Please add instructions on how to block IPFire DNS Server bypass attempts through DNS over HTTP/TLS, VPN, Tor, etc

Thanks @nickh for your hint; RPZ looks very promising and I'm looking forward to trying it out. However, the main point that I would like to highlight is that it would be very helpful, and useful to attract new users, to have a documentation page or blog post on how to configure IPFire in order to block (as much as possible) bypass attempts to its filters.

Let me elaborate a little more on this. There are tons of people nowadays looking for a practical system to protect a home (or small office, church, etc.) from family-inappropriate content, and maybe disturbing ads, and also to block unsophisticated bypass attempts (DoH, VPN, Tor, etc.). Something like Firewalla, but DIY.

Add to this that tons of people have Raspberry Pi (or similar) hardware available, and you get a huge potential user base. Look at how popular the Pi-hole project has become, even with far fewer capabilities than IPFire.

I think that IPFire would have a huge possibility to grow as a project among this user base, given that it can run on a Raspberry Pi and that it has all the pieces in place to behave like an open source (kinda) equivalent of Firewalla. The only drawback is that, for new and inexperienced users, it is rather complex to understand and follow all the configuration steps needed to achieve that.

Take as a reference the OpenWrt Parental controls documentation page. This one is also not simple to follow, because OpenWrt does not have all the features integrated in IPFire out of the box; however, it is a starting point on this highly sought-after topic.

For IPFire, starting from @bbitsch's very explicative post, the guide could contain the following information:

  • A brief introduction on what is needed to run IPFire (for instance a Raspberry Pi 4 Model B) and links to the installation instructions.

  • An explanation of why no single filtering technique is foolproof (with each one's pros and cons) and why it is better to rely on several filtering layers and firewall rules working together.

  • How to configure the Proxy, which is the last filtering shield for everything that has slipped through the DNS filtering, including for instance IP addresses entered directly, which would bypass DNS altogether.

  • How to configure the firewall in order to force the use of the proxy, and to close all known ports for DNS over HTTPS/TLS, VPN, Tor, proxies, etc. These two steps provide the "Blocking sites by using proxy servers" technique described in the OpenWrt guide.

  • Add firewall and DNS filtering through IP blocklists and RPZ for added protection, or otherwise an explanation of whether these techniques could be used in place of the proxy, with pros and cons.

  • Instructions on how to optionally add ad filtering, using for instance the Pi-hole, AdGuard or EasyList default blacklists.

At present I got the best starting point to figure out how to configure IPFire for this by asking ChatGPT "How to configure IPFire in order to get the main Firewalla capabilities to filter adult content and to block bypass attempts". However, I feel that some of the information is inaccurate or redundant, while other information is missing.

If I'm not the only one thinking that this guide would be useful for many people, and would attract many new users, I would also be happy to contribute, although I'm afraid that I do not have the required experience.

As a last note, I add that a guide similar to this one regarding Pi-hole on the official Raspberry Pi tutorial site would give IPFire huge visibility and attract many new users.

Please let me know if I went off topic and should open a new post to discuss all this. Thanks
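Added example, not part of the original post and not IPFire's own code: the post pairs RPZ with the Pi-hole/AdGuard/EasyList style blacklists, and those lists are usually published in hosts-file format, so the glue a practitioner needs is a converter from hosts format to an RPZ zone. The script below does that, drops the localhost entries such lists always carry, deduplicates and lowercases names, emits a wildcard rule per name so subdomains are covered, and lets an allowlist exempt names that turn out to be false positives. The sample hosts text, the zone origin `rpz.local.` and the SOA/NS names are constructed placeholders; the RPZ record forms (`CNAME .` for NXDOMAIN, `CNAME rpz-passthru.` for an exemption) are the standard ones.

```python
"""Convert a hosts-format blocklist into an RPZ zone file.

Added example, not code from the original post or from the IPFire project.
Assumptions: the hosts file follows the usual "0.0.0.0 hostname" layout
(Pi-hole / StevenBlack style), and the resolver loads response policy
zones in the standard RPZ format. Zone origin and SOA names are placeholders.
"""
import re
from typing import Iterable, Set

# Constructed sample input (not a real blocklist): comments, blanks,
# inline comments, duplicates, mixed case and the usual localhost entries.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1 localhost
::1       localhost ip6-localhost
0.0.0.0   ads.example.net
0.0.0.0   tracker.example.org   # inline comment
0.0.0.0   ads.example.net
0.0.0.0   Bad.Example.COM.
0.0.0.0   not a hostname!
"""

# Names that hosts files carry for the local machine; never block these.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
               "ip6-mcastprefix", "ip6-localnet"}

# Conservative hostname syntax: at least two labels; letters, digits, hyphen, underscore.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def parse_hosts(text: str) -> Set[str]:
    """Return the set of block-worthy hostnames found in hosts-format text."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2:                    # blank line, or an address with no name
            continue
        # fields[0] is the address (0.0.0.0 / 127.0.0.1 / ::1); the rest are names.
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            names.add(name)
    return names


def build_rpz_zone(block: Iterable[str], allow: Iterable[str] = (),
                   origin: str = "rpz.local.", serial: int = 1,
                   wildcard: bool = True) -> str:
    """Render an RPZ zone as text.

    RPZ record forms used:
      name    CNAME .              -> the resolver answers NXDOMAIN for that name
      *.name  CNAME .              -> and for every subdomain of it
      name    CNAME rpz-passthru.  -> exempt this exact name (allowlist)
    Allowlisted names are also removed from the block set so a name never
    carries two conflicting policies in the same zone.
    """
    allow_set = {a.lower().rstrip(".") for a in allow}
    block_set = {b.lower().rstrip(".") for b in block} - allow_set
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        # SOA and NS are required by the zone file format; names are placeholders.
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 900 2592000 300",
        "@ IN NS localhost.",
    ]
    for name in sorted(allow_set):
        lines.append(f"{name} CNAME rpz-passthru.")
    for name in sorted(block_set):
        lines.append(f"{name} CNAME .")
        if wildcard:
            lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: feed a downloaded hosts file's text instead of SAMPLE_HOSTS and
    # redirect the output to the zone file the resolver is configured to load.
    blocked = parse_hosts(SAMPLE_HOSTS)
    print(build_rpz_zone(blocked, allow=["tracker.example.org"]), end="")
```

Two practical notes. First, this only bites for clients that actually resolve through the IPFire resolver, which is exactly why the post pairs it with firewall rules that close the DoH/DoT ports and force traffic through the proxy: a client that brings its own resolver never sees the zone. Second, hosts lists are written for a stub that matches exact names, so the wildcard rule added here is stricter than the list's authors intended; keep the allowlist handy for the CDN or login host that gets caught by it.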