Please add instructions on how to block IPFire DNS Server bypass attempts through DNS over HTTP/TLS, VPN, Tor, etc

The guide Force clients to use IPFire DNS Server applies only to clients using the unencrypted DNS protocol over port 53. Nowadays more and more systems use DNS over HTTPS/TLS, or some clients could use a VPN or Tor connection to bypass the IPFire DNS Server filter. Documentation or a blog post describing how to configure the firewall to block (as much as possible) accidental or voluntary bypass attempts would be very useful.

Jon is working on this.

1 Like

As part of their protection suite, adamONE has a nice feature called Don’t Talk to Strangers (DTTS). What this does is block all traffic to any IP that has not come from a DNS lookup. This stops any traffic trying to use DoH or DoT or direct IP access which is a great concept. It struggles with P2P, so a lot of multi-player gaming and a few other bits, but as a concept, it is a great idea and would sit well with RPZ. Any clever programmers?

1 Like
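The "Don't Talk to Strangers" idea from the post above, modelled as a small simulation (added example, not adamONE's or IPFire's code): a per-client allow-list is learned from the local resolver's answers, and a flow is only allowed if that client resolved the destination and the answer's TTL has not lapsed. The log line layout, the addresses and the LAN range are constructed for the example; a real deployment would feed resolver answers into a firewall set such as an ipset or nftables set instead of a Python dict.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Constructed resolver answer lines; this field layout is an assumption for the
# example, not the actual Unbound/IPFire log format.
RESOLVER_LOG = [
    "t=1000 client=192.168.1.10 qname=shop.example. rdata=203.0.113.10 ttl=300",
    "t=1000 client=192.168.1.10 qname=shop.example. rdata=2001:db8::10 ttl=300",
    "t=1010 client=192.168.1.11 qname=cdn.example. rdata=198.51.100.7 ttl=30",
]
LINE_RE = re.compile(r"t=(\d+) client=(\S+) qname=\S+ rdata=(\S+) ttl=(\d+)")

# Destinations that never need a prior lookup: the LAN itself, so clients can
# still reach the gateway and its resolver. Constructed range.
ALWAYS_ALLOWED = [ipaddress.ip_network("192.168.1.0/24")]


class DttsTable:
    """Per-client allow-list: (client, destination IP) -> expiry time."""

    def __init__(self) -> None:
        self.learned: Dict[Tuple[str, str], int] = {}

    def ingest(self, line: str) -> None:
        m = LINE_RE.match(line)
        if not m:
            return  # not an A/AAAA answer line, ignore it
        t, client, rdata, ttl = m.groups()
        ip = str(ipaddress.ip_address(rdata))  # normalise; raises on garbage
        key = (client, ip)
        # keep the later expiry if the same answer was seen more than once
        self.learned[key] = max(self.learned.get(key, 0), int(t) + int(ttl))

    def decide(self, client: str, dst: str, now: int) -> str:
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in ALWAYS_ALLOWED):
            return "allow"
        expiry = self.learned.get((client, str(dst_ip)))
        if expiry is not None and now <= expiry:
            return "allow"
        return "drop"  # never resolved via the local resolver, or TTL lapsed


def build_table() -> DttsTable:
    table = DttsTable()
    for line in RESOLVER_LOG:
        table.ingest(line)
    return table


if __name__ == "__main__":
    table = build_table()
    # 203.0.113.53 stands in for a hard-coded DoH/DoT resolver: never looked up, so dropped
    for client, dst in [("192.168.1.10", "203.0.113.10"), ("192.168.1.10", "203.0.113.53")]:
        print(client, "->", dst, table.decide(client, dst, now=1100))
```

The same rule is what breaks P2P in the post's description: a peer address learned from a tracker or DHT rather than from a DNS answer is a "stranger" and is dropped too.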

Thanks @nickh for your hint, RPZ looks very promising, looking forward to trying it out. However the main point that I would like to highlight is that it would be very helpful, and useful to attract new users, to have documentation or a blog post on how to configure IPFire in order to block (as much as possible) bypass attempts to its filters.

Let me elaborate a little more on this. There are tons of people nowadays looking for a practical system to protect a home (or small office, church, etc.) from family-inappropriate content, and maybe disturbing ads, and also to block unsophisticated bypass attempts (DoH, VPN, Tor, etc.). Something like Firewalla, but DIY.

Add to this that tons of people have Raspberry Pi (or similar) hardware available, and you get a huge potential user base. Look at how popular the Pi-hole project has become, even with far fewer capabilities than IPFire.

I think that IPFire would have a huge possibility to grow as a project among this user base, given that it can run on a Raspberry Pi, and that it has all the pieces in place to behave like an open source (kinda) equivalent of Firewalla. The only drawback is that, for new and inexperienced users, it is rather complex to understand and follow all the configuration steps needed to achieve that.

Take as a reference the OpenWrt Parental controls documentation page. This one is also not simple to follow, because OpenWrt does not have all the features integrated in IPFire out of the box, however it is a starting point on this highly sought topic.

For IPFire, starting from @bbitsch's very explicative post, the guide could contain the following information:

  • A brief introduction on what is needed to run IPFire (for instance a Raspberry Pi 4 Model B) and links to the installation instructions.

  • An explanation of why no single filtering technique is foolproof (with each one's pros and cons) and why it is better to rely on several filtering layers and firewall rules working together.

  • How to configure the Proxy, which is the last filtering shield, for everything that has slipped through the DNS filtering, including for instance IP addresses entered directly which would bypass DNS altogether.

  • How to configure the firewall in order to force the use of the proxy, and to close all known ports for DNS over HTTPS/TLS, VPN, Tor, proxies, etc. These two steps provide the Blocking sites by using proxy servers technique described in the OpenWrt guide.

  • Add firewall and DNS filtering through IPblocklists and RPZ for added protection, or otherwise an explanation if these techniques could be used in place of the proxy, with pros and cons.

  • Instructions on how to optionally add ad filtering, using for instance the Pi-hole, AdGuard or EasyList default blacklists.

At present I got the best starting point to figure out how to configure IPFire for this by asking ChatGPT “How to configure IPFire in order to get the main Firewalla capabilities to filter adult content and to block bypass attempts”. However I feel that some of the information is inaccurate or redundant, while some other information is missing.

If I’m not the only one thinking that this guide would be useful for many people, and would attract many new users, I would also be happy to contribute, although I’m afraid that I do not have the required experience.

As a last note, I add that a guide similar to this one regarding Pi-hole on the official Raspberry Pi tutorial site would give IPFire huge visibility and attract many new users.

Please let me know if I went off topic and should open a new post to discuss all this. Thanks

Seems a clever idea to me; it sounds like a kind of extension of the stateful firewall concept, if I understand correctly.

One of my favorite blog posts as a new user.

https://www.ipfire.org/blog/firewall-configuration-recommendations-for-ipfire-users

I think there is a link in the wiki to it.

2 Likes

Thanks for sharing that, I’d never heard of them. DTTS sounds more advanced than other similar setups I’ve used at work over the years. False positives or blocks would be my concern. I guess that’s where the AI helps the most.

I can confirm: