/etc/pf.badhosts, /etc/pf.goodhosts and /etc/pf.conf extract:
table <badhosts> persist file "/etc/pf.badhosts"
block on $int_if from <badhosts> to any
# '/etc/pf.goodhosts' overrides any accidental blocks from '/etc/pf.badhosts' (e.g. your LAN subnet): neither rule uses 'quick', so the later pass rule is the last match and wins.
table <goodhosts> persist file "/etc/pf.goodhosts"
pass on $int_if from <goodhosts> to any
# pfctl -t badhosts -T show
# pfctl -t badhosts -T add <ip>
# pfctl -t badhosts -T delete <ip>
# pfctl -t badhosts -T replace -f /etc/pf.badhosts
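The goodhosts override above also means that a badhosts entry lying inside a goodhosts network is silently dead. As an added example that is not part of these notes, this Python audit parses both table files (constructed contents embedded inline, in the indented form 'pfctl -T show' prints) and reports such entries; it assumes Python 3.7+ for ipaddress.subnet_of().

```python
"""Audit pf table files for badhosts entries that goodhosts overrides (added example)."""
import ipaddress


def parse_table_file(text):
    """Parse pf table-file text into (entry, network) pairs; '#' comments, blank
    lines and the indentation of 'pfctl -t NAME -T show' output are accepted.
    Negated ('!') and unparsable entries come back in a second list."""
    entries, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.startswith("!"):
            rejected.append(entry)  # negation changes rule semantics; review by hand
            continue
        try:
            entries.append((entry, ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            rejected.append(entry)
    return entries, rejected


def find_shadowed(badhosts_text, goodhosts_text):
    """Return (bad_entry, good_network, kind) for badhosts entries overlapping a
    goodhosts network. The later 'pass ... from <goodhosts>' rule wins (no
    'quick'), so 'whole' entries are dead and 'partial' ones only block outside it."""
    good, _ = parse_table_file(goodhosts_text)
    bad, _ = parse_table_file(badhosts_text)
    shadowed = []
    for bad_entry, bad_net in bad:
        for _, good_net in good:
            if bad_net.version != good_net.version or not bad_net.overlaps(good_net):
                continue
            kind = "whole" if bad_net.subnet_of(good_net) else "partial"
            shadowed.append((bad_entry, str(good_net), kind))
            break
    return shadowed


# Constructed sample file contents standing in for /etc/pf.goodhosts and /etc/pf.badhosts.
GOODHOSTS = "# LAN and a delegated IPv6 prefix\n192.168.1.0/24\n2001:db8:1::/48\n"
BADHOSTS = ("# pasted from 'pfctl -t badhosts -T show', hence the indentation\n"
            "   203.0.113.7\n   192.168.1.50\n   198.51.100.0/24\n   2001:db8:1::10\n")

if __name__ == "__main__":
    for entry, net, kind in find_shadowed(BADHOSTS, GOODHOSTS):
        print(f"badhosts {entry}: {kind} override by goodhosts {net}")
```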
pf.conf.
# Variables.
int_if="vio0"
...
## In.
# Block and log all packets except rules following.
block log all
# Allow IPv4 ICMP echo requests (type 8), log and rate-limit.
pass in log on $int_if inet proto icmp all icmp-type echoreq keep state (max-src-conn 50, max-src-conn-rate 10/30, overload <abusive_hosts> flush)
# Allow IPv4 SSH traffic on tcp, log and rate-limit.
pass in log on $int_if inet proto tcp from any to $int_if port { 22 } flags S/SA keep state (max-src-conn 50, max-src-conn-rate 10/30, overload <abusive_hosts> flush)
# Allow IPv4 HTTP and HTTPS traffic on tcp, log and rate-limit.
pass in log on $int_if inet proto tcp from any to $int_if port { 80, 443 } flags S/SA keep state (max-src-conn 100, max-src-conn-rate 20/10, overload <abusive_hosts> flush)
## Allow all outbound traffic.
pass out all
...
## Tables.
table <abusive_hosts> persist
block in on $int_if from <abusive_hosts> to any
For UDP, use the same pass in log on $int_if inet ... rule, but omit flags S/SA (UDP has no TCP flags) and replace inet proto tcp with inet proto udp.
For example:
pass in log on $int_if inet proto udp from any to $int_if port { 8080 } keep state (max-src-conn 100, max-src-conn-rate 20/10, overload <abusive_hosts> flush)
Cron script to dump the <abusive_hosts> table (and sshguard's table) to a file and remove any duplicate IPs from the file:
#!/bin/ksh
## Crontab: 0 */4 * * * /etc/pf.abusive_hosts.sh
# Append the current contents of the overload table and of sshguard's table to the file.
pfctl -t abusive_hosts -T show >> /etc/pf.abusive_hosts
pfctl -t sshguard -T show >> /etc/pf.abusive_hosts
# Sort and de-duplicate into a temporary file, then put the result back in place.
sort -u /etc/pf.abusive_hosts > /etc/pf.abusive_hosts2
cp /etc/pf.abusive_hosts2 /etc/pf.abusive_hosts
rm -f /etc/pf.abusive_hosts2
pf.conf.
# Block the malformed TCP flag combinations used by nmap's OS detection and stealth scans.
# FIN, URG and PSH set (Xmas scan).
block in log quick proto tcp flags FUP/WEUAPRSF
# Every flag set.
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
# SYN, RST, ACK, FIN and URG set.
block in log quick proto tcp flags SRAFU/WEUAPRSF
# No flags set (null scan).
block in log quick proto tcp flags /WEUAPRSF
# SYN and RST both set.
block in log quick proto tcp flags SR/SR
# SYN and FIN both set (SYN/FIN scan).
block in log quick proto tcp flags SF/SF