As in the previous article, entire countries can easily be blocked on an OpenBSD firewall using pf
and the zone files from https://ipdeny.com/.
The zone files provided by https://ipdeny.com/ need to be stored locally. A simple way to achieve this is a cron job
that downloads them periodically (for instance once per day):
    #!/bin/sh
    # download the latest country zone files
    curl -s https://www.ipdeny.com/ipblocks/data/countries/ru.zone > /etc/ru.zone
    curl -s https://www.ipdeny.com/ipblocks/data/countries/cn.zone > /etc/cn.zone

In the above example we store the files directly in /etc.
In /etc/pf.conf, first add a table based on the files downloaded by the script above:

    # add a bad hosts table based on local disk text files
    # one CIDR per line
    table <badhosts> persist file "/etc/ru.zone" file "/etc/cn.zone"
In the above example, we have created a table called badhosts based on two local files.
Finally we need rules that actually block traffic from and to these network ranges; an example pair of PF block rules could be:

    # block bad IP addresses
    block from <badhosts> to any
    block from any to <badhosts>
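Two details matter once this runs unattended: pf reads the zone files only when the ruleset (or the table) is loaded, so a plain download leaves the running table stale, and a failed download redirected with `>` would truncate the file and silently empty the table. The following script is an added example, not part of the article; it validates each downloaded file before swapping it in and then refreshes the table, assuming the article's layout (zone files in /etc, a table named badhosts) and that curl and pfctl are available.

```sh
#!/bin/sh
# update-zones.sh (added example, not from the article): refresh the ipdeny
# zone files safely and reload the <badhosts> table. Assumes the article's
# layout: zone files in /etc and a table named badhosts in /etc/pf.conf.
set -eu
ZONE_DIR="${ZONE_DIR:-/etc}"
TABLE="${TABLE:-badhosts}"
BASE_URL="https://www.ipdeny.com/ipblocks/data/countries"

# A zone file is valid only if it is non-empty and every line is an IPv4
# CIDR prefix (ipdeny ships one prefix per line, no comments).
is_valid_zone() {
    [ -s "$1" ] || return 1
    ! grep -Evq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$1"
}

# Fetch one country's zone into a temp file and only replace the live file
# when the download succeeded and validates; a failed or truncated fetch
# must never shrink the table to nothing.
update_zone() {
    cc="$1"; dst="$ZONE_DIR/$cc.zone"; tmp="$dst.tmp.$$"
    if curl -fsS -o "$tmp" "$BASE_URL/$cc.zone" && is_valid_zone "$tmp"; then
        mv "$tmp" "$dst"    # atomic replace, same filesystem
        return 0
    fi
    rm -f "$tmp"
    echo "update_zone: download of $cc failed, keeping previous $dst" >&2
    return 1
}

# pf only reads the files when the ruleset is loaded, so push the fresh
# prefixes into the running table with a single replace operation.
reload_table() {
    combined="$ZONE_DIR/$TABLE.combined.$$"
    cat "$@" > "$combined"
    pfctl -t "$TABLE" -T replace -f "$combined"
    rm -f "$combined"
}

main() {
    files=""
    for cc in "$@"; do
        update_zone "$cc" || true   # keep going; the old file stays in use
        files="$files $ZONE_DIR/$cc.zone"
    done
    reload_table $files
}
# Runs only when given country codes, e.g.: sh update-zones.sh ru cn
if [ $# -gt 0 ]; then main "$@"; fi
```

Put the script in the daily cron entry in place of the two bare curl commands; if a zone file has never been fetched successfully, `cat` fails and the table is left untouched rather than half-filled.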