I am using IPFire on dedicated hardware and I am happy with it.
There is one thing which could be improved:
As I am using AdGuard Home (https://adguard.com/en/adguard-home/overview.html) on separate hardware, my wish would be to install it as an addon inside IPFire.
I think a DNS blocker (with a nice frontend) belongs in a modern firewall.
I know that I can make blocklists for unbound as well, but I miss the graphical overview and configuration which AdGuard Home gives me.
These are the requirements for building it:
go v1.14 or later.
node.js v10.16.2 or later.
npm v6.14 or later.
This topic has been discussed - sometimes heatedly - several times in the past (for example, here). To put it short, we disagree for security reasons (source):
[…] Another question frequently asked is why IPFire does not support filtering DNS replies for certain FQDNs, commonly referred to as a Response Policy Zone (RPZ). This is because an RPZ does what DNSSEC attempts to secure users against: tamper with DNS responses. From the perspective of a DNSSEC-validating system, an RPZ will just look like an attacker (if the queried FQDN is DNSSEC-signed, which is what we strive for as much of them as possible), thus creating a considerable amount of background noise. Obviously, this makes detecting ongoing attacks very hard, most times even impossible - the haystack to search just becomes too big.
Further, it does not cover direct connections to hardcoded IP addresses, which is what some devices and attackers usually do, as it does not rely on DNS to be operational and does not leave any traces. Using an RPZ will not make your network more secure, it just attempts to cover up the fact that certain devices within it cannot be trusted. […]
Good grief. You certainly do not want to have this package manager running on a firewall…
Sorry to disappoint you: No.
Please consider using IPFire’s web proxy instead, and enforce a strict firewall policy (more on that can be read here) to drop any traffic from your devices you do not like.
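Peter's point that a DNSSEC validator cannot tell an RPZ rewrite from a spoofed answer, shown as an added simulation (not IPFire, unbound or AdGuard Home code; Ed25519 stands in for a real RRSIG, the canonical form is simplified, and the names and addresses are constructed):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"sort"
	"strings"
)

// RRset is a toy DNS answer: owner name, record type and RDATA.
type RRset struct {
	Name, Type string
	Data       []string
}

// canonical serialises an RRset for the signature check (owner lower-cased,
// RDATA sorted); a simplified stand-in for the RFC 4034 canonical form.
func canonical(rr RRset) []byte {
	d := append([]string(nil), rr.Data...)
	sort.Strings(d)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(d, ","))
}
// Sign plays the zone operator producing the RRSIG (Ed25519, DNSSEC algorithm 15).
func Sign(priv ed25519.PrivateKey, rr RRset) []byte { return ed25519.Sign(priv, canonical(rr)) }
// Validate plays the DNSSEC-validating resolver: "secure" only if the RRSIG
// covers exactly the data received, otherwise "bogus".
func Validate(pub ed25519.PublicKey, rr RRset, sig []byte) string {
	if ed25519.Verify(pub, canonical(rr), sig) {
		return "secure"
	}
	return "bogus"
}
// Rewrite swaps the RDATA but leaves name, type and RRSIG untouched. It models
// both an RPZ sinkhole and an on-path spoofer: neither holds the zone key.
func Rewrite(rr RRset, addr string) RRset { return RRset{rr.Name, rr.Type, []string{addr}} }
// Demo returns the validator's verdict for the genuine answer, an RPZ rewrite
// (sinkholed to 0.0.0.0) and a spoofed answer (constructed 203.0.113.66).
func Demo() (genuine, rpz, spoofed string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	answer := RRset{"ads.example.", "A", []string{"198.51.100.10"}} // constructed sample
	sig := Sign(priv, answer)
	genuine = Validate(pub, answer, sig)
	rpz = Validate(pub, Rewrite(answer, "0.0.0.0"), sig)
	spoofed = Validate(pub, Rewrite(answer, "203.0.113.66"), sig)
	return genuine, rpz, spoofed
}
```

Both rewritten answers come back "bogus" with nothing to distinguish them, which is the background noise the quoted text describes.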
Peter is totally right, however I understand your desire for a different blocker. I have a (complicated) solution for you.
I tried a Pi-Hole on a separate device and found that it was so useful and made monitoring so easy that I kept it. All my clients use it as their only DNS server and it in turn uses IPFire for (downstream) DNS. I’d recommend Pi-Hole over commercial Adguard, and Peter’s right that the node package manager (NPM) ecosystem is a security nightmare built on a fragile house of cards!
Anyway, I’m now installing Pi-Hole on a VM on my IPFire server directly. This is a slight compromise, but means that I don’t have DNS on a separate system to my “router” which will improve reliability in some circumstances.
This isn’t for a newbie, you would want to have confidence administering Linux systems first. However, if you’re willing to experiment, see these wiki pages:
Thanks for your answers.
Please note that npm and the other dependencies are build dependencies, not runtime dependencies. I am able to run my self-built AdGuard Home binary on IPFire just fine, replacing Unbound.
I would also like to integrate the web frontend into the IPFire frontend, but I guess that’s not possible right now.
I will consider running AdGuard Home inside a virtual environment to improve the security.
@dnl: I also ran PiHole for quite a while but I switched because I need a stable REST API, which PiHole does not have right now. Please note that AdGuard Home is fully FOSS and not a commercial product.
IPFire has many strengths, but sadly has a very dated web interface. In case you’re not aware a more modern design was made in the IPFire version 3 branch many years ago but, probably due to lack of developer time/resources, IPFire 2 is still the stable version today.
@dnl: I also ran PiHole for quite a while but I switched because I need a stable REST API, which PiHole does not have right now. Please note that AdGuard Home is fully FOSS and not a commercial product.
Thanks for that. I did briefly look at the URL you linked in your post, but thought it was purely commercial due to the vendor behind it.
What are you going to use the API for? I’ve currently not seen a need for it, so I’m curious!
Also, I should say that I love that IPFire is a Linux distribution and can have a lot of spare resources (depending on what you run it on). This allows you to jump into a shell and configure it to do almost anything.
Of course the more you vary from the way it is designed the more cost for you to maintain your changes, but at least it’s flexible!
I am just using the API to read and visualize the statistics inside my network dashboard inside Home-Assistant and trigger some actions on conditions. AdGuard Home is fully supported but support for PiHole is limited. The opinions about this from one of the Home-Assistant main developers can be seen here: https://twitter.com/Frenck/status/1233902986520387584
But I think both solutions are good, and a little bit of competition is always good to have.