VM running on IPFire

Are there any major concerns with running a VM (via the libvirt addon and QEMU)? I set up a test bed IPFire box to educate myself on how to do this, and I was successful. Thanks for the great documentation for IPFire.

In this VM, I would run Pi-hole. I currently have Pi-hole running on another VM not hosted on the IPFire box guarding my network. I'd like to move that VM to IPFire, however I don't have a strong argument for it other than locating all network related services on a single box. The VM where I have Pi-hole running now is inside the firewall, working very well for a couple of years now.

Production is a bit different than a testbed. My choices are to run the VM on a server where I have other VMs running, or run it directly on the IPFire box.

If on IPFire, I'd configure the orange network for Pi-hole.

Running VMs on IPFire is not really a good idea, IMO.
This may punch holes into the hardened OS.

Pi-hole is a solution to block access at the name resolution level. But it demands some effort to direct all DNS requests to the Pi-hole application. If integrated into the IPFire device, you can configure your local devices to use IPFire for DNS only. The DNS server in IPFire then uses Pi-hole only as an 'external DNS server'.

BTW: unbound (IPFire's DNS server) can do the Pi-hole functionality itself. There is a development process to activate the RPZ functions.

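To make the RPZ route concrete: the script below converts a hosts-format blocklist (the format Pi-hole's lists use) into an RPZ zone that unbound can load, and prints the matching unbound.conf stanza. It is an added example for this thread, not IPFire or unbound project code. The zone name "adblock.rpz", the zone file path under /var/lib/unbound and the SOA values are assumptions; the `rpz:` section, `module-config` with `respip`, and `CNAME .` (answer NXDOMAIN) are standard unbound RPZ syntax.

```sh
#!/bin/sh
# Added example: build an unbound RPZ zone from a hosts-style blocklist.
# Assumed names: zone "adblock.rpz", path /var/lib/unbound/adblock.rpz.

# hosts_to_rpz ZONE  -- reads hosts lines on stdin, writes an RPZ zone on stdout
hosts_to_rpz() {
    zone=$1
    printf '$ORIGIN %s.\n' "$zone"
    printf '$TTL 3600\n'
    # SOA/NS values are placeholders; RPZ zones only need them to be present.
    printf '@ IN SOA localhost. root.localhost. 1 3600 900 604800 3600\n'
    printf '@ IN NS localhost.\n'
    # Keep the hostname field, drop comments, localhost entries and bare IPs,
    # lowercase and de-duplicate, then block the name and everything below it.
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        { host = tolower($2) }
        host == "localhost" || host == "localhost.localdomain" || host == "broadcasthost" { next }
        host ~ /^[0-9.]+$/ { next }
        host ~ /^[a-z0-9._-]+$/ && !seen[host]++ {
            print host " CNAME ."
            print "*." host " CNAME ."
        }'
}

# rpz_conf ZONE FILE  -- prints the unbound.conf fragment that loads the zone
rpz_conf() {
    cat <<EOF
server:
    # respip must be in front of the other modules for RPZ to take effect
    module-config: "respip validator iterator"
rpz:
    name: "$1"
    zonefile: "$2"
    rpz-log: yes
    rpz-log-name: "$1"
EOF
}

# Usage (not run here):
#   curl -s <blocklist-url> | hosts_to_rpz adblock.rpz > /var/lib/unbound/adblock.rpz
#   rpz_conf adblock.rpz /var/lib/unbound/adblock.rpz >> /etc/unbound/local.d/rpz.conf
```

Unlike a Pi-hole box in front of the resolver, nothing in the DHCP or firewall setup changes: clients keep using IPFire as their DNS server and the blocking happens inside unbound. Blocking is by name only, so a whole domain goes with its subdomains; there is no per-URL granularity at this layer.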

Does this rely on using the web proxy? I am using Pi-hole because it's very easy to have ads blocked for every device on my network. With IPFire, I can see it has an ad blocklist (and custom block list); my understanding is that I must have all devices configured to use IPFire's web proxy as well.

Pi-hole works on the name resolution (DNS) level. You have to configure your devices to use Pi-hole as DNS server. This can be accomplished by information from the DHCP server and by forcing DNS requests to the DNS server (see wiki article).
If the functionality is implemented in the IPFire DNS server (unbound), this is much more straightforward. You don't need exceptions to the forcing of DNS requests; with an extra Pi-hole server all DNS requests must go through this device, and requests from the Pi-hole device must be allowed to go to the WAN.

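The "forcing DNS requests" with an exception for the Pi-hole host, written out as iptables rules: this is an added example, not IPFire's own firewall code or its wiki recipe. The interface names green0/red0, the resolver address 192.168.1.1 and the Pi-hole address 192.168.1.5 are assumptions. The WAN ACCEPT rule is only needed when the Pi-hole forwards to an external resolver; if it forwards to IPFire itself, as in the setup described earlier in this thread, it can be left out. Only classic port 53 is caught; DNS over TLS (853) or DNS over HTTPS (443) from a client bypasses these rules.

```sh
#!/bin/sh
# Added example: generate iptables rules that redirect all plain DNS from the
# LAN to the local resolver, except traffic from the pi-hole, and let the
# pi-hole itself reach upstream resolvers on the WAN.
# Assumed values: LAN green0, WAN red0, resolver 192.168.1.1, pi-hole 192.168.1.5.

# dns_force_rules LAN_IF WAN_IF RESOLVER PIHOLE  -- prints one iptables command per line
dns_force_rules() {
    lan_if=$1
    wan_if=$2
    resolver=$3
    pihole=$4
    for proto in udp tcp; do
        # Rewrite the destination of any LAN DNS query (except the pi-hole's own)
        # to the local resolver, whatever server the client was configured with.
        echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $pihole -p $proto --dport 53 -j DNAT --to-destination $resolver:53"
    done
    for proto in udp tcp; do
        # The pi-hole may forward to upstream resolvers on the WAN ...
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $pihole -p $proto --dport 53 -j ACCEPT"
        # ... but no other LAN host gets to talk to an outside resolver directly.
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -p $proto --dport 53 -j DROP"
    done
}

# Print the rules; set APPLY=1 (as root) to execute them instead.
dns_force_rules "${LAN_IF:-green0}" "${WAN_IF:-red0}" "${RESOLVER:-192.168.1.1}" "${PIHOLE:-192.168.1.5}" |
while IFS= read -r rule; do
    if [ "${APPLY:-0}" = 1 ]; then eval "$rule"; else echo "$rule"; fi
done
```

Rule order matters in the FORWARD chain: the pi-hole's ACCEPT must come before the DROP for everybody else, which is why the function emits them in that order for each protocol. With the Pi-hole behaviour moved into unbound on IPFire, the `! -s $pihole` exception and the WAN ACCEPT rule disappear, which is the simplification the reply above points at.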

My setup is quite simple, and works for all devices on my network.

I have DHCP set up to use Pi-hole's address for the nameserver; Pi-hole then points to IPFire for DNS requests and IPFire does the DNS lookup (assuming Pi-hole allows the request to pass, i.e. it's not blocked). I never touch the client to do any manual configuration. (This is talked about in the forums here; I just copied others' configuration examples.)

I'm curious to learn if the same type of 'hands off the client' setup is possible using IPFire's blocking capability, or do clients need to be configured to use the web proxy? From what I have read, it seems the web proxy is the only way to utilize IPFire's block lists.

These are three different types of blocking:

  1. Proxy blocking (URLFilter) works on the whole URL of an HTTP request → web access only, but it can differentiate between http://example.com/good_page and http://example.com/bad_page.
  2. DNS blocking (Pi-hole and RPZ) works on the name resolution level → all accesses (resolve example.com, communicate with the resulting IP) can be filtered, but possibly the whole domain is blocked.
  3. IP Block Lists work on the IP level using firewall rules → the changing IPs of bad domains must be updated frequently, but iptables rules are very fast.

It depends which tool you apply.
URLFilter is the weakest: many web accesses use HTTPS nowadays, and applications other than web access cannot be filtered.