authorAndreas Baumann <mail@andreasbaumann.cc>2018-05-08 19:37:03 +0200
committerAndreas Baumann <mail@andreasbaumann.cc>2018-05-08 19:37:03 +0200
commitf71357f795cfc6423d6ba4c80a2256d8513bb0c9 (patch)
tree8318dccc3e5134399ea72c2fcd071eb632f8d9c8
parent645c7bc017b4e1634f18e378eda37c6529bc7477 (diff)
downloadOpenBSD-firewall-f71357f795cfc6423d6ba4c80a2256d8513bb0c9.tar.gz
OpenBSD-firewall-f71357f795cfc6423d6ba4c80a2256d8513bb0c9.tar.bz2
added blocking of known bad IPs
-rw-r--r--config/obr/badhosts2
-rw-r--r--config/obr/pf.conf6
2 files changed, 8 insertions, 0 deletions
diff --git a/config/obr/badhosts b/config/obr/badhosts
new file mode 100644
index 0000000..a7f8014
--- /dev/null
+++ b/config/obr/badhosts
@@ -0,0 +1,2 @@
+# AHrefs.com Bot
+173.199.64.0/18
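Review bot: The single entry `173.199.64.0/18` has no provenance beyond the operator name, so a later maintainer cannot tell where the attribution came from or whether the /18 still belongs to that crawler once it is reassigned. A comment such as `# AHrefs.com Bot — source: <where the range was obtained>, checked: <date>` would make the entry auditable. The table in pf.conf is loaded from `/etc/badhosts` while this file lives at `config/obr/badhosts`; presumably the deploy step copies it there, but if the file is absent at that path pfctl will refuse to load the ruleset, so stating the install path at the top of this file (`# installed as /etc/badhosts`) is worth the line.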
diff --git a/config/obr/pf.conf b/config/obr/pf.conf
index c6a4599..77c1040 100644
--- a/config/obr/pf.conf
+++ b/config/obr/pf.conf
@@ -6,6 +6,9 @@ table <nonroutable> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
# protect against brute force attacks
table <bruteforce>
+# protect against well-known badies
+table <badhosts> persist file "/etc/badhosts"
+
# interfaces
ext_if = vr0
DMZ_if = vr1
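Review bot: `table <badhosts> persist file "/etc/badhosts"` reads the file only when the ruleset is loaded, so later edits to /etc/badhosts have no effect until the ruleset is reloaded or the table is refreshed; the comment above it should say so, e.g. `# protect against well-known baddies (file read at ruleset load; refresh with: pfctl -t badhosts -T replace -f /etc/badhosts)`. The comment also misspells "badies"; the same spelling is repeated in the second hunk (`# block badies`).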
@@ -73,6 +76,9 @@ block in quick on $ext_if from any to <intNetworks>
block in quick on $ext_if from <nonroutable> to any
block in quick on $ext_if from any to <nonroutable>
+# block badies
+block in quick on $ext_if from <badhosts> to any
+
# allow to jump via the firewall, protect against brute force attacks
block quick from <bruteforce>
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
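Review bot: `block in quick on $ext_if from <badhosts> to any` does not log, so there is no pflog evidence of how often the list fires, which is the only way to judge whether an entry is still worth keeping or has gone stale. Adding the `log` keyword, `block in log quick on $ext_if from <badhosts> to any`, makes hits visible in pflog and costs nothing for a list this small. Restricting the rule to inbound traffic on $ext_if matches the adjacent <nonroutable> rules, so the placement before the pass rules is consistent.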