Blocking malicious IPs with OPNsense and external blacklists

Blocking malicious IPs with OPNsense using the Spamhaus DROP lists and https://iplists.firehol.org is actually quite easy. Read how it's done:


Blocking malicious IPs at firewall level is in general a good idea. Should one of your clients become compromised, this can help block its communication before worse things happen.

While there are alternative approaches to catch this with DNS or an IPS, DNS-based blocking can be circumvented with DoH / DoT (DNS over HTTPS or TLS), and an IPS is quite costly in terms of performance.

Therefore, doing this at the firewall connectivity level is a reliable and efficient approach.

External blacklist with OPNsense

1 - Creating an alias for external blacklists

OPNsense supports the use of external blacklists within aliases, and aliases can be used in firewall rules. We therefore start by creating an alias for the desired blacklists using the URL Table (IPs) type.

Hint: Use a capital-letter prefix so that your custom aliases appear before the system-created ones and are easy to find.

Creating the alias

I use the Spamhaus DROP and EDROP lists and the DShield 30-day list from FireHOL, with an update frequency of 12 hours.

https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
https://www.spamhaus.org/drop/dropv6.txt
https://iplists.firehol.org/files/dshield_30d.netset
Blocklist URLs

Note: We're not using the more extensive firehol_level1 list, as it contains private IPs that would result in blocking local traffic as well.

Inspect the content of the lists prior to first use in order to avoid any unpleasant surprises. Some lists contain private IPs that may result in blocking local traffic.
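The following script is an added example (not part of the original post and not OPNsense code) that performs the inspection recommended above offline. It parses the two text formats the lists use (Spamhaus DROP: one network per line with a `;` comment, FireHOL netset: one IP or CIDR per line with `#` comments), reports entries that overlap private, loopback, link-local or CGNAT space, and offers a `covers()` lookup that is handy in step 3 for confirming that the address you pick for the connection test really is on a list. The sample list contents are constructed for the example (RFC 5737 documentation ranges plus two deliberately local entries), not real list data; to check real downloads, pass the file contents to `audit()` instead.

```python
"""Offline pre-flight check for firewall blocklists (added example).

Parses the two text formats used by the lists discussed on the page and
reports entries that would block local traffic. Sample contents below are
constructed for the example, not real list data.
"""
import ipaddress
from typing import Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in Spamhaus DROP layout ("network ; reference").
# Addresses are RFC 5737 documentation ranges, not real list entries.
SAMPLE_SPAMHAUS_DROP = """\
; constructed sample in Spamhaus DROP format, not real data
; Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""

# Constructed sample in FireHOL netset layout. It deliberately contains two
# entries that would match local traffic (the surprise the page warns about)
# and one malformed line, to show how both are reported.
SAMPLE_FIREHOL_NETSET = """\
#
# constructed sample in FireHOL netset format, not real data
#
10.0.0.0/8
192.168.5.7
203.0.113.0/24
2001:db8::/32
not-an-address
"""

# Ranges that must never end up in an alias used by a floating block rule:
# anything here would cut off LAN, loopback or link-local traffic.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 CGNAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def parse_list(text: str) -> tuple[list[IPNetwork], list[str]]:
    """Return (networks, rejected_lines). Strips ';' and '#' comments and
    turns bare addresses into /32 or /128 host networks."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw)   # keep the original line for a manual look
    return networks, rejected


def find_local_overlaps(networks: list[IPNetwork]) -> list[IPNetwork]:
    """Entries that overlap a local range (compared within the same IP version)."""
    return [
        net for net in networks
        if any(net.version == local.version and net.overlaps(local)
               for local in LOCAL_RANGES)
    ]


def covers(networks: list[IPNetwork], ip: str) -> Optional[IPNetwork]:
    """First list entry containing `ip`, or None if the address is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def audit(lists: dict[str, str]) -> dict[str, dict]:
    """Summarise each list: entry count, rejected lines and local overlaps."""
    report = {}
    for name, text in lists.items():
        networks, rejected = parse_list(text)
        report[name] = {
            "entries": len(networks),
            "rejected": rejected,
            "local_overlaps": [str(n) for n in find_local_overlaps(networks)],
        }
    return report


if __name__ == "__main__":
    samples = {"spamhaus_drop": SAMPLE_SPAMHAUS_DROP,
               "firehol_netset": SAMPLE_FIREHOL_NETSET}
    for name, info in audit(samples).items():
        print(f"{name}: {info['entries']} entries, "
              f"{len(info['rejected'])} rejected, "
              f"local overlaps: {info['local_overlaps'] or 'none'}")
```

Run it against the files you downloaded from the URLs above before pointing the alias at them; any list that reports a local overlap should be dropped or filtered, since the floating rule in step 2 blocks in every direction and would otherwise cut off your own LAN.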

2 - Creating a floating firewall rule

This is one of the situations where it makes sense to configure a floating rule, since you want to block traffic to and from any of these IPs regardless of the interface or direction it originates from.

  • Rule category: Floating
  • Action: Block
  • Direction: Any
  • TCP/IP Version: IPv4+IPv6
  • Protocol: any
  • Logging: Active

Make sure you activate logging and fill in a meaningful description so that block entries can be identified and inspected easily in the log, should you run into any unexpected issues.

Creating the floating firewall rule

Now save the rule and click the Apply changes button in order for the rule to become active.

3 - Verification of the new firewall rule

For the next few minutes or hours you should keep an eye on the log to be sure everything works as desired.

We nevertheless want to quickly verify that the new rule works as desired. We therefore pick an IP from one of the blacklists and try to connect to it.

Verification

As expected, neither pinging nor SSH-ing to the IP works, and we can also see in the firewall live log that the traffic is blocked.

What next

Now that the basic setup is working, we can use more or different lists to ensure malicious hosts get blocked reliably at firewall level.

Note: If you use this feature extensively, it may be necessary to increase Firewall Maximum Table Entries or other values under "Settings -> Advanced" in the firewall section.