How to configure Threat Shield application (IP blacklist and DNS blacklist)

Howto
1

I always forget how and where to find the information so I decided to make a Howto, mainly for me :slight_smile: hopefully, it will help others.

Requirement:

  • Nethserver 7 with at least one configured interface (green)
  • Application: Threat Shield

1. I found it is easier via cockpit

https://YOUR.NETHSERVER.IP:9090/nethserver#/applications/nethserver-blacklist

2. Under IP List

simply cut and paste https://github.com/firehol/blocklist-ipsets.git as your Download URL

image
image975×237 11.5 KB

Choose your poison

Basically enable a list from what you want to be protected.
As you could understand here The FireHol 1 list concatene the top 5 of these lists and demultiply the entries. So without specific need, FireHol 1 is a good list to active and could be the only one.

NOTE

Nethserver needs to act as gateway if the IPlist being efficient for all your network client (smartphones, workstations, smartTV, IOT, …)

3. DNS blacklist

simply cut and paste https://github.com/NethServer/dns-community-blacklist.git as your Download URL

image
image965×280 16.1 KB

Choose your poison

Sincerely here I choose one per category, but these list are like in your uBlock and/or piHole
You could find more list on github: https://github.com/topics/pihole-blocklists but
since malwares and most threats will be block via FireHol1 list we want to focus on Ads and annoyance here:

  • Adguarddns
  • Stevenblack
  • Wally3k
NOTE

Nethserver needs to act as DNS Server if the DNSlist being efficient for all your network client (smartphones, workstations, smartTV, IOT, …), unless it will be only protect your Nethserver and the container you have on it.

Voilà

I hope this is helpful for you as it is for me.

14 Likes
3

Or if you are an addict of the console (CLI) and/or want to do it programmatically

### BLACKLIST
db configuration setprop blacklist \
    Categories firehol_level1 \
    Url https://github.com/firehol/blocklist-ipsets.git \
    Status enabled

#### FTL (DNS Filtering)
db configuration setprop ftl \
    Categories adguarddns \
    Url https://github.com/NethServer/dns-community-blacklist.git \
    Status enabled

signal-event nethserver-blacklist-save
signal-event nethserver-blacklist-update
signal-event firewall-adjust
4 Likes
4

Very good, thanks.

5

image
image1036×435 19.4 KB

This should not happend right?

6

Right it should not happen;
but without context it is hard to understand

However it happened to me few minutes ago in the IP blacklist,

image
image1884×380 36.2 KB

Here my context

I activated few list by batch of 5 or 10 until I reached 35 list everything was fine.

and my understanding

  1. Everything you/I/we hit save it do an git pull (update the list) and github probably have a rules saying if you reload the same repository x times within a period but nothing as been change they flag you.
    So in my case I reload the page (hit the button save) maybe 8 times within 5 minutes.

  2. Or simplier, it could be one list who deny access to github :wink:

Does it make sense ?

What about you, how did happened to you, what is the context ?

7

But how I get out of this hell loops ?

  1. disable the service and save
  2. select enable the service but before hitting the button save
    2.1 Select all categories
    2.2 Disable them
    3 then save
8

@ssabbath

so in my case I found the list who is blocking github it is Firehol webserver.
but based on the logs, it seams to block Cloudflare DNS (1.1.1.1) so NS can’t resolve github.com

1 Like
9

hahah, sorry for the late response, i didnt get out of this, i just let it go, i was just trying the feature… :stuck_out_tongue:

10

but this feature worth the time to debug it :wink:
it easily protect the traffic IN/OUT of your network and block ads and malware and …
without using a lot of CPU and MEMORY like suricata (IPS) do.

1 Like
11

Agreed. But it can potentially slow down your network, at least i had this experience.

12

In my case, I often experiment a speed up, since less bandwith is consumed, do you have enough RAM on your machine ?

13

today I discovered than when I activate the DNS blacklist Wally3k, I can’t ping google.com, do you experiment the same behavior on your side ?

1 Like
14

I tested in a 24GB server.

Will test that out again soon, as i said i was just messing around with this.

15

I never noticed that… i can ping google, but from every server i test there is a diferent IP that replys.

With Wally3k:

image
image746×151 4.82 KB

Also with Wally but from a diferent server:
image
image741×140 4.7 KB

Without Wally in another server:
image
image722×157 4.95 KB

From my Windows desktop:
image