
Essential Protection for Devices: OPNsense®

Introduction


In this tutorial we will configure OPNsense® to use THREATINT Essential Protection for Devices data feeds to add an additional layer of protection to the firewall itself and all services protected by the firewall like VPN, web, and email servers.



Prerequisites


We need a working URL in order to allow the firewall to download the content of a feed.


Remember, the URL needs to be constructed according to the following schema:


https://fulfilment.threatint.eu/tdf?email=<email address>&subscription=<subscription ID>&feed=<feeds>


Kindly refer to Essential Protection for Devices: Introduction for details on how to construct the URL and which feeds are available.


Configuration


Follow these steps to configure your firewall.


Log in ( 1 ) to your OPNsense® firewall:


  • Select Firewall ( 1 ), then Aliases ( 2 )
  • Click the + sign ( 3 ) at the bottom right corner of the table to create a new alias:


  • Check Enabled ( 1 ).
  • Enter a Name ( 2 ).
  • Select Type: URL Table (IPs) ( 3 ). This alias consequently becomes a reference to a URL with IP addresses, aka: a data feed.
  • Enter a Refresh Frequency. This value determines how often updates are pulled from our servers. Every 1 hour is a reasonable choice to get started.
  • Enter the URL of the feed into Content ( 5 ). In this example we use the bad-networks-ipaddr feed.
  • Check Statistics ( 6 ) to enable a counter.
  • Click Save ( 7 ) at the bottom right corner.


Click Apply ( 1 ).


Loaded# ( 1 ) shows the number of lines loaded from the feed URL (1 line is 1 host IP address or 1 IP network). Last updated shows the timestamp of the last update.

If you feel that your firewall is running low on table entries ( 2 ), make adjustments to Firewall Maximum Table Entries (see Firewall, Settings, Advanced).
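
A pre-flight check you can run on a downloaded copy of the feed before trusting it in a block rule. This is an added example, not THREATINT or OPNsense code. It counts the entries (to compare against Loaded#), splits them by address family, and flags entries that overlap networks you must never block. The names `check_feed` and `PROTECTED`, the `max_table_entries` value, the `#` comment handling and the sample feed are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample feed body (documentation ranges), not real THREATINT data.
SAMPLE_FEED = """\
# constructed sample
192.0.2.15
198.51.100.0/24
2001:db8:bad::/48
10.0.0.0/8
203.0.113.7/32
not-an-ip
"""

# Assumption: networks that must never be blocked (LAN, management). Adjust to your site.
PROTECTED = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_feed(text, protected=PROTECTED, max_table_entries=100_000):
    """Summarise a one-entry-per-line IP feed before it is used in a block rule.

    max_table_entries is a placeholder; read the real limit from
    Firewall, Settings, Advanced on your firewall.
    """
    report = {"entries": 0, "ipv4": 0, "ipv6": 0, "invalid": [], "overlaps": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        try:
            # Accepts a host address or a CIDR network, as the feed may hold both.
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            report["invalid"].append((lineno, raw))
            continue
        report["entries"] += 1
        report["ipv4" if net.version == 4 else "ipv6"] += 1
        # An overlap here means the block rule could cut off your own hosts.
        if any(net.version == p.version and net.overlaps(p) for p in protected):
            report["overlaps"].append(str(net))
    report["fits_table"] = report["entries"] <= max_table_entries
    return report


if __name__ == "__main__":
    print(check_feed(SAMPLE_FEED))
```

The `ipv4` and `ipv6` counts tell you which TCP/IP Version the rule has to cover. A non-empty `overlaps` or `invalid` list is a reason to hold off on applying the alias.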



We have created a new firewall alias that consists of a feed being updated automatically every hour. Now we need to create a firewall rule to use this alias.



  • Go to Firewall ( 1 ), Rules ( 2 ), WAN ( 3 ).
  • The table shows all existing firewall rules. Click the + sign ( 4 ) at the top right corner of the table.


  • Select Action ( 1 ) Block or Reject.
  • Select Apply the action immediately on match ( 2 ).
  • Select Interface ( 3 ): WAN.
  • Select Direction ( 4 ): in
  • Select TCP/IP Version ( 5 ) based on the feed chosen.
  • Select Protocol ( 6 ): Any
  • Select Source ( 7 ): your firewall alias, aka: the feed chosen


  • Scroll down, select Log packets that are handled by this rule ( 8 ).
  • Description ( 9 ) is optional, but helps you find blocks or rejects based on this rule in the logs.
  • Click Save ( 10 ).


  • Check the position of the firewall rule you just created and move it to the top of the list ( 1 ).
  • Click Apply changes ( 2 ) to commit the changes made to the firewall rules.


We have created a firewall alias that consists of a feed being updated automatically every hour. We have also created a firewall rule that makes use of this alias. Finally, we need to validate that the firewall rule works as expected.


Go to Firewall ( 1 ), Log Files ( 2 ), Live View ( 3 ).


Because we entered THREATINT bad-networks-ipaddr as Description for our firewall rule, we can now filter and show only log entries containing THREATINT ( 4 ).


Unfortunately, there is a minor inconsistency in the UI: the label shown in the log view is the same as the Description in the firewall rule.


You usually see the first log entries within minutes:



Summary


Congratulations. You made it. You added an additional layer of security to your OPNsense® firewall and all services protected by your firewall by using THREATINT Essential Protection for Devices data feeds.

Updated on: 10/07/2025
