HauC3 / HauC3raft

Minecraft server operated and owned by HauC3
https://discord.gg/dW89J7V

[FR]: Add NetworkInterceptor #8

Open jschenke488 opened 11 months ago

jschenke488 commented 11 months ago

What should the feature be?

Due to Fractureiser, SkyRage, etc., we need some way to block outgoing requests to untrusted domains.

If applicable, what are some existing implementations?

https://hangar.papermc.io/SlimeDog/NetworkInterceptor

# NetworkInterceptor configuration
# originally made with <3 by Luck
#
# Updated and maintained by drives_a_ford and SlimeDog

# Design: SlimeDog
# Implementation: drives_a_ford
# Testing: SlimeDog
#
# Supported MC versions:
# https://github.com/SlimeDog/NetworkInterceptor/wiki/Technical-Details
# Default configuration:
# https://github.com/SlimeDog/NetworkInterceptor/blob/master/src/main/resources/config.yml

# ========== METHODS ===============================================================================
# Network requests may be detected by either or both of the following methods.
#
# security-manager:
# * Installs a custom SecurityManager into the server
# * Will intercept all outgoing network requests
# * May be incompatible with other plugins which install a security manager
# * In particular, note that AAC disables itself if the security-manager method is enabled.
#
# proxy-selector:
# * Installs a custom ProxySelector into the server
# * Will intercept most outgoing HTTP requests
# * Will not catch requests which specifically define their proxy
# * Should not be incompatible with anything
#
# Both methods may be enabled, and are recommended.
methods:
  - security-manager
  - proxy-selector

# ========== CHECK FOR UPDATES =====================================================================
# If you do not want notification of available updates in the console log, you may disable it here.
check-for-updates: true
# Update source may be either Hangar (default) or SpigotMC.
update-source: Hangar

# ========== BSTATS METRICS ========================================================================
enable-metrics: true

# ========== PROCESSING MODE =======================================================================
# Processing mode is allow or deny
# In allow mode, outbound network connections to specified targets will be allowed.
# In deny mode, outbound network connections to specified targets will be denied (blocked).
# In either mode, trusted plugins may be specified.
mode: allow

# ========== LOGGING ===============================================================================
# Enable/disable logging of outbound network connections.
#
# Enable/disable stack traces for each connection attempt.
# Stack traces will always be included in the file output.
#
# Connection requests may be logged to the console
# or to plugins/NetworkInterceptor/intercept.log
# Options are
#   - console
#   - file
#   - all
logging:
  enabled: true
  include-traces: false
  mode: file
  truncate-file-on-start: true

# ========== BLOCKING ==============================================================================
# Enable/disable blocking.
# If blocking is disabled, logging will still occur unless disabled above.
blocking:
  enabled: true

# ========== MAPPING ===============================================================================
# Configure whether fully qualified domain names (FQDNs) are mapped to their IP addresses
# This will allow calls to IP addresses that are the result of a call to a specific FQDN
# within a certain amount of time of the former.
mapping:
  enabled: true
  # The time (in ms) within which IPs are allowed to pass as per their FQDN permissions
  timer: 1000

# ========== TRUSTED PLUGINS =======================================================================
# In allow mode, outbound network connections by these plugins will be allowed.
# In deny mode, outbound network connections by these plugins will be allowed,
# unless the target is explicitly blocked in the targets list.
#
# If LuckPerms is installed, we recommend listing it as a trusted plugin, to simplify configuration.
# Remove [] on the next line, and add the following line (without the # comment).
# - LuckPerms
trusted-plugins: []

# ========== BLOCKED PLUGINS =======================================================================
# No network connections by the listed plugin(s) will be allowed, period.
# Remove [] on the next line, and add the following line (without the # comment).
# - pluginName
blocked-plugins: []

# ========== TARGETS ===============================================================================
# A list of disallowed FQDNs and IP addresses
# Entries should be lowercase.
# In allow mode, outbound network connections to these targets will be allowed.
# In deny mode, outbound network connections to these targets will be blocked.
#
# A good place to start looking is the sample-allow-config.yml content.
# Then review the intercept log to discover more.
targets:
  # Mojang authentication
  - 'api.mojang.com'
  - 'sessionserver.mojang.com'
  - 'launcher.mojang.com'
  - 'launchermeta.mojang.com'

  # Update checking
  - 'api.papermc.io'
  - 'api.purpurmc.org'
  - 'hub.spigotmc.org'
  - 'hangar.papermc.io'
  - 'api.modrinth.com'
  - 'api.spiget.org'
  - 'api.spigotmc.org'
  - 'api.github.com'
  - 'gist.githubusercontent.com'
  - 'raw.githubusercontent.com'

  # Aikar timings
  - 'timings.aikar.co'
  - 'timings.spigotmc.org'

  # Metrics services
  - 'bstats.org'
  - 'mcstats.spigotmc.org'

  # SpigotMC library loader
  # For plugins that utilize the SpigotMC library loader
  # For example: LuckPerms, ntdLuckyBlock, TicketManager
  - 'repo.maven.apache.org'
  - '199.232.192.215'
  - '199.232.196.215'
  - '151.101.0.215'
  - '151.101.16.215'
  - '151.101.64.215'
  - '151.101.128.215'
  - '151.101.192.215'

  # LuckPerms
  - 'bytebin.lucko.me'                  # pastebin
  - 'metadata.luckperms.net'            # dependencies
  - 'nexus.lucko.me'                    # dependencies

  # Spark
  - 'spark-usercontent.lucko.me'        # pastebin
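
The allow/deny rules described in the configuration comments above, modelled in Python as an added example; it is not part of the original issue and not NetworkInterceptor's own code. It shows how `mode`, `targets`, `trusted-plugins`, `blocked-plugins` and `mapping` combine. The `Policy` class, the `note_lookup` hook, the plugin name `SomePlugin` and the address 203.0.113.7 are assumptions, and the precedence is taken only from the comments.

```python
# Constructed subset of the configuration above, written as a dict (sample values).
CONFIG = {
    "mode": "allow",
    "trusted-plugins": ["LuckPerms"],
    "blocked-plugins": ["pluginName"],
    "targets": ["api.mojang.com", "bstats.org", "151.101.0.215"],
    "mapping": {"enabled": True, "timer": 1000},
}


class Policy:
    """Model of the rules as the config comments state them (not the plugin's code)."""

    def __init__(self, cfg):
        self.mode = cfg["mode"]
        self.trusted = set(cfg["trusted-plugins"])
        self.blocked = set(cfg["blocked-plugins"])
        self.targets = {t.lower() for t in cfg["targets"]}  # entries should be lowercase
        self.map_on = cfg["mapping"]["enabled"]
        self.timer_ms = cfg["mapping"]["timer"]
        self.recent = {}  # ip -> (fqdn, time of lookup in ms)

    def note_lookup(self, fqdn, ip, now_ms):
        """Hypothetical hook: remember that fqdn just resolved to ip."""
        self.recent[ip] = (fqdn.lower(), now_ms)

    def _listed(self, host, now_ms):
        host = host.lower()
        if host in self.targets:
            return True
        # mapping: an IP counts as its FQDN only within `timer` ms of the lookup
        if self.map_on and host in self.recent:
            fqdn, seen = self.recent[host]
            return now_ms - seen <= self.timer_ms and fqdn in self.targets
        return False

    def decide(self, plugin, host, now_ms=0):
        if plugin in self.blocked:  # "No network connections ... period."
            return "block"
        listed = self._listed(host, now_ms)
        if self.mode == "allow":
            # a trusted plugin skips the target list entirely in allow mode
            return "allow" if plugin in self.trusted or listed else "block"
        # deny mode: listed targets are blocked, trusted plugins included
        return "block" if listed else "allow"
```

In allow mode, every name in `trusted-plugins` can reach any host, so that list deserves the same scrutiny as `targets`.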

jschenke488 commented 11 months ago

PebbleHost has a built-in anti-malware, but not everything will be detected. That's why I suggest using this to increase detection rates.