Fireshield (Hydra transport)

In addition to VPN services, the Hydra SDK provides a content categorization service called Fireshield. When the SDK is configured with Fireshield enabled, the URLs of websites visited by the user are checked against a blacklist. If a website's URL is on the blacklist, traffic to and from it is blocked; otherwise, traffic is allowed through. The Hydra SDK provides an API to configure Fireshield and monitor its operation.

• Fireshield service is available only for Hydra protocol.

• Fireshield is not supported on tvOS platforms.

Creating a Fireshield Configuration

A categorization configuration is based on a specification of categories and rules for each category. To create categories, use one of the factory methods of the FireshieldCategory type:

Method	Description
FireshieldCategory.block(category: CategoryType) -> FireshieldCategory	Creates a category with the "block" action (traffic is blocked).
FireshieldCategory.proxy(category: CategoryType) -> FireshieldCategory	Creates a category with the "proxy" action (encrypted traffic goes through the tunnel as payload, for TCP only).
FireshieldCategory.bypass(category: CategoryType) -> FireshieldCategory	Creates a category with the "bypass" action (traffic goes directly to its destination, bypassing the VPN tunnel).
FireshieldCategory.alert(category: CategoryType) -> FireshieldCategory	Creates a category with the "block" action (traffic is blocked) and redirection to a specified alert page (HTTP only).

To add category rules that specify which domains belong to each category, use the following instance methods of the FireshieldConfig type:

Method Signature	Description
addRule(withFileName fileName: String, categoryType: FireshieldCategory.CategoryType, in bundle: Foundation.Bundle = .main)	Adds category rules from a file in the application bundle.
addRule(withDomains domains: [String], categoryType: FireshieldCategory.CategoryType)	Adds category rules from a list of domains.

In addition to file-based category configuration, you can use online categorization services. Possible values are defined as constants in the FireshieldConfig header file.

Fireshield Configuration

Fireshield can be either disabled or enabled with a particular mode. Set the mode using the fireshieldMode property of a FireshieldConfig instance. You can pass the respective config when initializing the HydraSDK (e.g., during application launch):

self.configuration = HydraConfiguration(
    // ...
    fireshieldConfig: makeFireshieldConfig(),
    // ...
)

// Fireshield config example
private func makeFireshieldConfig() -> FireshieldConfig {
    guard isFireshieldEnabled else {
        // Return `.disabled` if you don't need Fireshield
        return FireshieldConfig(
            mode: .disabled,
            groupData: VPNGroupData(
                groupID: "YOUR_GROUP_ID",
                usesSystemExtension: false
            )
        )
    }

    let config = FireshieldConfig(
        mode: .vpn,
        groupData: VPNGroupData(
            groupID: "YOUR_GROUP_ID",
            usesSystemExtension: false
        )
    )
    
    // Indicates that Fireshield started in DNS-mode only (default: false)
    config.isDNSModeEnabled = isDNSModeEnabled

    // Black and white lists
    do {
        // Blacklist rule
        try config.addRule(
            withDomains: ["untrusted-domain.com"],
            categoryType: .unsafe
        )

        // Whitelist rule 
        try config.addRule(
            withFileName: "whitelist.txt",
            categoryType: .safe  
        )

        print("Fireshield rules added")
    } catch {
        print("Fireshield rules error: \(error)") 
    }
    
    config.addService(.bitdefender)

    // Add behavior for safe category
    let safeCategory: FireshieldCategory = isBypassSafeTrafficEnabled ?
        .bypass(category: .safe) : .proxy(category: .safe)
    config.addCategory(safeCategory)
    
    // Block resources from unsafe category 
    config.addCategory(.block(category: .unsafe))

    // Custom categories
    if isSocialNetworkBlockingEnabled {
        config.addCategory(.block(category: .custom("safe:socialnetworks")))
    }

    return config
}

Always add a safe category to FireshieldConfig to allow safe traffic.

Fireshield Modes

Fireshield can operate in various modes for added flexibility. For example, you can blend VPN and Fireshield functionality or hide the VPN icon in the iOS status bar. The modes are represented by the FireshieldMode type:

Mode	Description
Disabled	Fireshield is disabled.
Enabled	Fireshield is enabled. The VPN icon is displayed in the status bar, but traffic does not go through the VPN.
VPN	This is the default value. Blends Fireshield and VPN functionality. All traffic goes through the VPN, while Fireshield blocks access to blacklisted websites. The VPN icon is displayed in the status bar.

Fireshield config settings may be overwritten by remote config.