ThreatHive Integration Guide - OPNsense Firewall

Log in to your OPNsense Web UI: Access your firewall via a web browser (e.g., https://<firewall-ip>).
Install and Enable the Firewall Alias Feature:
- Go to Firewall > Aliases.
- Click + Add to create a new alias.
- Configure the alias:
  - Name: ThreatHive_Blocklist
  - Type: URL Table (IPs)
  - Content: https://www.threathive.net/hiveblocklist.txt
  - Update Frequency: 15 Minutes
  - Description: ThreatHive.net Blocklist - Malicious IPs
- Click Save, then Apply Changes.
Create a Firewall Rule to Block Traffic:
- Go to Firewall > Rules > WAN.
- Click + Add to create a new rule.
- Configure the rule:
  - Action: Block
  - Interface: WAN
  - Direction: In
  - Source: Single host or alias
  - Source Address: ThreatHive_Blocklist
  - Destination: Any
  - Description: Block traffic from ThreatHive malicious IPs
  - Log: Optional, but recommended
- Click Save, then Apply Changes.
Enable Logging and Monitoring:
- Enable logging in the firewall rule.
- Go to Firewall > Log Files > Live View to see blocked IPs.
Confirm It’s Working:
- Go to Firewall > Aliases.
- Click the 🔍 icon next to ThreatHive_Blocklist.
- You should see a list of current IPs being blocked.
Additional Notes:
- The ThreatHive blocklist updates every 15 minutes. OPNsense will fetch the latest entries automatically.
- Ensure WAN rules are correctly ordered, especially if other allow/deny rules exist.
- This guide focuses on blocking incoming connections. You can adapt the method for outbound filtering.

Integration Steps