Netgate Discussion Forum

    Recommended staple IPv4, IPv6, DNSBL lists

    pfBlockerNG
    • code4food23

      I realize what works for you may not be ideal for me and vice versa, but what are the recommended lists that you have on your pfBlockerNG setup that you consider staples?

      • SteveITS Galactic Empire @code4food23

        CINS_Army
        ET_Block (includes DShield/ISC)
        ET_Comp
        Spamhaus_Drop
        Spamhaus_eDrop
        BDS_TOR
        Spamhaus_Drop6

        Note several of these also show up in Snort/Suricata rulesets, don't use both.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • code4food23 @SteveITS

          @steveits said in Recommended staple IPv4, IPv6, DNSBL lists:

          Note several of these also show up in Snort/Suricata rulesets, don't use both.

          Thanks! Out of curiosity, why not use both? And how can I tell if they show up in rulesets?

          • NogBadTheBad @code4food23

            @code4food23

            https://rules.emergingthreats.net/blockrules/compromised-ips.txt

            https://isc.sans.edu/api/threatlist/shadowserver/?xml

            https://isc.sans.edu/api/threatlist/shodan/?xml

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • Uglybrian

              Hi, for me and my home with two offices, and after trying different lists and combos, I have settled on just these 4 for DNSBL. The easy lists are set as the primary.
              -easy list
              -easy privacy
              -adaway
              -Dan Pollock SWC

              • code4food23 @Uglybrian

                @uglybrian Thanks! Any idea what the difference is between the Malicious and Malicious2 groups? I added both, but a list in Malicious2 group blocked sites like amazon.com and cnn.com for example. So I just removed the Malicious2 group altogether.

                • Uglybrian

                  I do not know the difference between the two lists. But I would say that any block list with Amazon and CNN is more for bandwidth control in a big company. Just a guess. I have found that with a home/office, when it comes to DNSBL, less is more. In exploring the feeds I have noticed a lot of these lists overlap each other. I settled on my given list through trial and error, and only chose feeds that showed when they have been updated (see last line of posted pic below). My only goal was to block the most ads, spy, etc. with the shortest lists. I kept a seat-of-the-pants track of hits per list size on the feeds, along with angry shouts of "why is this blocked". Eventually settled on the 4 I listed.
                  Screenshot from 2021-08-21 09-45-53.png

                  • SteveITS Galactic Empire @code4food23

                    @code4food23 said in Recommended staple IPv4, IPv6, DNSBL lists:

                    why not use both? and how can tell if they show up in rulesets

                    There's no point in scanning for DROP packets in Snort if they were blocked by the firewall. Category emerging-drop.rules is the Spamhaus DROP list. Click the category name to open the file and it usually has a note explaining what it is.

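One way to check the overlap discussed in the last reply, as an added example that is not part of the thread or of pfBlockerNG/Snort: it parses an IP feed and the source-address groups of a rule file, then reports which feed networks the rules already cover. The sample data is constructed from documentation address ranges, and the two layouts (one CIDR per line with `;` comments, and rules carrying an inline `[a,b,...]` address group) are assumptions about the files being compared.

```python
import ipaddress
import re

# Constructed sample in a "CIDR ; id" text layout; the networks are
# documentation ranges (RFC 5737), not real list entries.
DROP_SAMPLE = """\
; constructed sample, not real list data
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
203.0.113.0/24 ; SBL000003
"""

# Constructed sample rule in Snort/Suricata syntax with an inline address group.
RULES_SAMPLE = """\
# constructed sample, not the real emerging-drop.rules
alert ip [192.0.2.0/24,198.51.100.0/24] any -> $HOME_NET any (msg:"sample DROP group 1"; sid:1000001; rev:1;)
"""

def parse_list(text):
    """Networks from a one-CIDR-per-line feed; ';' and '#' start comments."""
    nets = []
    for line in text.splitlines():
        entry = re.split(r"[;#]", line, maxsplit=1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def parse_rule_sources(text):
    """Networks from the source-address field (action proto SRC ...) of each rule."""
    nets = []
    for line in text.splitlines():
        # Comment and blank lines do not match: they lack a leading action word.
        m = re.match(r"\s*\w+\s+\w+\s+(\[[^\]]*\]|\S+)\s", line)
        if not m:
            continue
        for item in m.group(1).strip("[]").split(","):
            try:
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
            except ValueError:
                pass  # "any", $VARIABLES and negated entries are not plain networks
    return nets

def coverage(feed, rules):
    """Split feed networks into (already covered by a rule network, not covered)."""
    covered, uncovered = [], []
    for net in feed:
        hit = any(net.version == r.version and net.subnet_of(r) for r in rules)
        (covered if hit else uncovered).append(net)
    return covered, uncovered
```

A feed whose networks all land in `covered` is already handled by that rule category, so only one of the two needs to be enabled.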