From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jon Murphy <jon.murphy@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] RPZ: update code to include WEBGUI and additional languages
Date: Thu, 06 Feb 2025 10:35:22 -0600
Message-ID: <20250206163522.2363178-1-jon.murphy@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0030393767620402246=="
List-Id: <development.lists.ipfire.org>

--===============0030393767620402246==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

What is it?
Response Policy Zone (RPZ) is a mechanism to define local policies in a
standardized way and load those policies from external sources.
Bottom line: RPZ allows admins to easily block access to websites via DNS loo=
kup.

RPZ can block websites via categories.  Examples include: fake websites, anno=
ying
pop-up ads, newly registered domains, DoH bypass sites, bad "host" services,
maliscious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornogra=
phy,
and more.  RPZ lists come from various RPZ providers and their available
catagories.

This RPZ add-on enables the RPZ functionality by adding a couple lines in a
configuration file.  This add-on simply adds configuration files and adds
scripts (config, metrics and sleep) to make RPZ easier for the admin to use.

The RPZ scripts include additional languages: German, Spanish, French, Turkis=
h,
and Italian.

RPZ itself was release in 2010 and has been part of the IPFire build since ~2=
015.

Why is it needed?  What is its value?

 - The RPZ concept places this filtering into IPFire, our internet access
gateway, which is (should be) solely used as DNS source of the internal netwo=
rk.

 - As most sites use HTTPS it makes it difficult to filter traffic with URL
Filter without also properly configuring conventional (non-transparent)
mode on the proxy.  RPZ is a nice replacement for the URL Filter.

 - No need to install and maintain an additional device like PiHole or AdBlock
browser extensions on multiple user devices.

 - This is an additional layer of protection for users. Less worry someone wi=
ll
click on something that gets them into trouble. And, saying this with emphasi=
s,
the ability to do it in one place!

 - Blocked sites save on unneeded traffic and can lessen the threat of malware
in advertisements

 - Logging allows the admin to see the site blocked and take actions

 - RPZ will be used at the home, home-office (work from home), schools,
ministerial, and at the office.  Device counts are small (2-6) to medium (~80)
to mediam-large (200+).

 - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying
popups, NSFW links, DOH servers, and the usual internet trash.

------------------------------

Change Log for RPZ add-on

rpz-1.0.0-18 on 2025-02-05
 - Build for approval & release as IPFire add-on

---

rpz-beta-0.1.18-18.ipfire on 2025-02-01
rpz.cgi:
 - new feature: added a mod key to force a unbound restart

rpz-config and rpz-make:
 - new feature: added action for unbound restart `rpz-config unbound-restart`

rpz-metrics:
 - simple reformatting
 - rename far right column from "last update" to "last download"

---

rpz-beta-0.1.17-17.ipfire on 2024-12-09
rpz-make
 - bug fix: corrected validation regex for wildcards like: `*.domain.com`

---

rpz-beta-0.1.16-16.ipfire on 2024-11-18
rpz-make
 - new feature: updated validation regex
 - bug fix: moved validation to beginning of process.  Now we validate before
creating config files.

rpz.cgi:
 - new feature: use CSS color variables of the main ipfire theme
 - bug fix: empty zonefile remarks were stored as =E2=80=9Cundef=E2=80=9D and=
 caused a warning
 - bug fix: HTML textarea removes the first empty line in a custom list
 - thank you Leo!

---

rpz-beta-0.1.15-15.ipfire on 2024-11-04
rpz.cgi:
 - new feature: added new language file for Turkish (thank you Peppe)

rpz-make
 - bug fix: corrected empty allow/block list issue.  An empty allow/block list
will now remove contents of allow/block.rpz files and remove unneeded
allow/block.conf file.  (thank you iptom)

---

rpz-beta-0.1.14-14.ipfire on  2024-10-29
rpz-config:
 - bug fix: correct missing rpz extension. `rpz-config list` displayed URL
incorrectly (thank you Bernhard)

rpz.cgi:
 - bug fix: remove extra `"` in language files (thank you Bernhard)
 - new feature: slightly dim "apply" button when not enabled

---

rpz-beta-0.1.13-13.ipfire on 2024-10-27
 - skipped

---

rpz-beta-0.1.12-12.ipfire on 2024-10-21
rpz.cgi:
 - new feature: added new language file for French  (thank you gw-ipfire)

---

rpz-beta-0.1.11-11.ipfire on 2024-10-18
rpz.cgi:
- new feature: added new language file for Italian (thank you umberto)
- new feature: added new language file for Spanish (thank you Roberto)

---

rpz-beta-0.1.10-10.ipfire on 2024-10-15
rpz-make:
 - bug fix: corrected validation error for a custom list entry (thank you sio=
sios)
   - e.g., `*.cloudflare-dns.com`

install.sh:
 - bug fix: add chown to correct user created files

update.sh:
 - bug fix: add chown to correct user created files (thank you siosios)

---

rpz-beta-0.1.9-9.ipfire on 2024-10-08
rpz.cgi:
 - new feature: added new language file for German (thank you Leo)
 - bug fix: add missing "rpz exitcode 110"
 - bug fix: corrected missing RPZ menu item at menu > IPFire

---

rpz-beta-0.1.8-8.ipfire on 2024-10-04
 - skipped

---

rpz-beta-0.1.7-7.ipfire on 2024-10-03
All:
 - new feature: includes beta version numbers for pakfire package,
instead of only `rpz-1.0.0-1.ipfire`, for each release.

rpz.cgi:
 - new feature: added new WebGUI at `rpz.cgi`
    - a BIG thank you to Leo Hofmann for all of his work creating the webgui!!
 - bug fix: corrected missing RPZ menu item at menu > IPFire

rpz-make:
 - new feature: validate entries in allowlist and blocklist
 - new feature: add "no-reload" option for WebGUI

rpz-metrics:
 - new feature: info can be sorted by name, by hit count, by line count, by
"enabled" list or all lists

backups:
 - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup

update.sh:
 - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during an
update

Build:
 - bug fix: `block.rpz.conf` and `block.rpz` from build.  Files to be created
by `rpz-make`

WebGUI and German language file
Contribution-by: Leo-Andres Hofmann <hofmann(a)leo-andres.de>

Spanish language file
Contribution-by: Roberto Pe=C3=B1a

Italian language file
Contribution-by: Umberto Parma

French language file
Contribution-by: gw-ipfire

Turkish language file
Contribution-by: Peppe Tech

Contribution-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
Contribution-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
Signed-off-by: Jon Murphy <jon.murphy(a)ipfire.org
---
 config/backup/includes/rpz                 |   4 +
 config/cfgroot/manualpages                 |   1 +
 config/menu/EX-rpz.menu                    |   6 +
 config/rootfiles/common/configroot         |   1 +
 config/rootfiles/common/web-user-interface |   1 +
 config/rootfiles/packages/rpz              |  20 +
 config/rpz/00-rpz.conf                     |  10 +
 config/rpz/rpz-config                      | 130 +++
 config/rpz/rpz-functions                   |  85 ++
 config/rpz/rpz-make                        | 203 +++++
 config/rpz/rpz-metrics                     | 170 ++++
 config/rpz/rpz-sleep                       |  58 ++
 config/rpz/rpz.de.pl                       |  30 +
 config/rpz/rpz.en.pl                       |  30 +
 config/rpz/rpz.es.pl                       |  30 +
 config/rpz/rpz.fr.pl                       |  30 +
 config/rpz/rpz.it.pl                       |  30 +
 config/rpz/rpz.tr.pl                       |  30 +
 html/cgi-bin/rpz.cgi                       | 923 +++++++++++++++++++++
 lfs/rpz                                    |  96 +++
 make.sh                                    |   3 +-
 src/paks/rpz/install.sh                    |  36 +
 src/paks/rpz/uninstall.sh                  |  38 +
 src/paks/rpz/update.sh                     |  52 ++
 24 files changed, 2016 insertions(+), 1 deletion(-)
 create mode 100644 config/backup/includes/rpz
 create mode 100644 config/menu/EX-rpz.menu
 create mode 100644 config/rootfiles/packages/rpz
 create mode 100644 config/rpz/00-rpz.conf
 create mode 100644 config/rpz/rpz-config
 create mode 100644 config/rpz/rpz-functions
 create mode 100644 config/rpz/rpz-make
 create mode 100755 config/rpz/rpz-metrics
 create mode 100755 config/rpz/rpz-sleep
 create mode 100644 config/rpz/rpz.de.pl
 create mode 100644 config/rpz/rpz.en.pl
 create mode 100644 config/rpz/rpz.es.pl
 create mode 100644 config/rpz/rpz.fr.pl
 create mode 100644 config/rpz/rpz.it.pl
 create mode 100644 config/rpz/rpz.tr.pl
 create mode 100644 html/cgi-bin/rpz.cgi
 create mode 100644 lfs/rpz
 create mode 100644 src/paks/rpz/install.sh
 create mode 100644 src/paks/rpz/uninstall.sh
 create mode 100644 src/paks/rpz/update.sh

diff --git a/config/backup/includes/rpz b/config/backup/includes/rpz
new file mode 100644
index 000000000..36513e494
--- /dev/null
+++ b/config/backup/includes/rpz
@@ -0,0 +1,4 @@
+/var/ipfire/dns/rpz/*
+/etc/unbound/zonefiles/allow.rpz
+/etc/unbound/zonefiles/block.rpz
+/etc/unbound/local.d/*rpz.conf
diff --git a/config/cfgroot/manualpages b/config/cfgroot/manualpages
index 1f7e01efc..d3a48c633 100644
--- a/config/cfgroot/manualpages
+++ b/config/cfgroot/manualpages
@@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfire/pakfire
 wlanap.cgi=3Daddons/wireless
 tor.cgi=3Daddons/tor
 samba.cgi=3Daddons/samba
+rpz.cgi=3Daddons/rpz
=20
 #	Logs menu
 logs.cgi/summary.dat=3Dconfiguration/logs/summary
diff --git a/config/menu/EX-rpz.menu b/config/menu/EX-rpz.menu
new file mode 100644
index 000000000..2f4daf410
--- /dev/null
+++ b/config/menu/EX-rpz.menu
@@ -0,0 +1,6 @@
+$subipfire->{'20.rpz'} =3D {
+    'caption' =3D> $Lang::tr{'rpz'},
+    'uri' =3D> '/cgi-bin/rpz.cgi',
+    'title' =3D> "RPZ",
+    'enabled' =3D> 1,
+};
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/con=
figroot
index 9839eee45..b30d6aae4 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu
 #var/ipfire/menu.d/EX-apcupsd.menu
 #var/ipfire/menu.d/EX-guardian.menu
 #var/ipfire/menu.d/EX-mympd.menu
+#var/ipfire/menu.d/EX-rpz.menu
 #var/ipfire/menu.d/EX-samba.menu
 #var/ipfire/menu.d/EX-tor.menu
 #var/ipfire/menu.d/EX-transmission.menu
diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/co=
mmon/web-user-interface
index 816241dae..e00464076 100644
--- a/config/rootfiles/common/web-user-interface
+++ b/config/rootfiles/common/web-user-interface
@@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/qos.cgi
 srv/web/ipfire/cgi-bin/remote.cgi
 srv/web/ipfire/cgi-bin/routing.cgi
+#srv/web/ipfire/cgi-bin/rpz.cgi
 #srv/web/ipfire/cgi-bin/samba.cgi
 srv/web/ipfire/cgi-bin/services.cgi
 srv/web/ipfire/cgi-bin/shutdown.cgi
diff --git a/config/rootfiles/packages/rpz b/config/rootfiles/packages/rpz
new file mode 100644
index 000000000..1c8663049
--- /dev/null
+++ b/config/rootfiles/packages/rpz
@@ -0,0 +1,20 @@
+etc/unbound/local.d/00-rpz.conf
+etc/unbound/zonefiles
+etc/unbound/zonefiles/allow.rpz
+usr/sbin/rpz-config
+usr/sbin/rpz-functions
+usr/sbin/rpz-make
+usr/sbin/rpz-metrics
+usr/sbin/rpz-sleep
+var/ipfire/addon-lang/rpz.de.pl
+var/ipfire/addon-lang/rpz.en.pl
+var/ipfire/addon-lang/rpz.es.pl
+var/ipfire/addon-lang/rpz.fr.pl
+var/ipfire/addon-lang/rpz.it.pl
+var/ipfire/addon-lang/rpz.tr.pl
+var/ipfire/backup/addons/includes/rpz
+var/ipfire/dns/rpz
+var/ipfire/dns/rpz/allowlist
+var/ipfire/dns/rpz/blocklist
+var/ipfire/menu.d/EX-rpz.menu
+srv/web/ipfire/cgi-bin/rpz.cgi
diff --git a/config/rpz/00-rpz.conf b/config/rpz/00-rpz.conf
new file mode 100644
index 000000000..f005a4f2e
--- /dev/null
+++ b/config/rpz/00-rpz.conf
@@ -0,0 +1,10 @@
+server:
+    module-config: "respip validator iterator"
+
+rpz:
+    name:                    allow.rpz
+    zonefile:                /etc/unbound/zonefiles/allow.rpz
+    rpz-action-override:     passthru
+    rpz-log:                 yes
+    rpz-log-name:            allow
+    rpz-signal-nxdomain-ra:  yes
diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config
new file mode 100644
index 000000000..c72d50f9b
--- /dev/null
+++ b/config/rpz/rpz-config
@@ -0,0 +1,130 @@
+#!/bin/bash
+############################################################################=
###
+#                                                                           =
  #
+#  IPFire.org - A linux based firewall                                      =
  #
+#  Copyright (C) 2024-2025  IPFire Team  <info(a)ipfire.org>                =
    #
+#                                                                           =
  #
+#  This program is free software: you can redistribute it and/or modify     =
  #
+#  it under the terms of the GNU General Public License as published by     =
  #
+#  the Free Software Foundation, either version 3 of the License, or        =
  #
+#  (at your option) any later version.                                      =
  #
+#                                                                           =
  #
+#  This program is distributed in the hope that it will be useful,          =
  #
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of           =
  #
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            =
  #
+#  GNU General Public License for more details.                             =
  #
+#                                                                           =
  #
+#  You should have received a copy of the GNU General Public License        =
  #
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.    =
  #
+#                                                                           =
  #
+############################################################################=
###
+
+version=3D"2025-01-11 - v44"
+
+###############     Functions     ###############
+
+source /usr/sbin/rpz-functions
+
+###############       Main        ###############
+
+tagName=3D"unbound"
+
+rpzAction=3D"${1}"                    #  input RPZ action
+rpzName=3D"${2}"                      #  input RPZ name
+rpzURL=3D"${3}"                       #  input RPZ URL
+rpzOption1=3D"${4}"                   #  input RPZ option #1
+rpzOption2=3D"${5}"                   #  input RPZ option #2
+
+rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.conf"    #  output zone con=
f file
+rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz"         #  output for RPZ =
file
+
+rpzLog=3D"yes"                        #  log default is yes
+ucReload=3D"yes"                      #  reload default is yes
+
+while [[ $# -gt 0 ]] ; do
+    case "$1" in
+        --no-log )      rpzLog=3D"no"   ;;
+        --no-reload )   ucReload=3D"no" ; checkConf=3D"no" ;;
+    esac
+    shift       # Shift after checking all the cases to get next option
+done
+
+case "${rpzAction}" in
+    #  add new rpz list
+    add )
+        check_name "${rpzName}"             #  is this a valid name?
+        #  does this config already exist?  If yes, then exit
+        if [[ -f "${rpzConfig}" ]] ; then
+            msg_log "error: rpz: duplicate - ${rpzConfig} already exists. ex=
it"
+            exit 104
+        fi
+
+        #  is this a valid URL?
+        regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;]*[-[:alnum:]\+&@#/%=
=3D~_|]'
+        if ! [[ "${rpzURL}" =3D~ $regex ]] ; then
+            msg_log "error: rpz: the URL is not valid: \"${rpzURL}\". exit."
+            exit 105
+        fi
+
+        #  create the zone config file
+        {
+        echo "rpz:"
+        echo "    name:                   ${rpzName}.rpz"
+        echo "    zonefile:               ${rpzFile}"
+        echo "    url:                    ${rpzURL}"
+        echo "    rpz-action-override:    nxdomain"
+        echo "    rpz-log:                ${rpzLog}"
+        echo "    rpz-log-name:           ${rpzName}"
+        echo "    rpz-signal-nxdomain-ra: yes"
+        } > "${rpzConfig}"
+
+        #  set-up zonefile
+        #    create an empty rpz file if it does not exist
+        if [[ ! -f "${rpzFile}" ]] ; then
+            touch "${rpzFile}"
+            #  unbound requires these settings for rpz files
+            set_permissions "${rpzFile}" "${rpzConfig}"
+        fi
+        ;;
+
+    #  trash config file & rpz file
+    remove )
+        if ! [[ -f "${rpzConfig}" ]] ; then
+            msg_log "error: rpz: cannot remove ${rpzConfig}, does not exist.=
 exit"
+            exit 106
+        fi
+
+        msg_log "info: rpz: remove config file & rpz file \"${rpzName}\""
+        rm "${rpzConfig}"
+        rm "${rpzFile}"
+        ;;
+
+    reload )
+        check_unbound_conf "${checkConf}"
+        ;;
+
+    list )
+        awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/, "",$2) ; NAME=3D$2=
 } \
+            /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print NAME"=3D"$2":"$3} ' =
 \
+            /etc/unbound/local.d/*rpz.conf
+        exit
+        ;;
+
+    unbound-restart )
+        check_unbound_conf "${checkConf}"
+        unbound_restart
+        exit
+        ;;
+
+    * )
+        msg_log "error: rpz: missing or incorrect parameter"
+        printf "Usage:   $(basename "$0") <ACTION> <NAME> <URL> <OPTION> <OP=
TION>\n"
+        printf "Version: ${version}\n"
+        exit 108
+        ;;
+
+esac
+
+unbound_control_reload "${ucReload}"
+
+exit
diff --git a/config/rpz/rpz-functions b/config/rpz/rpz-functions
new file mode 100644
index 000000000..ace1d2690
--- /dev/null
+++ b/config/rpz/rpz-functions
@@ -0,0 +1,85 @@
+#!/bin/bash
+############################################################################=
###
+#                                                                           =
  #
+#  IPFire.org - A linux based firewall                                      =
  #
+#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                     =
    #
+#                                                                           =
  #
+#  This program is free software: you can redistribute it and/or modify     =
  #
+#  it under the terms of the GNU General Public License as published by     =
  #
+#  the Free Software Foundation, either version 3 of the License, or        =
  #
+#  (at your option) any later version.                                      =
  #
+#                                                                           =
  #
+#  This program is distributed in the hope that it will be useful,          =
  #
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of           =
  #
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            =
  #
+#  GNU General Public License for more details.                             =
  #
+#                                                                           =
  #
+#  You should have received a copy of the GNU General Public License        =
  #
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.    =
  #
+#                                                                           =
  #
+############################################################################=
###
+
+version=3D"2024-12-10 - v02"
+
+###############     Functions     ###############
+
+msg_log () {
+    logger --tag "${tagName}" "$*"
+    if tty --silent ; then
+        echo "${tagName}:" "$*"
+    fi
+}
+
+#  check for a valid name
+check_name () {
+    local theName=3D"${1}"
+
+    regex=3D'^[a-zA-Z0-9_]+$'             # no dash or plus, alpha numeric o=
nly
+    regex1=3D'^(allow|block)$'            # allow and block are reserved NAM=
Es
+    if [[ ! "${theName}" =3D~ $regex ]] || [[ "${theName}" =3D~ $regex1 ]] ;=
 then
+        msg_log "error: rpz: the NAME is not valid: \"${theName}\". exit."
+        exit 101
+    fi
+}
+
+set_permissions () {
+    chown nobody:nobody "$@"
+    chmod 644 "$@"
+}
+
+check_unbound_conf () {
+    local thecheckConf=3D"${1:-yes}"      #   check config default is yes
+
+    #  check the above config files
+    if [[ "${thecheckConf}" =3D=3D yes ]] ; then
+        msg_log "info: rpz: check for errors with \"unbound-checkconf\""
+
+        if ! unbound-checkconf ; then
+            msg_log "error: rpz: unbound-checkconf found invalid configurati=
on."
+            msg_log \
+              "error: rpz: In Terminal run the command \"unbound-checkconf\"=
 for more information. exit."
+            exit 102
+        fi
+    fi
+}
+
+unbound_control_reload () {
+    local theReload=3D"${1:-yes}"     #   reload default is yes
+
+    if [[ "${theReload}" =3D=3D yes ]] ; then
+        #  reload due to the changes
+        msg_log  "info: rpz: run \"unbound-control reload\""
+
+        if ! unbound-control reload ; then
+            msg_log "error: rpz: unbound-control reload. exit."
+            exit 109
+        fi
+    fi
+}
+
+unbound_restart () {
+    #  restart due to the changes
+    msg_log  "info: rpz: run \"unbound restart\""
+
+    /usr/local/bin/unboundctrl restart
+}
diff --git a/config/rpz/rpz-make b/config/rpz/rpz-make
new file mode 100644
index 000000000..927d55170
--- /dev/null
+++ b/config/rpz/rpz-make
@@ -0,0 +1,203 @@
+#!/bin/bash
+############################################################################=
###
+#                                                                           =
  #
+#  IPFire.org - A linux based firewall                                      =
  #
+#  Copyright (C) 2024-2025  IPFire Team  <info(a)ipfire.org>                =
    #
+#                                                                           =
  #
+#  This program is free software: you can redistribute it and/or modify     =
  #
+#  it under the terms of the GNU General Public License as published by     =
  #
+#  the Free Software Foundation, either version 3 of the License, or        =
  #
+#  (at your option) any later version.                                      =
  #
+#                                                                           =
  #
+#  This program is distributed in the hope that it will be useful,          =
  #
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of           =
  #
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            =
  #
+#  GNU General Public License for more details.                             =
  #
+#                                                                           =
  #
+#  You should have received a copy of the GNU General Public License        =
  #
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.    =
  #
+#                                                                           =
  #
+############################################################################=
###
+
+version=3D"2025-01-11 - v14"
+
+###############     Functions     ###############
+
+source /usr/sbin/rpz-functions
+
+#   create the config file for allow
+make_allow_config () {
+    local theLog=3D"${1:-yes}"                            #  log default ON
+    local theConfig=3D"/etc/unbound/local.d/00-rpz.conf"  #  output zone con=
f file
+    local theList=3D"/var/ipfire/dns/rpz/allowlist"       #  input custom li=
st of domains
+
+    msg_log "info: rpz: make config file \"00-rpz.conf\""
+
+    echo "server:
+    module-config: \"respip validator iterator\"" > "${theConfig}"
+
+    #  does allow list exist?
+    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
+
+    echo "rpz:
+    name:                   allow.rpz
+    zonefile:               /etc/unbound/zonefiles/allow.rpz
+    rpz-action-override:    passthru
+    rpz-log:                ${theLog}
+    rpz-log-name:           allow
+    rpz-signal-nxdomain-ra: yes" >> "${theConfig}"
+
+    fi
+
+    #  set-up zonefile - unbound requires these settings for rpz files
+    set_permissions "${theConfig}"
+}
+
+#   create the config file for block
+make_block_config () {
+    local theLog=3D"${1:-yes}"                                #  log default=
 ON
+    local theConfig=3D"/etc/unbound/local.d/block.rpz.conf"   #  output zone=
 conf file
+    local theList=3D"/var/ipfire/dns/rpz/blocklist"           #  input custo=
m list of domains
+
+    msg_log "info: rpz: make config file \"block.rpz.conf\""
+
+    #  does block list exist?
+    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
+
+    echo "rpz:
+    name:                   block.rpz
+    zonefile:               /etc/unbound/zonefiles/block.rpz
+    rpz-action-override:    nxdomain
+    rpz-log:                ${theLog}
+    rpz-log-name:           block
+    rpz-signal-nxdomain-ra: yes" > "${theConfig}"
+
+        #  set-up zonefile - unbound requires these settings for rpz files
+        set_permissions "${theConfig}"
+    else
+        #   no - trash the config file
+        rm --verbose /etc/unbound/local.d/block.rpz.conf
+    fi
+}
+
+#   create an RPZ file for allow or block
+make_rpz_file () {
+    local theName=3D"${1}"        #   allow or block
+    local theAction=3D'.'         # the default is nxdomain or block
+    local actionList
+
+    local theList=3D"/var/ipfire/dns/rpz/${theName}list"         #  input cu=
stom list of domains
+    local theZonefile=3D"/etc/unbound/zonefiles/${theName}.rpz"  #  output f=
ile for RPZ
+
+    #  does a list exist?
+    if [[ -s "${theList}" ]] && grep -q . "${theList}" ; then
+
+        # for allow set to passthru
+        [[ "${theName}" =3D=3D allow ]] && theAction=3D'rpz-passthru.'
+
+        #  drop any extra "blanks" and add "CNAME <RPZ action>." to each line
+        actionList=3D$( awk '{$1=3D$1};1' "${theList}" |
+            sed "/^[^;].*[[:alnum:]]/ s|$|  CNAME   ${theAction}|" )
+
+        msg_log "info: rpz: create zonefile for \"${theName}list\""
+
+echo "; Name:             ${theName} list
+; Last modified:    $(date "+%Y-%m-%d at %H.%M.%S %Z")
+;
+;   domains with actions list
+;
+${actionList}" > "${theZonefile}"
+
+        #  set-up zonefile - unbound requires these settings for rpz files
+        set_permissions "${theZonefile}"
+        #  set-up allow/block list files
+        set_permissions "${theList}"
+    else
+        msg_log "info: rpz: the ${theList} is empty."
+
+        rm --verbose "${theZonefile}"   # trash the RPZ file
+    fi
+}
+
+#   check if allow/block list is valid
+validate_list () {
+    local theName=3D"${1}"        #   allow or block
+    local theList=3D"/var/ipfire/dns/rpz/${theName}list"  #  input custom li=
st of domains
+
+	#   remove good:
+	#    - properly formated domain names with or without leading wildcard
+	#    - properly formated top level domain (TLD) names with wildcard
+	#    - blank lines and comment lines
+	#   remaining lines are considered "bad"
+    bad_lines=3D$( sed --regexp-extended  \
+        '/^(\*\.)?([a-zA-Z0-9](([a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+([a-zA-=
Z]{2,}|xn--[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])$/d ;
+         /^(\*\.)([a-z]{2,61}|xn--[a-z0-9]{1,60})$/d ;
+         /^$/d ; /^;/d' "${theList}" )
+
+    if [[ ! -z "${bad_lines}" ]] ; then
+        msg_log "error: rpz: invalid line(s) in ${theList}."
+        printf "%s\n" "bad line(s): ${bad_lines}"
+        exit 110
+    fi
+}
+
+
+###############       Main        ###############
+
+tagName=3D"unbound"
+
+rpzName=3D"${1}"                      #  input RPZ name
+
+rpzLog=3D"yes"                        #  log default is yes
+ucReload=3D"yes"                      #  reload default is yes
+
+while [[ $# -gt 0 ]] ; do
+    case "$1" in
+        --no-log )      rpzLog=3D"no"   ;;
+        --no-reload )   ucReload=3D"no" ;  checkConf=3D"no" ;;
+    esac
+    shift       # Shift after checking all the cases to get next option
+done
+
+case "${rpzName}" in
+    #  make a new allow or block rpz file
+
+    allow )
+        validate_list 'allow'           #   is the allowlist valid?
+        make_allow_config "${rpzLog}"
+        make_rpz_file 'allow'
+        ;;
+
+    allowblock )
+        validate_list 'allow'           #   is the list valid?
+        make_allow_config "${rpzLog}"
+        make_rpz_file 'allow'
+        ;&
+
+    block )
+        validate_list 'block'           #   is the blocklist valid?
+        make_block_config "${rpzLog}"
+        make_rpz_file 'block'
+        ;;
+
+    reload )
+        check_unbound_conf "${checkConf}"
+        ;;
+
+    unbound-restart )
+        check_unbound_conf "${checkConf}"
+		unbound_restart
+		exit
+        ;;
+
+    * )
+        msg_log "error: rpz: missing or incorrect parameter"
+        printf "Usage:   $(basename "$0") <NAME> <OPTION> <OPTION>\n"
+        printf "Version: ${version}\n"
+        exit 108
+        ;;
+esac
+
+unbound_control_reload "${ucReload}"
+
+exit
diff --git a/config/rpz/rpz-metrics b/config/rpz/rpz-metrics
new file mode 100755
index 000000000..4d43e1629
--- /dev/null
+++ b/config/rpz/rpz-metrics
@@ -0,0 +1,170 @@
+#!/bin/bash
+############################################################################=
###
+#                                                                           =
  #
+#  IPFire.org - A linux based firewall                                      =
  #
+#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                     =
    #
+#                                                                           =
  #
+#  This program is free software: you can redistribute it and/or modify     =
  #
+#  it under the terms of the GNU General Public License as published by     =
  #
+#  the Free Software Foundation, either version 3 of the License, or        =
  #
+#  (at your option) any later version.                                      =
  #
+#                                                                           =
  #
+#  This program is distributed in the hope that it will be useful,          =
  #
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of           =
  #
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            =
  #
+#  GNU General Public License for more details.                             =
  #
+#                                                                           =
  #
+#  You should have received a copy of the GNU General Public License        =
  #
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.    =
  #
+#                                                                           =
  #
+############################################################################=
###
+
+version=3D"2025-01-20 - v25"
+
+###############       Main        ###############
+
+weeks=3D"2"                   #   default to two message logs
+sortBy=3D"name"               #   default "by name"
+rpzActive=3D"enabled"         #   default "enabled only"
+
+while [[ $# -gt 0 ]] ; do
+    case "$1" in
+        --by-names | --by-name | name )				sortBy=3D"name"   ;;
+
+        --by-hits | --by-hit | hits | hit )     	sortBy=3D"hit"    ;;
+
+        --by-lines | --by-line | lines | line )    	sortBy=3D"line"   ;;
+
+        --by-effect )								sortBy=3D"effect"   ;;
+
+        --enabled-only )            				rpzActive=3D"enabled" ;;
+
+        --active-all | --all | all )      			rpzActive=3D"all"     ;;
+
+        [0-9] | [0-9][0-9] )        				weeks=3D$1        ;;
+    esac
+    shift       # Shift after checking all the cases to get next option
+done
+
+#  get the list of message logs for N weeks
+messageLogs=3D$( find /var/log/messages* -type f | sort --version-sort |
+    head -"${weeks}" )
+
+#  get the list of RPZ names & counts from the message log(s)
+rpzNameCount=3D$( for logf in ${messageLogs} ; do
+    zgrep --text --fixed-strings 'info: rpz: applied' "${logf}" |
+      awk '$10 ~ /\[\w*]/ { print $10 }' ;
+    done | sort | uniq --count )
+
+#  flip results and remove brackets `[` and `]`
+rpzNameCount=3D$( echo "${rpzNameCount}" |
+    awk '{ print $2, $1 }' |
+    sed --regexp-extended 's|^\[(.*)\]|\1|' )
+
+#  grab only names
+rpzNames=3D$( echo "${rpzNameCount}" | awk '{ print $1 }' )
+
+#  get list of RPZ files
+rpzFileList=3D$( find /etc/unbound/zonefiles -type f -iname "*.rpz" )
+
+#  get basename of those files
+rpzBaseNames=3D$( echo "${rpzFileList}" |
+    sed 's|/etc/unbound/zonefiles/||g ; s|\.rpz||g ;' )
+
+#  add to rpzNames
+rpzNames=3D"${rpzNames}"$'\n'"${rpzBaseNames}"
+
+#  drop duplicate names
+rpzNames=3D$( echo "${rpzNames}" | sort --unique  )
+
+#  get line count for each RPZ
+lineCount=3D$( echo "${rpzFileList}" | xargs wc -l )
+
+#  get comment line count and blank line count for each RPZ
+commentCount=3D$( echo "${rpzFileList}" | xargs grep --count -e "^$" -e "^;"=
 )
+
+#  get modified date each RPZ
+modDateList=3D$( echo "${rpzFileList}" | xargs stat -c '%.10y  %n' )
+
+ucListAuthZones=3D$( unbound-control list_auth_zones )
+
+#  get width of RPZ names
+pWidth=3D$( echo "${rpzNames}" | awk '{ print $1"   " }' | wc -L )
+pFormat=3D"%-${pWidth}s %-8s %-8s %8s %12s %12s\n"
+
+#  print title line
+printf "${pFormat}" "name" "hits" "active" "lines" " hits/line" "last downlo=
ad"
+printf -- "--------------"
+
+theResults=3D""
+totalLines=3D0
+totalHits=3D0
+while read -r theName
+do
+    printf -- "--"        #   pretend progress bar
+
+    #  is this RPZ list active?
+    theActive=3D"disabled"
+    if grep --quiet "^${theName}\.rpz" <<< "${ucListAuthZones}"
+    then
+        theActive=3D"enabled"
+    else
+        [[ "${rpzActive}" =3D=3D enabled ]] && continue
+    fi
+
+    #  get hit count
+    theHits=3D"0"
+    if output=3D$( grep "^${theName}\s" <<< "${rpzNameCount}" ) ; then
+        theHits=3D$( echo "${output}" | awk '{ print $2 }' )
+        totalHits=3D$(( totalHits + theHits ))
+    fi
+
+    #  get line count
+    theLines=3D"n/a"
+    hitsPerLine=3D"0"
+    if output=3D$( grep --fixed-strings "/${theName}.rpz" <<< "${lineCount}"=
 ) ; then
+        theLines=3D$( echo "${output}" | awk '{ print $1 }' )
+        totalLines=3D$(( totalLines + theLines ))
+
+        if [[ "${theLines}" -gt 2 ]] ; then
+            hitsPerLine=3D$(( 100 * theHits / theLines ))
+        fi
+    fi
+
+    #  get modification date
+    theModDate=3D"n/a"
+    if output=3D$( grep --fixed-strings "/${theName}.rpz" <<< "${modDateList=
}" ) ; then
+        theModDate=3D$( echo "${output}" | awk '{ print $1 }' )
+    fi
+
+    #  add to results list
+    theResults+=3D"${theName} ${theHits} ${theActive} ${theLines} ${hitsPerL=
ine} ${theModDate}"$'\n'
+
+done <<< "${rpzNames}"
+
+case "${sortBy}" in
+    #  sort by "active" then by "name"
+    name) sortArg=3D(-k3,3r -k1,1)			;;
+
+    #  sort by "active" then by "hits" then by "name"
+    hit)  sortArg=3D(-k3,3r -k2,2nr -k1,1)	;;
+
+    #  sort by "active" then by "lines" then by "name"
+    line) sortArg=3D(-k3,3r -k4,4nr -k1,1)	;;
+
+    #  sort by "active" then by "effect" then by "name"
+    effect) sortArg=3D(-k3,3r -k5,5nr -k1,1)	;;
+esac
+
+printf -- "--------------\n"
+#  remove blank lines, sort, print as columns
+echo "${theResults}" |
+    awk '!/^[[:space:]]*$/' |
+    sort "${sortArg[@]}"    |
+    awk --assign=3Dwidth=3D"${pWidth}" \
+        '{ printf "%-*s %-8s %-8s %8s %10s %% %12s\n", width, $1, $2, $3, $4=
, $5, $6 }'
+
+printf "${pFormat}" "" "=3D=3D=3D=3D=3D=3D=3D" "" "=3D=3D=3D=3D=3D=3D=3D=3D"=
 "" ""
+printf "${pFormat}" "Totals -->" "${totalHits}" "" "${totalLines}" "" ""
+
+exit
diff --git a/config/rpz/rpz-sleep b/config/rpz/rpz-sleep
new file mode 100755
index 000000000..dd3603599
--- /dev/null
+++ b/config/rpz/rpz-sleep
@@ -0,0 +1,58 @@
+#!/bin/bash
+############################################################################=
###
+#                                                                           =
  #
+#  IPFire.org - A linux based firewall                                      =
  #
+#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                     =
    #
+#                                                                           =
  #
+#  This program is free software: you can redistribute it and/or modify     =
  #
+#  it under the terms of the GNU General Public License as published by     =
  #
+#  the Free Software Foundation, either version 3 of the License, or        =
  #
+#  (at your option) any later version.                                      =
  #
+#                                                                           =
  #
+#  This program is distributed in the hope that it will be useful,          =
  #
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of           =
  #
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            =
  #
+#  GNU General Public License for more details.                             =
  #
+#                                                                           =
  #
+#  You should have received a copy of the GNU General Public License        =
  #
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.    =
  #
+#                                                                           =
  #
+############################################################################=
###
+
+version=3D"2024-08-16"        # v05
+
+###############     Functions     ###############
+
+#   send message to message log
+msg_log () {
+    logger --tag "${tagName}" "$*"
+    if tty --silent ; then
+        echo "${tagName}:" "$*"
+    fi
+}
+
+###############       Main        ###############
+
+tagName=3D"unbound"
+
+sleepTime=3D"${1:-5m}"            #  default to sleep for 5m (5 minutes)
+
+zoneList=3D$( unbound-control list_auth_zones | awk '{print $1}' )
+
+for zone in ${zoneList} ; do
+    printf "disable ${zone}\t"
+    unbound-control rpz_disable "${zone}"
+done
+
+msg_log "info: rpz: disabled all zones for ${sleepTime}"
+
+sleep "${sleepTime}"
+
+for zone in ${zoneList} ; do
+    printf "enable ${zone}\t"
+    unbound-control rpz_enable "${zone}"
+done
+
+msg_log "info: rpz: enabled all zones"
+
+exit
diff --git a/config/rpz/rpz.de.pl b/config/rpz/rpz.de.pl
new file mode 100644
index 000000000..3770c6bb0
--- /dev/null
+++ b/config/rpz/rpz.de.pl
@@ -0,0 +1,30 @@
+#  Added for Response Policy Zone (RPZ) add-on
+%tr =3D (%tr,
+'rpz' =3D> 'Response Policy Zones (RPZ)',
+'rpz apply' =3D> '=C3=9Cbernehmen',
+'rpz cl allow enable' =3D> 'Benutzerdefinierte Allowlist aktivieren:',
+'rpz cl allow info' =3D> 'Zugelassene Domains (eine pro Zeile)<br>Beispiel: =
domain.com, *.domain.com',
+'rpz cl allow' =3D> 'Benutzerdefinierte Allowlist',
+'rpz cl block enable' =3D> 'Benutzerdefinierte Blocklist aktivieren:',
+'rpz cl block info' =3D> 'Gesperrte Domains (eine pro Zeile)<br>Beispiel: do=
main.com, *.domain.com',
+'rpz cl block' =3D> 'Benutzerdefinierte Blocklist',
+'rpz cl' =3D> 'Benutzerdefinierte Listen',
+'rpz exitcode 101' =3D> 'Der Name enth=C3=A4lt unzul=C3=A4ssige Zeichen',
+'rpz exitcode 102' =3D> 'unbound-checkconf hat eine fehlerhafte Konfiguratio=
n ermittelt. F=C3=BChren Sie das Kommando unbound-checkconf auf der Konsole a=
us, um weitere Informationen zu erhalten.',
+'rpz exitcode 103' =3D> 'Die benutzerdefinierte Allow-/Blocklist ist leer',
+'rpz exitcode 104' =3D> 'Ein Eintrag mit identischem Namen existiert bereits=
',
+'rpz exitcode 105' =3D> 'Die URL ist ung=C3=BCltig',
+'rpz exitcode 106' =3D> 'Eintrag kann nicht entfernt werden, der Name existi=
ert nicht',
+'rpz exitcode 107' =3D> 'Der Name ist ung=C3=BCltig - nur "allow" oder "bloc=
k" m=C3=B6glich',
+'rpz exitcode 108' =3D> 'Fehlende oder inkorrekte Parameter',
+'rpz exitcode 109' =3D> 'unbound-control reload ist fehlgeschlagen',
+'rpz exitcode 110' =3D> 'Die benutzerdefinierte Allow-/Blocklist enth=C3=A4l=
t unzul=C3=A4ssige Eintr=C3=A4ge',
+'rpz exitcode 201' =3D> 'Die Anmerkung enth=C3=A4lt unzul=C3=A4ssige Zeichen=
',
+'rpz exitcode 202' =3D> 'Ung=C3=BCltiger Eintrag in der benutzerdefinierten =
Allowlist, Zeile ',
+'rpz exitcode 203' =3D> 'Ung=C3=BCltiger Eintrag in der benutzerdefinierten =
Blocklist, Zeile ',
+'rpz exitcode 204' =3D> 'Ausgew=C3=A4hlter Eintrag existiert nicht: ',
+'rpz zf editor' =3D> 'Zonendatei-Eintrag bearbeiten',
+'rpz zf imported' =3D> '(importiert aus rpz-config)',
+'rpz zf remark info' =3D> 'Erlaubte Zeichen sind a-z, A-Z, 0-9 und Unterstri=
che',
+'rpz zf' =3D> 'Zonendateien',
+);
diff --git a/config/rpz/rpz.en.pl b/config/rpz/rpz.en.pl
new file mode 100644
index 000000000..0720a8940
--- /dev/null
+++ b/config/rpz/rpz.en.pl
@@ -0,0 +1,30 @@
+#  Added for Response Policy Zone (RPZ) add-on
+%tr =3D (%tr,
+'rpz' =3D> 'Response Policy Zones (RPZ)',
+'rpz apply' =3D> 'Apply',
+'rpz cl allow enable' =3D> 'Enable custom allowlist:',
+'rpz cl allow info' =3D> 'Allowed domains (one per line)<br>Example: domain.=
com, *.domain.com',
+'rpz cl allow' =3D> 'Custom allowlist',
+'rpz cl block enable' =3D> 'Enable custom blocklist:',
+'rpz cl block info' =3D> 'Blocked domains (one per line)<br>Example: domain.=
com, *.domain.com',
+'rpz cl block' =3D> 'Custom blocklist',
+'rpz cl' =3D> 'Custom lists',
+'rpz exitcode 101' =3D> 'the NAME is not valid',
+'rpz exitcode 102' =3D> 'unbound-checkconf found invalid configuration. In t=
he Terminal run the command unbound-checkconf for more information',
+'rpz exitcode 103' =3D> 'the allow/block list is empty',
+'rpz exitcode 104' =3D> 'duplicate - NAME already exists',
+'rpz exitcode 105' =3D> 'the URL is not valid',
+'rpz exitcode 106' =3D> 'cannot remove the NAME does not exist',
+'rpz exitcode 107' =3D> 'the NAME is not valid - "allow" or "block" only',
+'rpz exitcode 108' =3D> 'missing or incorrect parameter',
+'rpz exitcode 109' =3D> 'unbound-control reload failed',
+'rpz exitcode 110' =3D> 'custom Allowlist/Blocklist contains invalid entries=
',
+'rpz exitcode 201' =3D> 'the REMARK is not valid',
+'rpz exitcode 202' =3D> 'invalid entry in allowlist, line ',
+'rpz exitcode 203' =3D> 'invalid entry in blocklist, line ',
+'rpz exitcode 204' =3D> 'Selected entry does not exist: ',
+'rpz zf editor' =3D> 'Edit zonefiles entry',
+'rpz zf imported' =3D> '(imported from rpz-config)',
+'rpz zf remark info' =3D> 'Valid characters are a-z, A-Z, 0-9 and underscore=
.',
+'rpz zf' =3D> 'Zonefiles',
+);
diff --git a/config/rpz/rpz.es.pl b/config/rpz/rpz.es.pl
new file mode 100644
index 000000000..98628e4aa
--- /dev/null
+++ b/config/rpz/rpz.es.pl
@@ -0,0 +1,30 @@
+#  Added for Response Policy Zone (RPZ) add-on
+%tr =3D (%tr,
+'rpz' =3D> 'Zonas de pol=C3=ADtica de respuesta (RPZ)',
+'rpz apply' =3D> 'Aplicar',
+'rpz cl allow enable' =3D> 'Habilitar la lista blanca personalizada:',
+'rpz cl allow info' =3D> 'Dominio permitido (uno por l=C3=ADnea)<br>Ejemplo:=
 domain.com, *.domain.com',
+'rpz cl allow' =3D> 'Lista blanca personalizada',
+'rpz cl block enable' =3D> 'Habilitar la lista negra personalizada:',
+'rpz cl block info' =3D> 'Dominio bloqueado (uno por l=C3=ADnea)<br>Ejemplo:=
 domain.com, *.domain.com',
+'rpz cl block' =3D> 'Lista negra personalizada',
+'rpz cl' =3D> 'Lista personalizada',
+'rpz exitcode 101' =3D> 'El NOMBRE no es v=C3=A1lido',
+'rpz exitcode 102' =3D> 'unbound-checkconf ha encontrado una configuraci=C3=
=B3n no v=C3=A1lida. Desde Terminal, ejecute el comando unbound-checkconf par=
a mayor informaci=C3=B3n',
+'rpz exitcode 103' =3D> 'La lista de permitidos/bloqueados est=C3=A1 vac=C3=
=ADa',
+'rpz exitcode 104' =3D> 'duplicado - NOMBRE ya existe',
+'rpz exitcode 105' =3D> 'la URL no es v=C3=A1lida',
+'rpz exitcode 106' =3D> 'no es posible eliminar el NOMBRE que no existe',
+'rpz exitcode 107' =3D> 'el NOMBRE no es v=C3=A1lido - s=C3=B3lo "permitir" =
o "bloquear"',
+'rpz exitcode 108' =3D> 'par=C3=A1metro faltante o incorrecto',
+'rpz exitcode 109' =3D> 'Error al recargar unbound-control',
+'rpz exitcode 110' =3D> 'la Lista blanca/Lista negra personalizada contiene =
entradas no v=C3=A1lidas',
+'rpz exitcode 201' =3D> 'el COMENTARIO no es v=C3=A1lido',
+'rpz exitcode 202' =3D> 'entrada no v=C3=A1lida en la lista blanca, l=C3=ADn=
ea ',
+'rpz exitcode 203' =3D> 'entrada no v=C3=A1lida en la lista negra, l=C3=ADne=
a ',
+'rpz exitcode 204' =3D> 'La entrada seleccionada no existe: ',
+'rpz zf editor' =3D> 'Editar la entrada de archivos de zona',
+'rpz zf imported' =3D> '(importado de rpz-config)',
+'rpz zf remark info' =3D> 'Los caracteres v=C3=A1lidos son a-z, A-Z, 0-9 y g=
ui=C3=B3n bajo',
+'rpz zf' =3D> 'Archivos de zona',
+);
diff --git a/config/rpz/rpz.fr.pl b/config/rpz/rpz.fr.pl
new file mode 100644
index 000000000..f35f3c2d0
--- /dev/null
+++ b/config/rpz/rpz.fr.pl
@@ -0,0 +1,30 @@
+#  Added for Response Policy Zone (RPZ) add-on
+%tr =3D (%tr,
+'rpz' =3D> 'Response Policy Zones (RPZ)',
+'rpz apply' =3D> 'Appliquer',
+'rpz cl allow enable' =3D> 'Activer la liste d\'autorisations personnalis=C3=
=A9e:',
+'rpz cl allow info' =3D> 'Domaines autoris=C3=A9s (un par ligne)<br>Example:=
 domain.com, *.domain.com',
+'rpz cl allow' =3D> 'Liste d\'autorisations personnalis=C3=A9e',
+'rpz cl block enable' =3D> 'Activer la liste de blocage personnalis=C3=A9e:',
+'rpz cl block info' =3D> 'Domaines bloqu=C3=A9s (un par ligne)<br>Example: d=
omain.com, *.domain.com',
+'rpz cl block' =3D> 'liste de blocage personnalis=C3=A9',
+'rpz cl' =3D> 'Listes personnalis=C3=A9es',
+'rpz exitcode 101' =3D> 'le NOM n\'est pas valide',
+'rpz exitcode 102' =3D> 'unbound-checkconf configuration non valide trouv=C3=
=A9e. Dans le terminal, ex=C3=A9cutez la commande unbound-checkconf pour plus=
 d\'informations',
+'rpz exitcode 103' =3D> 'la liste autoriser/bloquer est vide',
+'rpz exitcode 104' =3D> 'le NOM existe d=C3=A9j=C3=A0',
+'rpz exitcode 105' =3D> 'L\'URL n\'est pas valide',
+'rpz exitcode 106' =3D> 'impossible de supprimer le NOM n\'existe pas',
+'rpz exitcode 107' =3D> 'le NOM n\'est pas valide - =C2=AB autoriser =C2=BB =
ou =C2=AB bloquer =C2=BB seulement',
+'rpz exitcode 108' =3D> 'param=C3=A8tre manquant ou incorrect',
+'rpz exitcode 109' =3D> 'unbound-control rechargement =C3=A9chou=C3=A9',
+'rpz exitcode 110' =3D> 'la liste autoriser/bloquer contient des entr=C3=A9e=
s non valides',
+'rpz exitcode 201' =3D> 'la REMARQUE n\'est pas valable',
+'rpz exitcode 202' =3D> 'entr=C3=A9e non valide dans la liste d\'autorisatio=
n, ligne ',
+'rpz exitcode 203' =3D> 'entr=C3=A9e non valide dans la liste de blocs, lign=
e ',
+'rpz exitcode 204' =3D> 'L\'entr=C3=A9e s=C3=A9lectionn=C3=A9e n\'existe pas=
: ',
+'rpz zf editor' =3D> 'Modifier l\'entr=C3=A9e Fichiers Zone',
+'rpz zf imported' =3D> '(import=C3=A9 de rpz-config)',
+'rpz zf remark info' =3D> 'Les caract=C3=A8res valides sont a-z, A-Z, 0-9 et=
 soulignement.',
+'rpz zf' =3D> 'Fichiers Zone',
+);
diff --git a/config/rpz/rpz.it.pl b/config/rpz/rpz.it.pl
new file mode 100644
index 000000000..ee81605c9
--- /dev/null
+++ b/config/rpz/rpz.it.pl
@@ -0,0 +1,30 @@
+#  Added for Response Policy Zone (RPZ) add-on
+%tr =3D (%tr,
+'rpz' =3D> 'Response Policy Zones (RPZ)',
+'rpz apply' =3D> 'Applica',
+'rpz cl allow enable' =3D> 'Abilita la Whitelist personalizzata:',
+'rpz cl allow info' =3D> 'Domini consentiti (uno per riga)<br>Esempio: domai=
n.com, *.domain.com',
+'rpz cl allow' =3D> 'Whitelist personalizzata',
+'rpz cl block enable' =3D> 'Abilita la Blacklist personalizzata:',
+'rpz cl block info' =3D> 'Domini bloccati (uno per riga)<br>Esempio: domain.=
com, *.domain.com',
+'rpz cl block' =3D> 'Blacklist personalizzata',
+'rpz cl' =3D> 'Liste personalizzate',
+'rpz exitcode 101' =3D> 'il NOME non =C3=A8 valido',
+'rpz exitcode 102' =3D> 'unbound-checkconf ha trovato una configurazione non=
 valida. Dal Terminale esegui il comando unbound-checkconf per maggiori infor=
mazioni',
+'rpz exitcode 103' =3D> 'l\'elenco consentiti/bloccati =C3=A8 vuoto',
+'rpz exitcode 104' =3D> 'duplicato - NAME esiste di gi=C3=A0',
+'rpz exitcode 105' =3D> 'l\'URL non =C3=A8 valido',
+'rpz exitcode 106' =3D> 'non =C3=A8 possibile rimuovere il NOME non esiste',
+'rpz exitcode 107' =3D> 'il NOME non =C3=A8 valido - solo "consenti" o "bloc=
ca"',
+'rpz exitcode 108' =3D> 'parametro mancante o non corretto',
+'rpz exitcode 109' =3D> 'ricaricamento del controllo non associato non riusc=
ito',
+'rpz exitcode 110' =3D> 'la Whitelist/Blacklist personalizzata contiene voci=
 non valide',
+'rpz exitcode 201' =3D> 'l"OSSERVAZIONE non =C3=A8 valida',
+'rpz exitcode 202' =3D> 'voce non valida nella Whitelist, riga ',
+'rpz exitcode 203' =3D> 'voce non valida nella Blacklist, riga ',
+'rpz exitcode 204' =3D> 'La voce selezionata non esiste: ',
+'rpz zf editor' =3D> 'Modifica la voce dei file di zona',
+'rpz zf imported' =3D> '(importato da rpz-config)',
+'rpz zf remark info' =3D> 'I caratteri validi sono a-z, A-Z, 0-9 e trattino =
basso',
+'rpz zf' =3D> 'Zonefiles',
+);
diff --git a/config/rpz/rpz.tr.pl b/config/rpz/rpz.tr.pl
new file mode 100644
index 000000000..00226e192
--- /dev/null
+++ b/config/rpz/rpz.tr.pl
@@ -0,0 +1,30 @@
+#  I=EF=BF=BDin eklendi Ayriyeten Response Policy Zone (RPZ)
+%tr =3D (%tr,
+'rpz' =3D> 'Response Policy Zones (RPZ)',
+'rpz apply' =3D> 'Uygulamak',
+'rpz cl allow enable' =3D> '=EF=BF=BDzel Etkinlestir allowlist:',
+'rpz cl allow info' =3D> 'Izin verilmis domains (satir basina bir)<br>=EF=BF=
=BDrnegin: domain.com, *.domain.com',
+'rpz cl allow' =3D> 'Etkinlestir allowlist',
+'rpz cl block enable' =3D> '=EF=BF=BDzel Etkinlestir blocklist:',
+'rpz cl block info' =3D> 'Engellenmis domains (satir basina bir)<br>=EF=BF=
=BDrnegin: domain.com, *.domain.com',
+'rpz cl block' =3D> 'Engellenmis blocklist',
+'rpz cl' =3D> 'Engellenmis lists',
+'rpz exitcode 101' =3D> 'NAME ge=EF=BF=BDerli degil',
+'rpz exitcode 102' =3D> 'unbound-checkconf ge=EF=BF=BDersiz yapilandirma bul=
undu. Terminalde daha fazla bilgi i=EF=BF=BDin Unbound-checkConf komutunu =EF=
=BF=BDalistirin',
+'rpz exitcode 103' =3D> 'allow/block liste bos',
+'rpz exitcode 104' =3D> 'kopyalamak - NAME zaten var',
+'rpz exitcode 105' =3D> 'URL ge=EF=BF=BDerli degil',
+'rpz exitcode 106' =3D> '=EF=BF=BDikarilamiyor NAME yok',
+'rpz exitcode 107' =3D> 'NAME ge=EF=BF=BDerli degil - "allow" veya "block" y=
alniz',
+'rpz exitcode 108' =3D> 'Parametre eksik veya yanlis',
+'rpz exitcode 109' =3D> 'unbound-control basarisiz',
+'rpz exitcode 110' =3D> 'Engellenmis Allowlist/Blocklist ge=EF=BF=BDersiz gi=
risler i=EF=BF=BDerir',
+'rpz exitcode 201' =3D> 'REMARK ge=EF=BF=BDerli degil',
+'rpz exitcode 202' =3D> 'Ge=EF=BF=BDersiz giris allowlist, line ',
+'rpz exitcode 203' =3D> 'Ge=EF=BF=BDersiz giris blocklist, line ',
+'rpz exitcode 204' =3D> 'Se=EF=BF=BDilen giris yok: ',
+'rpz zf editor' =3D> 'yazimlamak zonefiles giris',
+'rpz zf imported' =3D> '(ithal edildi rpz-config)',
+'rpz zf remark info' =3D> 'Ge=EF=BF=BDerli karakterler a-z, A-Z, 0-9ve alt=
=EF=BF=BDst.',
+'rpz zf' =3D> 'Zonefiles',
+);
diff --git a/html/cgi-bin/rpz.cgi b/html/cgi-bin/rpz.cgi
new file mode 100644
index 000000000..a821c92ac
--- /dev/null
+++ b/html/cgi-bin/rpz.cgi
@@ -0,0 +1,923 @@
+#!/usr/bin/perl
+############################################################################=
###
+#                                                                           =
  #
+# IPFire.org - A linux based firewall                                       =
  #
+# Copyright (C) 2005-2024  IPFire Team  <info(a)ipfire.org>                 =
    #
+#                                                                           =
  #
+# This program is free software: you can redistribute it and/or modify      =
  #
+# it under the terms of the GNU General Public License as published by      =
  #
+# the Free Software Foundation, either version 3 of the License, or         =
  #
+# (at your option) any later version.                                       =
  #
+#                                                                           =
  #
+# This program is distributed in the hope that it will be useful,           =
  #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of            =
  #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             =
  #
+# GNU General Public License for more details.                              =
  #
+#                                                                           =
  #
+# You should have received a copy of the GNU General Public License         =
  #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.     =
  #
+#                                                                           =
  #
+############################################################################=
###
+
+use strict;
+use Scalar::Util qw(looks_like_number);
+
+# debugging
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+#use Data::Dumper;
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+###--- Extra HTML ---###
+my $extraHead =3D <<END
+<style>
+	/* alternating row background */
+	.tbl tr:nth-child(2n+2) {
+		background-color: var(--color-light-grey);
+	}
+	.tbl tr:nth-child(2n+3) {
+		background-color: var(--color-grey);
+	}
+	/* text styles */
+	.tbl th:not(:last-child) {
+		text-align: left;
+	}
+	div.right {
+		text-align: right;
+		margin-top: 0.5em;
+	}
+	/* customlist input */
+	textarea.domainlist {
+		margin: 0.5em 0;
+		resize: vertical;
+		min-height: 10em;
+		overflow: auto;
+		white-space: pre;
+	}
+	button[type=3Dsubmit]:disabled {
+		opacity: 0.6;
+	}
+</style>
+END
+;
+###--- End of extra HTML ---###
+
+
+### Settings ###
+
+# Request DNS service reload after configuration change
+my $RPZ_RELOAD_FLAG =3D "${General::swroot}/dns/rpz/reload.flag";
+
+# Configuration file for all available zonefiles
+# Format: index, name (unique), enabled (on/off), URL, remark
+my $ZONEFILES_CONF =3D "${General::swroot}/dns/rpz/zonefiles.conf";
+
+# Configuration file for custom lists
+# IDs: 0=3Dallowlist, 1=3Dblocklist, 2=3Doptions (allow/block enabled)
+my $CUSTOMLISTS_CONF =3D "${General::swroot}/dns/rpz/customlists.conf";
+
+# Export custom lists to rpz-config
+my $RPZ_ALLOWLIST =3D "${General::swroot}/dns/rpz/allowlist";
+my $RPZ_BLOCKLIST =3D "${General::swroot}/dns/rpz/blocklist";
+
+
+### Preparation ###
+
+# Create missing config files
+unless(-f $ZONEFILES_CONF) { &General::system('touch', "$ZONEFILES_CONF"); }
+unless(-f $CUSTOMLISTS_CONF) { &General::system('touch', "$CUSTOMLISTS_CONF"=
); }
+
+
+## Global gui data
+my $errormessage =3D "";
+
+## Global configuration data
+my %zonefiles =3D ();
+my %customlists =3D ();
+&_zonefiles_load();
+&_customlists_load();
+
+## Global CGI form data
+my %cgiparams =3D ();
+&Header::getcgihash(\%cgiparams);
+
+my $action =3D $cgiparams{'ACTION'} // 'NONE';
+my $action_key =3D $cgiparams{'KEY'} // ''; # entry being edited, empty =3D =
none/new
+
+
+###--- Process form actions ---###
+
+# Zonefiles action: Check whether the requested entry exists
+if((substr($action, 0, 3) eq 'ZF_') && ($action_key)) {
+	unless(defined $zonefiles{$action_key}) {
+		$errormessage =3D &_rpz_error_tr(204, $action_key);
+		$action =3D 'NONE';
+	}
+}
+
+## Perform actions
+if($action eq 'ZF_SAVE') {				## Save new or modified zonefiles entry
+	if(&_action_zf_save()) {
+		$action =3D 'NONE'; # success, return to main page
+		&_http_prg_redirect();
+	} else {
+		$action =3D 'ZF_EDIT'; # error occured, keep editing
+	}
+
+} elsif($action eq 'ZF_TOGGLE') {		## Toggle on/off
+	if(&_action_zf_toggle()) {
+		$action =3D 'NONE';
+		&_http_prg_redirect();
+	}
+
+} elsif($action eq 'ZF_REMOVE') {		## Remove entry
+	if(&_action_zf_remove()) {
+		$action =3D 'NONE';
+		&_http_prg_redirect();
+	}
+
+} elsif($action eq 'CL_SAVE') {			## Save custom lists
+	if(&_action_cl_save()) {
+		$action =3D 'NONE';
+		&_http_prg_redirect();
+	}
+
+} elsif($action eq 'RPZ_RELOAD') {		## Reload dns configuration
+	if(&_action_rpz_reload()) {
+		$action =3D 'NONE';
+		&_http_prg_redirect();
+	}
+
+} elsif($action eq 'UNB_RESTART') {		## Restart unbound service
+	if(&_action_unb_restart()) {
+		$action =3D 'NONE';
+		&_http_prg_redirect();
+	}
+
+}
+
+
+###--- Start GUI ---###
+
+## Start http output
+&Header::showhttpheaders();
+
+# Start HTML
+&Header::openpage($Lang::tr{'rpz'}, 1, $extraHead);
+&Header::openbigbox('100%', 'left', '');
+
+# Show error messages
+if($errormessage) {
+	&_print_message($errormessage);
+}
+
+# Handle zonefile add/edit mode
+if($action eq "ZF_EDIT") {
+	&_print_zonefile_editor();
+
+	# Finalize page and exit cleanly
+	&Header::closebigbox();
+	&Header::closepage();
+	exit(0);
+}
+
+# Show gui elements
+&_print_zonefiles();
+&_print_customlists();
+&_print_gui_extras();
+
+&Header::closebigbox();
+&Header::closepage();
+
+###--- End of GUI ---###
+
+
+###--- Internal configuration file functions ---###
+
+# Load all available zonefiles from rpz-config and the internal configuration
+sub _zonefiles_load {
+	# Clean start
+	%zonefiles =3D ();
+
+	# Source 1: Get the currently enabled zonefiles from rpz-config (expected f=
ormat [name]=3D[URL])
+	my @enabled_files =3D &General::system_output('/usr/sbin/rpz-config', 'list=
');
+
+	foreach my $row (@enabled_files) {
+		chomp($row);
+
+		# Use regex instead of split() to skip non-matching lines
+		next unless($row =3D~ /^(\w+)=3D(.+)$/);
+		my ($name, $url) =3D ($1, $2);
+
+		# Unique names are already guaranteed by rpz-config
+		if(&_rpz_validate_zonefile($name, $url, '', 0) =3D=3D 0) {
+			# Populate global data hash, mark all found entries as enabled
+			my %entry =3D ('enabled' =3D> 'on',
+				'url' =3D> $url,
+				'remark' =3D> $Lang::tr{'rpz zf imported'});
+
+			$zonefiles{$name} =3D \%entry;
+		}
+	}
+
+	# Source 2: Get additional data and disabled entries from configuration file
+	my %configured_files =3D ();
+	&General::readhasharray($ZONEFILES_CONF, \%configured_files);
+
+	foreach my $row (values (%configured_files)) {
+		my ($name, $enabled, $url, $remark) =3D @$row;
+		$remark //=3D "";
+
+		next unless($name);
+
+		# Check whether this row belongs to an entry already imported from rpz-con=
fig
+		if(defined $zonefiles{$name}) {
+			# Existing entry, only merge additional data
+			$zonefiles{$name}{'remark'} =3D $remark;
+		} else {
+			# Skip entry if it is marked as enabled but not found by rpz-config. It w=
as then deleted manually
+			if($enabled ne 'on') {
+				# Populate global data hash
+				my %entry =3D ('enabled' =3D> 'off',
+					'url' =3D> $url // "",
+					'remark' =3D> $remark);
+
+				$zonefiles{$name} =3D \%entry;
+			}
+		}
+	}
+}
+
+# Save internal zonefiles configuration
+sub _zonefiles_save_conf {
+	my $index =3D 0;
+	my %export =3D ();
+
+	# Loop trough all zonefiles and create "hasharray" type export
+	foreach my $name (keys %zonefiles) {
+		my @entry =3D ($name,
+			$zonefiles{$name}{'enabled'},
+			$zonefiles{$name}{'url'},
+			$zonefiles{$name}{'remark'});
+
+		$export{$index++} =3D \@entry;
+	}
+
+	&General::writehasharray($ZONEFILES_CONF, \%export);
+}
+
+# Load custom lists from rpz-config and the internal configuration
+sub _customlists_load {
+	# Clean start
+	%customlists =3D ();
+
+	# Load configuration file
+	my %lists_conf =3D ();
+	&General::readhasharray($CUSTOMLISTS_CONF, \%lists_conf);
+
+	# Get list options, enabled by default to start import
+	$customlists{'allow'}{'enabled'} =3D $lists_conf{2}[0] // 'on';
+	$customlists{'block'}{'enabled'} =3D $lists_conf{2}[1] // 'on';
+
+	# Import enabled list from rpz-config, otherwise retrieve stored or empty l=
ist from configuration file
+	if($customlists{'allow'}{'enabled'} eq 'on') {
+		&_customlist_import('allow', $RPZ_ALLOWLIST);
+	} else {
+		$customlists{'allow'}{'list'} =3D $lists_conf{0} // [];
+	}
+	if($customlists{'block'}{'enabled'} eq 'on') {
+		&_customlist_import('block', $RPZ_BLOCKLIST);
+	} else {
+		$customlists{'block'}{'list'} =3D $lists_conf{1} // [];
+	}
+}
+
+# Save internal custom lists configuration
+sub _customlists_save_conf {
+	my %export =3D ();
+
+	# Match IDs with import function
+	$export{0} =3D $customlists{'allow'}{'list'};
+	$export{1} =3D $customlists{'block'}{'list'};
+	$export{2} =3D [$customlists{'allow'}{'enabled'}, $customlists{'block'}{'en=
abled'}];
+
+	&General::writehasharray($CUSTOMLISTS_CONF, \%export);
+}
+
+# Import a custom list from plain file, returns empty list if file is missing
+sub _customlist_import {
+	my ($listname, $filename) =3D @_;
+	my @list =3D ();
+
+	# File exists, load and check all lines
+	if(-f $filename) {
+		open(my $FH, '<', $filename) or die "Can't read $filename: $!";
+		while(my $line =3D <$FH>) {
+			chomp($line);
+			push(@list, $line);
+		}
+		close($FH);
+
+		# Clean up imported data
+		&_rpz_validate_customlist(\@list, 1);
+	}
+
+	$customlists{$listname}{'list'} =3D \@list;
+}
+
+# Export a custom list to plain file or clear file if list is disabled
+sub _customlist_export {
+	my ($listname, $filename) =3D @_;
+	return unless(defined $customlists{$listname});
+
+	# Write enabled domain list to file, otherwise save empty file
+	open(my $FH, '>', $filename) or die "Can't write $filename: $!";
+
+	if($customlists{$listname}{'enabled'} eq 'on') {
+		foreach my $line (@{$customlists{$listname}{'list'}}) {
+			print $FH "$line\n";
+		}
+	} else {
+		print $FH "; Note: This list is currently disabled by $ENV{'SCRIPT_NAME'}\=
n";
+	}
+
+	close($FH);
+}
+
+
+###--- Internal gui functions ---###
+
+# Show simple message box
+sub _print_message {
+	my ($message, $title) =3D @_;
+	$title ||=3D $Lang::tr{'error messages'};
+
+	&Header::openbox('100%', 'left', $title);
+	print "<span>$message</span>";
+	&Header::closebox();
+}
+
+# Show all zone files and related gui elements
+sub _print_zonefiles {
+	&Header::openbox('100%', 'left', $Lang::tr{'rpz zf'});
+
+	print <<END
+<table class=3D"tbl" width=3D"100%">
+	<tr>
+		<th>$Lang::tr{'name'}</th>
+		<th>URL</th>
+		<th>$Lang::tr{'remark'}</th>
+		<th colspan=3D"3">$Lang::tr{'action'}</th>
+	</tr>
+END
+;
+
+	# Sort zonefiles by name and loop trough all entries
+	foreach my $name (sort keys %zonefiles) {
+
+		# Toggle button label translation
+		my $toggle_tr =3D ($zonefiles{$name}{'enabled'} eq 'on') ? $Lang::tr{'clic=
k to disable'} : $Lang::tr{'click to enable'};
+
+		print <<END
+	<tr>
+		<td>$name</td>
+		<td>$zonefiles{$name}{'url'}</td>
+		<td>$zonefiles{$name}{'remark'}</td>
+
+		<td align=3D"center" width=3D"5%">
+			<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
+				<input type=3D"hidden" name=3D"KEY" value=3D"$name">
+				<input type=3D"hidden" name=3D"ACTION" value=3D"ZF_TOGGLE">
+				<input type=3D"image" src=3D"/images/$zonefiles{$name}{'enabled'}.gif" t=
itle=3D"$toggle_tr" alt=3D"$toggle_tr">
+			</form>
+		</td>
+		<td align=3D"center" width=3D"5%">
+			<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
+				<input type=3D"hidden" name=3D"KEY" value=3D"$name">
+				<input type=3D"hidden" name=3D"ACTION" value=3D"ZF_EDIT">
+				<input type=3D"image" src=3D"/images/edit.gif" title=3D"$Lang::tr{'edit'=
}" alt=3D"$Lang::tr{'edit'}">
+			</form>
+		</td>
+		<td align=3D"center" width=3D"5%">
+			<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
+				<input type=3D"hidden" name=3D"KEY" value=3D"$name">
+				<input type=3D"hidden" name=3D"ACTION" value=3D"ZF_REMOVE">
+				<input type=3D"image" src=3D"/images/delete.gif" title=3D"$Lang::tr{'rem=
ove'}" alt=3D"$Lang::tr{'remove'}">
+			</form>
+		</td>
+	</tr>
+END
+;
+	}
+
+	# Disable reload button if not needed
+	my $reload_state =3D &_rpz_needs_reload() ? "" : " disabled";
+
+	print <<END
+</table>
+
+<div class=3D"right">
+	<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
+		<input type=3D"hidden" name=3D"KEY" value=3D"">
+		<button type=3D"submit" name=3D"ACTION" value=3D"ZF_EDIT">$Lang::tr{'add'}=
</button>
+		<button type=3D"submit" name=3D"ACTION" value=3D"RPZ_RELOAD" class=3D"comm=
it"$reload_state>$Lang::tr{'rpz apply'}</button>
+	</form>
+</div>
+END
+;
+
+	&Header::closebox();
+}
+
+# Show zonefiles entry editor
+sub _print_zonefile_editor {
+
+	# Key specified: Edit existing entry
+	if(($action_key) && (defined $zonefiles{$action_key})) {
+		# Load data to be edited, but don't override already present values (allow=
s user to edit after error)
+		$cgiparams{'ZF_NAME'} //=3D $action_key;
+		$cgiparams{'ZF_URL'} //=3D $zonefiles{$action_key}{'url'};
+		$cgiparams{'ZF_REMARK'} //=3D $zonefiles{$action_key}{'remark'};
+	}
+
+	# Fallback to empty form
+	$cgiparams{'ZF_NAME'} //=3D "";
+	$cgiparams{'ZF_URL'} //=3D "";
+	$cgiparams{'ZF_REMARK'} //=3D "";
+
+	&Header::openbox('100%', 'left', $Lang::tr{'rpz zf editor'});
+
+	print <<END
+<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
+<input type=3D"hidden" name=3D"KEY" value=3D"$action_key">
+<table width=3D"100%">
+	<tr>
+		<td width=3D"20%">$Lang::tr{'name'}:&nbsp;<img src=3D"/blob.gif" alt=3D"*"=
></td>
+		<td><input type=3D"text" name=3D"ZF_NAME" value=3D"$cgiparams{'ZF_NAME'}" =
size=3D"40" maxlength=3D"32" title=3D"$Lang::tr{'rpz zf remark info'}" patter=
n=3D"[a-zA-Z0-9_]{1,32}" required></td>
+	</tr>
+	<tr>
+		<td width=3D"20%">URL:&nbsp;<img src=3D"/blob.gif" alt=3D"*"></td>
+		<td><input type=3D"url" name=3D"ZF_URL" value=3D"$cgiparams{'ZF_URL'}" siz=
e=3D"40" maxlength=3D"128" required></td>
+	</tr>
+	<tr>
+		<td width=3D"20%">$Lang::tr{'remark'}:</td>
+		<td><input type=3D"text" name=3D"ZF_REMARK" value=3D"$cgiparams{'ZF_REMARK=
'}" size=3D"40" maxlength=3D"32"></td>
+	</tr>
+	<tr>
+		<td colspan=3D"2"><hr></td>
+	</tr>
+	<tr>
+		<td width=3D"55%"><img src=3D"/blob.gif" alt=3D"*">&nbsp;$Lang::tr{'requir=
ed field'}</td>
+		<td align=3D"right"><button type=3D"submit" name=3D"ACTION" value=3D"ZF_SA=
VE">$Lang::tr{'save'}</button></td>
+	</tr>
+</table>
+</form>
+
+<div class=3D"right">
+	<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
+		<button type=3D"submit" name=3D"ACTION" value=3D"NONE">$Lang::tr{'back'}</=
button>
+	</form>
+</div>
+END
+;
+
+	&Header::closebox();
+}
+
+# Show custom allow/block files and related gui elements
+sub _print_customlists {
+
+	# Load lists from config, unless they are currently being edited
+	if($action ne 'CL_SAVE') {
+		$cgiparams{'ALLOW_LIST'} =3D join("\n", @{$customlists{'allow'}{'list'}});
+		$cgiparams{'BLOCK_LIST'} =3D join("\n", @{$customlists{'block'}{'list'}});
+
+		$cgiparams{'ALLOW_ENABLED'} =3D ($customlists{'allow'}{'enabled'} eq 'on')=
 ? 'on' : undef;
+		$cgiparams{'BLOCK_ENABLED'} =3D ($customlists{'block'}{'enabled'} eq 'on')=
 ? 'on' : undef;
+	}
+
+	# Fallback to empty form
+	$cgiparams{'ALLOW_LIST'} //=3D "";
+	$cgiparams{'BLOCK_LIST'} //=3D "";
+
+	# HTML checkboxes, unchecked =3D no or undef value in POST data
+	my %checked =3D ();
+	$checked{'ALLOW_ENABLED'} =3D (defined $cgiparams{'ALLOW_ENABLED'}) ? " che=
cked" : "";
+	$checked{'BLOCK_ENABLED'} =3D (defined $cgiparams{'BLOCK_ENABLED'}) ? " che=
cked" : "";
+
+	# Disable reload button if not needed
+	my $reload_state =3D &_rpz_needs_reload() ? "" : " disabled";
+
+	&Header::openbox('100%', 'left', $Lang::tr{'rpz cl'});
+
+	print <<END
+<form method=3D"post" action=3D"$ENV{'SCRIPT_NAME'}">
+<table width=3D"100%">
+	<tr>
+		<td colspan=3D"2"><b>$Lang::tr{'rpz cl allow'}</b><br>$Lang::tr{'rpz cl al=
low info'}</td>
+		<td colspan=3D"2"><b>$Lang::tr{'rpz cl block'}</b><br>$Lang::tr{'rpz cl bl=
ock info'}</td>
+	</tr>
+	<tr>
+		<td colspan=3D"2"><textarea name=3D"ALLOW_LIST" class=3D"domainlist" cols=
=3D"45">
+$cgiparams{'ALLOW_LIST'}</textarea></td>
+		<td colspan=3D"2"><textarea name=3D"BLOCK_LIST" class=3D"domainlist" cols=
=3D"45">
+$cgiparams{'BLOCK_LIST'}</textarea></td>
+	</tr>
+	<tr>
+		<td><label for=3D"allow_enabled">$Lang::tr{'rpz cl allow enable'}</label><=
/td>
+		<td width=3D"15%"><input type=3D"checkbox" name=3D"ALLOW_ENABLED" id=3D"al=
low_enabled"$checked{'ALLOW_ENABLED'}></td>
+		<td><label for=3D"block_enabled">$Lang::tr{'rpz cl block enable'}</label><=
/td>
+		<td width=3D"15%"><input type=3D"checkbox" name=3D"BLOCK_ENABLED" id=3D"bl=
ock_enabled"$checked{'BLOCK_ENABLED'}></td>
+	</tr>
+	<tr>
+		<td colspan=3D"4"><hr></td>
+	</tr>
+	<tr>
+		<td align=3D"right" colspan=3D"4">
+			<button type=3D"submit" name=3D"ACTION" value=3D"CL_SAVE">$Lang::tr{'save=
'}</button>
+			<button type=3D"submit" name=3D"ACTION" value=3D"RPZ_RELOAD" class=3D"com=
mit"$reload_state>$Lang::tr{'rpz apply'}</button>
+		</td>
+</table>
+</form>
+END
+;
+
+	&Header::closebox();
+}
+
+# Output javascript and extra gui elements
+sub _print_gui_extras {
+
+	# Apply/Restart button modifier key handler
+	if(&_rpz_needs_reload()) {
+		print <<END
+<script>
+	// Commit modifier key handler
+	(function(jq, document) {
+		var keyEventsOn =3D false;	// Keyboard events attached
+		var keyModify =3D false;		// Modifier key pressed
+		var mouseHover =3D false;		// Mouse over commit button
+		var btnModified =3D false;	// Button modified to "Restart"
+
+		// Document-level key events, enable only while cursor is over button
+		function attachKeyEvents() {
+			if(keyEventsOn) {
+				return;
+			}
+			keyEventsOn =3D true;
+
+			jq(document).on("keydown.rpz", function(event) {
+				if((!keyModify) && event.shiftKey) {
+					keyModify =3D true;
+					handleModify();
+				}
+			});
+			jq(document).on("keyup.rpz", function(event) {
+				if(keyModify && (!event.shiftKey)) {
+					keyModify =3D false;
+					handleModify();
+				}
+			});
+		}
+		function removeKeyEvents() {
+			keyModify =3D false;
+			if(keyEventsOn) {
+				jq(document).off("keydown.rpz keyup.rpz");
+				keyEventsOn =3D false;
+			}
+		}
+
+		// Attach mouse hover events to commit buttons
+		function attachMouseEvents() {
+			jq("button.commit").on("mouseenter", function(event) {
+				if(!mouseHover) {
+					mouseHover =3D true;
+					attachKeyEvents();
+					// Handle already pressed key
+					keyModify =3D !!(event.shiftKey);
+					handleModify();
+				}
+			});
+
+			// Cursor moved away: Disable key listener to minimize events
+			jq("button.commit").on("mouseleave", function() {
+				if(mouseHover) {
+					mouseHover =3D false;
+					removeKeyEvents();
+					handleModify();
+				}
+			});
+		}
+
+		// Modify commit button
+		function handleModify() {
+			let modify =3D mouseHover && keyModify;
+			if(btnModified !=3D modify) {
+				if(modify) {
+					jq("button.commit").text("$Lang::tr{'restart'}").val("UNB_RESTART");
+				} else {
+					jq("button.commit").text("$Lang::tr{'rpz apply'}").val("RPZ_RELOAD");
+				}
+				btnModified =3D modify;
+			}
+		}
+
+		// jQuery DOM ready
+		jq(function() {
+			attachMouseEvents();
+		});
+	})(jQuery, document);
+</script>
+END
+;
+	} # End of modifier key handler
+
+}
+
+
+###--- Internal action processing functions ---###
+
+# Toggle zonefile on/off
+sub _action_zf_toggle {
+	return unless(defined $zonefiles{$action_key});
+
+	my $result =3D 0;
+	my $enabled =3D $zonefiles{$action_key}{'enabled'};
+
+	# Perform toggle action
+	if($enabled eq 'on') {
+		$enabled =3D 'off';
+		$result =3D &General::system('/usr/sbin/rpz-config', 'remove', $action_key=
, '--no-reload');
+	} else {
+		$enabled =3D 'on';
+		$result =3D &General::system('/usr/sbin/rpz-config', 'add', $action_key, $=
zonefiles{$action_key}{'url'}, '--no-reload');
+	}
+
+	# Check for errors, request service reload on success
+	return unless &_rpz_check_result($result, 1);
+
+	# Save changes
+	$zonefiles{$action_key}{'enabled'} =3D $enabled;
+	&_zonefiles_save_conf();
+
+	return 1;
+}
+
+# Remove zonefile
+sub _action_zf_remove {
+	return unless(defined $zonefiles{$action_key});
+
+	# Remove from rpz-config if currently active
+	if($zonefiles{$action_key}{'enabled'} eq 'on') {
+		my $result =3D &General::system('/usr/sbin/rpz-config', 'remove', $action_=
key, '--no-reload');
+
+		# Check for errors, request service reload on success
+		return unless &_rpz_check_result($result, 1);
+	}
+
+	# Remove from data hash and save changes
+	delete $zonefiles{$action_key};
+	&_zonefiles_save_conf();
+
+	# Clear action_key, as the entry is now removed entirely
+	$action_key =3D "";
+
+	return 1;
+}
+
+# Create or update zonefile entry
+# Returns undef if gui needs to stay in editor mode
+sub _action_zf_save {
+	my $result =3D 0;
+
+	my $name =3D $cgiparams{'ZF_NAME'} // "";
+	my $url =3D $cgiparams{'ZF_URL'} // "";
+	my $remark =3D $cgiparams{'ZF_REMARK'} // "";
+	my $enabled =3D 'on'; # Enable new entries by default
+
+	# Note on variables:
+	# name =3D unique key, will be used to address the entry
+	# action_key =3D name of the entry being edited, empty for new entry
+
+	# Only check for unique name if it changed
+	# (this also checks new entries because the action_key is empty in this cas=
e)
+	$result =3D &_rpz_validate_zonefile($name, $url, $remark, (lc($name) ne lc(=
$action_key)));
+	return unless &_rpz_check_result($result, 0);
+
+	# Edit existing entry: Determine what was changed
+	if(($action_key) && (defined $zonefiles{$action_key})) {
+		# Name und URL remain unchanged, only save remark and finish
+		if(($name eq $action_key) && ($url eq $zonefiles{$action_key}{'url'})) {
+			$zonefiles{$action_key}{'remark'} =3D $remark;
+			&_zonefiles_save_conf();
+
+			return 1;
+		}
+
+		# Entry was changed and needs to be recreated, preserve status
+		$enabled =3D $zonefiles{$action_key}{'enabled'};
+
+		# Remove from rpz-config
+		return unless &_action_zf_remove();
+	}
+
+	# Add new entry to rpz-config
+	if($enabled eq 'on') {
+		$result =3D &General::system('/usr/sbin/rpz-config', 'add', $name, $url, '=
--no-reload');
+
+		# Check for errors, request service reload on success
+		return unless &_rpz_check_result($result, 1);
+	}
+
+	# Add to global data hash and save changes
+	my %entry =3D ('enabled' =3D> $enabled,
+		'url' =3D> $url,
+		'remark' =3D> $remark);
+
+	$zonefiles{$name} =3D \%entry;
+	&_zonefiles_save_conf();
+
+	return 1;
+}
+
+# Save custom lists
+sub _action_cl_save {
+	return unless((defined $cgiparams{'ALLOW_LIST'}) && (defined $cgiparams{'BL=
OCK_LIST'}));
+
+	my $result =3D 0;
+
+	my @allowlist =3D split(/\R/, $cgiparams{'ALLOW_LIST'});
+	my @blocklist =3D split(/\R/, $cgiparams{'BLOCK_LIST'});
+
+	# Validate lists
+	$result =3D &_rpz_validate_customlist(\@allowlist);
+	if($result !=3D 0) {
+		$errormessage =3D &_rpz_error_tr(202, $result);
+		return;
+	}
+	$result =3D &_rpz_validate_customlist(\@blocklist);
+	if($result !=3D 0) {
+		$errormessage =3D &_rpz_error_tr(203, $result);
+		return;
+	}
+
+	# Add to global data hash and save changes
+	$customlists{'allow'}{'list'} =3D \@allowlist;
+	$customlists{'block'}{'list'} =3D \@blocklist;
+	$customlists{'allow'}{'enabled'} =3D (defined $cgiparams{'ALLOW_ENABLED'}) =
? 'on' : 'off';
+	$customlists{'block'}{'enabled'} =3D (defined $cgiparams{'BLOCK_ENABLED'}) =
? 'on' : 'off';
+
+	&_customlists_save_conf();
+	&_customlist_export('allow', $RPZ_ALLOWLIST);
+	&_customlist_export('block', $RPZ_BLOCKLIST);
+
+	# Make new lists, request service reload on success
+	$result =3D &General::system('/usr/sbin/rpz-make', 'allowblock', '--no-relo=
ad');
+	return unless &_rpz_check_result($result, 1);
+
+	return 1;
+}
+
+# Trigger rpz-config reload
+sub _action_rpz_reload {
+	return 1 unless &_rpz_needs_reload();
+
+	# Immediately clear flag to prevent multiple reloads
+	if(-f $RPZ_RELOAD_FLAG) {
+		unlink($RPZ_RELOAD_FLAG) or die "Can't remove $RPZ_RELOAD_FLAG: $!";
+	}
+
+	# Perform reload, recreate reload flag on error to enable retry
+	my $result =3D &General::system('/usr/sbin/rpz-config', 'reload');
+	if(not &_rpz_check_result($result, 0)) {
+		&General::system('touch', "$RPZ_RELOAD_FLAG");
+		return;
+	}
+
+	return 1;
+}
+
+# Trigger unbound restart
+sub _action_unb_restart {
+	return 1 unless &_rpz_needs_reload();
+
+	# Immediately clear flag to prevent multiple restarts
+	if(-f $RPZ_RELOAD_FLAG) {
+		unlink($RPZ_RELOAD_FLAG) or die "Can't remove $RPZ_RELOAD_FLAG: $!";
+	}
+
+	# Perform restart, unboundctrl always exits zero
+	&General::system('/usr/local/bin/unboundctrl', 'restart');
+
+	return 1;
+}
+
+
+###--- Internal rpz-config functions ---###
+
+# Translate rpz-config exitcodes and messages
+# 100-199: rpz-config, 200-299: webgui
+sub _rpz_error_tr {
+	my ($error, $append) =3D @_;
+	$append //=3D '';
+
+	# Translate numeric exit codes
+	if(looks_like_number($error)) {
+		if(defined $Lang::tr{"rpz exitcode $error"}) {
+			$error =3D $Lang::tr{"rpz exitcode $error"};
+		}
+	}
+
+	return "RPZ $Lang::tr{'error'}: $error" . &Header::escape($append);
+}
+
+# Check result of rpz-config system call, request reload on success
+sub _rpz_check_result {
+	my ($result, $request_reload) =3D @_;
+	$request_reload //=3D 0;
+
+	# exitcode 0 =3D success
+	if($result !=3D 0) {
+		$errormessage =3D &_rpz_error_tr($result);
+		return;
+	}
+
+	# Set reload flag
+	if($request_reload) {
+		&General::system('touch', "$RPZ_RELOAD_FLAG");
+	}
+
+	return 1;
+}
+
+# Test whether reload flag is set
+sub _rpz_needs_reload {
+	return (-f $RPZ_RELOAD_FLAG);
+}
+
+# Validate a zonefile entry, returns rpz-config exitcode on failure. Use _rp=
z_check_result to verify.
+# unique =3D check for unique name
+sub _rpz_validate_zonefile {
+	my ($name, $url, $remark, $unique) =3D @_;
+	$unique //=3D 1;
+
+	unless($name =3D~ /^[a-zA-Z0-9_]{1,32}$/) {
+		return 101;
+	}
+	unless($url =3D~ /^[\w+\.:;\/\\&@#%?=3D\-~|!]{1,128}$/) {
+		return 105;
+	}
+	unless($remark =3D~ /^[\w \-()\.:;*\/\\?!&=3D]{0,32}$/) {
+		return 201;
+	}
+
+	# Check against already existing names
+	if($unique) {
+		foreach my $existing (keys %zonefiles) {
+			if(lc($name) eq lc($existing)) {
+				return 104;
+			}
+		}
+	}
+
+	return 0;
+}
+
+# Validate a custom list, returns number of rejected line on failure. Check =
for non-zero results.
+# listref =3D array reference, cleanup =3D remove invalid entries instead of=
 returning an error
+sub _rpz_validate_customlist {
+	my ($listref, $cleanup) =3D @_;
+	$cleanup //=3D 0;
+
+	foreach my $index (reverse 0..$#{$listref}) {
+		my $row =3D @$listref[$index];
+		next unless($row); # Skip/allow empty lines
+
+		# Reject/remove everything besides wildcard domains and remarks
+		if((not &General::validwildcarddomainname($row)) && (not $row =3D~ /^;[\w =
\-()\.:;*\/\\?!&=3D]*$/)) {
+			unless($cleanup) {
+				# +1 for user friendly line number and to ensure non-zero exitcode
+				return $index + 1;
+			}
+
+			# Remove current row
+			splice(@$listref, $index, 1);
+		}
+	}
+
+	return 0;
+}
+
+
+###--- Internal misc functions ---###
+
+# Send HTTP 303 redirect headers for post/request/get pattern
+# (Must be sent before calling &Header::showhttpheaders())
+sub _http_prg_redirect {
+	my $location =3D "https://$ENV{'SERVER_NAME'}:$ENV{'SERVER_PORT'}$ENV{'SCRI=
PT_NAME'}";
+	print "Status: 303 See Other\n";
+	print "Location: $location\n";
+}
diff --git a/lfs/rpz b/lfs/rpz
new file mode 100644
index 000000000..7ddbc38e5
--- /dev/null
+++ b/lfs/rpz
@@ -0,0 +1,96 @@
+############################################################################=
###
+#                                                                           =
  #
+# IPFire.org - A linux based firewall                                       =
  #
+# Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                      =
    #
+#                                                                           =
  #
+# This program is free software: you can redistribute it and/or modify      =
  #
+# it under the terms of the GNU General Public License as published by      =
  #
+# the Free Software Foundation, either version 3 of the License, or         =
  #
+# (at your option) any later version.                                       =
  #
+#                                                                           =
  #
+# This program is distributed in the hope that it will be useful,           =
  #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of            =
  #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             =
  #
+# GNU General Public License for more details.                              =
  #
+#                                                                           =
  #
+# You should have received a copy of the GNU General Public License         =
  #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.     =
  #
+#                                                                           =
  #
+############################################################################=
###
+
+############################################################################=
###
+#  Definitions
+############################################################################=
###
+
+include Config
+
+SUMMARY    =3D response policy zone - RPZ reputation system for unbound DNS
+
+VER        =3D 1.0.0
+
+THISAPP    =3D rpz-$(VER)
+DIR_APP    =3D $(DIR_SRC)/$(THISAPP)
+TARGET     =3D $(DIR_INFO)/$(THISAPP)
+
+PROG       =3D rpz
+PAK_VER    =3D 18
+
+DEPS       =3D
+
+SERVICES   =3D
+
+############################################################################=
###
+# Top-level Rules
+############################################################################=
###
+
+install : $(TARGET)
+
+check :
+
+download :
+
+b2 :
+
+dist:
+	@$(PAK)
+
+############################################################################=
###
+# Installation Details
+############################################################################=
###
+
+$(TARGET) :
+	@$(PREBUILD)
+	@rm -rf $(DIR_APP)
+
+	#  RPZ scripts
+	install --verbose --mode=3D755 \
+	  $(DIR_CONF)/rpz/{rpz-config,rpz-metrics,rpz-sleep,rpz-make,rpz-functions}=
 \
+	  --target-directory=3D/usr/sbin
+
+	#  RPZ config files
+	mkdir -pv /etc/unbound/local.d
+	install --verbose --mode=3D644 --owner=3Dnobody --group=3Dnobody \
+	  $(DIR_CONF)/rpz/00-rpz.conf \
+	  --target-directory=3D/etc/unbound/local.d
+	chown --verbose --recursive nobody:nobody /etc/unbound/local.d
+
+	#  RPZ custom list files for allow and block
+	mkdir -pv /var/ipfire/dns/rpz
+	touch /var/ipfire/dns/rpz/{allowlist,blocklist}
+	chown --verbose --recursive nobody:nobody /var/ipfire/dns/rpz
+
+	#  RPZ zone files
+	#   create empty RPZ config file to avoid a unbound config error
+	mkdir -pv /etc/unbound/zonefiles
+	touch /etc/unbound/zonefiles/allow.rpz
+	chown --verbose --recursive nobody:nobody /etc/unbound/zonefiles
+
+	# Install addon-specific language-files
+	install --verbose --mode=3D004 $(DIR_CONF)/rpz/rpz.*.pl \
+	  --target-directory=3D/var/ipfire/addon-lang
+
+	# Install backup definition
+	cp -vf $(DIR_CONF)/backup/includes/rpz /var/ipfire/backup/addons/includes/r=
pz
+
+	@rm -rf $(DIR_APP)
+	@$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 827ea9e77..a77535b13 100755
--- a/make.sh
+++ b/make.sh
@@ -390,7 +390,7 @@ prepareenv() {
 		if [ "${free_space}" -lt "${required_space}" ]; then
 			# Add any consumed space
 			while read -r consumed_space path; do
-				(( free_space +=3D consumed_space / 1024 / 1024 ))=20
+				(( free_space +=3D consumed_space / 1024 / 1024 ))
 			done <<< "$(du --summarize --bytes "${BUILD_DIR}" "${IMAGES_DIR}" "${LOG_=
DIR}" 2>/dev/null)"
 		fi
=20
@@ -2087,6 +2087,7 @@ build_system() {
 	lfsmake2 btrfs-progs
 	lfsmake2 inotify-tools
 	lfsmake2 grub-btrfs
+	lfsmake2 rpz
=20
 	lfsmake2 linux
 	lfsmake2 rtl8812au
diff --git a/src/paks/rpz/install.sh b/src/paks/rpz/install.sh
new file mode 100644
index 000000000..ef99bf742
--- /dev/null
+++ b/src/paks/rpz/install.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+############################################################################=
###
+#                                                                           =
  #
+#  IPFire.org - A linux based firewall                                      =
  #
+#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                     =
    #
+#                                                                           =
  #
+#  This program is free software: you can redistribute it and/or modify     =
  #
+#  it under the terms of the GNU General Public License as published by     =
  #
+#  the Free Software Foundation, either version 3 of the License, or        =
  #
+#  (at your option) any later version.                                      =
  #
+#                                                                           =
  #
+#  This program is distributed in the hope that it will be useful,          =
  #
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of           =
  #
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            =
  #
+#  GNU General Public License for more details.                             =
  #
+#                                                                           =
  #
+#  You should have received a copy of the GNU General Public License        =
  #
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.    =
  #
+#                                                                           =
  #
+############################################################################=
###
+#
+. /opt/pakfire/lib/functions.sh
+extract_files
+restore_backup ${NAME}
+
+#	fix user created files
+chown --verbose --recursive nobody:nobody \
+	/var/ipfire/dns/rpz    \
+	/etc/unbound/zonefiles \
+	/etc/unbound/local.d
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+#  restart unbound to load config file
+/etc/init.d/unbound restart
diff --git a/src/paks/rpz/uninstall.sh b/src/paks/rpz/uninstall.sh
new file mode 100644
index 000000000..e11427df3
--- /dev/null
+++ b/src/paks/rpz/uninstall.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+############################################################################=
###
+#                                                                           =
  #
+#  IPFire.org - A linux based firewall                                      =
  #
+#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                     =
    #
+#                                                                           =
  #
+#  This program is free software: you can redistribute it and/or modify     =
  #
+#  it under the terms of the GNU General Public License as published by     =
  #
+#  the Free Software Foundation, either version 3 of the License, or        =
  #
+#  (at your option) any later version.                                      =
  #
+#                                                                           =
  #
+#  This program is distributed in the hope that it will be useful,          =
  #
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of           =
  #
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            =
  #
+#  GNU General Public License for more details.                             =
  #
+#                                                                           =
  #
+#  You should have received a copy of the GNU General Public License        =
  #
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.    =
  #
+#                                                                           =
  #
+############################################################################=
###
+#
+. /opt/pakfire/lib/functions.sh
+
+#  stop unbound to delete RPZ conf file
+/etc/init.d/unbound stop
+
+make_backup ${NAME}
+remove_files
+
+#  delete rpz config files.  Otherwise unbound will throw error:
+#    "[1723428668] unbound-control[17117:0] error: connect: Connection refus=
ed for 127.0.0.1 port 8953"
+/bin/rm --verbose --force /etc/unbound/local.d/*.rpz.conf
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+#  start unbound to load unbound config file
+/etc/init.d/unbound start
diff --git a/src/paks/rpz/update.sh b/src/paks/rpz/update.sh
new file mode 100644
index 000000000..9bc340bc6
--- /dev/null
+++ b/src/paks/rpz/update.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+############################################################################=
###
+#                                                                           =
  #
+#  IPFire.org - A linux based firewall                                      =
  #
+#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                     =
    #
+#                                                                           =
  #
+#  This program is free software: you can redistribute it and/or modify     =
  #
+#  it under the terms of the GNU General Public License as published by     =
  #
+#  the Free Software Foundation, either version 3 of the License, or        =
  #
+#  (at your option) any later version.                                      =
  #
+#                                                                           =
  #
+#  This program is distributed in the hope that it will be useful,          =
  #
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of           =
  #
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            =
  #
+#  GNU General Public License for more details.                             =
  #
+#                                                                           =
  #
+#  You should have received a copy of the GNU General Public License        =
  #
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.    =
  #
+#                                                                           =
  #
+############################################################################=
###
+#
+. /opt/pakfire/lib/functions.sh
+
+#  from update.sh
+extract_backup_includes
+
+#  stop unbound to delete RPZ conf file
+/etc/init.d/unbound stop
+
+#  from uninstall.sh
+make_backup ${NAME}
+remove_files
+
+#  delete rpz config files.  Otherwise unbound will throw error:
+#    "unbound-control[nn:0] error: connect: Connection refused for 127.0.0.1=
 port 8953"
+/bin/rm --verbose --force /etc/unbound/local.d/*.rpz.conf
+
+#  from install.sh
+extract_files
+restore_backup ${NAME}
+
+#	fix user created files
+chown --verbose --recursive nobody:nobody \
+	/var/ipfire/dns/rpz    \
+	/etc/unbound/zonefiles \
+	/etc/unbound/local.d
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+#  restart unbound to load config files
+/etc/init.d/unbound start
--=20
2.39.5


--===============0030393767620402246==--