diff --git a/Netgrimoire/Network/Security/opnsense_blocklist.md b/Netgrimoire/Network/Security/opnsense_blocklist.md new file mode 100644 index 0000000..3b50ee4 --- /dev/null +++ b/Netgrimoire/Network/Security/opnsense_blocklist.md 
@@ -0,0 +1,239 @@ +--- +title: Opnsense +description: Blocklists +published: true +date: 2026-02-23T21:46:39.562Z +tags: +editor: markdown +dateCreated: 2026-02-23T21:46:39.562Z +--- + +# OPNsense Additional Blocklists + +**Service:** Firewall Aliases — URL Table blocklists +**Host:** OPNsense firewall +**Applies To:** WAN and ATT interfaces +**Update Frequency:** Daily (automatic) + +--- + +## Overview + +Your firewall already uses Spamhaus DROP and EDROP as IP blocklists. These three additional lists fill specific gaps that Spamhaus does not cover: + +| List | What It Blocks | Why It's Needed | +|---|---|---| +| Feodo Tracker | Botnet command & control IPs | Stops malware on your network phoning home | +| Abuse.ch SSLBL | IPs with malicious SSL certificates | Catches malware that uses HTTPS to hide C2 traffic | +| Emerging Threats | Confirmed active attack IPs | Broad coverage of IPs currently conducting scans and exploits | + +These work at the **firewall alias level** — the same mechanism as your existing Spamhaus lists. Traffic from/to these IPs is blocked before it reaches any service. + +> ✓ These lists are also used by Suricata internally. Adding them as firewall aliases provides a second, independent enforcement point at the packet filter level — meaning blocks happen even if Suricata is restarted or temporarily inactive. + +--- + +## Current Blocklist State + +From your configuration, these lists are already present and working: + +| Alias | List | Status | +|---|---|---| +| SpamHaus_Drop | Spamhaus DROP | ⚠ Alias active, **rule disabled** | +| Spamhaus_edrop | Spamhaus EDROP | ⚠ Alias active, **rule disabled** | +| crowdsec_blacklists | CrowdSec IPv4 | ✓ Active | +| crowdsec6_blacklists | CrowdSec IPv6 | ✓ Active | + +> ⚠ **First priority:** Before adding new blocklists, re-enable the existing Spamhaus block rules. See the Re-enable Existing Rules section at the bottom of this document. 
+ +--- + +## Step 1 — Add Feodo Tracker Alias + +Navigate to **Firewall → Aliases → Add** + +| Field | Value | +|---|---| +| Name | `Feodo_Tracker` | +| Type | `URL Table (IPs)` | +| Description | `Abuse.ch Feodo Tracker — Botnet C2 IPs` | +| URL | `https://feodotracker.abuse.ch/downloads/ipblocklist.txt` | +| Refresh Frequency | `1` day | +| Enabled | ✓ | + +Click **Save**, then **Apply Changes**. + +**Verify the list loaded:** +Go to **Firewall → Diagnostics → Aliases**, select `Feodo_Tracker` — you should see a list of IP addresses populated. + +--- + +## Step 2 — Add Abuse.ch SSLBL Alias + +Navigate to **Firewall → Aliases → Add** + +| Field | Value | +|---|---| +| Name | `AbuseCH_SSLBL` | +| Type | `URL Table (IPs)` | +| Description | `Abuse.ch SSL Blacklist — Malicious SSL certificate IPs` | +| URL | `https://sslbl.abuse.ch/blacklist/sslipblacklist.txt` | +| Refresh Frequency | `1` day | +| Enabled | ✓ | + +Click **Save**, then **Apply Changes**. + +> ✓ The SSL Blacklist specifically targets IPs that have been observed using SSL/TLS certificates associated with malware botnets. It catches C2 traffic that would otherwise be hidden inside HTTPS. + +--- + +## Step 3 — Add Emerging Threats Alias + +Navigate to **Firewall → Aliases → Add** + +| Field | Value | +|---|---| +| Name | `ET_Block_IPs` | +| Type | `URL Table (IPs)` | +| Description | `Emerging Threats — Active attack and scanning IPs` | +| URL | `https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt` | +| Refresh Frequency | `1` day | +| Enabled | ✓ | + +Click **Save**, then **Apply Changes**. + +--- + +## Step 4 — Create Firewall Block Rules + +One block rule per alias, applied to both WAN and ATT interfaces. Add these rules **above** your existing PASS rules on each interface. 
+ +Navigate to **Firewall → Rules → WAN** + +### Rule 1 — Block Feodo Tracker (WAN) + +Click **Add** (add to top of ruleset): + +| Field | Value | +|---|---| +| Action | Block | +| Interface | WAN | +| Direction | in | +| Protocol | any | +| Source | `Feodo_Tracker` (single host or alias) | +| Destination | any | +| Description | `Block Feodo Tracker botnet C2` | +| Log | ✓ Enable logging | + +Click **Save**. + +### Rule 2 — Block Abuse.ch SSLBL (WAN) + +| Field | Value | +|---|---| +| Action | Block | +| Interface | WAN | +| Direction | in | +| Protocol | any | +| Source | `AbuseCH_SSLBL` | +| Destination | any | +| Description | `Block Abuse.ch SSL Blacklist` | +| Log | ✓ Enable logging | + +Click **Save**. + +### Rule 3 — Block Emerging Threats (WAN) + +| Field | Value | +|---|---| +| Action | Block | +| Interface | WAN | +| Direction | in | +| Protocol | any | +| Source | `ET_Block_IPs` | +| Destination | any | +| Description | `Block Emerging Threats IPs` | +| Log | ✓ Enable logging | + +Click **Save**. + +Click **Apply Changes** on the WAN rules page. + +### Repeat for ATT Interface + +Navigate to **Firewall → Rules → ATT** and add the same three rules with `Interface: ATT`. This ensures blocking applies to both WANs during the transition period, and only ATT after WAN is retired. + +--- + +## Step 5 — Also Block Outbound (Optional but Recommended) + +Adding outbound blocks catches the case where an internal device is already compromised and attempting to contact C2 infrastructure. Apply to the LAN interface, direction **out**: + +Navigate to **Firewall → Rules → LAN**, add rules with: +- Direction: `out` +- Source: `any` +- Destination: the respective alias (`Feodo_Tracker`, `AbuseCH_SSLBL`, `ET_Block_IPs`) +- Action: `Block` + +This means even if malware bypasses inbound filtering, outbound connections to known C2 IPs are still blocked. 
+ +--- + +## Re-enable Existing Spamhaus Rules + +While you are in the firewall rules, re-enable the three currently disabled rules: + +Navigate to **Firewall → Rules → WAN** + +Find these three rules (they appear greyed out): +1. `Block DROP` — source: SpamHaus_Drop +2. `Block EDROP` — source: Spamhaus_edrop +3. GeoIP country block — source: Blocked_Countries + +Click the **enable toggle** (grey circle icon) on each rule to enable them. Click **Apply Changes**. + +> ✓ These aliases are already populated and refreshing automatically. The only reason they were not blocking is because the rules were disabled. Enabling them requires no other changes. + +--- + +## Verifying Blocklists Are Working + +### Check Alias Contents + +**Firewall → Diagnostics → Aliases** — select each alias to see the current list of blocked IPs and confirm they are populated. + +### Check Firewall Logs + +**Firewall → Log Files → Live View** — filter by the rule description (e.g., `Feodo Tracker`) to see blocks in real time. + +### Check Update Schedule + +Aliases refresh on the schedule set during creation. 
To force an immediate refresh: +**Firewall → Diagnostics → Aliases → select alias → Flush + Force Update** + +--- + +## Complete Blocklist Summary + +After implementing all of the above, your firewall enforces the following IP blocklists: + +| Alias | List | Covers | Update | +|---|---|---|---| +| SpamHaus_Drop | Spamhaus DROP | Hijacked/compromised netblocks | Daily | +| Spamhaus_edrop | Spamhaus EDROP | Extended DROP — bogon routes | Daily | +| Feodo_Tracker | Feodo Tracker | Botnet C2 IPs | Daily | +| AbuseCH_SSLBL | Abuse.ch SSLBL | Malicious SSL certificate IPs | Daily | +| ET_Block_IPs | Emerging Threats | Active scanners & attack IPs | Daily | +| crowdsec_blacklists | CrowdSec | Community-reported bad IPs (IPv4) | Real-time | +| crowdsec6_blacklists | CrowdSec | Community-reported bad IPs (IPv6) | Real-time | +| Blocked_Countries | MaxMind GeoIP | 70 blocked countries | Weekly | + +Combined with Suricata (content inspection) and CrowdSec (IP reputation), this gives you a comprehensive multi-layer perimeter. + +--- + +## Related Documentation + +- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation, full alias list +- [Suricata IDS/IPS](./suricata-ids-ips) — content inspection layer, also uses these feed sources +- [CrowdSec](./crowdsec) — real-time IP reputation blocking
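Review bot: the outbound rules in Step 5 will not match the traffic they are meant to stop. On OPNsense a rule's direction is relative to the firewall interface, so a LAN rule with `Direction: out` and `Destination: the respective alias` only matches packets leaving the firewall toward LAN hosts, where a listed IP would be the source, not the destination; a LAN host opening a connection to a C2 address enters the firewall on LAN as direction `in`. Change the Step 5 rules to `Direction: in` on LAN (Source any, Destination alias, Action Block), placed above the default LAN-to-any pass rule, or put them on WAN with direction `out`, otherwise the sentence "outbound connections to known C2 IPs are still blocked" does not hold. Two consistency points in the same file: the "Re-enable Existing Spamhaus Rules" section says "re-enable the three currently disabled rules" and lists a GeoIP country block rule, but the "Current Blocklist State" table earlier flags only the two Spamhaus rules as disabled and the summary table shows Blocked_Countries as an active, weekly-updated list, so either the table or the section heading and count needs correcting; and the summary row describing Spamhaus EDROP as "Extended DROP — bogon routes" is wrong, since EDROP extended DROP with sub-allocated netblocks (not bogons) and Spamhaus has since merged it into DROP, so that row should be reworded and the two aliases noted as now fed by a single list.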