January 10, 2021
OpenBSD | FreeBSD | DragonflyBSD | NetBSD | MacOS
Download Link: pf-badhost.sh | Previous Releases: Archives
Changelog: changelog.txt
Man Page: man.txt
Beta Snapshots: beta
Errata (instructions are within patch file): 001
pf-badhost is a fast, bi-directional network filtering utility powered by the PF firewall. pf-badhost blocks many of the internet's biggest irritants - annoyances such as SSH and SMTP bruteforcers are largely eliminated. Shodan scans and bots looking for webservers to abuse are stopped dead in their tracks. When used to filter outbound traffic, pf-badhost blocks many seedy, spooky malware containing web hosts.
Filtering performance is exceptional, as the badhost list is stored in a PF table. To quote the OpenBSD FAQ page regarding tables: "the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses."
pf-badhost is simple and powerful. The blocklists are pulled from quality, trusted sources. The 'Spamhause', 'Firehol', 'Blocklist.de', 'Emerging Threats' and 'Binary Defense' block lists are used as they are popular, regularly updated lists of the internet's most egregious offenders. pf-badhost can easily be expanded to use additional and/or alternate blocklists as well as setting custom filter rules.
pf-badhost works best when used in conjunction with unbound-adblock for the ultimate badhost blocking.
To receive notifications for new pf-badhost releases, send an email to announce@geoghegan.ca with this subject line: "subscribe pf-badhost"
If you believe my work has provided value to you, and if you have the means to, please consider donating.
If you want to donate, but aren't able to use PayPal, please get in contact with me and we can figure out a more suitable method.
I would like to give thanks to the following people for their donations of time, resources and/or money to the project:
Thanks to Mischa Peters and OpenBSD Amsterdam for sponsoring the project! They were kind enough to offer the project free computing resources to help facilitate development and testing of pf-badhost.
Thanks to Ethan Ferguson for providing access to MacOS devices to help facilitate pf-badhost development and for testing code and finding bugs!
Thanks to Sean Davies for his numerous code and manpage improvements. Thanks for the all the diffs!
If you've written or created something related to pf-badhost and would like to have your link listed here then please send me an email.
Q-1: How can I help the project?
A-1: You can find bugs, donate, or tell your friends about pf-badhost.
Q-2: Will this run on Linux?
A-2: Yes and No. pf-badhost can generate blocklists with the '-x' option on nearly any OS (including Windows via WSL). However, to install and manage firewall blocklist tables on a local machine requires an operating system featuring the PF firewall.
Q-3: Will this run on Solaris?
A-3: It likely will run on newer Solaris versions - if someone wants to give me SSH access to a Solaris test box (or any other OS with PF) I'll happily add support for it.
Q-4: How do I check pf-badhost's status?
A-4: By default, pf-badhost sends all log messages to syslog and also prints them to stderr. A copy of the two most recently generated blocklists are stored within '/var/log/pf-badhost'. These behaviors can be modified using commandline options.
Additionally, most cron daemons are configured to mail the cron job results/output to the cron job owner. If you have your local mail system configured on your machine, you can configure the status reports to be forwarded to your main email account. Please check the documentation relevant to your system for more info, as this is beyond the scope of pf-badhost's instuctions.
Q-5: Can't I just run this as root?
A-5: I'd tell you to stop being annoying, but you have a right to shoot yourself in the foot. You can use the '-D' option to disable UID checking.