Using the Emerging Threats Firewall Rules

The firewall rulesets are versions of the IP Block lists in a format easily imported into IPF, IPTables, PF, and PIX firewalls.

These rulesets are updated at least daily, we recommend updating your firewalls at the very least once a week, as these hosts may change often. The Spamhaus DROP list is less dynamic, however it does change so be sure to update regularly.

As each update is made a revision number is incremented. That is available here: http://rules.emergingthreats.net/fwrules/FWrev

Ruleset sources include the DShield Top Attackers, the Spamhaus DROP list, and the Shadowserver.org Active Command and Control Servers.

Rules available here:

http://rules.emergingthreats.net/fwrules

A script by Joshua Gimer to automatically update an IPTables firewall is available here:

It should be easily adapted to service most any other firewall.

Changes in Version 2.0

• Added Syslog support
• Added IP address verification
• Added individual IP address and CIDR range white-listing support

• Note (May 10, 2011): You may receive Perl warnings from Net::IP::Match stating that CIDR ranges are not parsing correctly. This is incorrect; CIDR ranges are being parsed correctly. You can suppress these errors by sending stderr to /dev/null. (Example: emerging-iptables-update.pl 2>/dev/null &)

• emerging-iptables-update.pl.txt: Version 2.0 by Joshua Gimer

• emerging-ipset-update.pl.txt: an ipset version of the script by Joshua Gimer