I primarily use OPNsense for my firewalls on generic x86 hardware such as devices found at:
Lanner Electronics
Inctel, Partaker (My preferred based on price)
I also found that you can install OPNsense on Barracuda Networks F-Series CloudGen firewalls and have had no issues doing so.
I'll be adding more snips here as I go.
I've implemented the IP blocklist feed used by Maltrail and published in the GitHub repository https://github.com/stamparm/ipsum
It aggregates over 30 known blacklists into a single list, with a counter next to each IP giving the number of blacklists that IP appears on.
To continue, you'll need a Linux web server that is accessible from your OPNsense firewall. These instructions use an example URL for a web server at https://example.com.
crontab -e
@daily curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1 >/var/www/example.com/files/ipsum.txt && chown www-data:www-data /var/www/example.com/files/ipsum.txt #Download Blocklist
Note: The above command only adds IPs that are listed on 3 or more blacklists. To change that threshold, change the digits inside the brackets [1-2]: for example, [1-3] adds IPs on 4 or more lists and [1] adds IPs on 2 or more lists. Remove the entire "grep -v -E "\s[1-2]$" |" section to add ALL IPs (but you're likely to get some false positives).
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1 >/var/www/example.com/files/ipsum.txt && chown www-data:www-data /var/www/example.com/files/ipsum.txt
Check your /var/www/example.com/files folder to verify the file is there.
Browse to http(s)://example.com/files/ipsum.txt and you should see the long list of IPs.
5. Log into your OPNsense firewall and go to Firewall->Aliases
6. Add a new Alias and fill out:
When viewing the logs, remember that the first rule the IP matches is the one that applies, so if you have multiple rules that might block the same IP (such as the GeoIP rules in the next section), order them by the precedence you want them evaluated in.
Snip Complete!
I get more than 1000 IPs per day, so the MaxMind GeoIP account won't work for me. I'm cheap so I'm not going to pay for the subscription, so instead I manually update text files based on country or continent once per month or so. I obtain the IPs from the Country IP Blocks website.
Review the previous Snip on adding Block Lists to the firewall for the web server details. I use the same folder on my web server to store these text files, but since this process is manual, cron isn't used to update them.
When you copy and paste the ACL, there is a trailing space after each line which will cause issues with OPNsense reading in the IPs. I use Notepad++ to automatically delete the trailing spaces and save the file using the next step. If you have another text editor that can do this, have at it.
If you want to monitor your logs to see what country or continent is being blocked, you can generate separate ACLs and save to individual text files.
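As an added example (not part of the original notes), here is a portable filter for the ipsum.txt layout ("IP, separator, number of blocklists") that replaces the grep trick from the blocklist Snip with a numeric threshold, so values of 10 or more work too, and that also strips the trailing whitespace mentioned above and drops anything that is not an IPv4 address. The sample input is constructed, not real feed data.

```shell
#!/bin/sh
# Constructed sample in the ipsum.txt layout: "<ip><TAB><blocklist count>",
# plus a comment line, a line with trailing whitespace (the copy/paste
# problem) and a line that is not an address at all.
SAMPLE='# ipsum sample (constructed)
198.51.100.7	5
203.0.113.9	2
192.0.2.25	12
192.0.2.26 	1
not-an-ip	9'

# filter_ipsum MIN: print addresses listed on at least MIN blocklists.
# A numeric comparison is used instead of a regex on the last digit,
# so thresholds of 10 or more behave as expected. Comment lines,
# trailing whitespace/CR and malformed addresses are dropped.
filter_ipsum() {
    awk -v min="$1" '
        /^#/ { next }
        {
            sub(/[ \t\r]+$/, "")            # strip trailing whitespace / CR
            ip = $1; n = $2 + 0
            # dotted quad with every octet in 0..255
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            k = split(ip, o, ".")
            bad = 0
            for (i = 1; i <= k; i++) if (o[i] > 255) bad = 1
            if (bad) next
            if (n >= min) print ip
        }'
}

# Same threshold as the cron job in the Snip (3 or more lists).
printf '%s\n' "$SAMPLE" | filter_ipsum 3
```

Pipe the output into the ipsum.txt path served by your web server in place of the grep/cut pipeline; the URL alias on the firewall is unchanged.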