: checking the list against existing ET Open rules, pruning duplicates.

Another thought: integration with Suricata to not only block on those IPs, but also alert.

[yeraycito]

Completely random thought: checking the list against existing ET Open rules, pruning duplicates.

Another thought: integration with Suricata to not only block on those IPs, but also alert.

These are ips to block with the input-output firewall. Suricata blocks behavior.

Example: https://docs.opnsense.org/manual/how-tos/edrop.html

[hushcoden]

Expiration Days: 1  --> with this you shouldn't need a cron job, is that right ?

On LAN you create a rule with protocol any, source LAN, destination you FireHOL alias and condition drop. On WAN the same rule but source is your Alias and destination ANY (to match port forward and connections to firewall itself)

That's great thanks: there is no 'drop' in the drop-down menu, I can chose between 'block' or 'reject', which one is the best approach?

Also, as for the LAN rule, do I have to chose 'LAN' in the interface section only or for both interface and source ?
Tia.

Can someone please clarify the following points:

1) Better to use 'block' or 'reject' ? - 'drop' is not an option

2) As I said in my previous post, for the LAN rule, do I have to chose 'LAN' (actually it's called LAN net) in the interface section only or for both interface and source ?

3) As for 'direction', is it IN or OUT ?

I've still a lot to learn and any advice is much appreciated !

[mimugmail]

1) block is better since with reject the Firewall has to generate a packet (cost cpu cycle)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out ..

[hushcoden]

Could someone point me to where - a log file? - I can check if those alias lists are actually updated ?

Tia.

[mimugmail]

system.log or configd.log

[hushcoden]

Many thanks, found it in System --> Log Files --> General

I've attached a screenshot: does fetch mean it's been updated ?

[mimugmail]

Yep 

[yeraycito]

Many thanks, found it in System --> Log Files --> General

I've attached a screenshot: does fetch mean it's been updated ?

They're up to date. Look at the number of lines between updates:

/updates_tables.py..........www.spamhaus.org.......lines:791

When you update, the number of lines changes.

[hushcoden]

1) block is better since with reject the Firewall has to generate a packet (cost cpu cycle)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out ..

I have another question: if I use float rules, I can select both my two LAN interfaces rather than duplicate rules from LAN to LAN2  but in 'Source' I can't select bot 'LAN net' and LAN2 net', only one, so should I select 'any' or 'This Firewall' ?

Thanks.

[mimugmail]

2 rules source any, destination firehol and vice versa. No Interface selected

[hushcoden]

2 rules source any, destination firehol and vice versa. No Interface selected

Do you mean I delete the rules in 'LAN' and 'LAN2' and I consolidate them into 1 in 'Floating' but without selecting the two LAN interfaces ?? Sorry, I'm confused  Can you be more specific ?