celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
3.03k stars 154 forks

[Feature Request] Global IP Blocklists #1138

Open RedSteel-1 opened 1 year ago

RedSteel-1 commented 1 year ago

On the PC, I use Peerblock as an additional firewall tool, which blocks traffic by IP ranges and has the ability to add and auto-update lists from source URLs.

This way, I can, for example, block the entire collection of Google IP ranges, which means that all clear-connection traffic to anything Google-related is blocked system-wide. But together with that, if I want to open anything Google-related, like YouTube or anything else, I can do it in the browser routed to Tor, since all proxied traffic naturally bypasses the IP blocker (Peerblock). So, when needed, I can access any Google-related website only when the traffic is proxied (for example to Tor). And this can be done with the IP ranges of any powerful cyber-criminal tech-giant. I can do the same thing with Facebook, Twitter, and others: have them IP-blocked system-wide, but at the same time be able to open them when needed, only when the traffic is proxied to 127.0.0.1.

This would be great if it were possible to do on the mobile phone, with the help of Rethink. Yes, there are "no google" and "no facebook" lists, but this is a different thing: those are DNS blocklists. Once the "no google" DNS blocklist is activated, even proxied traffic won't work because it's blocked on the DNS level, before the address is even resolved to an IP: Opening a Google-owned site in a browser with proxied traffic, for example to Orbot -> the address is blocked by DNS, is NOT resolved by DNS to an IP -> there is nothing to route to the proxy -> the website doesn't open.

The request is to add the Global IP Blocklists feature, include some default IP blocklists, and include an option to add lists by URL.

So, there would be 2 collections of blocklists in Rethink: the DNS blocklists (already present), and the IP blocklists.

Here are the examples of what would happen when IP blocklists are used and, for example, Google IP ranges are blocked with its Google blocklist:

  1. Trying to open a Google-owned site in a regular clearnet-browser: Opening youtube.com -> the address is resolved to an IP -> the IP is blocked and the website doesn't open. Good stuff.
  2. Trying to open a Google-owned site in a browser with proxied traffic, for example to Orbot: Opening youtube.com -> the address is resolved to an IP -> the browser forwards the IP to the proxy, so the IP where the traffic goes is 127.0.0.1 and not the resolved IP, so the traffic is not blocked and is routed to Orbot -> the traffic goes through the Tor network and the resolved IP address is reached, youtube.com opens. Good stuff.

If this feature gets included in the roadmap, I would like to suggest the following IP blocklists collection to be initially included in Rethink:

Also, please check the following pages for blocklists and more:

ignoramous commented 1 year ago

Thanks, appreciate the detailed write-up (:

Dup? #237

RedSteel-1 commented 1 year ago

On the one hand, partly yes, they have some collisions. On the other hand, it has differences and details that are not present in the issue you mentioned.

ignoramous commented 1 year ago

> On the other hand it has differences and details that are not present in the issue you mentioned

The only difference from the other issue that I spot is, if a proxy (Orbot, WireGuard, SOCKS5, HTTP) is enabled, IP blocklists shouldn't apply? Are there any more that I'm missing?
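The two cases from the first post, modelled as an added example (not part of the thread and not Rethink's code): a DNS blocklist stops resolution before any proxy is involved, while an IP blocklist judges only the address the app's socket connects to, so a loopback proxy passes. The hostnames, addresses, ranges and the `connect` helper are constructed for illustration, and the model assumes the firewall sees 127.0.0.1 as the destination of proxied connections.

```python
import ipaddress

# Constructed sample data: documentation ranges (RFC 5737 / RFC 3849),
# standing in for a provider's published IP ranges.
IP_BLOCKLIST = [ipaddress.ip_network(c) for c in
                ("203.0.113.0/24", "198.51.100.0/25", "2001:db8::/32")]
DNS_BLOCKLIST = {"video.example"}
# Constructed resolver table standing in for real DNS answers.
RESOLVER = {"video.example": "203.0.113.10", "news.example": "192.0.2.7"}


def ip_blocked(addr):
    """True if addr falls inside any blocklisted CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IP_BLOCKLIST)


def connect(host, proxy=None, dns_blocklist=False, ip_blocklist=False):
    """Return (verdict, reason) for one outbound connection attempt.

    proxy is the local proxy address the app connects to (for example
    "127.0.0.1"), or None for a direct clearnet connection.
    """
    # DNS-level block: the name never resolves, so nothing reaches the proxy.
    if dns_blocklist and host in DNS_BLOCKLIST:
        return ("blocked", "dns")
    resolved = RESOLVER[host]
    # The firewall evaluates the socket's destination: the proxy address
    # when the app is proxied, otherwise the resolved IP.
    dest = proxy if proxy else resolved
    if ip_blocklist and ip_blocked(dest):
        return ("blocked", "ip")
    return ("allowed", "via " + dest)


if __name__ == "__main__":
    for proxy in (None, "127.0.0.1"):
        for mode in ("dns_blocklist", "ip_blocklist"):
            verdict = connect("video.example", proxy=proxy, **{mode: True})
            print(f"proxy={proxy!s:<10} {mode:<14} -> {verdict}")
```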