Any plans to add adguard home as an add on for IPFire?

Hello,

Currently using OPNsense with the AdGuard Home plugin, there is one very annoying persistent issue with OPNsense that the devs refuse to fix, so I'm looking at moving on from OPNsense to IPFire, but it seems AdGuard Home as an add-on is not available.

Will AdGuard Home be added in future? Why not? I'm not currently looking to run a dedicated separate VM or bare metal for AdGuard…

I find AdGuard particularly effective:

  1. it updates its blocked-domains list from URL metadata every day, automatically, to keep up to date etc…
  2. it allows a different client blocking configuration per source IP network, allowing for user-configurable, flexible, different rule sets based on src IP address/network etc., i.e. it allows for a different client block list config for green and blue networks, for example…
  3. AdGuard Home also has effective parental control blocking; I have all children's devices on a dedicated WiFi SSID / VLAN, and additionally have AdGuard parental controls enabled on this VLAN / src IP client network.
  4. very lightweight, but very effective, when also having effective DoT and DoH blocking rules, unlike Suricata (very heavyweight)

I see there is a partial unbound implementation in IPFire, but I could not find any examples or guides on using IPFire's unbound block list capability…

I'm already aware of the recent RPZ developments, but it seems to lack at least one capability I need:

  1. parental control block lists, applied only to specific src VLAN/IP/networks

AdGuard Home is just a local DNS server, right? I am not sure what the purpose of the plugin is, but I only noticed that there are AdGuard plugins for OPNsense and Home Assistant.

I don't think any of AdGuard's servers is on the "IPFire recommended list".

I use pihole to create different groups for DNS filtering, but it requires separate hardware or a VM.

AdGuard plugin integration with DNS groups sounds kind of cool; I just don't think their servers are "IPFire friendly".

2 Likes

No.

No need for it.

This is up to you.

1 Like

I am curious, how do you accomplish this in IPFire?

Are you using a third party Wifi router / AP ?

1 Like

AdGuard Home is a kind of DNS filtering, like PiHole for example.
But the filtering lists are located at the AdGuard DNS servers. This isn't compatible with the 'IPFire way'.
IPFire filters traffic itself: proxy filtering by URL filter, IP filtering by IP blocklists, geolocation filtering using location, …
DNS filtering (blocking certain DNS requests) isn't implemented yet. But one possible solution is PiHole on a dedicated device in the LAN and forcing all DNS requests to go through this device.
At the moment a solution inside the DNS server of IPFire is being discussed in development, with one possible prototype realized as the 'RPZ project'.

Reasons for the IPFire way are:

  • IPFire is the gateway to the WAN for the local networks, so it is straightforward to do all filtering there.
  • the IPFire project needs external sources for blocking lists, but these are checked by the team for licensing and LTS.
  • no information about local requests is stored outside the local network; AdGuard does this to allow reporting and adapting to local needs.

I configured unbound in a way that it "blocks" certain DNS requests and works exactly like a PiHole. The only downside compared to a PiHole is that there is no statistical evaluation of which sites are "blocked" how many times, etc., but I don't care. I know that they are "blocked", even though it's not the correct way from a network-technician's perspective.

I also wrote a script, which updates the “blocklist” every week and adds some individual exclusions and inclusions.

I will post the scripts and requirements later this week when I find some time. :slight_smile:

Greetings

Alex

I use Ubiquiti for WiFi APs, with on-premises UniFi to manage the APs; managing the WiFi SSID to VLAN mapping is dead easy using UniFi.

The Ubiquiti APs' 1000Base-T uplink trunk interfaces connect to a Cisco IOS switch, and I have OPNsense running in an ESXi 6.7 VM with 3 network port groups/interfaces (1 WAN + 2 LAN interfaces); VLAN tagging is handled on the ESXi vSwitch, OPNsense does not handle VLAN tagging, the ESXi vSwitch does.

On OPNsense, I simply installed the AdGuard Home plugin to listen on both ESXi vSwitch port group VLAN LAN-side interfaces… Within AdGuard Home, I then define/configure the client DNS blocking list based on src IP network prefix… Quite simple, and very effective really.

I haven't seen any technical reasons provided why AdGuard Home couldn't be added to IPFire, especially considering AdGuard Home has been supported in the usual Linux distributions for a very long time already…

Interesting. But no relation to the topic, besides AdGuard.

Resources! Time, money, & man-power. There are very few volunteers available to create Adguard as an add-on. I invite you to consider developing the Adguard add-on yourself and submitting it for consideration.

5 Likes

I also had issues with the IPFire frr add-on being completely broken; I managed to fix it myself, but it is still broken in the IPFire repos, so it seems like a simpler solution is to just run

  1. AdGuard Home on Debian Linux,
  2. just use iptables on the same Debian Linux host to build my own firewall (dead easy to do),
  3. the frr package just works on Debian Linux,
  4. easy to set up a PPPoE client.

Or use VyOS, with its F/W capability + an AdGuard Home container.

So I'll be moving on from IPFire now…

1 Like

I think that with all the options IPF has for blocking, the only thing that would be nice to have is a way to allow/deny a domain when it connects to a client.

Are you in charge of our roadmap now?

5 Likes

Hey there and happy shortest day of the year (in the northern hemisphere)! :slight_smile:

Like I said, I'm going to share my script(s) which let(s) IPFire act like a PiHole (except for the statistical evaluation part). No extra hardware or software needed.

The really nice thing about IPFire is that it is pretty versatile. It might not have all the features you need, but with a little bit of Linux knowledge you can accomplish a lot of additional things. Anyway, let's get to it.

First of all, because IPFire does not support the "rev" command, I needed a "helper script" (I found it somewhere on the web after Michael suggested it).

#!/usr/bin/sed -f
# reverse.sh: reverse the characters of every input line
# Usage: sed -f reverse.sh FILE   (or ./reverse.sh FILE)

# Lines shorter than two characters are already reversed
/../! b

# Reverse a line. Begin embedding the line between two newlines
s/^.*$/\
&\
/

# Move first character at the end. The regexp matches until
# there are zero or one characters between the markers
tx
:x
s/\(\n.\)\(.*\)\(.\n\)/\3\2\1/
tx

# Remove the newline markers
s/\n//g

This code does nothing else than reverse all characters in each line (not the document as a whole, but rather line by line), so

bla bla
blup
123

will become

alb alb
pulb
321

I named it "reverse.sh" and put it in the home folder. The next thing is the main script itself:

#!/bin/bash
# hosts.sh: build an unbound "blocklist" from one of Steven Black's hosts files.
# Expects reverse.sh, include and exclude in /root and writes
# /etc/unbound/local.d/hosts.conf. Restarting unbound is not part of the script.
cd /root || exit 1
sleep 1
# Download the hosts list
wget -O- -q https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts > raw
sleep 1
# Keep only the "0.0.0.0 <name>" lines, then drop the address, comments and spaces
sed -i '/^0.0.0.0/!d' raw
sleep 1
sed -i 's/^0.0.0.0 //' raw
sleep 1
sed -i 's/#.*//' raw
sleep 1
sed -i 's/ //g' raw
sleep 1
# Every full hostname under an excluded domain (e.g. ".sourceforge.net") goes
# into "include", so it stays blocked although the domain as a whole will not be
cp /root/include /root/include-backup
sleep 1
grep -F -f /root/exclude raw >> /root/include
sleep 1
# Turn "exclude" temporarily into one sed alternation: ".a.com" and ".b.net"
# become "a.com\|b.net\" (the trailing backslash pairs with the ")" used further down)
sed -i 's/^.//' /root/exclude
sleep 1
sed -i 's/$/\\|/' /root/exclude
sleep 1
sed -i '$s/.$//' /root/exclude
sleep 1
exclude=$(tr -d '\n' < /root/exclude)
sleep 1
# ... and put "exclude" back into its original form
sed -i '$s/.$/../' /root/exclude
sleep 1
sed -i 's/^/./' /root/exclude
sleep 1
sed -i 's/..$//' /root/exclude
sleep 1
# Reverse every line, keep only the first two labels (the last two of the real
# name), remove duplicates and reverse back: "telemetry.adware.com" -> "adware.com".
# Caveat: names under two-label suffixes such as "co.uk" collapse to "co.uk";
# list such suffixes in "exclude" so they are not blocked as a whole.
sed -f /root/reverse.sh raw > rawreverse
sleep 1
rm -f raw
sleep 1
sed -i 's/.[^.]*//3g' rawreverse
sleep 1
awk '!seen[$0]++' rawreverse > clean
sleep 1
rm -f rawreverse
sleep 1
sed -f /root/reverse.sh clean > raw
sleep 1
rm -f clean
sleep 1
# Drop the excluded domains from the reduced list
sed -i "/^\($exclude)/d" raw
sleep 1
# Sorted list plus the inclusions
sort raw > hosts
sleep 1
rm -f raw
sleep 1
sort /root/include >> hosts
sleep 1
rm -f /root/include
sleep 1
mv /root/include-backup /root/include
sleep 1
# Wrap it in unbound syntax: insert the "server:" header in front (so the first
# domain is kept) and turn every other line into a local-zone statement
sed -i '1i server:' hosts
sleep 1
sed -i '2,$s/^/local-zone: "/' hosts
sleep 1
sed -i '2,$s/$/" always_null/' hosts
sleep 1
rm -f /etc/unbound/local.d/hosts.conf
sleep 1
mv ~/hosts /etc/unbound/local.d/hosts.conf
sleep 1

I named it "hosts.sh" and also put it in the home folder. Some of you might think "what's with all the sleepies?"… but I'm old-school and I like to give the machine some time in between the steps, also for debugging purposes. So what does this script do?

I'm not going to explain every line, so I will summarize. This script downloads one of the hosts lists from Steven Black (in this case: https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts). It then reformats this list so that unbound can "read" it and increases the blocking level by reformatting all subdomains to the particular TLD, followed by deleting the duplicates (and therefore thinning out the "blocklist"). So, for example, if the original list contains "telemetry.adware.com", "commercial.adware.com" and "whatever.adware.com", after the script did its work it will simply contain "adware.com".

It also does some exclusions, read from a file named "exclude", looking like this (for example):

.sourceforge.net
.stackoverflow.com

All TLDs in this file will be excluded from the "blocklist"! IMPORTANT: unbound will still block the subdomains which are listed in Steven Black's hosts list. But there is no "TLD" blocking for these domains.

And finally the script does some inclusions, read from a file named "include", looking like this (for example):

mov
zip

All domains in this file will be added to the "blocklist". "exclude" and "include" are also located in the home folder. The eventually generated "blocklist" is simply a *.conf file in the folder "/etc/unbound/local.d/" and looks like this (for example):

server:
local-zone: "adware.com" always_null
local-zone: "bloatware.com" always_null
...

Then the script does some cleaning (deleting of temporarily necessary files). A restart of unbound is NOT included.

To keep the "blocklist" up to date, I like to run the script once a week (via fcron) before IPFire does its weekly reboot, so no manual restart of unbound is necessary (except for testing purposes, to check that everything works).

That’s it, feel free to use the script and optimize it. :slight_smile:

Merry Christmas and a “good slide” :wink:

Alex

2 Likes
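The same hosts-to-unbound conversion, written here as an added example and not the script from the post above: awk splits a name on "." (-F.), so the two labels at the end can be read directly without a reverse helper. It goes one step further than the post's script in one respect: a short list of two-label public suffixes (co.uk and a few others, an assumption to be extended for your own users) keeps an entry such as ads.example.co.uk from collapsing to co.uk. The hosts, exclude and include files in the demo function are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the thread author's script: hosts file -> unbound local-zones.
# awk splits names on "." (-F.), so no reverse helper is needed. The list of
# two-label public suffixes in SFX is an assumption; extend it for your users.
#
# Usage: hosts_to_unbound HOSTS EXCLUDE INCLUDE > /etc/unbound/local.d/hosts.conf
#   HOSTS   : "0.0.0.0 <name>" lines as in the Steven Black lists
#   EXCLUDE : one domain per line (a leading "." is accepted); the domain itself
#             is never emitted, but the full names under it from HOSTS still are
#   INCLUDE : one domain per line, always emitted
SFX="co.uk com.au co.jp co.nz"

hosts_to_unbound() {
  {
    # 1. names from "0.0.0.0 <name>" lines, trailing comments dropped, lowercased
    awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" {
           sub(/#.*/, "", $2); if ($2 != "") print tolower($2) }' "$1" |
    # 2. collapse each name to its registrable domain, honouring EXCLUDE and SFX
    awk -F. -v exfile="$2" -v sfx="$SFX" '
      BEGIN {
        n = split(sfx, a, " "); for (i = 1; i <= n; i++) two[a[i]] = 1
        while ((getline line < exfile) > 0) {
          sub(/^\./, "", line); if (line != "") ex[tolower(line)] = 1
        }
      }
      NF < 2 { next }
      {
        d = $(NF-1) "." $NF                          # last two labels
        if ((d in two) && NF >= 3) d = $(NF-2) "." d  # three for co.uk and friends
        if (d in ex) { if ($0 != d) print $0 }       # keep full name, drop the domain
        else print d
      }'
    # 3. explicit inclusions (blank lines and comments ignored)
    awk 'NF && $1 !~ /^#/ { print tolower($1) }' "$3"
  } | sort -u | awk 'BEGIN { print "server:" } { printf "local-zone: \"%s\" always_null\n", $0 }'
}

# Constructed sample input for the demonstration; prints the generated config.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/hosts" <<'EOF'
# constructed hosts file, not a real list
0.0.0.0 0.0.0.0
127.0.0.1 localhost
0.0.0.0 telemetry.adware.com
0.0.0.0 commercial.adware.com # trailing comment
0.0.0.0 WHATEVER.adware.com
0.0.0.0 ads.example.co.uk
0.0.0.0 dl.sourceforge.net
0.0.0.0 sourceforge.net
EOF
  printf '.sourceforge.net\n' > "$tmp/exclude"
  printf 'mov\nzip\n\n' > "$tmp/include"
  hosts_to_unbound "$tmp/hosts" "$tmp/exclude" "$tmp/include"
  rm -rf "$tmp"
}

demo
```

On the constructed input the result is a server: header followed by adware.com, dl.sourceforge.net, example.co.uk, mov and zip, each as a local-zone ... always_null line; sourceforge.net itself and co.uk do not appear. As with the script in the post, unbound still has to be reloaded after the file is written.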

As a total noob in Linux scripting… I see a lot of sleep 1 instructions between almost all of the commands.

Probably they are there because it "simply works", but I'm asking myself if there's any way to deliver, rather than a 1-second timeout, a timely way to allow script execution, assuming that some of these may be run on slow flash storage (like microSD or a USB flash drive, which shouldn't be used as the boot drive of a firewall IMVHO).

1 Like

The sleep is just cosmetic. It does not allow for completion of any command as the commands are executed sequentially, each one waiting for the previous one to complete.

The script could be shortened as well as multiple sed commands can be done on one line but it makes readability harder.

I don't think "wait for completion of the command" can be called "cosmetic" in any way; it makes a LOT of sense, especially if a later command depends on the result of a previous one.

However, a less arbitrary delay between commands might be inserted, to speed up the run on faster systems or (more importantly) slow the script down on slow storage (like USB drives, microSD or not that good SSDs) or a slow CPU.

I totally agree that readability of multiple sed executions is king.

1 Like

You have not read what I wrote. In that script, each command will only start when the previous one has completed, so the sleep command will only execute when the previous command has completed. The sleep command is entirely cosmetic. Even @lexuspolaris does not say it is to give the previous command time to complete in his script.

You are absolutely right and my expression “give the machine some time” is definitely misleading.

The "sleepies" are not necessary at all. When executing the script in verbose mode (for testing purposes), 1 second in between the commands to see (for the human machine :D) whether they work correctly or whether something went wrong is extremely useful (because there is no "check" whether the previous command leads to an error or not, and before you recognize it you have a complete mess).

Because the script works without any problems, you could delete all the "sleeps".

And yes, you could execute multiple sed commands in a line, but this makes it more complicated for debugging or inserting new commands, etc.

Greetings

Alex

1 Like

What is the difference between your script and adding the same list under IPF URL filter > blacklist editor?
yours keeps the list updated, right?

The URL filter works only if you have the squid proxy enabled (as far as I know). It handles all the DNS requests correctly and gives the client a "you are not allowed to visit this site" message back, so it works more like a reject.

A "blocklist" at resolver level with the setting "always_null" works like a "drop". It is a dirtier (not good from a network-technician's perspective) but more efficient solution. Instead of checking "does this site exist" and "who is allowed to see it" and then replying to the client "this site exists but you are not allowed to see it", it just gives a short "does not exist" answer.

The disadvantage is that you cannot make exclusions at client level. All clients who use IPFire as DNS server / resolver will have no access to the sites.

1 Like
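For the per-network requirement raised at the top of the thread (a different block list for the children's VLAN than for the green network), unbound's views attach extra local-zones to queries from a given source netblock while the global local-zones in hosts.conf keep applying to everyone. The script below is an added example and comes neither from the thread nor from the IPFire project: it generates a views.conf from a small spec file. The netblocks 192.168.2.0/24 and 192.168.3.0/24, the view names kids and guests, the domain lists, and the assumption that /etc/unbound/local.d/*.conf is read where a new clause may start (the hosts.conf above begins with its own server: clause) are all assumptions about the setup, and the demo input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the IPFire project: one blocklist per
# client network using unbound "views". Assumptions: the netblocks and view
# names in the demo, that clients query IPFire directly (so unbound sees their
# source address), and that /etc/unbound/local.d/*.conf is read where a new
# clause may start (hosts.conf above begins with its own "server:" clause).
#
# Usage: views_conf SPECFILE > /etc/unbound/local.d/views.conf
#   SPECFILE lines: "<netblock> <viewname> <domainlist>", one view per line;
#   <domainlist> holds one domain per line. Queries from <netblock> first hit
#   the view's zones and, because of view-first, then the global local-zones
#   (e.g. hosts.conf), so a view only adds to the common list.
views_conf() {
  spec=$1
  printf 'server:\n'
  # map each source network to its view
  awk 'NF == 3 { printf "    access-control-view: %s %s\n", $1, $2 }' "$spec"
  # one view clause per spec line, zones taken from the domain list
  while read -r _net view list; do
    [ -n "$list" ] || continue
    printf 'view:\n    name: "%s"\n    view-first: yes\n' "$view"
    awk 'NF && $1 !~ /^#/ { printf "    local-zone: \"%s\" always_null\n", tolower($1) }' "$list"
  done < "$spec"
}

# Constructed demonstration input; prints the generated configuration.
views_demo() {
  tmp=$(mktemp -d)
  printf 'gambling.example\nSocial.example\n# comment\n' > "$tmp/kids.list"
  printf 'tracker.example\n' > "$tmp/guests.list"
  printf '192.168.2.0/24 kids %s\n192.168.3.0/24 guests %s\n' \
    "$tmp/kids.list" "$tmp/guests.list" > "$tmp/views.spec"
  views_conf "$tmp/views.spec"
  rm -rf "$tmp"
}

views_demo
```

The generated file starts with a server: clause holding one access-control-view line per network, followed by one view: clause per network with its name, view-first: yes and its local-zone lines. The networks named in access-control-view must also be allowed by unbound's access-control (IPFire does that for its own networks). Check the result with unbound-checkconf before reloading unbound (unbound-control reload, or a restart via the init script), since a syntax error in local.d takes the whole resolver down.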