PF Configuration

In order to use PF with ThreatSTOP, we have a script that will configure PF for registered users. The script creates a file that PF can use to create a table.

When you download and extract the script, set the execute bit. Then run the Perl script.

 

Edit the 'tspf.conf' file and update the following items:

 

out_dir - The directory where the files will be saved

 

Add your lists. Each list you have must be defined. If you signed up to the free basic account, it is already configured for you.

 

Run the script and verify that it works properly and that the files are correctly written to the desired directory. There should be a file for each block list in the output directory.

 

Edit the '/etc/pf.conf' file and add the following entries:


        # Table for the ThreatSTOP basic list
        table <ThreatSTOP> file "/var/db/basic" file "/var/db/basic1" \
        file "/var/db/basic2" file "/var/db/basic3" file "/var/db/basic4"


        # Block incoming connections from the ThreatSTOP basic list
        block drop in log quick from <ThreatSTOP>;


        # Block outgoing connections to the ThreatSTOP basic list
        block drop out log quick to <ThreatSTOP>;

 

Reload PF and verify everything is set up correctly.

Reload PF by running the command below. It loads the full ruleset, so the new block rules take effect along with the table; -T load on its own loads only the table definitions.

        /sbin/pfctl -f /etc/pf.conf

Verify there are entries in the table:

        /sbin/pfctl -t ThreatSTOP -T show

Verify the rules:

        /sbin/pfctl -s rules

You should see 2 entries that look like this:

        block drop in log quick from <ThreatSTOP> to any
        block drop out log quick from any to <ThreatSTOP>

 

You will need to configure a cron job so the table is automatically updated for you.

 

The lists are updated every 2 hours. Here is an example that you can use:


# Update the ThreatSTOP lists. Every 2 hours, 15 minutes after the hour (00:15, 02:15, 04:15, etc.)
15  */2  *  *  *  /usr/local/sbin/tsupdate.sh 2>&1
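
A pre-reload check for the periodic update, as an added example rather than ThreatSTOP's own tsupdate.sh: it refuses to reload the table when a list file is missing, empty or malformed, so a failed download cannot silently empty or break the block table. It assumes the list files have already been refreshed, hold one IPv4 address or CIDR per line, and use the /var/db file names from the pf.conf entries above; validate_list, reload_table and the --reload argument are names chosen for this example.

```shell
#!/bin/sh
# Added example, not ThreatSTOP's tsupdate.sh. Assumes the list files were already
# refreshed and hold one IPv4 address or CIDR per line ('#' comments allowed).
PFCTL="${PFCTL:-/sbin/pfctl}"
LIST_DIR="${LIST_DIR:-/var/db}"                      # out_dir from tspf.conf
LISTS="${LISTS:-basic basic1 basic2 basic3 basic4}"  # files named in pf.conf

# Succeeds only if the file is non-empty and every entry is an IPv4 address/CIDR.
validate_list() {
    [ -s "$1" ] || return 1
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            n = split($1, p, "/")
            if (n > 2 || (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32))) { bad = 1; exit }
            if (split(p[1], o, ".") != 4) { bad = 1; exit }
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { bad = 1; exit }
            count++
        }
        END { exit (bad || count == 0) }       # also reject comment-only files
    ' "$1"
}

# Refuse to touch the running table unless every list and pf.conf itself check out.
reload_table() {
    for name in $LISTS; do
        if ! validate_list "$LIST_DIR/$name"; then
            echo "not reloading: $LIST_DIR/$name is missing, empty or malformed" >&2
            return 1
        fi
    done
    "$PFCTL" -n -f /etc/pf.conf || return 1    # parse only, nothing is loaded
    "$PFCTL" -T load -f /etc/pf.conf           # reload table definitions only
}

# Run the reload only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--reload" ]; then
    reload_table
fi
```

The -T load option reloads only the table definitions, which is all a periodic refresh needs; the block rules themselves come from loading the full ruleset.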