pfSense Guide

Use this guide to integrate Cybora with pfSense using URL Table aliases. In native pfSense, this is the most direct way to consume an external IP-based threat feed and apply it in firewall rules.

What pfSense can do with a Cybora feed

  • pfSense can fetch remote IP-based feeds into URL Table aliases.
  • The alias can then be used in firewall rules anywhere a network alias is supported.
  • This native workflow is best for IP-based Cybora feeds.
  • pfSense native URL Table aliases refresh on a day-based schedule, so they are best suited to daily feed retrieval rather than high-frequency updates.

Before you start

  • Use a pfSense release that supports URL Table aliases.
  • Make sure the firewall can reach your Cybora feed URL over HTTPS.
  • Use an IP-based Cybora feed, because the native URL Table alias workflow is designed around remote IP/network data.
  • Keep the feed in plain text format with one IP, subnet, or range per line.

Create the alias

  1. Go to Firewall > Aliases and add a new alias.
  2. Enter a clear alias name and description.
  3. Set Type to URL Table (IPs).
  4. Paste your Cybora feed URL into the URL field.
  5. Set the update interval. With native pfSense URL Table aliases, the refresh cadence is day-based. Choose a value that stays within your Cybora plan and do not fetch more often than allowed. Only one request is permitted within the allowed interval, and excessive polling may cause the feed to be blocked.
  6. Save and apply the alias.

Apply the alias in firewall rules

  1. Open the firewall rule where you want to enforce the imported indicators.
  2. Use the Cybora alias as the source or destination, depending on your policy design.
  3. Set the rule action so matching traffic is blocked or rejected as intended.
  4. Enable logging on the rule so you can confirm matches later.
  5. Apply the firewall changes.

Validation

  1. Open the alias and confirm that the remote content has been fetched successfully.
  2. Verify that the alias appears in the intended firewall rule.
  3. Review firewall logs to confirm that matching traffic is being blocked by the rule that references the alias.
  4. If needed, inspect the alias table contents to confirm that the expected indicators are present.

Further reading

Back to Integrations