Integrations · pfSense / OPNsense

HoneyLabs blocklist as a pfSense or OPNsense URL-table alias

Both pfSense and OPNsense can populate a firewall alias from a URL that returns one IP per line, refreshed on a schedule. That is the HoneyLabs plain-text feed verbatim, so the whole integration is one alias and one rule, using nothing but the stock firmware.

  1. 01

    Save a query

    Sign in (free) and save the HoneyLabs query you want the feed to track on the feeds page. Any lookup query works: a port, an ASN, a tag, or a boolean combination. The feed returns the source IPs currently matching it, so a tighter query means a tighter blocklist.

    # Example saved queries and what they feed you
    port:22 AND NOT tag:scanner     # SSH brute-forcers, known researchers removed
    tag:scanner                     # every recognized scanner IP
    cve:CVE-2024-4577               # IPs probing one specific CVE
    asn:14061 AND port:445          # SMB scans out of DigitalOcean
  2. 02

    Mint a feed token

    On the same page, mint a feed URL for the saved query. The token alone authorizes the fetch: no cookies, no headers, safe to paste into an appliance. Mint one token per consumer so you can revoke a leaked URL without breaking the others.

    # Your feed URL looks like
    https://honeylabs.net/feed/<token>        # plain text, one IP per line
    https://honeylabs.net/feed/<token>.csv    # ip,first_seen,last_seen,events,asn,country
    https://honeylabs.net/feed/<token>.json   # same fields as JSON
  3. 03

    Create the URL-table alias

    The firewall fetches the URL itself on the schedule you set. The feed is edge-cached and cheap to serve, so a daily refresh or faster is fine.

    # pfSense: Firewall > Aliases > URLs > Add
    Name             : HoneyLabs_Scanners
    Type             : URL Table (IPs)
    URL              : https://honeylabs.net/feed/<token>
    Update frequency : 1 day
    
    # OPNsense: Firewall > Aliases > Add
    Name              : HoneyLabs_Scanners
    Type              : URL Table (IPs)
    Content           : https://honeylabs.net/feed/<token>
    Refresh frequency : 1 day
  4. 04

    Reference it in a block rule

    Add a WAN rule that drops traffic whose source matches the alias, above your allow rules. Start with logging enabled so you can see what it catches before you trust it silently.

    Firewall > Rules > WAN > Add
    Action      : Block
    Source      : HoneyLabs_Scanners (alias)
    Destination : any
    Log         : checked (initially)

Worth knowing

  • One token per firewall: if a config backup leaks the URL, revoke that token on the feeds page and the other consumers keep working.
  • The alias updates on the firewall's own schedule; forcing a reload (Diagnostics > Tables) pulls immediately after you change the query.

The feed is plain text (one IP per line), CSV, or JSON, is revocable per token, and is edge-cached for five minutes, so a tight refresh schedule never hammers anything. Create yours on the feeds page, or browse the other integrations.