Deploying categories with EGGuard¶
EGGuard is a community-maintained Python tool that synchronises public domain blocklists into EnforceGate vX as native on-box lists and policies. It pulls from upstream category feeds, normalises the data, writes domain lists and matching .policy files into the toolbox handoff dirs, and triggers a single engine reload per run.
This page is a short operator primer — enough to deploy EGGuard against a fresh appliance and pick a category set. The authoritative documentation, configuration schema, and source live in the project's GitHub repository and its README.md.
Third-party project
EGGuard is a community contribution. Exosys Sàrl does not author, audit, endorse, warrant, or support EGGuard, and assumes no responsibility for security, correctness, or any consequence of running it against an EnforceGate vX deployment. The disclaimer in the Community landing page applies in full. Before running it in production, read the source, review the licence chain, and validate against a staging deployment.
What ships in the box¶
EGGuard wraps two upstream blocklist sources:
- Université Toulouse Capitole (UT1) — ~65 categories spanning adult content, malware, phishing, gambling, social networks, VPN / proxy, redirectors and more. Public source, no authentication required. UT1 refreshes the corpus 2–3× per week.
- abuse.ch —
urlhaus(~600 domains, active malware-distribution URLs) andthreatfox(~44,000 domains, indicators of compromise). Both feeds require a free Auth-Key from https://auth.abuse.ch/ and have their own commercial-use terms.
Generated artefacts land on the shared volume in the standard toolbox handoff layout:
| Artefact | Path |
|---|---|
| Domain list | /etc/enforcegate-shared/lists/ut1-<category>.list |
| Policy rule | /etc/enforcegate-shared/rules.d/60-ut1-<category>.policy |
The 60- filename prefix orders EGGuard's rules among the other shared-dir rules; lowest-id-wins still applies, and any hand-authored rule in [policy].path outranks EGGuard's rules regardless of prefix — see Policies for the precedence model.
Prerequisites¶
- A standalone deployment with the toolbox sidecar enabled —
eghost toolbox enableif it is not already on. - EnforceGate vX 2026.32.0 or later. The Debian-base toolbox image ships
python3-requestsandpython3-yamlas system packages — see Toolbox → What ships inside the container. - An abuse.ch Auth-Key if you intend to enable the
urlhausorthreatfoxcategories (free; sign-up at https://auth.abuse.ch/). Not needed for the UT1 categories.
Install EGGuard into the toolbox¶
Use the toolbox's git-repo delivery path to clone the project into the persistent volume:
eghost toolbox enable # if not already on
eghost toolbox repo add egguard \
https://github.com/parsymonie/EGGuard.git \
--entrypoint scripts/egguard
The repo lands at /var/lib/enforcegate-toolbox/repos/egguard/ inside the container; the --entrypoint registers scripts/egguard as the per-run entry-point for eghost toolbox repo run.
Pick a category set¶
EGGuard exposes four ways to choose which categories are active. Use whichever fits your operator workflow:
Drop into the toolbox shell and install / remove categories by name:
eghost toolbox shell
python3 /var/lib/enforcegate-toolbox/repos/egguard/scripts/egguard install adult malware phishing
python3 /var/lib/enforcegate-toolbox/repos/egguard/scripts/egguard remove gambling
python3 /var/lib/enforcegate-toolbox/repos/egguard/scripts/egguard update
install fetches the upstream list, writes the .list and .policy, and triggers a single engine.reload(). update refreshes every currently-installed category. Per-run action override: --action deny|warn|aup|permit.
A curses-based UI for first-time category selection:
Useful for "I want to see what UT1 ships before I pick" sessions.
Pin the active set in /var/lib/enforcegate-toolbox/config.yaml so it survives reinstall:
policy_prefix: "60"
default_action: deny
actions:
adult: deny
malware: deny
social_networks: warn
include: [adult, malware, phishing, social_networks]
skip: [examen_pix, tricheur_pix]
abusech_auth_key: "your-auth-key"
include is the active set; skip opts out of categories that would otherwise be picked up; actions overrides the default verdict per category. abusech_auth_key is optional — supply via the file or the environment variable EGGUARD_ABUSECH_AUTH_KEY (env wins).
Once EGGuard is installed, schedule the periodic refresh in the toolbox's crontab:
A daily refresh is plenty (UT1 only republishes 2–3× per week):
update is idempotent — it consults the upstream's HTTP cache headers and only writes when a list actually changed.
Verifying enforcement¶
Confirm the engine picked up the new rules:
[enforcegate@enforcegate-vx ~]$ eghost cli
host> show policy summary
Policy summary
Default action (no rule matched): permit
Rules loaded: 18 (7 regex + 11 domain-list)
By source: 10 operator + 8 toolbox
...
host> show policy list
...
6010 ut1-adult deny match-domain-list — toolbox 60-ut1-adult.policy 281,402
6020 ut1-malware deny match-domain-list — toolbox 60-ut1-malware.policy 43,891
6030 ut1-phishing deny match-domain-list — toolbox 60-ut1-phishing.policy 7,128
...
host> show policy match https://example-known-blocked-site/
URI: https://example-known-blocked-site/
Matched: yes
Code: 300 (deny — redirect to portal)
Rule name: ut1-adult_e6010
Action: deny
The toolbox value in the Source column tells you the rule came from [policy].shared_path (EGGuard) rather than from your own [policy].path (rules.d/). The captive portal renders the description: field from the EGGuard-generated .policy on the visitor's block page.
Licence and upstream attribution¶
Three licence layers stack here. Operators are responsible for ensuring their use complies with each:
| Layer | Licence |
|---|---|
| EGGuard project code | Apache-2.0 |
| UT1 corpus data | CC BY-SA 4.0 (Université Toulouse Capitole) |
abuse.ch feeds (urlhaus, threatfox) |
Proprietary; commercial use may require a paid subscription — see https://abuse.ch/#terms-conditions |
The abuse.ch feeds are not under an open licence. Production deployments that rely on urlhaus or threatfox should confirm their use complies with abuse.ch's terms; EGGuard's authors and Exosys Sàrl neither warrant nor monitor that compliance.