Open Source Threat Intelligence and pf(4)
I came up with the idea to utilize Open Source Threat Feeds, or OSINT, on my private setup and quickly cooked up the shell script below in a rough, first try. The funny thing is that I more or less instantly got hits from the 5346 IP addresses in the table:
@0 block drop log quick from <pf_osint:5346> to any
[ Evaluations: 502 Packets: 20 Bytes: 800 States: 0 ]
[ Inserted: uid 0 pid 68515 State Creations: 0 ]
🧐. The script is currently designed to run every 3 hours and to remove all IP addresses which had been added to the table after a day. I am not too happy about some of the parts right now; first of all, I'd like to separate download and parsing out into a non-privileged process and feed one large chunk of data to pfctl(8).
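One way to split the work as that last sentence describes, added here as an example and not the script from this post: an unprivileged parser turns raw feed text into a clean table file (dropping comments, junk and RFC 1918/loopback ranges so a sloppy feed cannot blackhole the LAN), and a separate privileged step hands the whole file to pfctl(8) in one call and expires day-old entries. The feed content is constructed; the table name pf_osint is the one from the rule above and is assumed to be declared `persist` in pf.conf.

```shell
# Constructed sample of what a downloaded feed tends to look like:
# comments, duplicates, CIDRs, private ranges and plain garbage.
SAMPLE_FEED='# example feed (constructed)
198.51.100.7
198.51.100.7
203.0.113.0/24 ; trailing comment
10.0.0.5
127.0.0.1
not-an-address
192.0.2.300
192.0.2.44'

# parse_feed: unprivileged half. Reads feed text on stdin and prints one
# valid, unique IPv4 address or CIDR per line, ready for pfctl -T ... -f.
parse_feed() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' |
    awk -F'/' '
        NF < 1 || $1 == "" { next }                      # blank / comment-only
        NF > 2 { next }                                  # more than one slash
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 > 32) { next } # bad prefix length
        {
            n = split($1, o, ".")
            if (n != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
            if (!ok) next
            # never block RFC 1918 or loopback, whatever the feed says
            if (o[1] == 10 || o[1] == 127) next
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next
            if (o[1] == 192 && o[2] == 168) next
            print
        }' | sort -u
}

# count_entries: how many entries survive parsing (handy as a sanity check
# before loading: an empty or tiny file usually means a broken download).
count_entries() { parse_feed | wc -l | tr -d ' '; }

# load_table: privileged half, meant to run as root from cron. Adds the
# whole file in one pfctl call, then drops entries older than a day.
# Assumes pf.conf contains: table <pf_osint> persist
load_table() {
    pfctl -t pf_osint -T add -f "$1" && pfctl -t pf_osint -T expire 86400
}
```

Typical use is `fetch -o - "$FEED_URL" | parse_feed > /var/db/pf_osint.txt` as an unprivileged user, followed by `load_table /var/db/pf_osint.txt` as root.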