Add additional sources to IPFire blocklist feature

The new Firewall blocklist in Core Update 170 looks promising. :ok_hand:

Is there a way to include more Blocklists? From a reputable source like Github, Gitlab etc… and are well maintained?

1 Like

Just went from zero to 16… Is it not enough?!?



HAHAHA, no I am not complaining, just I like to use blocklists to block services like DoH …

1 Like

Is there something specific that you had in mind? (something reputable and well maintained?) I am just curious…

1 Like

The file containing the list of blocklists is /var/ipfire/ipblocklist/sources. The explanation of the fields in the file is in the file header, so it’s easy enough to add new entries if you want, however the file will be overwritten by any future updates.

If you find any lists which would be useful to other people you could submit a patch to update this file, but before doing this it’s important to check that you’ve got the maximum frequency of checking for updates right, as many lists will block anyone trying to update too often. If you’re going to submit a patch it’s also important to check that the licence for the lists allows the list to be included in the ipfire distribution.

Possibly in a future update we can allow the possibility of a sources.local file, but I think the feature needs to be left as it is for a while before adding new functionality.



Welcome back @Timf :slight_smile:
Many thanks for your detailed explanation, I will follow it and post some lists below for discussion before submitting it.

Interesting that went or is going commercial very soon. so it makes sense to have option.
@jon There used to be plenty of open and well maintained lists, but they either went commercial or abandoned. But here are some I recently found and used in addition to the ones already in the addon:

1- This list contains Common DoH servers and I think it is useful in cases when clients are circumventing IPFire’s DNS server.
It doesn’t mention a Licence. In terms of update checks I think Github is pretty forgiving for update checks if done in a “random” pattern or intervals.

2- 3CoreSec Blacklist - they share threats from their honeypot projects

3coresec lists are under GNU Affero General Public License
3coresec doesn’t mention update check terms.

The "ALL list "above is combined from these specific lists

3- Hosts involved in SSH brute-force

4-Hosts involved in mass scanning and/or exploitation attempts

5-Hosts involved in HTTP brute-force and/or enumeration


Took the 4 lists once and hits are coming in. I also hope that later you can add your own lists via web interface.


Honey = All.
It makes no sense, to include the other ones.

Looks like @Pablo78 found my suggestions useful:

Here is another one:
a Phishing Database of Active IP’s: by MitcheKrogza

Here is the readme and other lists

License: MIT License
Updated: hourly

Would it be useful to post a FULL DB in tar.gz
I think it contains Domains or Links.

would this still work with tar.gz

‘parser’ => ‘ip-or-net-list’,

let me know if you think it is useful.and I can submit a patch