Integrations · pfSense / OPNsense
HoneyLabs blocklist as a pfSense or OPNsense URL-table alias
Both pfSense and OPNsense can populate a firewall alias from a URL that returns one IP per line, refreshed on a schedule. That is the HoneyLabs plain-text feed verbatim, so the whole integration is one alias and one rule, using nothing but the stock firmware.
- 01
Save a query
Sign in (free) and save the HoneyLabs query you want the feed to track on the feeds page. Any lookup query works: a port, an ASN, a tag, or a boolean combination. The feed returns the source IPs currently matching it, so a tighter query means a tighter blocklist.
# Example saved queries and what they feed you port:22 AND NOT tag:scanner # SSH brute-forcers, known researchers removed tag:scanner # every recognized scanner IP cve:CVE-2024-4577 # IPs probing one specific CVE asn:14061 AND port:445 # SMB scans out of DigitalOcean - 02
Mint a feed token
On the same page, mint a feed URL for the saved query. The token alone authorizes the fetch: no cookies, no headers, safe to paste into an appliance. Mint one token per consumer so you can revoke a leaked URL without breaking the others.
# Your feed URL looks like https://honeylabs.net/feed/<token> # plain text, one IP per line https://honeylabs.net/feed/<token>.csv # ip,first_seen,last_seen,events,asn,country https://honeylabs.net/feed/<token>.json # same fields as JSON - 03
Create the URL-table alias
The firewall fetches the URL itself on the schedule you set. The feed is edge-cached and cheap to serve, so a daily refresh or faster is fine.
# pfSense: Firewall > Aliases > URLs > Add Name : HoneyLabs_Scanners Type : URL Table (IPs) URL : https://honeylabs.net/feed/<token> Update frequency : 1 day # OPNsense: Firewall > Aliases > Add Name : HoneyLabs_Scanners Type : URL Table (IPs) Content : https://honeylabs.net/feed/<token> Refresh frequency : 1 day - 04
Reference it in a block rule
Add a WAN rule that drops traffic whose source matches the alias, above your allow rules. Start with logging enabled so you can see what it catches before you trust it silently.
Firewall > Rules > WAN > Add Action : Block Source : HoneyLabs_Scanners (alias) Destination : any Log : checked (initially)
Worth knowing
- One token per firewall: if a config backup leaks the URL, revoke that token on the feeds page and the other consumers keep working.
- The alias updates on the firewall's own schedule; forcing a reload (Diagnostics > Tables) pulls immediately after you change the query.
The feed is plain text (one IP per line), CSV, or JSON, is revocable per token, and is edge-cached for five minutes, so a tight refresh schedule never hammers anything. Create yours on the feeds page, or browse the other integrations.