puzzle / puzzle.opnsense

An Ansible Collection to configure an opnsense Firewall
https://puzzle.github.io/puzzle.opnsense/collections/puzzle/opnsense/index.html
GNU General Public License v3.0
24 stars 12 forks

Module Request: services_unbound_blocklist #142

Open DonGiovanni83 opened 3 months ago

DonGiovanni83 commented 3 months ago

Module Description

As far as I could tell from some research on configuring block- and whitelists for Unbound DNS, we could implement this functionality in this collection.


Minimum Viable Product (MVP)

Express your minimal viable product in the form of the Ansible DOCUMENTATION block format:

module: services_unbound_blocklist
short_description: Configuration of Unbound blocklists.
description:
  - Configuration of Unbound blocklists
options:
  enable:
    description: "Enable the usage of DNS blocklists."
    type: bool
    default: true
  force_safe_search:
    # "required" and "default" are mutually exclusive in an argument spec; a defaulted option is optional.
    description: "Force the usage of SafeSearch on Google, DuckDuckGo, Bing, Qwant, PixaBay and YouTube."
    type: bool
    default: false
  predefined_blocklists:
    description:
      - "Select which predefined DNSBL you want to use."
      - "See https://docs.opnsense.org/manual/unbound.html#predefined-sources for detailed source description."
    type: list
    elements: str
    required: false
  blocklist_urls:
    description: "List of URLs from which blocklists will be downloaded."
    type: list
    elements: str
    required: false
  whitelist_domains:
    description: "List of domains to whitelist. Entries are regular expressions, not globs."
    type: list
    elements: str
    required: false
  blocklist_domains:
    description: "List of domains to blocklist. Only exact matches are supported."
    type: list
    elements: str
    required: false
  wildcard_domains:
    description: "List of wildcard domains to blocklist. All subdomains of the given domain will be blocked. Blocking first-level domains is not supported."
    type: list
    elements: str
    required: false
  destination_address:
    description: "Destination IP address for entries in the blocklist (leave empty to use the default 0.0.0.0). Not used when \"nxdomain\" is set."
    type: str
    required: false
  nxdomain:
    description: "Use the DNS response code NXDOMAIN instead of a destination address."
    type: bool
    default: false

The types and values should be implemented according to the OPNsense core code: https://github.com/opnsense/core/blob/24.1.9/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml#L174

Examples

Mock up some usage examples in the form of the Ansible EXAMPLES block format:

---
- name: Configure Blocklist.site blocklists with a few whitelisted exceptions
  puzzle.opnsense.services_unbound_blocklist:
    predefined_blocklists: 
      - "Blocklist.site Abuse"
      - "Blocklist.site Ads"
      - "Blocklist.site Crypto"
      - "Blocklist.site Drugs"
      - "Blocklist.site Fraud"
      - "Blocklist.site Facebook"
      - "Blocklist.site Gambling"
      - "Blocklist.site Malware"
      - "Blocklist.site Phishing"
      - "Blocklist.site Piracy"
      - "Blocklist.site Porn"
      - "Blocklist.site Ransomware"
      - "Blocklist.site Redirect"
      - "Blocklist.site Scam"
      - "Blocklist.site Tiktok"
      - "Blocklist.site Torrent"
      - "Blocklist.site Tracking"
    whitelist_domains:
      - '^(.*\.)?giphy\.com$' # a regex, not a glob ("*.giphy.com" is not a valid pattern); since the Facebook blocklist blocks giphy
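To make the option semantics above concrete, here is an added Python illustration; it is not code from this issue, from the puzzle.opnsense collection or from OPNsense. It models the rules the option descriptions state (blocklist_domains match exactly, wildcard_domains cover a domain's subdomains, whitelist entries are regular expressions, nxdomain overrides destination_address) and shows why the glob `*.giphy.com` is rejected where a regex is expected. Everything else is an assumption: feed entries are treated as exact matches, a wildcard entry also covers the domain itself, whitelist patterns are applied with `re.search`, and the class and function names plus the sample feed are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample feed (hosts-file style), standing in for a downloaded DNSBL.
SAMPLE_FEED = """# constructed sample, not a real feed
0.0.0.0 ads.example.net
0.0.0.0 media.giphy.com
tracker.example.org
"""


def parse_hosts_feed(text):
    """Collect hostnames from a hosts-style or one-domain-per-line feed."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        # "0.0.0.0 host" lines carry the name in the second column, bare lines in the first.
        name = parts[1] if len(parts) > 1 else parts[0]
        names.add(name.lower().rstrip("."))
    return names


@dataclass
class BlocklistPolicy:
    """Resolver-side view of the module options: what gets blocked, and how (hypothetical helper)."""
    feed_domains: set        # names from blocklist_urls / predefined_blocklists (exact match: assumption)
    blocklist_domains: set   # exact matches only, as the option description states
    wildcard_domains: set    # the domain and all of its subdomains (domain itself included: assumption)
    whitelist: list          # regular expressions, as the option description states
    destination_address: str = None  # sink address for blocked names; empty means 0.0.0.0
    nxdomain: bool = False           # answer NXDOMAIN instead of the sink address

    def __post_init__(self):
        for w in self.wildcard_domains:
            if "." not in w:
                raise ValueError("first-level domains are not supported in wildcard_domains: %r" % w)
        self._whitelist_re = []
        for pattern in self.whitelist:
            try:
                # A glob such as "*.giphy.com" fails here ("nothing to repeat"):
                # whitelist entries are regexes, so write "^(.*\.)?giphy\.com$" instead.
                self._whitelist_re.append(re.compile(pattern))
            except re.error as exc:
                raise ValueError("whitelist entry %r is not a valid regex: %s" % (pattern, exc)) from None

    def is_whitelisted(self, name):
        return any(r.search(name) for r in self._whitelist_re)

    def is_blocked(self, name):
        """Whitelist wins over every blocklist source."""
        name = name.lower().rstrip(".")
        if self.is_whitelisted(name):
            return False
        if name in self.feed_domains or name in self.blocklist_domains:
            return True
        labels = name.split(".")
        # Walk up the name: "cdn.tiktok.example" -> "tiktok.example" -> "example".
        return any(".".join(labels[i:]) in self.wildcard_domains for i in range(len(labels)))

    def answer_for(self, name):
        """None when the name resolves normally, otherwise the blocked answer."""
        if not self.is_blocked(name):
            return None
        if self.nxdomain:
            return "NXDOMAIN"
        return self.destination_address or "0.0.0.0"


if __name__ == "__main__":
    policy = BlocklistPolicy(
        feed_domains=parse_hosts_feed(SAMPLE_FEED),
        blocklist_domains={"bad.example.com"},
        wildcard_domains={"tiktok.example"},
        whitelist=[r"^(.*\.)?giphy\.com$"],
    )
    for host in ("ads.example.net", "media.giphy.com", "www.bad.example.com", "cdn.tiktok.example"):
        print(host, "->", policy.answer_for(host))
```

The whitelist is checked before any blocklist source, so a single careless pattern such as `.*` silently disables the whole blocklist; validating the patterns up front, as `__post_init__` does, is the check a module implementation should fail on rather than leaving it to the resolver reload.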