[Script] Dynamic IP Blocking with FireHOL for TrueNAS SCALE

Hi everyone,

I created a bash script for my TrueNAS SCALE server to block thousands of malicious IPs using FireHOL Level 1 and a personal static list. I decided to share it here because TrueNAS still lacks a robust built-in security panel for IP blacklisting, and not everyone has a dedicated firewall device.

Features:

  • Creates a custom BLACKLIST iptables chain
  • Blocks all IPs from the FireHOL Level 1 list (~4000+ known malicious IPs)
  • Adds local static IPs to a whitelist (e.g., 127.0.0.1, 192.168.0.0/16)
  • Optionally adds resolved IPs from custom DDNS hostnames to the whitelist
  • Reads additional IPs to block from a manually editable .txt file
  • Automatically appends newly blocked FireHOL IPs to the same .txt (no duplicates)
  • Can (optionally) sync to Nextcloud or your cloud solution (edit the final part of the script for that)

Note:

The DDNS domains and file paths in the script are just examples.

You should customize the path to the blocklist (LIST_PATH) and define your own safe IPs/DDNS hostnames.

How to use:

  1. Save the script anywhere on your system (e.g., /mnt/POOL/scripts/firewall-blocks.sh)
  2. Make it executable: chmod +x firewall-blocks.sh
  3. Create an empty firewall-blocks-list.txt file where you want your manual/dynamic IPs stored: touch /path/to/firewall-blocks-list.txt
  4. Add it to a cron job (e.g., every hour) or run manually

Let me know if you need help customizing it further or integrating it with your workflows!
Attachment: firewall-block.txt (2.5 KB)
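The OP's attached script is not reproduced on this page. As an added example (not the OP's firewall-blocks.sh), the following POSIX sh sketch shows the pipeline the post describes: normalise and validate the list entries, merge the downloaded FireHOL entries into the editable .txt without duplicates, and rebuild a BLACKLIST chain in which the whitelist is evaluated before any DROP rule. LIST_PATH, the chain name and the DDNS hostname are placeholders to be replaced; the FireHOL URL is the project's public level1 netset. Setting IPT=echo prints the iptables rules instead of applying them, which is a convenient way to review what a cron run would do.

```shell
#!/bin/sh
# Added example sketching the pipeline the post describes; it is not the OP's attached
# firewall-blocks.sh. Paths, chain name and the DDNS hostname below are placeholders.
set -eu

FIREHOL_URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset"
LIST_PATH="${LIST_PATH:-/mnt/POOL/scripts/firewall-blocks-list.txt}"  # placeholder, like the OP's LIST_PATH
CHAIN="BLACKLIST"
WHITELIST="127.0.0.1 192.168.0.0/16"   # static safe ranges, always evaluated before the DROP rules
DDNS_HOSTS="nas.example.invalid"       # placeholder DDNS name, resolved at run time
IPT="${IPT:-iptables}"                 # IPT=echo prints the rules instead of applying them

# Read entries on stdin; drop comments, whitespace and anything that is not a
# syntactically valid IPv4 address or IPv4/prefix. One clean entry per output line.
normalize_list() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' | awk -F'/' '
    NF == 0 || NF > 2 { next }
    {
      if (split($1, o, ".") != 4) next
      ok = 1
      for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32)) ok = 0
      if (ok) print
    }'
}

# Exit 0 if the single argument is a valid IPv4 address or CIDR block.
is_ipv4_cidr() {
  printf '%s\n' "$1" | normalize_list | grep -q .
}

# Merge the entries in file $2 into list file $1: existing order kept, no duplicates,
# malformed lines dropped. This is the "append new IPs if not already present" step.
merge_into_list() {
  m_list=$1; m_new=$2
  m_tmp=$(mktemp)
  [ -f "$m_list" ] || : > "$m_list"
  cat "$m_list" "$m_new" | normalize_list | awk '!seen[$0]++' > "$m_tmp"
  mv "$m_tmp" "$m_list"
}

# Number of valid entries in a list file (for logging and tests).
list_count() {
  normalize_list < "$1" | wc -l | tr -d ' '
}

# Rebuild the chain from the list file: whitelist RETURNs first, then one DROP per entry.
apply_chain() {
  $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
  for w in $WHITELIST; do $IPT -A "$CHAIN" -s "$w" -j RETURN; done
  for h in $DDNS_HOSTS; do
    # Resolve the DDNS name on every run so a changing home address stays whitelisted.
    for ip in $(getent ahostsv4 "$h" 2>/dev/null | awk '{print $1}' | sort -u); do
      $IPT -A "$CHAIN" -s "$ip" -j RETURN
    done
  done
  normalize_list < "$LIST_PATH" | while IFS= read -r net; do
    $IPT -A "$CHAIN" -s "$net" -j DROP
  done
  # Hook the chain into INPUT exactly once, so repeated cron runs stay idempotent.
  $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT 1 -j "$CHAIN"
}

main() {
  dl=$(mktemp)
  curl -fsSL "$FIREHOL_URL" > "$dl"
  merge_into_list "$LIST_PATH" "$dl"
  rm -f "$dl"
  apply_chain
  echo "$CHAIN now covers $(list_count "$LIST_PATH") entries"
}

# Only apply when invoked as: ./firewall-blocks.sh apply  (functions stay sourceable for testing)
if [ "${1:-}" = apply ]; then main; fi
```

Because the whitelist is placed at the top of the chain with RETURN, a FireHOL range that happens to overlap a whitelisted address can never lock out the whitelisted host; the DROP rules are only reached for traffic that did not match a RETURN. The validation step also matters defensively: a stray line in the editable .txt (a comment, a hostname, a typo such as 999.1.1.1) is dropped rather than passed to iptables, where it would abort the run halfway through rebuilding the chain.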

Is it a correct assessment that this aims to block connection attempts to a TrueNAS server that is publicly reachable? The script uses iptables and a list downloaded from GitHub consisting of around 4k IPs.

If that is correct, may I ask why you would expose the server to the public in the first place?

Yes, the goal is exactly to block malicious connection attempts to a TrueNAS SCALE system exposed to the public internet.
While the ideal scenario would be complete network isolation, that’s simply not feasible for many users — especially when certain devices or services require public access.

In my case, I need to keep SSH open for automated backups from a Grandstream PBX, which — despite being a recent model — doesn’t allow changing the SFTP port and only supports Samba and SSH for scheduled backups. There’s no native support for cloud storage, rsync over SSH with custom ports, or other modern methods. That makes controlled public exposure necessary.

This script was developed to:
• Dynamically download and apply blocklists from FireHOL via iptables
• Allow whitelisting of safe addresses (including dynamic DNS)
• Maintain a plain .txt list that is human-readable and editable
• Automatically append new IPs if not already present

It’s not meant to be a replacement for a real firewall — but for those of us without dedicated hardware, it’s a lightweight and flexible extra layer of defense.

You’ll want to adapt the whitelist and cloud sync commands to your own environment. The current script assumes a typical remote access use case where remote management and external sync are required.

I would suggest using VPN if at all possible.
Relying on a blacklist or whitelist passed to iptables sounds risky.

Ideally, your PBX can reach the TrueNAS server using a VPN tunnel.