Firewall per domain/container
-
Hi;
If I remember well, Cloudron already does something similar with iptables; it has rules, at least, to throttle connections per protocol on authentication for SSH and the my. subdomain.
Per domain
So the idea is to push that concept a little further and let the user apply lists per goal/protocol, or even better per app/container/domain, as FireHOL does.
- FireHOL by goal (where the goals are: mail, web, ftp, ssh, ...)
Listing
The second part of the idea is to be able to apply lists, as is now possible with the Mail service and DNSBL lists, but to any service (goal). When I say list, I'm referring to the IP lists of FireHOL.
The risk
The drawback of this idea is that the more IPs you have in iptables, the more it slows down your network, which is not the case with nftables; so that would mean
- either mentioning that using it is at your own risk,
- or Cloudron replacing its firewall.
The advantage
It would be like having Cloudflare at the server level for the security part.
-
I like the idea of integrating with an existing service like, say, FireHOL as opposed to letting the user provide raw IP lists. From what I have seen from our Cloudron instance, these lists go out of date and we end up blocking incorrect things over time. Are there other "trusted" sources like FireHOL?
-
@girish I see https://firebog.net/ mentioned frequently in connection with Pi-Hole…
-
@necrevistonnezr said in Firewall per domain/container:
@girish I see https://firebog.net/ mentioned frequently in connection with Pi-Hole…
I might be confused, but from what I understood
a solution like FireHOL is to block traffic in
and a solution like Pi-hole is to block traffic out
so in the case of Pi-hole and Firebog, they trick the DNS answer to send them to 127.0.0.1 or another blackhole.
@girish From what I understand, [FireHOL iplist](https://iplists.firehol.org/#about) is an agglomeration of lists, not a list in itself. The beauty of FireHOL is that the product is able to sort and make every entry unique.
@girish said in Firewall per domain/container:
From what I have seen from our Cloudron instance, these lists go out of date and we end up blocking incorrect things over time. Are there other "trusted" sources like FireHOL?
On the website, you can see when they have been updated.
These lists have been there forever; I remember using https://www.iblocklist.com/lists with Napster. I used it for a while (3 months) as a firewall on Debian 10; it is pretty straightforward. Basically you only need one list to block almost everything; then if you have specific services you want to protect, such as comments on a WordPress, you look for a specific list for comments.
At that time (2 years ago) it wasn't working well with Docker; that part was in alpha.
I discovered it because I was looking for a replacement for pfBlocker on pfSense.
@girish But with the Cloudron ecosystem in mind, CrowdSec might be a better approach.
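The two ideas above (applying a list "per goal", and FireHOL's habit of merging many source lists into sorted, unique entries) can be sketched in a few lines. The following is an added example written for this thread, not code from Cloudron or from the FireHOL project. It parses the FireHOL `.netset`/`.ipset` text format (`#` comments, one IP or CIDR per line), collapses overlapping and adjacent prefixes the way FireHOL does, and emits nftables commands that drop traffic from that set only on the ports of one goal. The sample list, the goal-to-port mapping and the `inet filter` / `input` table and chain names are constructed assumptions; the table and chain must already exist before the emitted commands are loaded.

```python
"""Turn a FireHOL-style IP list into per-goal nftables sets (added example, constructed data)."""
import ipaddress
from typing import Dict, List

# Constructed sample in the FireHOL .netset format; not a real FireHOL list.
SAMPLE_NETSET = """\
#
# example_list  (constructed sample)
# Maintainer : example
#
192.0.2.0/24
192.0.2.10          # host already covered by the /24 above
198.51.100.5
198.51.100.0/25
198.51.100.128/25   # adjacent to the previous /25: both collapse into a /24
2001:db8::/48
not-an-address      # malformed line, must be skipped
"""

# Hypothetical goal -> TCP ports mapping, mirroring the "per goal" idea (mail, web, ssh ...).
GOAL_PORTS: Dict[str, List[str]] = {
    "web": ["80", "443"],
    "ssh": ["22"],
    "mail": ["25", "465", "587"],
}


def parse_netset(text: str) -> list:
    """Return the networks listed in a .netset/.ipset body, ignoring comments and junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # A bad entry should not abort loading the whole list; skip it.
            continue
    return nets


def merge_networks(nets) -> list:
    """Collapse overlapping/adjacent prefixes per address family (FireHOL's unique+sorted step)."""
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4) + sorted(v6)


def render_nft(goal: str, nets, table: str = "inet filter", chain: str = "input") -> str:
    """Emit nft commands: one interval set per goal and family, one drop rule per family.

    Set lookups are what keep the rule count constant as the list grows; a rule per
    address (the classic iptables approach) is what slows things down.
    Assumes `table` and `chain` already exist (e.g. a filter-hook input chain).
    """
    ports = ", ".join(GOAL_PORTS[goal])
    lines = []
    for family, proto, suffix in (("ipv4_addr", "ip", "v4"), ("ipv6_addr", "ip6", "v6")):
        elems = [str(n) for n in nets if n.version == (4 if suffix == "v4" else 6)]
        if not elems:
            continue
        name = f"{goal}_{suffix}"
        lines.append(f"add set {table} {name} {{ type {family}; flags interval; }}")
        lines.append(f"add element {table} {name} {{ {', '.join(elems)} }}")
        lines.append(f"add rule {table} {chain} {proto} saddr @{name} tcp dport {{ {ports} }} drop")
    return "\n".join(lines)


def build_ruleset(goal: str, netset_text: str) -> str:
    """Parse, merge and render in one step; returns the nft command text."""
    return render_nft(goal, merge_networks(parse_netset(netset_text)))


if __name__ == "__main__":
    print(build_ruleset("web", SAMPLE_NETSET))
```

The output is plain `nft` command syntax, so it can be reviewed before it is loaded with `nft -f`. For a setup that has to stay on iptables, the same "one set, one rule" shape is available through `ipset` with an `-m set --match-set` rule, which avoids the per-address rule growth mentioned in the first post.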