Blocking malicious IPs at the firewall level is in general a good idea. Should one of your clients be compromised, this can help block its communication with the attacker's infrastructure before worse things happen.
While there are alternative approaches, such as DNS filtering or an IPS, DNS-based blocking can be circumvented with DoH / DoT (DNS over HTTPS or TLS) and an IPS is quite costly in terms of performance.
Therefore doing this at the firewall connectivity level is a reliable and efficient approach.
External blacklist with OPNsense
1 - Creating an alias for external blacklists
OPNsense supports the use of external blacklists within aliases, and aliases can be used in firewall rules. We therefore start by creating an alias for the desired blacklists using the URL Table (IPs) type.
Hint: Use a capital letter prefix in order for your custom aliases to appear before the system created ones and find them easily.
Note: We're not using the more extensive firehol_level1 list as it contains private IPs that will result in blocking local traffic as well.
Inspect the content of the lists prior to first use in order to avoid any unpleasant surprises. Some lists contain private IPs, which would result in local traffic being blocked as well.
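A small audit script for that inspection step, added here as an example and not part of the original post or of OPNsense itself: it parses a list in the plain "one IP or CIDR per line" format that the URL Table (IPs) alias type consumes, reports entries that overlap private, loopback, link-local or CGNAT space, drops unparsable lines, and counts the remaining prefixes. The sample list is constructed for the example, and the assumption that each listed prefix occupies one pf table entry (the figure the Firewall Maximum Table Entries setting has to accommodate) is mine.

```python
import ipaddress

# Constructed sample in the format a URL Table (IPs) alias fetches: one IP or
# CIDR per line, '#' comments and blank lines ignored. Not a real blocklist.
SAMPLE_LIST = """\
# constructed example - comments and blank lines are skipped
203.0.113.0/24
198.51.100.77
192.168.0.0/16      # this one would block the office LAN
10.20.30.40
127.0.0.1
not-an-address
2001:db8::/32
"""

# Ranges that must never end up in a block alias on a home or office firewall:
# RFC 1918 private space, loopback, link-local, CGNAT, and their IPv6 equivalents.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_blocklist(text):
    """Return (networks, invalid_lines) for URL-table style text.

    Single addresses become /32 or /128 networks; host bits are tolerated
    (strict=False) because many published lists are sloppy about them.
    """
    networks, invalid = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            invalid.append(line)
    return networks, invalid


def find_local_overlaps(networks):
    """List (entry, local_range) pairs for entries touching locally used space."""
    hits = []
    for net in networks:
        for local in LOCAL_RANGES:
            if net.version == local.version and net.overlaps(local):
                hits.append((str(net), str(local)))
                break
    return hits


def audit(text):
    """Summarise a list before pointing an alias at it."""
    nets, invalid = parse_blocklist(text)
    overlaps = find_local_overlaps(nets)
    flagged = {entry for entry, _ in overlaps}
    safe = [str(n) for n in nets if str(n) not in flagged]
    return {
        # Assumption: each prefix is one pf table entry, so this is the number
        # to compare against Firewall Maximum Table Entries.
        "entries": len(nets),
        "invalid": invalid,
        "local_overlaps": overlaps,
        "safe": safe,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LIST)
    print("table entries:", report["entries"])
    print("unparsable lines:", report["invalid"])
    for entry, local in report["local_overlaps"]:
        print(f"WARNING {entry} overlaps local range {local}")
    print("safe entries:", report["safe"])
```

Running it on a downloaded list instead of the constructed sample is a matter of reading the file into `audit()`. If it reports any local overlaps, either pick a different list or host a filtered copy (the `safe` entries) on an internal web server and point the alias at that URL, rather than accepting the list as published.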
2 - Creating a floating firewall rule
This is one of the situations where it makes sense to configure a floating rule, since you want to block traffic to and from any of these IPs regardless of the interface it arrives on or the direction it is travelling in.
- Rule category:
- TCP Version:
Make sure you activate logging and fill in a meaningful description so that you can identify and inspect block entries in the log easily, should you run into any unexpected issues.
Now save the rule and click the Apply changes button in order for the rule to become active.
3 - Verification of the new firewall rule
For the next few minutes or hours you should keep an eye on the log to be sure everything works as desired.
We nevertheless want to quickly verify that the new rule works. We therefore pick an IP from one of the blacklists and try to connect to it.
As expected, neither ping nor SSH to the IP works, and we can also see in the firewall live log that the traffic is blocked.
Now with the basic setup working we can use more or different lists to ensure malicious hosts get blocked reliably on firewall level.
Note: If you use this feature extensively it may be necessary to increase the Firewall Maximum Table Entries or other values in "Settings -> Advanced" in the firewall section.