I’ve spent some time testing the community lists of the NS8 threat shield.
From the tests I’ve done, I can say that:
The business lists do a good job, especially the nethesis L3 which is quite full (almost 27000 IPs) and the yoroi L2 (about 9400).
However, the FireHOL L1 list, despite being smaller, proved to be very effective in blocking a significant number of malicious requests across the three firewalls I tested it on."
Enabling too many lists, even on powerful hardware, negatively impacts network performance, including the local network, due to the high volume of traffic generated.
Therefore, I’ve concluded that:
The paid lists work well, although I expected more from Yoroi.
I hope it improves over time and they add 0-day IPs to the list quickly.
I found the “AbuseIPDB” list to be extremely effective, which is not included in OpenWRT and NS8.
If you go to their website (https://www.abuseipdb.com) and register, you can make 5 free requests per day to download the updated list.
To add it to the firewall, just edit the /etc/banip/banip.custom.feeds file and add the following at the end:
"abuseipdp": { "url_4": "[https://api.abuseipdb.com/api/v2/blacklist?plaintext=true&key=THEYKEYYOUFINDINAPISITE], "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "abuseipdb", "flag": "" } "
Of course, replace “THEYKEYYOUFINDINAPISITE” with the actual API key you find in the API section after registering on the site.
The other lists I’ve activated are:
- spamhaus drop compilation
- hacker and botnet IPs (BUT EDIT THE URL FIRST)
The “hacker and botnet IPs” list points to a URL with a 30% confidence level.
On their website, they also have a list with 100% confidence.
The URL is the same, so in the “banip.custom.feeds” file, just change “30” to “100” as shown below:
Absolutely, do not activate the "public DoH-Provider" list because it contains local network addresses (for example, 10.0.0.0/24) and even common DNS servers like Cloudflare (1.1.1.1) and Google (8.8.8.8). This would completely block your internet access.
In fact, to avoid problems, I strongly recommend adding the DNS servers you use to the “Allowlist”.
The other lists I tried caused issues with websites commonly used by users.
What are your experiences with these lists?
Are there any specific lists you recommend for more thorough testing?
I’m open to adding some “allowlist” entries to handle any false positives, as long as the list is generally effective.