###################################################################
# pf-badhost 0.5 Release Notes / Changelog
# Copyright 2018-2021 Jordan Geoghegan
###################################################################

# Acknowledgements

* Thanks to Mischa Peters and OpenBSD Amsterdam for sponsoring the project! They were kind enough to offer the project free computing resources to help facilitate development and testing of pf-badhost.
* Thanks to Ethan Fergusson for providing access to MacOS devices to help facilitate pf-badhost development and for testing code and finding bugs!
* Thanks to Pedro Guizeline for his financial contributions to the project and for testing code and finding bugs!
* Thank you to everyone who read and tested the pre-release beta code and for all your help finding and fixing bugs!

# Changelog

pf-badhost version 5 is our biggest release to date!

pf-badhost has been confirmed to run on:

* OpenBSD
* FreeBSD
* NetBSD
* DragonflyBSD
* MacOS

If you have successfully run pf-badhost on a different OS, please send me an email and tell me about it!

Release Notes:

* Update notification service established: to receive email notifications of new pf-badhost releases, send an email to with this subject line and body: "subscribe pf-badhost"
* Major rewrite: numerous code correctness, quality and readability improvements
* Revised 'User Configuration Area' now serves as an integrated config file
* Support added for getopts-style command-line argument parsing
* Support added for filtering networks by ASN (Autonomous System Number)
* Support added for Tor filtering: block/whitelist Tor relays and/or exit points
* Program has been documented and a man page written
* Retry logic added to reattempt a download should a list fail to be retrieved
* "Strict mode" option added, which tells pf-badhost to abort should it fail to download a blocklist after 'n' retries (3 by default)
* Numerous Quality of Life Improvements
  - Easier user configuration:
    * Enabling optional features is now far more accessible and user friendly
    * User Configuration Area better organized and moved to top of file
    * IP address families can now be toggled/enabled independently
    * Custom blocklists are now much simpler to configure
    * Support added for gzip/tar.gz compressed lists
    * Most user-configurable options are now simple booleans
    * Improved whitelist ease-of-use
    * Power users can now perform arbitrary filtering and list manipulation
    * Added '-x' option to output the blocklist to stdout rather than refreshing the PF blocklist table. This allows blocklists generated by pf-badhost to be exported and easily used elsewhere
  - Performance Improvements
    * RipGrep/GNUgrep and mawk/gawk are now used opportunistically for a large performance increase
    * Introduced experimental support for "aggy": a subnet/CIDR aggregator written in Go
      - aggy is 100 to 1000 times faster than alternative aggregators
  - Better Error Handling and Logging
    * Error messages are now much more informative
    * Error/abort logic improved to ensure we "Do The Right Thing(tm)"
    * Error messages are now logged to /var/log/messages
    * Blocklist changes are now logged to /var/log/pf-badhost/
  - Quality and Correctness
    * PF table is now reloaded only if there are blocklist changes
    * Improved input sanitization
    * Addressed numerous documentation issues
    * pf-badhost has been confirmed to run on the following shells: oksh, ksh93, bash, zsh

---

* pf-badhost is now run at a random time between midnight and 2am to ensure that pf-badhost users don't overwhelm blocklist hosts

---

* pf-badhost must now be called with a mandatory OS type argument. Example:

    pf-badhost -O openbsd
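The retry logic, "strict mode" abort, change-only PF table reload and randomised start time listed above, sketched as an added POSIX sh example. This is not pf-badhost's own code; the variable names FETCH_CMD, MAX_RETRIES and STRICT, the fake fetch tool and the paths and table name in the commented usage are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not pf-badhost's own code: the behaviours the release
# notes describe, as small POSIX sh functions.
#   fetch_list     retry one list download up to MAX_RETRIES times (default 3)
#   fetch_all      strict mode aborts the run on a persistent failure,
#                  otherwise that list is skipped and the run continues
#   table_changed  reload the PF table only when the list actually changed
#   jitter_seconds random start delay inside a two-hour window
# FETCH_CMD, MAX_RETRIES and STRICT are names assumed for this example.

MAX_RETRIES=${MAX_RETRIES:-3}     # the documented default of 3 retries
STRICT=${STRICT:-0}               # 1 = abort if any list cannot be downloaded
FETCH_CMD=${FETCH_CMD:-"ftp -o"}  # placeholder tool, invoked as: $FETCH_CMD OUTFILE URL

# fetch_list URL OUTFILE: return 0 on success, 1 after MAX_RETRIES failed attempts.
fetch_list() {
    _url=$1
    _out=$2
    _n=0
    while [ "$_n" -lt "$MAX_RETRIES" ]; do
        if $FETCH_CMD "$_out" "$_url" 2>/dev/null; then
            return 0
        fi
        _n=$((_n + 1))
        # the release notes send errors to /var/log/messages; stderr stands in here
        printf 'pf-badhost: download of %s failed (attempt %d of %d)\n' \
            "$_url" "$_n" "$MAX_RETRIES" >&2
    done
    return 1
}

# fetch_all OUTFILE URL...: concatenate every list into OUTFILE.
# Returns 0 normally; in strict mode returns 2 as soon as one list is unavailable.
fetch_all() {
    _all=$1
    shift
    : > "$_all"
    for _u in "$@"; do
        _tmp=$(mktemp) || return 1
        if fetch_list "$_u" "$_tmp"; then
            cat "$_tmp" >> "$_all"
        elif [ "$STRICT" -eq 1 ]; then
            rm -f "$_tmp"
            return 2
        fi
        rm -f "$_tmp"
    done
    return 0
}

# table_changed NEWLIST OLDLIST: true (0) when the PF table needs a reload,
# i.e. there is no previous list or the two files differ.
table_changed() {
    [ -f "$2" ] || return 0
    if cmp -s "$1" "$2"; then return 1; else return 0; fi
}

# jitter_seconds: a random delay of 0..7199 seconds, so a job started at
# midnight runs somewhere before 02:00 instead of hitting list hosts in unison.
jitter_seconds() {
    awk 'BEGIN { srand(); print int(rand() * 7200) }'
}

# Typical run, left commented so the file can be sourced without side effects
# (paths and the table name are placeholders, not pf-badhost's real ones):
# sleep "$(jitter_seconds)"
# fetch_all /tmp/blocklist.new "$@" || { echo "blocklist update aborted" >&2; exit 1; }
# if table_changed /tmp/blocklist.new /tmp/blocklist.txt; then
#     mv /tmp/blocklist.new /tmp/blocklist.txt
#     pfctl -t EXAMPLE_TABLE -T replace -f /tmp/blocklist.txt
# fi
```

The fetch tool is injected through FETCH_CMD so the retry and strict-mode paths can be exercised with a stand-in that fails a chosen number of times; the same hook is what lets a real deployment pick whichever downloader the platform ships.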