IP Blacklists with Auto Update

On a network firewall level, I use pfSense and pfBlockerNG which updates on a regular schedule from some IP Blacklists sourced from FireHOL IP Lists hxxp://iplists.firehol.org/

Note: as a new user I cannot put links in posts; I’ve replaced the http with hxxp in all my links

pfBlockerNG works great while I’m at home, but when the computer has to leave the home then I no longer get the added protection of the IP Blacklists.

Would be great if GlassWire could load some IP Blacklists and keep them updated. Not critical but might be useful.

As an example of some of the IP Blacklists I currently use…

  • firehol_level3 by FireHOL (updates every hour) - hxxp://iplists.firehol.org/?ipset=firehol_level3
  • bds_atif by Binary Defense Systems (updates every hour) - hxxp://iplists.firehol.org/?ipset=bds_atif
  • et_block by Emerging Threats (updates once a day) - hxxp://iplists.firehol.org/?ipset=et_block

@noname

Thanks for your feedback.

Why just IP lists? Why not hosts instead? Hosts are much easier to block with limited resource usage because you can use the Windows hosts file.

I ask because we are looking at options on this but we wonder if it’s necessary to do IP addresses and hosts both, or just hosts, or just IP addresses. Normally we would just do both, but blocking IP addresses can have some resource usage issues in some cases. Blocking hosts should use almost no resources.

You could do host names. Doesn’t have to be just IP addresses.

Blocking using host/IP blacklists is a sort of nice-to-have feature but not necessary, as it can be done different ways on a local machine.

Your question got me thinking about this a little more, about why I wanted IP blacklists. I guess just convenience as that is what I am using successfully on my hardware firewall and just wanted to extend that configuration to when I’m mobile outside the home network. Looking beyond that…

I could write a PowerShell script that grabs a maintained host blacklist and updates the hosts file on each home computer. There are some maintained host name blacklists out there, such as the Ultimate Hosts Blacklist on GitHub:
hxxps://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist

My experience with blocking with the hosts file was more than six years ago, and it became a reactive response on my part. As I identified a malicious host or an advertiser that served malicious ads, I would add them to the block list. Which is ok, but the only reason I was adding the host is that someone in the house had already interacted with the host name. Lots of times that host name was a burner: it was a new domain name, or was typosquatting, or was a compromised small business website that was serving up some malware/phishing page. Never really noticed those used again. So then I ended up doing a whitelist approach instead, adding hosts to an allowed whitelist. Which also has its own drawbacks.

Eventually I gave up on the hosts files and settled on the IP Blacklists in my hardware firewall, and that has worked pretty well for about six years. What I like about the IP lists monitored by FireHOL is that it shows who maintains the list and all the overlap with other lists FireHOL monitors, and confirms if the lists are maintained and at what frequency. It was super easy to configure in the hardware firewall. Haven’t had many issues. The one time I remember having an issue was when Atlassian BitBucket acquired a new IP address that was previously used by someone nefarious for malicious activity. Caused some of my Git repos to not sync until I looked at my firewall logs in pfSense.

So I guess I just gravitate to the IP blacklists, but maybe it’s time for me to look at one of the maintained host files and go that route. Which doesn’t need to be done through GlassWire at all.

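The PowerShell approach sketched in the reply above (pull a maintained hosts-format blacklist, merge it into the Windows hosts file, keep it refreshed) as an added example; this is not code from the thread, from GlassWire, or from the Ultimate Hosts Blacklist project. It assumes a feed in plain hosts format (`0.0.0.0 name` or `127.0.0.1 name` lines) reachable at whatever URL you pass as `-SourceUrl` (placeholder, not taken from the thread), and it manages only the region between two marker comments so hand-maintained entries survive each refresh. The `-Allow` list is there for exactly the BitBucket situation described above: a name you depend on that shows up in a feed can be kept resolvable without editing the feed.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original thread). Refreshes a managed block
  section in the Windows hosts file from a maintained hosts-format blacklist.
  Assumptions: -SourceUrl serves raw "0.0.0.0 host" / "127.0.0.1 host" lines;
  marker comments delimit the managed region; everything outside it is kept.
#>
param(
    [Parameter(Mandatory)] [string] $SourceUrl,   # placeholder: raw hosts-format feed URL
    [string]   $HostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts",
    [string[]] $Allow       = @(),                # names never to block (avoid self-inflicted outages)
    [string]   $BeginMarker = '# BEGIN managed-blacklist',
    [string]   $EndMarker   = '# END managed-blacklist'
)

# Accept only well-formed entries that sinkhole a DNS-style name (alphabetic TLD,
# so "0.0.0.0 0.0.0.0" and other junk are rejected). Comments, IPv6 lines and
# stray text are dropped, so a malformed or tampered feed cannot inject
# arbitrary content into the hosts file. -match is case-insensitive by default.
$entryPattern = '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\s*(?:#.*)?$'

function Get-BlacklistEntries {
    param([string[]] $Lines, [string[]] $AllowList)
    $cmp   = [System.StringComparer]::OrdinalIgnoreCase
    $seen  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $allow = [System.Collections.Generic.HashSet[string]]::new([string[]]$AllowList, $cmp)
    foreach ($line in $Lines) {
        if ($line -match $entryPattern) {
            $name = $Matches[2].ToLowerInvariant()
            if ($name -eq 'localhost.localdomain') { continue }   # never redirect loopback names
            if ($allow.Contains($name))            { continue }   # operator allow list wins
            if ($seen.Add($name)) { "0.0.0.0 $name" }             # dedupe; 0.0.0.0 avoids a loopback connect
        }
    }
}

function Merge-HostsContent {
    param([string[]] $Existing, [string[]] $Entries, [string] $Begin, [string] $End)
    # Keep every line outside the marker block untouched; replace (or append) the block.
    $before = [System.Collections.Generic.List[string]]::new()
    $after  = [System.Collections.Generic.List[string]]::new()
    $state  = 'before'
    foreach ($line in $Existing) {
        if     ($state -eq 'before') { if ($line -eq $Begin) { $state = 'inside' } else { $before.Add($line) } }
        elseif ($state -eq 'inside') { if ($line -eq $End)   { $state = 'after' } }
        else                         { $after.Add($line) }
    }
    $stamp = "# refreshed $(Get-Date -Format o) from $SourceUrl ($(@($Entries).Count) hosts)"
    return @($before; $Begin; $stamp; $Entries; $End; $after)
}

# 1. Fetch the feed over HTTPS (force TLS 1.2 on older Windows PowerShell) and parse it.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$feed    = (Invoke-WebRequest -Uri $SourceUrl -UseBasicParsing).Content -split "`r?`n"
$entries = @(Get-BlacklistEntries -Lines $feed -AllowList $Allow)
# An empty result usually means an error page or a broken download: refuse to
# wipe the existing block rather than silently "updating" to nothing.
if ($entries.Count -eq 0) { throw "Feed at $SourceUrl yielded no valid entries; hosts file left unchanged." }

# 2. Merge into the current hosts file, keeping a backup of the previous version.
$existing = if (Test-Path $HostsPath) { @(Get-Content -Path $HostsPath) } else { @() }
if (Test-Path $HostsPath) { Copy-Item -Path $HostsPath -Destination "$HostsPath.bak" -Force }
$merged = Merge-HostsContent -Existing $existing -Entries $entries -Begin $BeginMarker -End $EndMarker

# 3. Write to a temp file first, then move into place (UTF-8 without BOM; the
#    resolver does not expect a byte-order mark at the top of the file).
$tmp = "$HostsPath.tmp"
[System.IO.File]::WriteAllLines($tmp, [string[]]$merged, [System.Text.UTF8Encoding]::new($false))
Move-Item -Path $tmp -Destination $HostsPath -Force

# 4. Flush the resolver cache so the new entries take effect immediately.
Clear-DnsClientCache
Write-Host "Installed $($entries.Count) blocked hosts into $HostsPath (previous copy at $HostsPath.bak)"
# To keep it current, run this script from a scheduled task (Register-ScheduledTask
# or schtasks.exe) at the feed's own update interval.
```

Two practical notes on this approach. First, a hosts file with hundreds of thousands of entries is not free: very large files are known to slow name resolution on Windows, so pick a curated list rather than the largest one available, and watch resolver latency after the first install. Second, because the script only edits its own marked region and aborts on an empty parse, a bad download or an upstream outage leaves the last good block in place, and the `.bak` copy plus the markers make a rollback a matter of deleting the block or restoring the backup.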