From f71357f795cfc6423d6ba4c80a2256d8513bb0c9 Mon Sep 17 00:00:00 2001
From: Andreas Baumann
Date: Tue, 8 May 2018 19:37:03 +0200
Subject: added blocking of known bad IPs
---
 config/obr/badhosts | 2 ++
 config/obr/pf.conf | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 config/obr/badhosts
diff --git a/config/obr/badhosts b/config/obr/badhosts
new file mode 100644
index 0000000..a7f8014
--- /dev/null
+++ b/config/obr/badhosts
@@ -0,0 +1,2 @@
+# AHrefs.com Bot
+173.199.64.0/18
diff --git a/config/obr/pf.conf b/config/obr/pf.conf
index c6a4599..77c1040 100644
--- a/config/obr/pf.conf
+++ b/config/obr/pf.conf
@@ -6,6 +6,9 @@ table const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
 # protect against brute force attacks
 table
 
+# protect against well-known badies
+table persist file "/etc/badhosts"
+
 # interfaces
 ext_if = vr0
 DMZ_if = vr1
@@ -73,6 +76,9 @@ block in quick on $ext_if from any to
 block in quick on $ext_if from to any
 block in quick on $ext_if from any to
 
+# block badies
+block in quick on $ext_if from to any
+
 # allow to jump via the firewall, protect against brute force attacks
 block quick from
 pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
-- 
cgit v1.2.3-54-g00ecf
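Review bot: The new table in the first pf.conf hunk reads its entries from `/etc/badhosts`, while this commit adds the list as `config/obr/badhosts`, and nothing visible in the patch shows how the file reaches `/etc`. As far as I know, pfctl rejects the ruleset when a table's `file` cannot be opened, so a missing or unreadable list would make the reload fail rather than just leave the table empty. A comment above the table would record the dependency, for example `# installed from config/obr/badhosts; must exist and be root-owned, not group/world-writable, before pfctl -f`. Unlike the first table in this file, the new one is not declared `const`, so its contents can be changed at runtime; add `const` if the file is meant to be the only source.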
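Review bot: The `block in quick on $ext_if` rule added in the second pf.conf hunk has no `log` keyword, so packets from the listed ranges are dropped without leaving anything in pflog. Writing it as `block in log quick on $ext_if ...` would show whether the list is matching at all and help spot an entry that starts blocking legitimate traffic. The rule is only evaluated for new connections, so after the list is edited and the table reloaded, states already held by a listed address stay until they expire or are removed with `pfctl -k`. That is worth a one-line comment next to `# block badies`.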