Add additional sources to IPFire blocklist feature

The new Firewall blocklist in Core Update 170 looks promising. :ok_hand:

Is there a way to include more Blocklists? From a reputable source like Github, Gitlab etc… and are well maintained?

1 Like

Just went from zero to 16… Is it not enough?!?



HAHAHA, no I am not complaining, just I like to use blocklists to block services like DoH …

1 Like

Is there something specific that you had in mind? (something reputable and well maintained?) I am just curious…

1 Like

The file containing the list of blocklists is /var/ipfire/ipblocklist/sources. The explanation of the fields in the file is in the file header, so it’s easy enough to add new entries if you want, however the file will be overwritten by any future updates.

If you find any lists which would be useful to other people you could submit a patch to update this file, but before doing this it’s important to check that you’ve got the maximum frequency of checking for updates right, as many lists will block anyone trying to update too often. If you’re going to submit a patch it’s also important to check that the licence for the lists allows the list to be included in the ipfire distribution.

Possibly in a future update we can allow the possibility of a sources.local file, but I think the feature needs to be left as it is for a while before adding new functionality.



Welcome back @Timf :slight_smile:
Many thanks for your detailed explanation, I will follow it and post some lists below for discussion before submitting it.

Interesting that went or is going commercial very soon. so it makes sense to have option.
@jon There used to be plenty of open and well maintained lists, but they either went commercial or abandoned. But here are some I recently found and used in addition to the ones already in the addon:

1- This list contains Common DoH servers and I think it is useful in cases when clients are circumventing IPFire’s DNS server.
It doesn’t mention a Licence. In terms of update checks I think Github is pretty forgiving for update checks if done in a “random” pattern or intervals.

2- 3CoreSec Blacklist - they share threats from their honeypot projects

3coresec lists are under GNU Affero General Public License
3coresec doesn’t mention update check terms.

The "ALL list "above is combined from these specific lists

3- Hosts involved in SSH brute-force

4-Hosts involved in mass scanning and/or exploitation attempts

5-Hosts involved in HTTP brute-force and/or enumeration


Took the 4 lists once and hits are coming in. I also hope that later you can add your own lists via web interface.


Honey = All.
It makes no sense, to include the other ones.

1 Like

Looks like @Pablo78 found my suggestions useful:

Here is another one:
a Phishing Database of Active IP’s: by MitcheKrogza

Here is the readme and other lists

License: MIT License
Updated: hourly

Would it be useful to post a FULL DB in tar.gz
I think it contains Domains or Links.

would this still work with tar.gz

‘parser’ => ‘ip-or-net-list’,

let me know if you think it is useful.and I can submit a patch


Hello, old topic, but usefull
=> yes please add to the list (and perhaps allow us to have a section maintained by us to put a lot of more ?)
=> also perhaps you can put more (and at the end we choose through a list as you have done)

anyway thanks it is a great idea

Perhaps, Mitchell stopped supporting the IP-Active lists. about 6 months ago…?

He is still updating the Domains and Links lists so I think I will switch to a DNS based blocked for Phishing protection.

I also wonder if Gerd’s IP list is useful for IPFire IP blocklist:


Gerd Hagezi’s lists seem to be well maintained in a lot of formats and became popular in last few months

including an an Unbound list which would work for IP Fire, I believe.

Any thoughts?

1 Like

:thinking: Might be worth a look here

Thinking about using additional lists

1 Like

Is that a regional list?

I noticed a lot of .pl domain names

The idea to add own download URLs is a nice thing.
Same for URL Filter…

I manage my lists in “many” ~ 107 categories on DMZ at NAS;
for domains and IPs of different maintainers, either of who are no further active or reachable as ex. badips, shalla, fake domains, etc.
Other custom and reported … received spams and the phishing IPs URL domains.

Thanks Tim for that great job! Many positive hits were blocked and reported over the years.

By the way
Who think about adding blocklists, should either think about own managed.
Also it makes big sense to have (own) managed whitelist … for the case of false positive.


Old screenshot of modification to Tims code:

1 Like

I’m still clicking in boxes of the customize rulesets IPS :joy: :triumph: :see_no_evil: :hear_no_evil: but bookmarking this topic as peer-block lists sounds great to add in.

What is the screenshot from?

How is the URL filter working for URL’s that are using Https?

All phishing links now use https so I am not sure how to block these