OPNsense Guide

Use this guide to integrate Cybora with OPNsense using native firewall aliases. In OPNsense, the cleanest native workflow is to consume Cybora as an IP-based URL Table alias and then use that alias in firewall rules.

What OPNsense can do with a Cybora feed

  • OPNsense can fetch remote IP feeds into a URL Table alias and keep the alias updated automatically.
  • The imported alias can then be used in firewall rules anywhere you would normally use a host or network alias.
  • This native alias workflow is best suited for IP-based Cybora feeds. If you want domain- or URL-based enforcement, that typically requires additional DNS or web-layer controls outside the basic alias workflow.

Before you start

  • Use an OPNsense release that supports Firewall > Aliases and URL Table aliases.
  • Make sure the firewall can reach your Cybora feed URL over HTTPS.
  • Use an IP-based Cybora feed for the native OPNsense alias workflow.
  • The remote feed should stay in plain text format with one IP address, subnet, or range per line.

Create the alias

  1. Go to Firewall > Aliases and add a new alias.
  2. Enter a clear alias name and description.
  3. Set the alias type to URL Tables (IPs).
  4. Paste your Cybora feed URL into the content field.
  5. Set the Refresh frequency to match your Cybora plan as closely as your OPNsense setup allows. Do not poll the feed more often than your plan permits. Only one request is allowed within the permitted interval, and excessive polling may cause the feed to be blocked.
  6. Save the alias and apply the changes.

Apply the alias in policy

  1. Open the firewall rule where you want to block or match the imported indicators.
  2. Use the Cybora alias as the source or destination, depending on your policy design.
  3. Set the action to block, reject, or another action appropriate for your policy model.
  4. Enable logging on the rule so you can confirm matches in live traffic.
  5. Apply the updated firewall configuration.

Validation

  1. Go to Firewall > Diagnostics > Aliases and inspect the loaded alias contents.
  2. Confirm that Last updated changes after the alias refreshes.
  3. Use Find references or the live firewall logs to verify that the alias is being matched by the intended rules.
  4. Test with known matching traffic and confirm that the rule behaves as expected.

Further reading

Back to Home