How to configure the Threat Shield application (IP blacklist and DNS blacklist)

I always forget how and where to find the information, so I decided to write a howto, mainly for me :slight_smile: Hopefully it will help others.

Requirement:

  • NethServer 7 with at least one configured interface (green)
  • Application: Threat Shield

1. I found it is easier via Cockpit

https://YOUR.NETHSERVER.IP:9090/nethserver#/applications/nethserver-blacklist

2. Under IP List

Simply cut and paste https://github.com/firehol/blocklist-ipsets.git as your Download URL

Choose your poison

Basically, enable a list for whatever you want to be protected from.
As you can see here, the FireHOL Level 1 list merges the top 5 of these lists and de-duplicates the entries. So without a specific need, FireHOL Level 1 is a good list to activate, and it could be the only one.

NOTE

NethServer needs to act as the gateway for the IP list to be effective for all your network clients (smartphones, workstations, smart TVs, IoT, …)

3. DNS blacklist

Simply cut and paste https://github.com/NethServer/dns-community-blacklist.git as your Download URL

Choose your poison

Sincerely, here I chose one per category, but these lists are like the ones in your uBlock and/or Pi-hole.
You can find more lists on GitHub: https://github.com/topics/pihole-blocklists but
since malware and most threats will be blocked via the FireHOL 1 list, we want to focus on ads and annoyances here:

  • Adguarddns
  • Stevenblack
  • Wally3k

NOTE

NethServer needs to act as the DNS server for the DNS list to be effective for all your network clients (smartphones, workstations, smart TVs, IoT, …); otherwise it will only protect your NethServer and the containers you have on it.

Voilà

I hope this is helpful for you as it is for me.

14 Likes

Or, if you are an addict of the console (CLI) and/or want to do it programmatically:

### BLACKLIST (IP lists, enforced by the firewall)
db configuration setprop blacklist \
    Categories firehol_level1 \
    Url https://github.com/firehol/blocklist-ipsets.git \
    Status enabled

#### FTL (DNS filtering)
db configuration setprop ftl \
    Categories adguarddns \
    Url https://github.com/NethServer/dns-community-blacklist.git \
    Status enabled

# write the configuration, fetch/update the lists, then reload the firewall
signal-event nethserver-blacklist-save
signal-event nethserver-blacklist-update
signal-event firewall-adjust

4 Likes

Very good, thanks.

This should not happen, right?

Right, it should not happen;
but without context it is hard to understand.

However, it happened to me a few minutes ago in the IP blacklist.

Here is my context:

I activated a few lists in batches of 5 or 10 until I reached 35 lists; everything was fine.

And my understanding:

  1. Every time you/I/we hit Save it does a git pull (updates the lists), and GitHub probably has a rule saying that if you reload the same repository x times within a period but nothing has changed, they flag you.
    So in my case I reloaded the page (hit the Save button) maybe 8 times within 5 minutes.

  2. Or, simpler, it could be one list that denies access to GitHub :wink:

Does it make sense?

What about you, how did it happen to you, what is the context?

But how do I get out of this hell loop?

  1. Disable the service and save
  2. Enable the service again, but before hitting the Save button:
    2.1 Select all categories
    2.2 Disable them
  3. Then save

@ssabbath

So in my case I found the list that is blocking GitHub: it is Firehol webserver.
But based on the logs, it seems to block Cloudflare DNS (1.1.1.1), so NS can't resolve github.com.
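A practitioner who hits the situation described above (a list that silently covers the upstream resolver, so git pulls start failing) will want to check a category against the addresses the box depends on before enabling it. The following is an added example, not part of the original post and not code from nethserver-blacklist. It parses the .netset/.ipset text format used by the firehol/blocklist-ipsets repository (one IP or CIDR per line, `#` comments), merges several lists into one collapsed set the way an aggregated list reads, and reports which list contains a given address. The list contents and names (`sample_webserver`, `sample_level1`) are constructed for the demo; they are not the real firehol_webserver or firehol_level1 data.

```python
"""Check whether IPs you depend on fall inside FireHOL-style ipsets.

Added example (not part of the original post or of nethserver-blacklist).
The sample list bodies below are constructed for the demo.
"""
import ipaddress

# Constructed sample in the firehol netset format. NOT the real
# firehol_webserver contents: 1.1.1.0/24 is included only to show how a list
# that happens to cover your upstream DNS would surface in the check.
SAMPLE_WEBSERVER_NETSET = """\
# sample_webserver (constructed)
192.0.2.0/24
198.51.100.17
1.1.1.0/24
"""

# Constructed sample: two adjacent /25s that collapse into one /24.
SAMPLE_LEVEL1_NETSET = """\
# sample_level1 (constructed)
192.0.2.0/25
192.0.2.128/25
203.0.113.0/24
"""

# Addresses this box must always reach: resolver, package mirror, git host.
# Assumed values for the demo; put your own upstream DNS / proxy IPs here.
CRITICAL_IPS = ["1.1.1.1", "8.8.8.8", "203.0.113.9"]


def parse_netset(text):
    """Return the networks listed in a .netset/.ipset body.

    Blank lines and '#' comments (full-line or trailing) are skipped.
    A bare address becomes a /32 (or /128) network.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in the prefix (e.g. 10.1.2.3/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def merge_lists(*lists):
    """Union several parsed lists and collapse overlapping/adjacent entries.

    collapse_addresses() refuses mixed IP versions, so v4 and v6 are
    collapsed separately and concatenated.
    """
    v4 = [n for lst in lists for n in lst if n.version == 4]
    v6 = [n for lst in lists for n in lst if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def find_covering(nets, ips):
    """Map each address to the first network containing it, or None."""
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((str(n) for n in nets if addr in n), None)
    return result


def lists_covering(named_lists, ip):
    """Names of the lists (categories) whose entries contain ip.

    This is the question to ask when one enabled category blocks something
    you need: which list is the culprit?
    """
    addr = ipaddress.ip_address(ip)
    return [name for name, nets in named_lists.items() if any(addr in n for n in nets)]


if __name__ == "__main__":
    lists = {
        "sample_webserver": parse_netset(SAMPLE_WEBSERVER_NETSET),
        "sample_level1": parse_netset(SAMPLE_LEVEL1_NETSET),
    }
    merged = merge_lists(*lists.values())
    print("merged set:", [str(n) for n in merged])
    for ip, hit in find_covering(merged, CRITICAL_IPS).items():
        if hit is None:
            print(f"{ip}: not covered")
        else:
            print(f"{ip}: covered by {hit} in {lists_covering(lists, ip)}")
```

To use it against a real category, read the corresponding `.netset` file from a clone of the blocklist repository into `parse_netset()` instead of the constructed strings, and put your actual upstream resolver and the IPs of any hosts the server must reach in `CRITICAL_IPS`.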

Hahah, sorry for the late response, I didn't get out of this, I just let it go, I was just trying the feature… :stuck_out_tongue:

But this feature is worth the time to debug it :wink:
It easily protects the traffic in/out of your network and blocks ads and malware and …
without using a lot of CPU and memory like Suricata (IPS) does.

1 Like

Agreed. But it can potentially slow down your network; at least I had this experience.

In my case, I often experience a speed-up, since less bandwidth is consumed. Do you have enough RAM on your machine?

Today I discovered that when I activate the DNS blacklist Wally3k, I can't ping google.com. Do you experience the same behavior on your side?

1 Like
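The question above (does enabling a DNS category make a name such as google.com disappear?) can be answered offline before the list is enabled. The following is an added example, not part of the original post and not code from nethserver-blacklist or from the Wally3k/StevenBlack/AdGuard projects. It reads the two formats found in Pi-hole style lists, hosts format (`0.0.0.0 ads.example`) and adblock syntax (`||ads.example^`), and reports which list would block a given hostname. The list bodies and names (`sample_ads_hosts`, `sample_adblock`) are constructed; the `||google.com^` entry is there only to show how a hit looks. Whether a matched entry also catches subdomains depends on how the resolver consumes the list: a plain hosts file matches exact names, while a dnsmasq `address=/example.com/` rule also covers everything under it, so the check offers both behaviours behind `match_subdomains`.

```python
"""Check whether a hostname would be blocked by a DNS blocklist category.

Added example (not part of the original post or of nethserver-blacklist).
The sample list bodies below are constructed for the demo.
"""

SAMPLE_LISTS = {
    # hosts-format sample (constructed); '#' starts a comment
    "sample_ads_hosts": """\
# sample_ads_hosts (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test   # trailing comment
""",
    # adblock-syntax sample (constructed); '!' starts a comment, '@@' is an exception
    "sample_adblock": """\
[Adblock Plus 2.0]
! sample_adblock (constructed)
||telemetry.example.test^
||google.com^
@@||whitelisted.example.test^
""",
}

# Names that hosts files carry for local use; they are not blocklist entries.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0",
}
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_blocklist(text):
    """Return the set of blocked domains (lower-cased) from a list body.

    Understands hosts format, adblock '||domain^' rules and plain one-domain-
    per-line lists. Comments, '[Adblock Plus]' headers and '@@' exception
    rules are skipped (exceptions are not applied to other lists here).
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "![" or line.startswith("@@"):
            continue
        if line.startswith("||") and line.endswith("^"):
            domains.add(line[2:-1].lower())
            continue
        parts = line.split()
        if parts[0] in SINKHOLE_IPS:
            for name in parts[1:]:
                if name.lower() not in LOCAL_NAMES:
                    domains.add(name.lower())
        elif len(parts) == 1:
            domains.add(parts[0].lower())
    return domains


def is_blocked(domain, blocked, match_subdomains=True):
    """True if domain is in blocked, or (with match_subdomains) any parent is.

    match_subdomains=False models exact hosts-file matching;
    match_subdomains=True models dnsmasq 'address=/example.com/' behaviour.
    """
    name = domain.lower().rstrip(".")
    labels = name.split(".")
    if match_subdomains:
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
    else:
        candidates = [name]
    return any(c in blocked for c in candidates)


def lists_blocking(domain, lists=SAMPLE_LISTS, match_subdomains=True):
    """Names of the lists (categories) that would block domain."""
    return [
        name for name, text in lists.items()
        if is_blocked(domain, parse_blocklist(text), match_subdomains)
    ]


if __name__ == "__main__":
    for host in ["google.com", "www.google.com", "tracker.example.test", "mail.example.test"]:
        print(f"{host}: exact={lists_blocking(host, match_subdomains=False)} "
              f"with_subdomains={lists_blocking(host)}")
```

To test a real category, load the list file into `parse_blocklist()` in place of the constructed strings and query the hostnames you noticed breaking; if a name only appears with `match_subdomains=True`, the entry covering it is a parent domain, not the name itself.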

I tested on a 24GB server.

Will test that out again soon; as I said, I was just messing around with this.

I never noticed that… I can ping google, but from every server I test there is a different IP that replies.

With Wally3k:
(screenshot not included)

Also with Wally, but from a different server:
(screenshot not included)

Without Wally, on another server:
(screenshot not included)

From my Windows desktop:
(screenshot not included)