AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Firewall-level blocking #2248

Open m5x opened 4 years ago

m5x commented 4 years ago

Problem Description

DNS filtering is a great way to block unsolicited content if the code downloading it depends on local DNS servers to find the IP address of the source endpoint. However, code that uses its own (DoH, DoT, ...) name server or does not use name servers at all and works directly with IP addresses cannot be blocked this way.

Proposed Solution

It would be a very attractive feature of AGH to integrate with firewall to manage IP address blacklist and monitor firewall log to be able to show blocked connections/packets list (the same way query log is shown today) and statistics.

Ideally there would be an abstraction for firewall management and monitoring with different implementations for each supported firewall. On Linux for example AGH could manage all IP addresses to block in its own iptables chain and use log rules and NF_LOG to learn about blocked connections/packets.

List of IP addresses to block should be a union of IPs from user-selected IP blacklists (similar to DNS blocklists UI) with IPs resolved from selected DNS blocklists. IPs coming from DNS blocklists should optionally be periodically re-resolved.

Alternatives Considered

The alternative is to use a different tool for this job. But since AdGuard Home already is a tool for this kind of job, it would be great if it supported firewall-level blocking as well.
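A sketch in Go (the language AdGuard Home is written in) of the two pieces the proposal describes, added here as an illustration and not code from AdGuard Home or from the issue author: a parser that turns the iptables LOG lines a dedicated chain would write into the blocked-connections list, and a rule generator for the deduplicated union of a static IP blocklist and IPs resolved from DNS blocklists. The chain names, the `AGH-BLOCK: ` log prefix and the log lines used to exercise it are assumed or constructed; hooking the chain into FORWARD/OUTPUT and the periodic re-resolution are not shown.

```go
package main

import (
	"fmt"
	"strings"
)

// BlockedConn is one row of the proposed "blocked connections" view, parsed
// from an iptables LOG line tagged with logPrefix (an assumed prefix value).
type BlockedConn struct{ Src, Dst, Proto, Dport string }
const logPrefix = "AGH-BLOCK: "

// ParseFirewallLog keeps only kernel log lines carrying the chain's prefix and
// extracts the fields the UI would show; unrelated firewall noise is skipped.
func ParseFirewallLog(lines []string) (out []BlockedConn) {
	for _, l := range lines {
		if !strings.Contains(l, logPrefix) {
			continue
		}
		f := map[string]string{} // netfilter fields are KEY=VALUE tokens
		for _, tok := range strings.Fields(l) {
			if kv := strings.SplitN(tok, "=", 2); len(kv) == 2 {
				f[kv[0]] = kv[1]
			}
		}
		if f["SRC"] != "" && f["DST"] != "" { // skip truncated lines
			out = append(out, BlockedConn{f["SRC"], f["DST"], f["PROTO"], f["DPT"]})
		}
	}
	return out
}

// BlockRules deduplicates the union of the static IP blocklist and the IPs
// resolved from DNS blocklists; `chain` jumps to `chain_DROP`, which logs, then drops.
func BlockRules(chain string, lists ...[]string) []string {
	seen := map[string]bool{}
	drop := chain + "_DROP"
	rules := []string{fmt.Sprintf("iptables -A %s -j LOG --log-prefix %q", drop, logPrefix),
		fmt.Sprintf("iptables -A %s -j DROP", drop)}
	for _, l := range lists {
		for _, ip := range l {
			if !seen[ip] { // an IP present in several lists gets one rule
				seen[ip] = true
				rules = append(rules, fmt.Sprintf("iptables -A %s -d %s -j %s", chain, ip, drop))
			}
		}
	}
	return rules
}
```

On a live system the parser would be fed from the kernel log (journald or /var/log/kern.log), and re-resolving the DNS blocklist entries simply regenerates the rule set for the chain.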

ameshkov commented 4 years ago

Sounds like a duplicate of https://github.com/AdguardTeam/AdGuardHome/issues/2206

m5x commented 4 years ago

May I kindly ask in what way this is a duplicate of #2206? This feature request asks for quite simple firewall integration, but #2206 wants to make AGH into an IDS/IPS. I would not support #2206, but I greatly support this because it's doable and it would patch a hole any developer can easily use to circumvent AGH blocking functionality.

ameshkov commented 4 years ago

Both of these imply that AdGuard Home must control all network traffic which it does not do at the moment.

m5x commented 4 years ago

For this feature there is no need, nor would it be desirable, for AGH to control all network traffic. Just manage a list of IP addresses to block in the firewall, that's all. No integration with DHCP or anything else, just make sure the firewall always has an up-to-date list of IP-based blocking rules. And ideally also monitor the firewall log to be able to display to the user which IPs have been blocked, but that is optional.

ameshkov commented 4 years ago

Oh, okay, I see the difference. I'll reopen it then.