Blocklists
A private blocklist is a dynamically maintained list of IP addresses that NxtFireGuard has determined to be malicious. Each blocklist is accessible via a unique URL that your firewalls can poll to enforce blocks automatically.
Blocklists are populated by your Traffic Sensors. When a Traffic Sensor observes an IP whose score exceeds the blocklist's configured block threshold, it sends a block recommendation to the Arbiter. The Arbiter validates the recommendation and adds the IP to the blocklist if confirmed.
Each blocklist has a configurable Check Interval that controls how often blocked IPs are re-evaluated. IPs that are no longer considered a threat are removed automatically.
Creating a Blocklist
Creating a blocklist is a four-step process:
- Go to My Blocklists under Blocklists in the sidebar and click + Create Blocklist.
- Step 1 - Blocklist Name: Enter a descriptive name for the blocklist.
- Step 2 - IP and Score Settings: Configure which IP types this blocklist can contain and their respective block thresholds.
  - Enable Include Private IPs and set the Private IP Score Threshold if you want private IPs to be eligible for blocking.
  - Enable Include Public IPs and set the Public IP Score Threshold for public IPs.
  - An IP must exceed the configured threshold for its type before a contributing Traffic Sensor sends a block recommendation.
- Step 3 - Re-evaluation: Set the Check Interval in hours. This determines how frequently blocked IPs are re-scored and potentially removed from the blocklist.
- Step 4 - Traffic Sensor Contribution: Choose which Traffic Sensors should contribute to this blocklist. Enable My Traffic Sensors Should Contribute and select the sensors from the list. Click Create Blocklist to finish.
Accessing Your Blocklist
After creation, open the blocklist via Edit to find the Blocklist URL. This is the endpoint your firewalls should poll to retrieve the current list of blocked IPs.
The URL format is:
https://limes.nxtfireguard.de/blocklist/<your-blocklist-id>
If your firewall has a limit on the number of entries it can handle, you can append the entries parameter to cap the list size:
https://limes.nxtfireguard.de/blocklist/<your-blocklist-id>?entries=500
This does not prevent IPs from being added to the blocklist — it only truncates what is returned by the URL.
Managing Blocklists
Editing a blocklist — click Edit on any blocklist card to update its name, IP settings, score thresholds, check interval, and contributing Traffic Sensors.
Contributing Traffic Sensors can also be updated after creation via the Edit button in the Contributing Traffic Sensors section of the Edit panel.
Deleting a blocklist — click Delete Blocklist inside the Edit panel. This permanently removes the blocklist and its URL. Any firewalls polling that URL will stop receiving updates.
Firewall Integration
The blocklist URL is compatible with any firewall that supports external dynamic IP lists. A few examples:
- Palo Alto NGFW and Panorama
- pfSense — note that pfSense supports IP lists up to 3,000 entries, so use the entries parameter if needed.
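As an added example (not NxtFireGuard's own code), the following poller builds the blocklist URL with the entries cap described above, validates the returned addresses before they reach firewall rules, and computes the delta between two polls so re-evaluated IPs are unblocked as well as new ones blocked. It assumes the endpoint returns one IP or CIDR per line, which this page does not specify, and uses a constructed sample response instead of a live fetch.

```python
"""Poll a NxtFireGuard blocklist and turn it into firewall rule deltas.

Assumption (not stated on the page): the blocklist body is plain text with
one IP address or CIDR per line. Adjust parse_blocklist() if your list differs.
"""
import ipaddress
from urllib.parse import urlencode

BASE = "https://limes.nxtfireguard.de/blocklist/"


def blocklist_url(blocklist_id, entries=None):
    """Build the poll URL; append ?entries=N when the firewall has an entry
    cap (for example pfSense's 3,000-entry limit)."""
    url = BASE + blocklist_id
    if entries is not None:
        url += "?" + urlencode({"entries": entries})
    return url


def parse_blocklist(body):
    """Parse the response body into a set of validated networks.

    Malformed lines are skipped, so a truncated or corrupted download cannot
    push garbage into the firewall's dynamic list."""
    nets = set()
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # not an IP/CIDR: ignore rather than block something random
    return nets


def diff_blocklist(previous, current):
    """Return (to_add, to_remove) so only changes are applied to the firewall."""
    return current - previous, previous - current


# Constructed sample responses: the second poll reflects a re-evaluation that
# dropped 192.0.2.7 and added 192.0.2.99. "not-an-ip" simulates a bad line.
POLL_1 = "203.0.113.10\n198.51.100.0/24\nnot-an-ip\n\n192.0.2.7\n"
POLL_2 = "203.0.113.10\n198.51.100.0/24\n192.0.2.99\n"

if __name__ == "__main__":
    add, remove = diff_blocklist(parse_blocklist(POLL_1), parse_blocklist(POLL_2))
    print(blocklist_url("<your-blocklist-id>", entries=3000))
    print("add:", sorted(map(str, add)), "remove:", sorted(map(str, remove)))
```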
If you need help, reach out via the contact form.