Essential Protection for Devices: Introduction
Introduction
THREATINT Essential Protection for Devices is a collection of data feeds that provide essential network protection for firewalls like OPNsense® or pfSense®, and publicly accessible servers.
IP addresses conducting malicious activities (including but not limited to hosting malware, phishing or command and control infrastructure, sending spam and scanning hosts) will eventually be added to our data feeds. These feeds can be used by our subscribers to block unwanted traffic.
Data quality
We take precautions not to affect legitimate IP addresses by maintaining a list of well-known public APIs and services and never adding them to our feeds. This list includes but is not limited to the following:
- AWS (Amazon Web Services)
- Google APIs and Services including Gmail
- Microsoft 365
- Cloudflare, Bunny CDN, and CDN77 edge servers
Kindly note that this does not apply to user instances, e.g. Amazon AWS EC2 or customers' Google Cloud resources.
Feeds
Our feeds contain lists of IP addresses (single hosts and/or networks) for which we recommend not allowing any incoming and/or outgoing traffic.
Kindly choose from the following list depending on your network environment (IPv4, IPv6) and the capabilities of your device:
Feed | Description |
---|---|
| single host IPs, both IPv4 and IPv6 |
| single host IPs, IPv4 only |
| single host IPs, IPv6 only |
| IP networks, both IPv4 and IPv6 |
| IP networks, IPv4 only |
| IP networks, IPv6 only |
| single host IPs and IP networks combined, both IPv4 and IPv6 |
| single host IPs and IP networks combined, IPv4 only |
| single host IPs and IP networks combined, IPv6 only |
OPNsense® or pfSense® can utilise feeds with single host IP addresses and IP networks in one feed, which makes bad-networks-ipaddr the perfect choice for these platforms.
Accessing the feeds
All feeds must be accessed via HTTP GET. Platforms like OPNsense® or pfSense® have built-in support for HTTP GET; other platforms or servers might need command line clients or libraries like curl or wget.
Please construct all URLs according to the following scheme to access the feeds:
https://fulfilment.threatint.eu/tdf?email=<email address>&subscription=<subscription ID>&feed=<feed>
Part | Description |
---|---|
| The email address used to purchase the subscription |
subscription ID | Subscription ID from our welcome mail |
feed | Feed, see table above |
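For servers without built-in feed support, the following added example (not THREATINT's own code) builds the URL from the scheme above and validates a downloaded feed before it is handed to a firewall. It assumes the feed is plain text with one IP address or CIDR network per line and `#` comment lines; the guard list, the subscription placeholder and the sample data are constructed for illustration.

```python
import ipaddress
import urllib.parse
import urllib.request

BASE = "https://fulfilment.threatint.eu/tdf"  # from the URL scheme above
# Added safety assumption: never block local address space, whatever the feed says
GUARD = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

def feed_url(email, subscription_id, feed):
    # urlencode escapes '@' and '+' in the email address so the query survives intact
    query = urllib.parse.urlencode(
        {"email": email, "subscription": subscription_id, "feed": feed})
    return f"{BASE}?{query}"

def fetch(url, timeout=30):
    # HTTP GET; urlopen raises HTTPError on 4xx/5xx responses
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def parse_feed(text, min_entries=1):
    """Return (ipv4_networks, ipv6_networks, rejected_lines) for feed text.

    Raises ValueError when too few valid entries remain, so an error page or
    an empty body never replaces a working blocklist.
    """
    v4, v6, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)  # not an IP or network, e.g. HTML
            continue
        if any(g.version == net.version and net.overlaps(g) for g in GUARD):
            rejected.append(line)  # would cut off local traffic
            continue
        (v4 if net.version == 4 else v6).add(net)
    if len(v4) + len(v6) < min_entries:
        raise ValueError("too few valid entries; keep the previous list")
    return sorted(v4), sorted(v6), rejected

# Constructed sample input using documentation ranges, not real feed data
SAMPLE = ("# constructed sample\n198.51.100.7\n203.0.113.0/24\n"
          "2001:db8::/32\n10.0.0.0/8\n<html>error</html>\n")
```

In production, set `min_entries` well above 1 and log the rejected lines, so that a truncated download or an authentication error page is noticed rather than silently loaded.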
Updated on: 13/07/2025