Firehol

Caution

Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.

Firehol blocklists are a collection of automatically updating ipsets from all available security IP feeds, mainly related to online attacks, online service abuse, malware, botnets, command and control servers, and other cybercrime activities.

VPS

Installation

Install the following packages:

sudo apt install ipset iprange

Firehol blocklists

Navigate to Firehol’s website or Firehol’s GitHub repo and choose which blocklists you want to enable.

Copy the raw links into /home/user/firehol/firehol.conf. For example:

/home/user/firehol/firehol.conf

https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_1d.netset

Firehol script

Create a script to refresh the firehol ipsets and recreate the iptables rules.

For example, /home/user/firehol/firehol.sh:

/home/user/firehol/firehol.sh

#!/bin/bash

LOG="/home/user/firehol/firehol.log"
URLS=$(cat "/home/user/firehol/firehol.conf")
echo "Updating Firehol $(date)" >> $LOG

iptables -D INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT > /dev/null 2>&1
iptables -D DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT > /dev/null 2>&1
iptables -D FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT > /dev/null 2>&1
iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT >> $LOG
iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT >> $LOG
iptables -I DOCKER-USER 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT >> $LOG

for URL in $URLS
do
  echo $URL >> $LOG
  NAME=$(basename $URL)
  echo $NAME >> $LOG
  FILE="/home/user/firehol/$NAME"
  curl -s -k $URL > $FILE
  # The following sed removes LAN ranges from the lists otherwise you might block yourself
  sed -i -e 's#10.0.0.0/8##' -e 's#172.16.0.0/12##' -e 's#192.168.0.0/16##' -e 's#127.0.0.0/8##' $FILE
  COUNT=$(/usr/bin/iprange -C $FILE)
  COUNT=${COUNT/*,/}
  echo $COUNT >> $LOG
  /usr/sbin/ipset create --exist $NAME hash:net family inet maxelem 131072 >> $LOG
  /usr/sbin/ipset flush $NAME > /dev/null 2>&1
  /usr/bin/iprange $FILE --ipset-reduce 20 --ipset-reduce-entries 65535 --print-prefix "-A $NAME " > $FILE.ipset
  /usr/sbin/ipset restore --exist --file $FILE.ipset >> $LOG
  /usr/sbin/iptables -D FORWARD -m set --match-set $NAME src -j DROP &>/dev/null
  /usr/sbin/iptables -D INPUT -m set --match-set $NAME src -j DROP &>/dev/null
  /usr/sbin/iptables -D DOCKER-USER -m set --match-set $NAME src -j DROP &>/dev/null
  /usr/sbin/iptables -I DOCKER-USER 2 -m set --match-set $NAME src -j DROP >> $LOG
  /usr/sbin/iptables -I INPUT 2 -m set --match-set $NAME src -j DROP >> $LOG
  /usr/sbin/iptables -I FORWARD 2 -m set --match-set $NAME src -j DROP >> $LOG
done

Verify that it works and the ipsets have been filled:

chmod +x /home/user/firehol/firehol.sh
sudo /home/user/firehol/firehol.sh
sudo ipset list firehol_level1.netset

Cron scheduling

Caution

Make sure you are not accidentally blocking your own access to the VPS before proceeding.

Run the firehol script on reboot and daily.

For example, add the following to sudo crontab -e:

0 1 * * * /home/user/firehol/firehol.sh
@reboot sleep 120 && /home/user/firehol/firehol.sh

Verify that it runs on reboot and daily. There is a 2 minute delay before it applies after reboots, to give enough time to fix a lockout.

OPNSense

Alias

Navigate to Firewall > Aliases and create the following aliases:

Name: Firehol
Type: URL IPs
Content:
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_1d.netset

Name: External
Type: Networks
Content: !10.0.0.0/8, !172.16.0.0/12, !192.168.0.0/16, !127.0.0.1

Name: Firehol_without_internal
Type: Network group
Content: External, Firehol

Firewall

Navigate to Firewall > Rules > WAN and create the following firewall rule:

Action: Block
Interface: WAN
Direction: in
TCP/IP Version: IPv4
Protocol: any
Source: Firehol_without_internal
Destination: any

Cron

Create a cron job to automatically update the blocklists every day.

Navigate to System > Settings > Cron and add the following job:

Enabled: checked
Minutes: 0
Hours: 0
Day of the month: *
Months: *
Days of the week: *
Command: Update and reload firewall aliases