| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| Opnsense - Additional Blocklists | Blocklists | true | 2026-02-23T21:54:13.019Z | | markdown | 2026-02-23T21:46:39.562Z |
OPNsense Additional Blocklists
Service: Firewall Aliases — URL Table blocklists
Host: OPNsense firewall
Applies To: WAN and ATT interfaces
Update Frequency: Daily (automatic)
Overview
Your firewall already uses Spamhaus DROP and EDROP as IP blocklists. These three additional lists fill specific gaps that Spamhaus does not cover:
| List | What It Blocks | Why It's Needed |
|---|---|---|
| Feodo Tracker | Botnet command & control IPs | Stops malware on your network phoning home |
| Abuse.ch SSLBL | IPs with malicious SSL certificates | Catches malware that uses HTTPS to hide C2 traffic |
| Emerging Threats | Confirmed active attack IPs | Broad coverage of IPs currently conducting scans and exploits |
These work at the firewall alias level — the same mechanism as your existing Spamhaus lists. Traffic from/to these IPs is blocked before it reaches any service.
✓ These lists are also used by Suricata internally. Adding them as firewall aliases provides a second, independent enforcement point at the packet filter level — meaning blocks happen even if Suricata is restarted or temporarily inactive.
Current Blocklist State
From your configuration, these aliases are already present and populated, but only two of them are currently enforced by a rule:
| Alias | List | Status |
|---|---|---|
| SpamHaus_Drop | Spamhaus DROP | ⚠ Alias active, rule disabled |
| Spamhaus_edrop | Spamhaus EDROP | ⚠ Alias active, rule disabled |
| crowdsec_blacklists | CrowdSec IPv4 | ✓ Active |
| crowdsec6_blacklists | CrowdSec IPv6 | ✓ Active |
⚠ First priority: Before adding new blocklists, re-enable the existing Spamhaus block rules. See the Re-enable Existing Spamhaus Rules section at the bottom of this document.
Step 1 — Add Feodo Tracker Alias
Navigate to Firewall → Aliases → Add
| Field | Value |
|---|---|
| Name | Feodo_Tracker |
| Type | URL Table (IPs) |
| Description | Abuse.ch Feodo Tracker — Botnet C2 IPs |
| URL | https://feodotracker.abuse.ch/downloads/ipblocklist.txt |
| Refresh Frequency | 1 day |
| Enabled | ✓ |
Click Save, then Apply Changes.
Verify the list loaded:
Go to Firewall → Diagnostics → Aliases, select Feodo_Tracker — you should see a list of IP addresses populated.
Step 2 — Add Abuse.ch SSLBL Alias
Navigate to Firewall → Aliases → Add
| Field | Value |
|---|---|
| Name | AbuseCH_SSLBL |
| Type | URL Table (IPs) |
| Description | Abuse.ch SSL Blacklist — Malicious SSL certificate IPs |
| URL | https://sslbl.abuse.ch/blacklist/sslipblacklist.txt |
| Refresh Frequency | 1 day |
| Enabled | ✓ |
Click Save, then Apply Changes.
✓ The SSL Blacklist specifically targets IPs that have been observed using SSL/TLS certificates associated with malware botnets. It catches C2 traffic that would otherwise be hidden inside HTTPS.
Step 3 — Add Emerging Threats Alias
Navigate to Firewall → Aliases → Add
| Field | Value |
|---|---|
| Name | ET_Block_IPs |
| Type | URL Table (IPs) |
| Description | Emerging Threats — Active attack and scanning IPs |
| URL | https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt |
| Refresh Frequency | 1 day |
| Enabled | ✓ |
Click Save, then Apply Changes.
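Steps 1 to 3 are the same form filled in three times. The script below does the same work through the OPNsense API so the aliases are created identically on every firewall (or re-created after a restore). It is an added example, not code from the page or from the OPNsense project; it assumes the core alias endpoints /api/firewall/alias/addItem and /api/firewall/alias/reconfigure, the field names used by the Firewall → Aliases form (type "urltable", updatefreq in days), and a "result": "saved" reply on success. Check these against the API reference for your OPNsense version before relying on it. The API key/secret come from the environment; TLS is verified against the firewall's own CA rather than disabled.

```python
"""Create the three URL Table aliases from Steps 1-3 through the OPNsense API.

Added example, not from the page or the OPNsense project. Assumed (verify for
your version): the endpoints /api/firewall/alias/addItem and
/api/firewall/alias/reconfigure, the field names below, and that addItem
answers {"result": "saved", ...} on success.
"""
from __future__ import annotations

import base64
import json
import os
import ssl
import urllib.request

# The three lists from Steps 1-3, exactly as the page configures them.
FEEDS = {
    "Feodo_Tracker": (
        "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
        "Abuse.ch Feodo Tracker - Botnet C2 IPs",
    ),
    "AbuseCH_SSLBL": (
        "https://sslbl.abuse.ch/blacklist/sslipblacklist.txt",
        "Abuse.ch SSL Blacklist - Malicious SSL certificate IPs",
    ),
    "ET_Block_IPs": (
        "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
        "Emerging Threats - Active attack and scanning IPs",
    ),
}


def alias_payload(name: str, url: str, description: str, refresh_days: int = 1) -> dict:
    """Request body for addItem.

    "urltable" is the API name of the "URL Table (IPs)" alias type and
    updatefreq is the refresh interval in days (assumed field semantics).
    """
    if not url.startswith("https://"):
        # A feed pulled over plain HTTP can be altered in transit and the
        # altered contents land straight in a block table; refuse it.
        raise ValueError(f"refusing non-HTTPS feed URL for {name}: {url}")
    return {
        "alias": {
            "enabled": "1",
            "name": name,
            "type": "urltable",
            "content": url,
            "updatefreq": str(refresh_days),
            "description": description,
        }
    }


def all_payloads(feeds: dict[str, tuple[str, str]] = FEEDS) -> list[dict]:
    """One addItem body per feed, in the order the page creates them."""
    return [alias_payload(name, url, desc) for name, (url, desc) in feeds.items()]


class OpnsenseApi:
    """Minimal client: HTTP basic auth with an API key/secret pair. TLS is
    verified against cafile (export the firewall's CA); it is never disabled."""

    def __init__(self, base_url: str, key: str, secret: str, cafile: str | None = None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context(cafile=cafile)

    def post(self, path: str, body: dict | None = None) -> dict:
        data = json.dumps(body or {}).encode()
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=self.headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.loads(resp.read())


def create_aliases(api: OpnsenseApi, feeds: dict[str, tuple[str, str]] = FEEDS) -> list[str]:
    """Create every alias, then apply (the equivalent of "Apply Changes")."""
    created = []
    for name, (url, desc) in feeds.items():
        result = api.post("/api/firewall/alias/addItem", alias_payload(name, url, desc))
        if result.get("result") != "saved":          # assumed success marker
            raise RuntimeError(f"{name}: {result}")
        created.append(name)
    api.post("/api/firewall/alias/reconfigure")      # builds the pf tables
    return created


if __name__ == "__main__":
    api = OpnsenseApi(
        os.environ["OPNSENSE_URL"],        # e.g. https://firewall.example.net
        os.environ["OPNSENSE_KEY"],
        os.environ["OPNSENSE_SECRET"],
        cafile=os.environ.get("OPNSENSE_CA"),
    )
    print("created:", ", ".join(create_aliases(api)))
```

After it runs, verify the three aliases exactly as in Step 1: Firewall → Diagnostics → Aliases should list each name with addresses populated once the first refresh completes.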
Step 4 — Create Firewall Block Rules
One block rule per alias, applied to both WAN and ATT interfaces. OPNsense evaluates interface rules top to bottom and the first match wins, so add these rules above your existing PASS rules on each interface; a block rule that sits below a pass rule for the same traffic never fires.
Navigate to Firewall → Rules → WAN
Rule 1 — Block Feodo Tracker (WAN)
Click Add (add to top of ruleset):
| Field | Value |
|---|---|
| Action | Block |
| Interface | WAN |
| Direction | in |
| Protocol | any |
| Source | Feodo_Tracker (single host or alias) |
| Destination | any |
| Description | Block Feodo Tracker botnet C2 |
| Log | ✓ Enable logging |
Click Save.
Rule 2 — Block Abuse.ch SSLBL (WAN)
| Field | Value |
|---|---|
| Action | Block |
| Interface | WAN |
| Direction | in |
| Protocol | any |
| Source | AbuseCH_SSLBL |
| Destination | any |
| Description | Block Abuse.ch SSL Blacklist |
| Log | ✓ Enable logging |
Click Save.
Rule 3 — Block Emerging Threats (WAN)
| Field | Value |
|---|---|
| Action | Block |
| Interface | WAN |
| Direction | in |
| Protocol | any |
| Source | ET_Block_IPs |
| Destination | any |
| Description | Block Emerging Threats IPs |
| Log | ✓ Enable logging |
Click Save.
Click Apply Changes on the WAN rules page.
Repeat for ATT Interface
Navigate to Firewall → Rules → ATT and add the same three rules with Interface: ATT. This ensures blocking applies to both WANs during the transition period, and only ATT after WAN is retired.
Step 5 — Also Block Outbound (Optional but Recommended)
Adding outbound blocks catches the case where an internal device is already compromised and attempting to contact C2 infrastructure. In OPNsense an interface rule with direction in matches packets arriving on that interface, so a LAN client connecting to a C2 server is seen as direction in on LAN; a LAN rule with direction out would only match traffic the firewall delivers to LAN hosts, not the connections they originate. Place the rules above the default LAN allow rule.
Navigate to Firewall → Rules → LAN, add one rule per alias with:
- Action: Block
- Interface: LAN
- Direction: in
- Protocol: any
- Source: any
- Destination: the respective alias (Feodo_Tracker, AbuseCH_SSLBL, ET_Block_IPs)
- Log: ✓ Enable logging
Repeat on any other internal interface whose hosts should be covered. This means even if malware bypasses inbound filtering, outbound connections to known C2 IPs are still blocked, and the log entry names the internal host that attempted the connection.
Re-enable Existing Spamhaus Rules
While you are in the firewall rules, re-enable the three currently disabled rules:
Navigate to Firewall → Rules → WAN
Find these three rules (they appear greyed out):
- Block DROP — source: SpamHaus_Drop
- Block EDROP — source: Spamhaus_edrop
- GeoIP country block — source: Blocked_Countries
Click the enable toggle (grey circle icon) on each rule to enable them. Click Apply Changes.
✓ These aliases are already populated and refreshing automatically. The only reason they were not blocking is because the rules were disabled. Enabling them requires no other changes.
Verifying Blocklists Are Working
Check Alias Contents
Firewall → Diagnostics → Aliases — select each alias to see the current list of blocked IPs and confirm they are populated. From a shell on the firewall the same tables can be inspected directly, since each alias is loaded as a pf table of the same name: pfctl -t Feodo_Tracker -T show lists its entries and pfctl -t Feodo_Tracker -T test 203.0.113.10 reports whether a given address matches. An alias that shows zero entries after its first refresh usually means the URL could not be fetched; check the URL and the firewall's outbound DNS/HTTPS before assuming the rule is protecting anything.
Check Firewall Logs
Firewall → Log Files → Live View — filter by the rule description (e.g., Feodo Tracker) to see blocks in real time.
Check Update Schedule
Aliases refresh on the schedule set during creation. To force an immediate refresh: Firewall → Diagnostics → Aliases → select alias → Flush + Force Update
Complete Blocklist Summary
After implementing all of the above, your firewall enforces the following IP blocklists:
| Alias | List | Covers | Update |
|---|---|---|---|
| SpamHaus_Drop | Spamhaus DROP | Hijacked/compromised netblocks | Daily |
| Spamhaus_edrop | Spamhaus EDROP | Extended DROP — additional sub-allocated hijacked/compromised netblocks not in DROP | Daily |
| Feodo_Tracker | Feodo Tracker | Botnet C2 IPs | Daily |
| AbuseCH_SSLBL | Abuse.ch SSLBL | Malicious SSL certificate IPs | Daily |
| ET_Block_IPs | Emerging Threats | Active scanners & attack IPs | Daily |
| crowdsec_blacklists | CrowdSec | Community-reported bad IPs (IPv4) | Real-time |
| crowdsec6_blacklists | CrowdSec | Community-reported bad IPs (IPv6) | Real-time |
| Blocked_Countries | MaxMind GeoIP | 70 blocked countries | Weekly |
Combined with Suricata (content inspection) and CrowdSec (IP reputation), this gives you a comprehensive multi-layer perimeter.
Related Documentation
- OPNsense Firewall — parent firewall documentation, full alias list
- Suricata IDS/IPS — content inspection layer, also uses these feed sources
- CrowdSec — real-time IP reputation blocking