Threat Shield Behavior - Is this correct?

Hi all,

Some time ago I started using PiHole and then became aware of the new threat shield module, which I had to test immediately as I really like your work on NethServer, guys. It's indeed spectacular and I want to thank you for having created such a nice, feature-rich server, which I really enjoy exploring and am looking forward to using in production soon. I see a limitation in threat shield compared to PiHole that might not even really exist and could be based on my limited knowledge. I am posting this so that it can maybe be seen as a feature request that threat shield could benefit from, or maybe there is just another way to achieve the same result by doing it differently that I am not aware of.

As in PiHole I have activated a whole bunch of lists, but then wanted to whitelist some domains in order to let the Windows clients still be able to update. In PiHole there is a possibility to add domains (optionally as wildcards) to a whitelist; it would be nice if this were also possible in threat shield. Another very nice thing in PiHole is that in their query log, I see blocked domains in red and allowed domains in green, with a button behind each to whitelist or blacklist them.

Again I want to thank you all for being such a nice community and providing such a powerful server :+1: :slight_smile:

Reading through this topic, I will also start reading up on which lists to use instead of activating all or almost all of them.

1 Like

Thank you for using it!

Sadly, the current threat shield is IP-only, so for now you can only add IPs to the whitelist.

This is DNS related; we are working to expand the software to use DNS-based blacklists, but it will take time :slight_smile:

@andre8244 implemented the requested features inside the UI!

I don't know about the inner workings, but it came to my mind that if the rules from the Web & Proxy filter have higher priority, I could add the needed domains to the whitelist there. Would they still get blocked by threat shield?

Thanks for your great work.

There are lists that block Google DNS (8.8.8.8) and my own router IP. Threat Shield is really a headache because you must disable elements one by one. I disabled this feature.

Reading the documentation, I only enabled a few lists and added my own networks to the whitelist. Working fine, still needs further testing though. I'd like to activate more lists, but have to read first who serves them and how well they are kept up to date. I would also appreciate some kind of recommended lists to choose from.

Name | Status | (unlabelled column) | Category | Maintainer
--- | --- | --- | --- | ---
blocklist_de_apache | Enabled | Unknown | Attacks | Blocklist
blocklist_de_bots | Enabled | Unknown | Attacks | Blocklist
blocklist_de_bruteforce | Enabled | Unknown | Attacks | Blocklist
blocklist_de_ftp | Enabled | Unknown | Attacks | Blocklist
blocklist_de_imap | Enabled | Unknown | Attacks | Blocklist
blocklist_de_mail | Enabled | Unknown | Attacks | Blocklist
blocklist_de_sip | Enabled | Unknown | Attacks | Blocklist
blocklist_de_ssh | Enabled | Unknown | Attacks | Blocklist
blocklist_de_strongips | Enabled | Unknown | Attacks | Blocklist
dshield | Enabled | Unknown | Attacks | DShield
dshield_1d | Enabled | Unknown | Attacks | DShield
dshield_30d | Enabled | Unknown | Attacks | DShield
dshield_7d | Enabled | Unknown | Attacks | DShield
dshield_top_1000 | Enabled | Unknown | Attacks | DShield
feodo | Enabled | Unknown | Malware | Abuse
feodo_badips | Enabled | Unknown | Malware | Abuse
iblocklist_abuse_palevo | Enabled | Unknown | Malware | iBlocklist
spamhaus_drop | Enabled | Unknown | Reputation | Spamhaus
spamhaus_edrop | Enabled | Unknown | Reputation | Spamhaus
sslbl | Enabled | Unknown | Malware | Abuse
sslbl_aggressive | Enabled | Unknown | Malware | Abuse
zeus | Enabled | Unknown | Malware | Abuse

Hello, could you share your list with the community!

Regards!

It depends on what (FTP, SSH, SMTP, HTTPS, bitcoin farming, …) you expose to the web (WordPress, forum, …), what you want to be protected from (what you want to block: bots, trojans, proxies, …), which kind of device/service you want to protect (Android, iPhone, SCADA, Windows client, Windows server, …) and so on.

For example, if you expose your mail service and consider it critical, the lists with mail, postfix and dovecot in their names are the ones to look at.
The same goes for every service and protocol you expose to the net, such as FTP, HTTPS, …

After that, the reputation of the maintainer is also to be considered:

  • Abuse.ch is good for transnational websites (e-commerce).
  • AlienVault is interesting because they sell appliances and centralize the logs, so their list is based on real-time data from real businesses around the world.
  • For general usage, Team Cymru, DShield and Spamhaus have a pretty good reputation and have been around for a long time.
  • For specific usage, such as protecting a WordPress site, a forum and/or a website with a commenting system, you should look at BadIPs.com.

But in the end, as they explain on their website, the firehol_level1 list covers most scenarios.

ref: https://iplists.firehol.org

4 Likes
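Two practical points come up in this thread: a list can contain addresses you depend on (a public resolver, your own router or LAN), and the whitelist must win over every enabled list. Before switching a feed on, it is worth parsing it offline and checking it against the handful of addresses you cannot afford to lose. The script below is an added example written for this thread; it is not threat shield, NethServer or FireHOL code. It reads the FireHOL .netset/.ipset text format (one IP or CIDR per line, `#` starts a comment), applies whitelist-before-blocklist precedence, and flags entries that overlap RFC1918, loopback or link-local space, which is a warning sign in a feed meant for a LAN gateway. Every list and address in it is constructed for illustration and does not reproduce any real feed; the names `example_drop` and `example_badnets` are invented.

```python
"""Audit FireHOL-style IP blocklists against a whitelist before enabling them.

Added example for this discussion; not threat shield or NethServer code.
All list contents below are constructed and do not mirror any real feed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feeds in .netset format (hypothetical names).
CONSTRUCTED_LISTS: Dict[str, str] = {
    "example_drop": (
        "# constructed: a well-maintained feed of hijacked netblocks\n"
        "203.0.113.0/24\n"
        "198.51.100.77\n"
    ),
    "example_badnets": (
        "# constructed: a carelessly maintained feed\n"
        "8.8.8.0/24        # would cut clients off from a public resolver\n"
        "192.168.0.0/16    # RFC1918 space has no place in a public feed\n"
    ),
}

# Constructed whitelist: our own LAN plus the resolver we depend on.
CONSTRUCTED_WHITELIST = "192.168.1.0/24\n8.8.8.8\n"

# Ranges that must never be blocked on a LAN gateway.
LOCAL_SPACE: List[IPNetwork] = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_netset(text: str) -> List[IPNetwork]:
    """Parse one IP or CIDR per line; '#' begins a comment; blank lines ignored."""
    nets: List[IPNetwork] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in a prefix (e.g. 10.1.2.3/24).
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def first_match(ip: str, nets: List[IPNetwork]) -> Optional[IPNetwork]:
    """Return the first entry containing ip, or None (v4/v6 mismatch is a miss)."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def check_ip(ip: str, blocklists: Dict[str, List[IPNetwork]],
             whitelist: List[IPNetwork]) -> Tuple[str, str, str]:
    """Whitelist wins; otherwise the first blocklist hit; otherwise allowed.

    Returns (verdict, list_name, matched_entry).
    """
    hit = first_match(ip, whitelist)
    if hit is not None:
        return ("whitelisted", "whitelist", str(hit))
    for name, nets in blocklists.items():
        hit = first_match(ip, nets)
        if hit is not None:
            return ("blocked", name, str(hit))
    return ("allowed", "", "")


def suspicious_entries(nets: List[IPNetwork]) -> List[str]:
    """Entries overlapping private/loopback/link-local space (overlaps() is
    False across address families, so IPv6 entries are never flagged here)."""
    return [str(n) for n in nets if any(n.overlaps(s) for s in LOCAL_SPACE)]


if __name__ == "__main__":
    lists = {name: parse_netset(text) for name, text in CONSTRUCTED_LISTS.items()}
    whitelist = parse_netset(CONSTRUCTED_WHITELIST)
    for name, nets in lists.items():
        bad = suspicious_entries(nets)
        print(f"{name}: {len(nets)} entries, suspicious: {bad or 'none'}")
    # Constructed "must never break" addresses: resolver, router, a LAN host.
    for ip in ("8.8.8.8", "8.8.8.9", "192.168.1.1", "192.168.2.1", "1.1.1.1"):
        print(ip, check_ip(ip, lists, whitelist))
```

The audit step is the one to run first: a feed that overlaps 192.168.0.0/16 will take out the router the moment it is enabled, whatever its reputation, and the whitelist only saves the prefixes you remembered to add. The checker also shows why 8.8.8.9 is still blocked even though 8.8.8.8 is whitelisted: the whitelist entry is a /32, while the offending list entry is a /24.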