Block countries on OpenBSD using pf


As in the previous article, entire countries can easily be blocked on an OpenBSD firewall using pf and the zone files from https://ipdeny.com/.

The zone files provided by https://ipdeny.com/ need to be stored locally. A simple way to achieve this is a cron job that downloads them periodically (for instance once per day):


# download the latest country zone files
curl -s https://www.ipdeny.com/ipblocks/data/countries/ru.zone > /etc/ru.zone
curl -s https://www.ipdeny.com/ipblocks/data/countries/cn.zone > /etc/cn.zone

In the above example, we store them directly in /etc.

In /etc/pf.conf, first add a table based on the files downloaded by the commands above:

# add a bad hosts table based on local disk text files
# one CIDR per line
table <badhosts> persist file "/etc/ru.zone" file "/etc/cn.zone"

In the above example, we have created a table called badhosts based on two local files.

Finally, we need rules that actually block traffic from and to these network ranges. Example PF block rules:

# block bad IP addresses
block from <badhosts> to any
block from any to <badhosts>
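
The download and reload steps above as one cron-ready script, added here as an example and not part of the original article: each zone is fetched to a temporary file, rejected unless every line is an IPv4 CIDR (so an empty or HTML error response never replaces a working zone file), and pf is reloaded only after a successful update, since pf reads the table files when the ruleset is loaded. The function names and the --apply switch are assumptions; the URL, the /etc paths and the country codes are the article's.

```shell
# Added example, not the article's code. Function names and the --apply
# switch are hypothetical; URL, paths and country codes come from the article.
BASE_URL="https://www.ipdeny.com/ipblocks/data/countries"

# Succeed only if the file is non-empty and every line is a valid IPv4 CIDR.
validate_zone() {
    [ -s "$1" ] || return 1
    awk '
        $0 !~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/[0-9]+$" { bad = 1; exit }
        {
            split($0, p, "[./]")
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) { bad = 1; exit }
            if (p[5] + 0 > 32) { bad = 1; exit }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Move candidate $1 over $2 only if it validates; otherwise discard it.
install_zone() {
    if validate_zone "$1"; then
        chmod 644 "$1" && mv "$1" "$2"
    else
        rm -f "$1"
        return 1
    fi
}

# update_zones DIR CC...: fetch each zone into DIR, then reload pf (which
# re-reads the table files) if at least one file was replaced.
update_zones() {
    dir=$1; shift
    changed=0
    for cc in "$@"; do
        tmp=$(mktemp "$dir/$cc.zone.XXXXXX") || return 1
        if curl -sf -o "$tmp" "$BASE_URL/$cc.zone" &&
            install_zone "$tmp" "$dir/$cc.zone"; then
            changed=1
        else
            rm -f "$tmp"
            echo "update failed, keeping previous $dir/$cc.zone" >&2
        fi
    done
    if [ "$changed" -eq 1 ]; then
        pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
    fi
}
# Run from cron as: script --apply (without it, only the functions are defined)
if [ "${1:-}" = "--apply" ]; then update_zones /etc ru cn; fi
```

The temporary file is created in the same directory as its target so that the final mv is an atomic rename.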