From: jon
To: development@lists.ipfire.org
Subject: Re: [PATCH] RPZ: bug fix and code update
Date: Fri, 23 Aug 2024 13:31:57 -0500
Message-ID: <4570CC13-037C-40C4-85AC-FCDC7055B706@ipfire.org>
In-Reply-To: <88CABBB3-B76A-4AF7-9D65-0C7BB3545DEA@ipfire.org>

Good day!

>> Do I have your blessing to keep moving forward?
>
> What do you want to move forward with?

To implement the first phase: An RPZ add-on that is currently shell based. The release will be similar to the Patch way below but with the fixes you suggested. Plus a few bug fixes! I’ll make the current changes and send a new Patch.

The main goal of this Phase is to measure user interest in RPZ. The metrics will be feedback within the Community.

> What are the next steps?
>

If there is interest from the user Community, then:
• Phase 2: Input WebGUI (image shown in previous post)
• Phase 3: RPZ logs / metrics via WebGUI

> Looking at that list, I am not sure what I would want to turn on in my home/if I was a school/a generic office company.

I could not decide what to use by reading the RPZ descriptions or looking at the LONG rpz lists. That was the reason for creating the `rpz-metrics` script. The output of the script helps me decide what to keep and what to disable.

Right now my home (small office also) List will be:
• Multi PRO or Multi PRO++
• Amazon Native Tracker
• Apple Native Tracker
• Windows Native Tracker
• Encrypted DNS Servers (DoH server block)
• Most Abused TLDs
• plus one custom allow list and one custom block list

This will bring down my daily RPZ downloads to ~25 MB per day. Much lower than the experimental 230 MB per day!

The above are all Hagezi lists.
Jon

> On Aug 23, 2024, at 4:18 AM, Michael Tremer wrote:
>
> Morning,
>
>> On 22 Aug 2024, at 16:37, jon wrote:
>>
>> Hi Michael,
>>
>>
>>> On Aug 21, 2024, at 5:03 AM, Michael Tremer wrote:
>>>
>>> Hello Jon,
>>>
>>>> On 15 Aug 2024, at 23:22, jon wrote:
>>>>
>>>> Comments below…
>>>>
>>>>
>>>>> On Aug 15, 2024, at 1:33 PM, Michael Tremer wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>>> On 15 Aug 2024, at 17:57, jon wrote:
>>>>>>
>>>>>>
>>>>>> Comments below.
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>>
>>>>>>> On Aug 15, 2024, at 10:33 AM, Michael Tremer wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>>> On 14 Aug 2024, at 18:14, jon wrote:
>>>>>>>>
>>>>>>>> Michael,
>>>>>>>>
>>>>>>>> Sorry for putting you on the spot, but what do you want to do with this RPZ add-on?
>>>>>>>
>>>>>>> I am not sure this is a question for only me.
>>>>>>>
>>>>>>> I personally just don’t have any capacity to take on another rather large project as I have a huge backlog of so many things and I feel like a lonely fighter getting these all over the line. For my own sanity I need to have a couple of those closed before thinking about the next ones.
>>>>>>>
>>>>>>> A couple of months ago we talked on the monthly call about RPZ and the decision that was made by the people was to not look at this now, just because there were other more pressing things. We could also not find answers to the questions that led us into RPZ:
>>>>>>>
>>>>>>> * Are there any good lists out there that would allow us to replace the URL Filter? That thing is basically on its last leg because of the lack of lists. We need to be able to block ads and pr0n and that very reliably.
>>>>>>
>>>>>> I believe this exists with the Hagezi lists at https://github.com/hagezi/dns-blocklists and/or the addition of a chosen "oisd NSFW" list at https://oisd.nl/setup
>>>>>>
>>>>>> I understand there is no time to review to see if this meets the needs. So we can leave this as "I believe these exist" for now.
>>>>>
>>>>> So, I am not sure what to think of all these things on GitHub. It seems that there are many repositories that pop up and presumably disappear in the same kind of way. We see this with the IP blocklists.
>>>>>
>>>>> We want quality blocklists. I know that we don’t have too much on the URL Filter front, but I would prefer to avoid putting so much work in if we in the end stand where we started.
>>>>
>>>> This makes perfect sense. Based on the comments I’ve seen it seems like Hagezi is growing in popularity and in offerings.
>>>>
>>>> Gerd (the owner) is very responsive, involved and I keep running into his posts when searching for RPZ "things". Gerd quickly made changes per my request: see https://github.com/hagezi/dns-blocklists/issues/2301. Now there are two TLD RPZ lists.
>>>>
>>>> Like everything else I cannot predict how long it might last.
>>>
>>> If you have such a good connection, could you do me the favour and ask why they prefer distributing those lists using HTTPS and not DNS?
>>
>> I’d be happy to ask Gerd, but I do not understand what you want me to ask.
>
> It sounded like you have a personal connection. That is all.
>
>> I guessed it is related to this:
>> https://www.ipfire.org/blog/ipfire-location-a-decentralised-signed-database-in-dns
>> https://www.ipfire.org/location/how-to-use/dns
>>
>> I understand the APIs you had added, but I do not understand how this relates to the DNS blocked lists.
>
> Yes, this is slightly related to this.
> I am just running a network of authoritative DNS servers scattered a little bit across the world. It is an essential part of the IPFire infrastructure but also hosts a couple of other things. And since it is there, it is a nice thing to bolt on more things.
>
>> What might the query do? Look up a requested domain?
>
> The relationship to RPZs is that we could use that service to host them. It is a DNS-based technology after all.
>
>>> Is it simply that GitHub is free and does not offer DNS? :)
>>
>> I did not find GitHub DNS server(s) listed anywhere. Just lots of references on setting up DNS on other servers...
>
> No, GitHub does not offer any DNS services.
>
>> Let me know what you want asked, specifically, and I will pass it on to Gerd!
>
> The question is only whether it was a conscious decision to distribute the lists over HTTP instead of using DNS. Maybe it was just chosen because that is what was available to them.
>
>>>
>>>>>
>>>>>>>
>>>>>>> * We need to look into privacy when RPZs are being realised over DNS - I don’t even understand why we are suddenly starting to pull text files over HTTP again. The IPS seems to have most of these lists already.
>>>>>>
>>>>>> All of the lists that I am pulling are HTTPS. And HTTPS only is currently checked (validated) in the existing `rpz-config` code.
>>>>>
>>>>> What a lost case. DNS is a globally distributed, cacheable protocol. We could simply put all those blacklists into the DNS caches all around the world. They would respond fast, be local to so many people, but instead we download massive text files. That means that whenever something changes the entire file needs to be transferred again. They are huge. We would want many fast updates which are not possible that way… but I digress.
>>>>
>>>> I came across one DNS service that offers the Hagezi lists as part of their available DNS services.
>>>> If interested I can find and post the details.
>>>
>>> I run a global DNS system where we could easily add this all to. This would scale like hell. It would be a fun project.
>>>
>>> Just for fun, I have imported "jpgpi250.github.io” which you can pull from either dfw.lwldns.net or haj.lwldns.net. This would be so much better since DNS zone transfer checks the serial of the zone and does not retransfer it if it has not changed (and I suppose none of these lists change that frequently).
>>>
>>
>> Peter’s jpgpi250 DoH rpz list updates once per day near 04:00 CEST (02:00 UTC). A handful of adds or deletes every night.
>>
>> Gerd’s block DoH rpz list updates twice per day as needed. Sometimes once per day, sometimes twice per day.
>
> Yeah, that is not a lot, so DNS would qualify to distribute the lists.
>
>>> Sadly our DNS system does not support this,
>>
>> I do not know what "global DNS system" is supported. Is it not unbound based?
>
> No those servers are running PowerDNS behind a load-balancer. Unbound is just a recursor and not an authoritative DNS server.
>
>> There are many different formats to feed to DNS system:
>> https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#outbox_tray-encrypted-dns-servers-only-
>>
>> Maybe one of these might help?
>>
>>
>>> but there is also IXFR for incremental zone updates where you would only load the changes.
>>
>>
>>>
>>>>
>>>>
>>>>>
>>>>> How much traffic did you observe?
>>>>
>>>>
>>>> I have 11 RPZ lists (honestly too many but I am experimenting) and they eat up about 230M bytes per day.
>>>
>>> Oh wow that is huuuuuge. I assume that is repeat downloads? How large are the zone files just downloaded once?
>>
>> Here is the size of each file (grabbed via `ls -lS /etc/unbound/zonefiles` and snipped):
>>
>> 10,655,321 MxProPlusHZ.rpz
>>     90,909 dohJPG.rpz
>>     76,591 HosterHZ.rpz
>>     72,628 DOHblockHZ.rpz
>>     37,411 urlhaus.rpz
>>     27,863 WinTrkrHZ.rpz
>>     12,333 NotSafeSearchHZ.rpz
>>      7,573 AppleTrkrHZ1.rpz
>>      7,308 tldAggHZ.rpz
>>      2,631 tldHZ.rpz
>>        966 allow.rpz
>>        238 block.rpz
>>
>>
>>>
>>>>> How is Unbound refreshing these?
>>>>
>>>>
>>>> Unbound RPZ takes care of the updates automagically. There is no cron entry.
>>>>
>>>> Each RPZ list includes an SOA line similar to this:
>>>> `@ SOA localhost. root.localhost. 1723093380 43200 3600 259200 300`
>>>>
>>>> The 43200 is the refresh period in seconds. So this RPZ list auto updates every 12 hours.
>>>>
>>>>
>>>>> Is there a local cache?
>>>>
>>>> Yes, it is part of unbound. (Nothing we need to setup)
>>>
>>> Would it use the cache for zones transferred over DNS, too?
>>
>> I do not know.
>>
>>>
>>>>
>>>>
>>>>>
>>>>>>> Regarding your code, there are some issues with the coding style, but I heavily appreciate the pioneering to bring this feature to life.
>>>>>>
>>>>>> My style is camelCase, but if you prefer snake_case that is an easy change (please speak up).
>>>>>>
>>>>>> As far as other style changes, that can wait until time is available by the core developers.
>>>>>
>>>>> It is mainly that you make things very complicated for yourself. Call “cat”, not “/bin/cat”. There is no guarantee that things will stay where they are now and the shell has lots of builtins that execute a lot faster.
>>>>
>>>> I will remove the executable paths. What builtin did you see that I missed? Anything else?
>>>
>>> A builtin is just a command that really isn’t one. So there is a /bin/echo somewhere, but when you just write “echo” in the shell, it will simply output the string itself.
>>> That is a lot faster than forking a new process. That is all.
>>
>>
>> Got it! All changed to:
>>
>> echo "multi line string" > "${rpzConfig}"
>>
>>
>>>
>>>>>
>>>>> And this is all designed to work on the shell. We need something for the web UI.
>>>>
>>>> For commands within the WebGUI there are `safe_system` commands on the `.cgi` page.
>>>>
>>>> But I am guessing you are referring to something else.
>>>
>>> That was mainly for the metrics… We would want those to be shown on the web UI and the tool that you currently have outputs it on the shell. That is what that meant.
>>
>> For short term the metrics will be via shell only.
>>
>> Long term, agree, metrics via the WebGUI!
>>
>>
>>>
>>>>>
>>>>>>> What it would need to be finally merged would be a web UI though. So I think we have a long way ahead of us.
>>>>>>
>>>>>> The attachment is an early mock-up I made a few months ago (made with Pixelmator Pro). The WebGUI is being worked on now.
>>>>>>
>>>>>>
>>>>>
>>>>> I think we might look for something that is very similar to the IPS ruleset editor or the IP blocklists.
>>>>>
>>>>> I am not even sure if we would require users to manage this or whether we would curate a list like with the IPS and IP blocklists.
>>>>
>>>> The first "DRAFT" of this was for the user/admin to manage the list. For the RPZ add-on, I’d prefer to keep it this way until we figure out if RPZ is popular and used by the user/admins.
>>>>
>>>> And yes, it could be changed to a set list like IPS. FYI - there are 34 different Hagezi lists. So it will take some experiments to pick "the" list.
>>>
>>> Well it doesn’t have to be just one. People might want to block different things…
>>
>> Agree!
>>
>>>
>>> It just seems that they come as a package “Light”, “Normal”, “Pro”, “Pro++” and it is either that or nothing.
>>
>> More than nothing - Here are the individual (non-package) lists for Hagezi:
>>
>> • Fake - Protects against internet scams, traps & fakes!
>> • Pop-Up Ads - Protects against annoying and malicious pop-up ads!
>> • Threat Intelligence Feeds - Increases security significantly! (Recommended) : Full - Medium - Mini - IPs
>> • Newly Registered Domains - Favoured by threat actors to launch malicious campaigns! : 14 days - 30 days
>> • DoH/VPN/TOR/Proxy Bypass - Prevent methods to bypass your DNS! : Full - DoH only - DoH IPs
>> • Safesearch not supported - Prevent the use of search engines that do not support Safesearch!
>> • Dynamic DNS - Protects against the malicious use of dynamic DNS services!
>> • Badware Hoster - Protects against the malicious use of free host services!
>> • Most Abused TLDs - Protects against known malicious Top Level Domains!
>> • Anti Piracy - Protects against piracy!
>> • Gambling - Protects against gambling content! : Full - Medium - Mini
>> • NSFW (external) - oisd NSFW - Protects against adult content!
>> • Native Tracker - Broadband tracker of devices, services and operating systems
>>
>> And there are others out there also.
>
> Others might exist, but as it seems they all mix and match their lists together. So there will be a lot of overlap which becomes a waste of memory and data transfer.
>
> Looking at that list, I am not sure what I would want to turn on in my home/if I was a school/a generic office company.
>
>> Do I have your blessing to keep moving forward?
>
> What do you want to move forward with? What are the next steps?
>
> -Michael
>
>> Jon
>>
>>
>> PS - Here is the current WebGUI for RPZ.
>>
>>
>>
>> And the EDIT pencil.
>>
>>
>>
>>> -Michael
>>>
>>>> Also, here is current DRAFT (first draft) of user/admin managed WebGUI. See attachment.
>>>>
>>>>
>>>>
>>>> Jon
>>>>
>>>>
>>>>>
>>>>>> Does this help?
>>>>>> Jon
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>>> I saw your comments in the Dev Mailing List of "generally being in favor of trying this path" (bad paraphrasing on my part)
>>>>>>>>
>>>>>>>> I saw your comments in bugzilla at https://bugzilla.ipfire.org/show_bug.cgi?id=13254#c171
>>>>>>>>> I am not interested in anything regarding the RPZs right now. They have not been properly put on the agenda and looking at how much time we have on our hands, this won't make it on the agenda for years.
>>>>>>>>>
>>>>>>>>> I don't want to build blockers, but this ticket is about a different problem which I want to solve first.
>>>>>>>>
>>>>>>>>
>>>>>>>> How do you want to go forward?
>>>>>>>>
>>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Aug 12, 2024, at 2:11 PM, jon wrote:
>>>>>>>>>
>>>>>>>>> More questions!
>>>>>>>>>
>>>>>>>>> Currently RPZ config files are at `/etc/unbound/local.d` but this directory seems like it is for user (admin) customizations.
>>>>>>>>>
>>>>>>>>> ```
>>>>>>>>> [root@ipfire ~] # ls -al /etc/unbound/local.d
>>>>>>>>> total 68
>>>>>>>>> drwxr-xr-x 2 nobody nobody 4096 Aug 12 13:41 .
>>>>>>>>> drwxr-xr-x 4 root   root   4096 Aug 12 00:52 ..
>>>>>>>>> -rw-r--r-- 1 nobody nobody  436 Jul 12 15:45 00-rpz.conf
>>>>>>>>> -rw-r--r-- 1 nobody nobody  285 Mar  1 22:12 AmazonTrkrHZ.rpz.conf
>>>>>>>>> -rw-r--r-- 1 nobody nobody  281 Mar  1 22:02 AppleTrkrHZ.rpz.conf
>>>>>>>>> -rw-r--r-- 1 nobody nobody  269 Mar  1 21:40 DOHblockHZ.rpz.conf
>>>>>>>>> ...
>>>>>>>>> -rw-r--r-- 1 nobody nobody  299 Aug  1 19:42 WinTrkrHZ.rpz.conf
>>>>>>>>> [root@ipfire ~] #
>>>>>>>>> ```
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Each file is a config file per category (or one per RPZ file). This makes it easy to add or remove a category (or RPZ file).
>>>>>>>>>
>>>>>>>>> Should I create a new unbound directory for RPZ config files? Maybe `/etc/unbound/rpz.d`? Or `/etc/unbound/rpz`?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jon
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On Aug 1, 2024, at 1:45 PM, Jon Murphy wrote:
>>>>>>>>>>
>>>>>>>>>> changed all paths from `/var/ipfire/rpz/` to `/var/ipfire/dns/rpz/`
>>>>>>>>>> (thank you to Adolf!)
>>>>>>>>>>
>>>>>>>>>> rpz-config:
>>>>>>>>>> - bug: corrected "Type" test from block to allow
>>>>>>>>>> - removed verbose parameter from various commands
>>>>>>>>>>
>>>>>>>>>> rpz-metrics:
>>>>>>>>>> - bug: corrected grep for rpz name count
>>>>>>>>>> - bug: fixed divide by zero error (thank you Peppe!)
>>>>>>>>>>
>>>>>>>>>> install/uninstall:
>>>>>>>>>> - bug: corrected scripts (thank you Bernhard!)
>>>>>>>>>>
>>>>>>>>>> Signed-off-by: Jon Murphy
>>>>>>>>>> ---
>>>>>>>>>> config/backup/includes/rpz    |  4 ++--
>>>>>>>>>> config/rootfiles/packages/rpz |  6 +++---
>>>>>>>>>> config/rpz/rpz-config         | 14 +++++++-------
>>>>>>>>>> config/rpz/rpz-metrics        |  9 +++++----
>>>>>>>>>> lfs/rpz                       |  6 +++---
>>>>>>>>>> src/paks/rpz/install.sh       | 27 +++++++++++++++++++++++++++
>>>>>>>>>> src/paks/rpz/uninstall.sh     | 31 +++++++++++++++++++++++++++++++
>>>>>>>>>> src/paks/rpz/update.sh        | 25 +++++++++++++++++++++++++
>>>>>>>>>> 8 files changed, 103 insertions(+), 19 deletions(-)
>>>>>>>>>> create mode 100644 src/paks/rpz/install.sh
>>>>>>>>>> create mode 100644 src/paks/rpz/uninstall.sh
>>>>>>>>>> create mode 100644 src/paks/rpz/update.sh
>>>>>>>>>>
>>>>>>>>>> diff --git a/config/backup/includes/rpz b/config/backup/includes/rpz
>>>>>>>>>> index 4d59bb40c..8c7410ebd 100644
>>>>>>>>>> --- a/config/backup/includes/rpz >>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>> @@ -1,5 +1,5 @@ >>>>>>>>>> -/var/ipfire/rpz/allowlist >>>>>>>>>> -/var/ipfire/rpz/blocklist >>>>>>>>>> +/var/ipfire/dns/rpz/allowlist >>>>>>>>>> +/var/ipfire/dns/rpz/blocklist >>>>>>>>>> /etc/unbound/zonefiles/allow.rpz >>>>>>>>>> /etc/unbound/zonefiles/block.rpz >>>>>>>>>> /etc/unbound/local.d/*rpz.conf >>>>>>>>>> diff --git a/config/rootfiles/packages/rpz b/config/rootfiles/pack= ages/rpz >>>>>>>>>> index 2ffa715dd..183825362 100644 >>>>>>>>>> --- a/config/rootfiles/packages/rpz >>>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>>> @@ -6,6 +6,6 @@ usr/sbin/rpz-config >>>>>>>>>> usr/sbin/rpz-metrics >>>>>>>>>> usr/sbin/rpz-sleep >>>>>>>>>> var/ipfire/backup/addons/includes/rpz >>>>>>>>>> -var/ipfire/rpz >>>>>>>>>> -var/ipfire/rpz/allowlist >>>>>>>>>> -var/ipfire/rpz/blocklist >>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config >>>>>>>>>> index 98dc0a4ca..a24a5c132 100644 >>>>>>>>>> --- a/config/rpz/rpz-config >>>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>>> @@ -19,7 +19,7 @@ >>>>>>>>>> # = # >>>>>>>>>> ##################################################################= ############# >>>>>>>>>>=20 >>>>>>>>>> -# v22 - 2024-07-12 >>>>>>>>>> +# v23 - 2024-07-30 >>>>>>>>>>=20 >>>>>>>>>> ############### Functions ############### >>>>>>>>>>=20 
>>>>>>>>>> @@ -54,11 +54,11 @@ check_unbound_conf () { >>>>>>>>>> make_rpz_file () { >>>>>>>>>> local theType=3D"${1}" # allow or block >>>>>>>>>>=20 >>>>>>>>>> - theList=3D"/var/ipfire/rpz/${theType}list" # input user list of = domains >>>>>>>>>> + theList=3D"/var/ipfire/dns/rpz/${theType}list" # input custom li= st of domains >>>>>>>>>> theZoneFile=3D"/etc/unbound/zonefiles/${theType}.rpz" # output fil= e for RPZ >>>>>>>>>>=20 >>>>>>>>>> theAction=3D'.' >>>>>>>>>> - if [[ "${theType}" =3D~ "block" ]] ; then >>>>>>>>>> + if [[ "${theType}" =3D~ "allow" ]] ; then >>>>>>>>>> theAction=3D'rpz-passthru.' >>>>>>>>>> fi >>>>>>>>>>=20 >>>>>>>>>> @@ -131,8 +131,8 @@ case "${theAction}" in >>>>>>>>>> # set-up zone file >>>>>>>>>> /usr/bin/touch "${rpzFile}" >>>>>>>>>> # unbound requires these settings for rpz files >>>>>>>>>> - /bin/chown --verbose nobody:nobody "${rpzFile}" >>>>>>>>>> - /bin/chmod --verbose 644 "${rpzFile}" >>>>>>>>>> + /bin/chown nobody:nobody "${rpzFile}" >>>>>>>>>> + /bin/chmod 644 "${rpzFile}" >>>>>>>>>> ;; >>>>>>>>>>=20 >>>>>>>>>> # trash config file & rpz file >>>>>>>>>> @@ -143,8 +143,8 @@ case "${theAction}" in >>>>>>>>>> fi >>>>>>>>>>=20 >>>>>>>>>> msg_log "info: rpz: remove config file & rpz file \"${theName}\"" >>>>>>>>>> - /bin/rm --verbose "${rpzConfig}" >>>>>>>>>> - /bin/rm --verbose "${rpzFile}" >>>>>>>>>> + /bin/rm "${rpzConfig}" >>>>>>>>>> + /bin/rm "${rpzFile}" >>>>>>>>>>=20 >>>>>>>>>> check_unbound_conf >>>>>>>>>> ;; >>>>>>>>>> diff --git a/config/rpz/rpz-metrics b/config/rpz/rpz-metrics >>>>>>>>>> index 0f97c7911..4d932726e 100644 >>>>>>>>>> --- a/config/rpz/rpz-metrics >>>>>>>>>> +++ b/config/rpz/rpz-metrics >>>>>>>>>> @@ -19,7 +19,7 @@ >>>>>>>>>> # = # >>>>>>>>>> ##################################################################= ############# >>>>>>>>>>=20 >>>>>>>>>> -# v18 on 2024-07-05 >>>>>>>>>> +# v19 on 2024-07-30 >>>>>>>>>>=20 >>>>>>>>>> ############### Main ############### >>>>>>>>>>=20 
>>>>>>>>>> @@ -33,7 +33,7 @@ messageLogs=3D$( find /var/log/messages* -type f= | >>>>>>>>>>=20 >>>>>>>>>> # get the list of RPZ names & counts from the message log(s) >>>>>>>>>> rpzNameCount=3D$( for logf in ${messageLogs} ; do >>>>>>>>>> - /usr/bin/zgrep --text --fixed-strings 'info: rpz: applied' "${lo= gf}" | >>>>>>>>>> + /usr/bin/zgrep --text --extended-regexp 'info: rpz: applied.* A = IN$' "${logf}" | >>>>>>>>>> /usr/bin/awk '$10 ~ /\[\w*]/ { print $10 }' ; >>>>>>>>>> done | /usr/bin/sort | /usr/bin/uniq --count ) >>>>>>>>>>=20 >>>>>>>>>> @@ -107,8 +107,9 @@ do >>>>>>>>>> theLines=3D$( /bin/echo "${output}" | /usr/bin/awk '{ print $1 }' ) >>>>>>>>>> totalLines=3D$(( totalLines + theLines )) >>>>>>>>>>=20 >>>>>>>>>> - #hitsPerLine=3D$( echo "scale=3D0 ; $theHits / $theLines" | bc ) >>>>>>>>>> - hitsPerLine=3D$(( 100 * theHits / theLines )) >>>>>>>>>> + if [[ "${theLines}" -gt 2 ]] ; then >>>>>>>>>> + hitsPerLine=3D$(( 100 * theHits / theLines )) >>>>>>>>>> + fi >>>>>>>>>> fi >>>>>>>>>>=20 >>>>>>>>>> # get modification date >>>>>>>>>> diff --git a/lfs/rpz b/lfs/rpz >>>>>>>>>> index 319c10b7f..73f6f2b1b 100644 >>>>>>>>>> --- a/lfs/rpz >>>>>>>>>> +++ b/lfs/rpz >>>>>>>>>> @@ -67,9 +67,9 @@ $(TARGET) : >>>>>>>>>> $(DIR_CONF)/rpz/{rpz-config,rpz-metrics,rpz-sleep} -t /usr/sbin >>>>>>>>>>=20 >>>>>>>>>> # Install settings folder and two empty files >>>>>>>>>> - mkdir -pv /var/ipfire/rpz >>>>>>>>>> - touch /var/ipfire/rpz/allowlist >>>>>>>>>> - touch /var/ipfire/rpz/blocklist >>>>>>>>>> + mkdir -pv /var/ipfire/dns/rpz >>>>>>>>>> + touch /var/ipfire/dns/rpz/allowlist >>>>>>>>>> + touch /var/ipfire/dns/rpz/blocklist >>>>>>>>>>=20 >>>>>>>>>> # Add conf file to /etc directory >>>>>>>>>> cp -vf $(DIR_CONF)/rpz/00-rpz.conf /etc/unbound/local.d >>>>>>>>>> diff --git a/src/paks/rpz/install.sh b/src/paks/rpz/install.sh >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000..0a797e158 >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/src/paks/rpz/install.sh 
>>>>>>>>>> @@ -0,0 +1,27 @@ >>>>>>>>>> +#!/bin/bash >>>>>>>>>> +#################################################################= ############## >>>>>>>>>> +# = # >>>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>>> +# Copyright (C) 2024 IPFire Team = # >>>>>>>>>> +# = # >>>>>>>>>> +# This program is free software: you can redistribute it and/or = modify # >>>>>>>>>> +# it under the terms of the GNU General Public License as publis= hed by # >>>>>>>>>> +# the Free Software Foundation, either version 3 of the License,= or # >>>>>>>>>> +# (at your option) any later version. = # >>>>>>>>>> +# = # >>>>>>>>>> +# This program is distributed in the hope that it will be useful= , # >>>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of= # >>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # >>>>>>>>>> +# GNU General Public License for more details. = # >>>>>>>>>> +# = # >>>>>>>>>> +# You should have received a copy of the GNU General Public Lice= nse # >>>>>>>>>> +# along with this program. If not, see . # >>>>>>>>>> +# = # >>>>>>>>>> +#################################################################= ############## >>>>>>>>>> +# >>>>>>>>>> +. /opt/pakfire/lib/functions.sh >>>>>>>>>> +extract_files >>>>>>>>>> +restore_backup ${NAME} >>>>>>>>>> + >>>>>>>>>> +# restart unbound to load config file >>>>>>>>>> +/etc/init.d/unbound restart >>>>>>>>>> diff --git a/src/paks/rpz/uninstall.sh b/src/paks/rpz/uninstall.sh >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000..4fb20e127 >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/src/paks/rpz/uninstall.sh 
>>>>>>>>>> @@ -0,0 +1,31 @@ >>>>>>>>>> +#!/bin/bash >>>>>>>>>> +#################################################################= ############## >>>>>>>>>> +# = # >>>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>>> +# Copyright (C) 2024 IPFire Team = # >>>>>>>>>> +# = # >>>>>>>>>> +# This program is free software: you can redistribute it and/or = modify # >>>>>>>>>> +# it under the terms of the GNU General Public License as publis= hed by # >>>>>>>>>> +# the Free Software Foundation, either version 3 of the License,= or # >>>>>>>>>> +# (at your option) any later version. = # >>>>>>>>>> +# = # >>>>>>>>>> +# This program is distributed in the hope that it will be useful= , # >>>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of= # >>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # >>>>>>>>>> +# GNU General Public License for more details. = # >>>>>>>>>> +# = # >>>>>>>>>> +# You should have received a copy of the GNU General Public Lice= nse # >>>>>>>>>> +# along with this program. If not, see . # >>>>>>>>>> +# = # >>>>>>>>>> +#################################################################= ############## >>>>>>>>>> +# >>>>>>>>>> +. /opt/pakfire/lib/functions.sh >>>>>>>>>> + >>>>>>>>>> +# stop unbound to delete RPZ conf file >>>>>>>>>> +/etc/init.d/unbound stop >>>>>>>>>> + >>>>>>>>>> +make_backup ${NAME} >>>>>>>>>> +remove_files >>>>>>>>>> + >>>>>>>>>> +# start unbound to load unbound config file >>>>>>>>>> +/etc/init.d/unbound start >>>>>>>>>> diff --git a/src/paks/rpz/update.sh b/src/paks/rpz/update.sh >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000..938a93a40 >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/src/paks/rpz/update.sh 
>>>>>>>>>> @@ -0,0 +1,25 @@ >>>>>>>>>> +#!/bin/bash >>>>>>>>>> +#################################################################= ############## >>>>>>>>>> +# = # >>>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>>> +# Copyright (C) 2024 IPFire Team = # >>>>>>>>>> +# = # >>>>>>>>>> +# This program is free software: you can redistribute it and/or = modify # >>>>>>>>>> +# it under the terms of the GNU General Public License as publis= hed by # >>>>>>>>>> +# the Free Software Foundation, either version 3 of the License,= or # >>>>>>>>>> +# (at your option) any later version. = # >>>>>>>>>> +# = # >>>>>>>>>> +# This program is distributed in the hope that it will be useful= , # >>>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of= # >>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # >>>>>>>>>> +# GNU General Public License for more details. = # >>>>>>>>>> +# = # >>>>>>>>>> +# You should have received a copy of the GNU General Public Lice= nse # >>>>>>>>>> +# along with this program. If not, see . # >>>>>>>>>> +# = # >>>>>>>>>> +#################################################################= ############## >>>>>>>>>> +# >>>>>>>>>> +. /opt/pakfire/lib/functions.sh >>>>>>>>>> +extract_backup_includes >>>>>>>>>> +./uninstall.sh >>>>>>>>>> +./install.sh >>>>>>>>>> --=20 >>>>>>>>>> 2.30.2 >>=20 >>=20 >> Jon >>=20 >>=20 >> --=20 >> Jon Murphy >> jon.murphy(a)ipfire.org Jon --=20 Jon Murphy jon.murphy(a)ipfire.org --===============9127156221507233876==--
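Review bot: in the rpz-config hunk at `@@ -54,11 +54,11 @@ check_unbound_conf`, `if [[ "${theType}" =~ "allow" ]]` uses a regex (substring) match for what is an exact comparison; since `theType` is documented as `allow or block`, `[[ "${theType}" == "allow" ]]` states the intent and cannot match an unexpected value such as `disallow`. The direction of the fix itself is right: `rpz-passthru.` is the RPZ action that exempts a name from later zones, so it belongs to the allow list, while the block list keeps the `.` target that makes unbound answer NXDOMAIN.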
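Review bot: the rpz-config hunk at `@@ -131,8 +131,8 @@` still calls `/usr/bin/touch`, `/bin/chown` and `/bin/chmod` by absolute path, although the thread settles on calling these by name; dropping the paths here would match the rest of the change. Nothing checks that `touch "${rpzFile}"` succeeded before `chown nobody:nobody` and `chmod 644` run on it, so a failed create (full disk, missing `zonefiles` directory) surfaces later as a confusing chown error; `touch "${rpzFile}" || exit 1` keeps the failure at its source.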
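Review bot: in the rpz-config hunk at `@@ -143,8 +143,8 @@`, `/bin/rm "${rpzConfig}"` and `/bin/rm "${rpzFile}"` fail loudly if either file is already gone (a config written whose zone file was never downloaded, or a second run of the same remove), and if the script runs with `set -e` that aborts before `check_unbound_conf` is reached. `rm -f` on both lines, or an `[[ -e ... ]]` guard, makes the remove idempotent.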
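Review bot: the new pattern `'info: rpz: applied.* A IN$'` in the rpz-metrics hunk at `@@ -33,7 +33,7 @@` counts only A queries, so a zone whose hits arrive as AAAA or HTTPS lookups (IPv6-only clients, current browsers) shows as unused and, given that the thread uses this output to decide what to disable, may be dropped for the wrong reason. If the intent is to avoid counting the A/AAAA pair a client sends for one name twice, say so in a comment next to the regex; otherwise `(A|AAAA) IN$` is the safer count. Also, `\w` in the awk pattern `/\[\w*]/` is a GNU awk extension, fine if gawk is the only awk the script will ever see, but worth a comment.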
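Review bot: `if [[ "${theLines}" -gt 2 ]]` in the rpz-metrics hunk at `@@ -107,8 +107,9 @@ do` avoids the divide by zero, but `hitsPerLine` is not reset before the `if`, so inside the loop a list with two or fewer lines prints the value computed for the previous list. Set `hitsPerLine=0` (or a marker such as `n/a`) just before the `if`. The threshold of 2 presumably skips the SOA/NS header of an otherwise empty zone; `-gt 0` would already prevent the crash, so a one-line comment on why 2 is the cut-off would help the next reader.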
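Review bot: in `src/paks/rpz/install.sh`, `restore_backup ${NAME}` brings back the saved `/etc/unbound/local.d/*rpz.conf` includes (listed in the backup-includes hunk) and `/etc/init.d/unbound restart` then loads them unvalidated; an include that points at a zone file which is not on the box makes the restart fail and leaves the firewall without a resolver. Run `unbound-checkconf` between the two lines and only restart on success, and quote `"${NAME}"` while at it.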
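Review bot: the comment `# stop unbound to delete RPZ conf file` in `src/paks/rpz/uninstall.sh` does not hold: a running unbound does not prevent deleting files under `/etc/unbound/local.d`, so the `stop` / `start` pair only widens the window in which the firewall has no DNS. `make_backup` and `remove_files` can run with unbound up, followed by one `/etc/init.d/unbound restart`. Separately, `remove_files` removes what the package rootfile lists; the zone files that `rpz-config` creates at runtime under `/etc/unbound/zonefiles` (the `touch "${rpzFile}"` in the rpz-config hunk) do not appear in the visible part of the rootfile hunk, so unless they are listed elsewhere they stay behind after an uninstall and should be removed here explicitly.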
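The allow/block fix in the quoted rpz-config hunk and the SOA refresh explanation in the thread together describe how a custom list becomes an Unbound RPZ zone. The function below is an added example written for this page, not the add-on's rpz-config code: it turns a one-domain-per-line list into an RPZ zone with the SOA header the thread quotes (refresh 43200 s), emits `CNAME rpz-passthru.` for an allow list and `CNAME .` (NXDOMAIN) for a block list, and refuses entries that are not hostnames so a stray line cannot break the zone. The function name, the `$TTL`, the `localhost.` NS record and the sample list are assumptions; the zone is printed to stdout so the caller decides where it lands.

```bash
#!/bin/bash
# Added example, not the add-on's rpz-config: build an Unbound RPZ zone file
# from a one-domain-per-line custom list.

# Usage: make_rpz_zone <allow|block> <listfile> [serial]   (zone text on stdout)
# RPZ actions: a block entry is "CNAME ." (unbound answers NXDOMAIN); an allow
# entry is "CNAME rpz-passthru." (unbound answers normally and no later RPZ
# zone may override it). The SOA mirrors the header quoted in the thread:
# refresh 43200 s, so unbound re-checks the source every 12 hours.
make_rpz_zone() {
    local type="$1" listfile="$2"
    local serial="${3:-$(date +%s)}"    # epoch time as serial: always increasing
    local target

    case "${type}" in
        allow) target="rpz-passthru." ;;
        block) target="." ;;
        *) echo "make_rpz_zone: type must be allow or block, got '${type}'" >&2; return 1 ;;
    esac

    printf '$TTL 300\n'
    printf '@ SOA localhost. root.localhost. %s 43200 3600 259200 300\n' "${serial}"
    printf '@ NS localhost.\n'    # assumption: placeholder NS matching the quoted SOA

    local domain
    while IFS= read -r domain; do
        domain="${domain%%#*}"                 # drop comments
        domain="${domain//[[:space:]]/}"       # and all whitespace
        domain="${domain%.}"                   # owner names are relative: no trailing dot
        domain="${domain,,}"                   # DNS names are case-insensitive
        [[ -z "${domain}" ]] && continue
        # accept only hostnames, optionally with a leading "*." wildcard;
        # anything else (spaces, URLs, stray punctuation) would corrupt the zone
        if [[ ! "${domain}" =~ ^(\*\.)?([a-z0-9_-]+\.)*[a-z0-9_-]+$ ]]; then
            echo "skipping invalid entry: ${domain}" >&2
            continue
        fi
        if [[ "${domain}" == \*.* ]]; then
            printf '%s CNAME %s\n' "${domain}" "${target}"      # wildcard as given
        else
            printf '%s CNAME %s\n' "${domain}" "${target}"      # the name itself
            printf '*.%s CNAME %s\n' "${domain}" "${target}"    # and every subdomain
        fi
    done < "${listfile}" | sort -u
}

# Stand-alone run on a constructed list (assumption: not a real IPFire file).
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    list=$(mktemp)
    printf '%s\n' 'Ads.Example.com.' '# comment' '' 'tracker.example.net # inline' \
        '*.telemetry.example.org' 'bad host!' > "${list}"
    make_rpz_zone block "${list}"
    rm -f "${list}"
fi
```

Because the serial is the epoch time, every regeneration is newer than the previous one, which is what unbound's refresh check compares; the `sort -u` also collapses duplicates that would otherwise produce two identical owner records.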
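The rpz-metrics hunk counts zone names from unbound's `info: rpz: applied [name] ...` log lines, and its new regex restricts that count to A queries. As an added example (not the rpz-metrics script itself), the function below does the same counting with awk over a constructed syslog excerpt, once for every record type and once with the A-only filter, so the effect of that filter is visible on sample data. The log lines are constructed; their layout (`[zone]` as the tenth whitespace-separated field, `<qname> <qtype> IN` at the end of the line) is an assumption chosen to match what the script's `awk '$10 ...'` and `' A IN$'` expect, and the function and file names are assumptions too.

```bash
#!/bin/bash
# Added example, not IPFire's rpz-metrics: count RPZ hits per zone from
# unbound "rpz: applied" syslog lines.

# Constructed sample (assumed layout; not real IPFire output), written to a
# temp file so the counter runs on it the way it would on /var/log/messages.
write_sample_log() {
    local f
    f=$(mktemp) || return 1
    cat > "${f}" <<'EOF'
Aug 12 13:41:02 ipfire unbound: [4711:0] info: rpz: applied [MxProPlusHZ] ads.example.com. rpz-nxdomain 192.168.1.50@53411 ads.example.com. A IN
Aug 12 13:41:02 ipfire unbound: [4711:0] info: rpz: applied [MxProPlusHZ] ads.example.com. rpz-nxdomain 192.168.1.50@53412 ads.example.com. AAAA IN
Aug 12 13:41:05 ipfire unbound: [4711:1] info: rpz: applied [DOHblockHZ] doh.example.net. rpz-nxdomain 192.168.1.77@40001 doh.example.net. A IN
Aug 12 13:41:09 ipfire unbound: [4711:0] info: rpz: applied [MxProPlusHZ] track.example.org. rpz-nxdomain 192.168.1.50@53420 track.example.org. HTTPS IN
Aug 12 13:41:09 ipfire unbound: [4711:0] info: rpz: applied [MxProPlusHZ] track.example.org. rpz-nxdomain 192.168.1.50@53421 track.example.org. A IN
Aug 12 13:41:10 ipfire unbound: [4711:1] info: rpz: applied [allow] cdn.example.com. rpz-passthru 192.168.1.50@53422 cdn.example.com. A IN
Aug 12 13:41:11 ipfire unbound: [4711:0] info: start of service (unbound).
EOF
    printf '%s\n' "${f}"
}

# Usage: rpz_hit_count <logfile> [qtype]
# Prints "<hits> <zone>" per zone, most hits first. Without a qtype every
# applied record type is counted, so one client resolving a name over A and
# AAAA counts twice. With qtype "A" only "A IN" lines count, which is what the
# patch's 'applied.* A IN$' regex does: no double count, but AAAA-only or
# HTTPS-only lookups vanish from the metric.
rpz_hit_count() {
    local logfile="$1"
    local qtype="${2:-}"
    awk -v want="${qtype}" '
        /info: rpz: applied \[/ {
            # $(NF-1) is the query type, $NF the class ("IN")
            if (want != "" && ($(NF-1) != want || $NF != "IN")) next
            # $10 is "[zone]"; strip the brackets
            zone = substr($10, 2, length($10) - 2)
            hits[zone]++
        }
        END { for (z in hits) print hits[z], z }
    ' "${logfile}" | LC_ALL=C sort -k1,1nr -k2,2
}

# Stand-alone run: show both views of the constructed log.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    log=$(write_sample_log)
    echo "all record types:"; rpz_hit_count "${log}"
    echo "A queries only:";   rpz_hit_count "${log}" A
    rm -f "${log}"
fi
```

On the sample, MxProPlusHZ shows 4 hits unfiltered but 2 with the A-only filter: the AAAA and HTTPS lookups for names it blocked are not counted, which is the trade-off the patch's regex makes.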