Subject: Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
From: Michael Tremer
To: Bernhard Bitsch
Cc: development@lists.ipfire.org, erik.kapfer@ipfire.org
Date: Thu, 7 Aug 2025 14:40:37 +0100
Message-Id: <80F533B6-B60E-40A8-AADD-900FC0AE2FA3@ipfire.org>
In-Reply-To: <97b94a4a-1dce-4bbb-a8ed-1e16c89dd866@ipfire.org>
References: <20250206163522.2363178-1-jon.murphy@ipfire.org> <64617942-44E2-4E7B-A8AB-D5C22F94F68B@ipfire.org> <8D5093D0-A699-4C4E-AEA3-185AD323EF67@ipfire.org> <9221F825-15BB-484C-A921-118C7F3266AC@ipfire.org> <0261B2EC-034E-4231-B105-DEFB8091BF07@ipfire.org> <79F36C8A-29DD-4964-A854-21AF104A41B8@ipfire.org> <4d7fda4f-0de9-4a77-99b1-6276b161f68a@ipfire.org> <97b94a4a-1dce-4bbb-a8ed-1e16c89dd866@ipfire.org>

Hello Bernhard,

> On 7 Aug 2025, at 10:18, Bernhard Bitsch wrote:
>
> Hello Michael,
>
> Erik's approach is to sample DNS block lists and convert them into RPZ format.

Where has any conversion been needed? Previously those lists have been downloaded directly into Unbound.

> I don't think Erik doesn't want to establish a new GitHub repository; the work can be integrated into the IPFire infrastructure.

*Precisely* my point. Nobody wants to run these things they are offering there. Neither the upstream lists nor Erik. Why would we build on top of this? If this were to move into the IPFire Infrastructure, who is going to build that, maintain it, and pay for it?

> The selection of sources can be done in the same way it is done with IP Block Lists.
> This involves selection based on licenses.
>
> BTW, the discussion comes up now again just because of Erik's new engagement.

Okay, and since last March, when the last somewhat meaningful emails have been exchanged about this, nothing else has happened? Nobody felt that they are still pushing this project to go anywhere?

> Nevertheless, I vote for some kind of DNS blocking. With unbound ( the DNS resolver, we use now! ) the concept of RPZ implements this in an acceptable manner.
You can vote as much as you like. The forum people can also vote as much as they like. That won’t move anything forward. We all want things. Dreaming, praying or just “voting” won’t change anything. You will have to build it.

-Michael

>
> Bernhard
>
> On 07.08.2025 at 10:17, Michael Tremer wrote:
>> Hello Bernhard,
>>> On 6 Aug 2025, at 13:32, Bernhard Bitsch wrote:
>>>
>>> On 05.08.2025 at 18:53, Jon Murphy wrote:
>>>> Q. * The problem is the sources and the quality of the blacklists. Unless those are available to us and our users the entire technology is becoming worthless. This is exactly what we have with the URL filter.
>>>> A. To me this is similar to many other open source items. If the head MFiC walks away, then the open source becomes toast. If the project is sold or transferred to a paid service, then the open source project is toast. I don’t like it, but unless IPFire becomes the mix-master of blocklists (collect, filter, publish, etc.) then there is no way around this.
>>>> ==
>>>> Q. * Unbound itself is a whole mess and I hope we will be able to launch our plans to replace it as soon as possible.
>>>> A. This one I cannot answer since I don’t know the issues others have experienced. I started near the time when IPFire went from dnsmasq to unbound and to me unbound seems A-OK. But again I don’t know the issues.
>>>
>>> What alternative is planned for unbound? Does it support RPZ or something alike?
>>> I think it can be agreed, that such a sort of filtering is meaningful.
>> I have a few candidates, but nothing has been confirmed. We talked about this a few months ago on the video call and decided that we will prioritise other things first.
>>> Bernhard
>>>
>>> EDIT: The case of controlled lists is in solution by Erik's work (https://github.com/twitOne/RPZ-Blocklists/tree/main)
>>> ==
>> In all seriousness, how is *this* the solution? It embodies all problems that we have raised before in one new GitHub repository.
>> * It gathers many lists from various sources and merges them. That is not a list, that is just a pile of other lists combined into one. What is the benefit? The sources are already merging each other in circles. Why not use the original lists?
>> * This clearly breaks *all* the licensing of any of the upstream lists. Most of those are using licenses that are not even possible to use for anything else but software (MIT & GPL). Lists like this are not software. One upstream list has a fairy tale license and the two that actually chose a sensible license that mandate attribution have not been credited for their work. There is no indication that a dual-licensing or redistribution deal has been struck with any upstream providers. The “new” compiled data in that repository does not state at all under which terms it can be used.
>> * It even tracks which lists have been abandoned (https://github.com/twitOne/RPZ-Blocklists/issues/70).
>> * It is coming from someone who is not even going to put their name to it. Like most of the upstream data, too.
>> Please tell me what has been tried to solve here. What was the goal of creating this?
>> Best,
>> -Michael
>>>> Specifically, what questions are remaining unanswered?
>>>> ------ Original Message ------
>>>> From "Michael Tremer"
>>>> To "Jon Murphy"
>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>> Date 5/23/2025 5:35:58 AM
>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>> Hello Jon,
>>>>>
>>>>> You need to be a little bit more precise with what you actually want to know.
>>>>>
>>>>> I think I have covered this before and can only refer to the previous emails in this conversation.
>>>>>
>>>>> * RPZ itself is fine as a feature. It is a powerful tool we could leverage for a lot of things. It would have the potential to allow content filtering without the proxy.
>>>>>
>>>>> * The problem is the sources and the quality of the blacklists. Unless those are available to us and our users the entire technology is becoming worthless. This is exactly what we have with the URL filter.
>>>>>
>>>>> * Unbound itself is a whole mess and I hope we will be able to launch our plans to replace it as soon as possible.
>>>>>
>>>>> Best,
>>>>> -Michael
>>>>>
>>>>>> On 22 May 2025, at 20:45, Jon Murphy wrote:
>>>>>>
>>>>>> I understand that "Unbound, RPZ and a blacklist" was unsuitable. I am curious what was suitable.
>>>>>>
>>>>>> ------ Original Message ------
>>>>>> From "Michael Tremer"
>>>>>> To "Jon Murphy"
>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>> Date 5/22/2025 10:46:25 AM
>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>
>>>>>>> Unbound, RPZ and a blacklist that I deemed suitable. It isn’t.
>>>>>>>
>>>>>>>> On 22 May 2025, at 16:45, Jon Murphy wrote:
>>>>>>>>
>>>>>>>> Still curious… What are you using to block adult websites?
>>>>>>>>
>>>>>>>> ------ Original Message ------
>>>>>>>> From "Michael Tremer"
>>>>>>>> To "Jon Murphy"
>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>> Date 5/22/2025 10:43:55 AM
>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>
>>>>>>>>> I stated that before. I need to block adult websites.
>>>>>>>>>
>>>>>>>>>> On 22 May 2025, at 16:42, Jon Murphy wrote:
>>>>>>>>>>
>>>>>>>>>> Now I am curious! What is your use-case? Tell me more...
>>>>>>>>>>
>>>>>>>>>> ------ Original Message ------
>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>> Date 5/22/2025 10:40:38 AM
>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>
>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>
>>>>>>>>>>> I have not been spending on time on this at all since we talked last.
>>>>>>>>>>>
>>>>>>>>>>> I don’t need Unbound to download any files for my use-case either.
>>>>>>>>>>>
>>>>>>>>>>> -Michael
>>>>>>>>>>>
>>>>>>>>>>>> On 20 May 2025, at 17:30, Jon Murphy wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Michael,
>>>>>>>>>>>>
>>>>>>>>>>>> Were you able to debug RPZ and get Unbound to download `.rpz` files?
>>>>>>>>>>>>
>>>>>>>>>>>> Jon
>>>>>>>>>>>>
>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>> Date 3/24/2025 9:43:37 AM
>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, I don’t need any debugging of this...
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 24 Mar 2025, at 14:42, Jon Murphy wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is there a:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> server:
>>>>>>>>>>>>>> module-config: "respip validator iterator"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In your RPZ set-up?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>>>> Date 3/24/2025 9:40:15 AM
>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Because it is not doing it on my system...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 24 Mar 2025, at 14:38, Jon Murphy wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Actually it did.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Why do you think Unbound did not?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>>>>>> Date 3/24/2025 9:36:53 AM
>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Unbound did not put those there...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 14:33, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> And where are these stored?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> In `/etc/unbound/zonefiles`:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> [root@ipfire ~] # ls -al /etc/unbound/zonefiles
>>>>>>>>>>>>>>>>>> total 20664
>>>>>>>>>>>>>>>>>> drwxr-xr-x 2 nobody nobody 4096 Mar 24 04:40 .
>>>>>>>>>>>>>>>>>> drwxr-xr-x 4 root root 4096 Mar 19 16:24 ..
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 3999087 Mar 23 15:11 adhocSB.rpz
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 1411 Mar 23 14:23 allow.rpz
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 25355 Mar 24 04:40 AmazonTrkrHZ.rpz
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 7241 Mar 24 04:40 AppleTrkrHZ.rpz
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 178 Mar 23 14:23 block.rpz
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 78496 Mar 24 04:40 DOHblockHZ.rpz
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 16983551 Mar 24 04:40 MxProPlusHZ.rpz
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 2893 Mar 24 04:40 tldHZ.rpz
>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 29419 Mar 24 04:40 WinTrkrHZ.rpz
>>>>>>>>>>>>>>>>>> [root@ipfire ~] #
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>>>> To "Bernhard Bitsch"
>>>>>>>>>>>>>>>>>> Cc development@lists.ipfire.org
>>>>>>>>>>>>>>>>>> Date 3/24/2025 9:25:40 AM
>>>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 13:33, Bernhard Bitsch wrote:
>>>>>>>>>>>>>>>>>>>> On 24.03.2025 at 11:17, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 00:00, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>> FYI - I was wrong Unbound RPZ is _not_ watching the serial number, it is watching the "refresh", the number after the serial number.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Refresh just tells the client how often to check for an update.
>>>>>>>>>>>>>>>>>>>>> If that is actually being set by the list publisher, then we have another problem here, because they could put some insanely low value there and we would then DDoS their infrastructure. I think we should keep it like we have it in other places that we control how often we want to check or pull for updates.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> You are right. But an extra update process wastes additional processor time. The update mechanism of unbound does the check for update ( however it is realized ) nevertheless.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Yes, doing more things needs resources. But we are not seriously considering whether an IPFire system has enough resources to perform the download of a text file, or are we?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>>>>>>>>>>>>>>>> From testing. Downloading rpz files using rpz unbound, and watching what happens. If the rpz file is setup for "once per day" refresh, then it only downloads one time.
>>>>>>>>>>>>>>>>>>>>>> However that won’t solve our problem . . . and having no cache.
>>>>>>>>>>>>>>>>>>>>>> In `/etc/unbound/tuning.conf` there is `rrset-cache-size: 128m`. Are you referring to a different cache?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Naturally unbound is loading the zone into its memory which we generally call cache.
>>>>>>>>>>>>>>>>>>>>> When I say cache I am thinking about persistent data storage across multiple restarts of Unbound. If I am downloading 100 MiB of RPZ lists (which is presumably still on the lower end) and I reboot my firewall, I do not want to download the same data again. We can only ever download a list *once* unless we are 100% certain that it has changed. Then we can download it once again.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> The RPZ lists are stored in files in persistent storage. Unbound creates the internal cache from these.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> And where are these stored?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Maybe we need to implement both?
>>>>>>>>>>>>>>>>>>>>>> Yes. There are very few AXFR lists (I think only four were found). And many more HTTPS rpz files.
>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>>>>>>>>>> Cc "IPFire: Development-List"
>>>>>>>>>>>>>>>>>>>>>> Date 3/20/2025 11:26:43 AM
>>>>>>>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>> Please don’t forget to Cc the list...
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 19 Mar 2025, at 18:27, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Keep in mind I am not a "C" person. Maybe in this section?:
>>>>>>>>>>>>>>>>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l5875
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> This is where the AXFR response is being handled when doing a DNS zone transfer. This code is not being called when performing a HTTP download.
>>>>>>>>>>>>>>>>>>>>>>> I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> —
>>>>>>>>>>>>>>>>>>>>>>>> When I was just learning about RPZ I created a separate RPZ file for testing. When I changed the SOA line with a new serial number, the RPZ file download would happen in about 5 minutes.
>>>>>>>>>>>>>>>>>>>>>>>> https://people.ipfire.org/~jon/sblack-adhoc.rpz
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> It might well be that the file is not being reloaded if the download matches the content that unbound already has. That would of course save some resources.
>>>>>>>>>>>>>>>>>>>>>>> However that won’t solve our problem with redundant downloads and having no cache.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> That is how I found out the SOA line is watched for a serial number change.
>>>>>>>>>>>>>>>>>>>>>>>> I’ll reconfirm my findings.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> So I understand, are you thinking of hosting RPZ AXFR (DNS zone transfer) on IPFire infrastructure?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> No, I don’t think that we can generally do this. The biggest problem is licensing as we cannot take anyone's content and host it ourselves. We would redistribute those lists and that will only work with permission of the publishers. I assume that would be too much work to actually get some useful content out there. We might limit ourselves to only those lists that are under a very permissive license. Nobody wants that.
>>>>>>>>>>>>>>>>>>>>>>> From a technical point of view, DNS over TCP might not be very nice in terms of forging the transfer and so we would need TLS as well… It should work, but even if we would be able to encourage other people to publish their lists I doubt they would implement DNS over TLS for authoritative DNS. That standard is in very early stages as well.
>>>>>>>>>>>>>>>>>>>>>>> As far as I can see, those vendors who offer a list as a commercial product are using DNS to distribute it (e.g. Spamhaus). Those people who have made this all a hobby are throwing the lists onto GitHub and let them handle the traffic.
>>>>>>>>>>>>>>>>>>>>>>> Maybe we need to implement both?
>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>> On 3/19/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>>>>>>>>>>>>>>>>>> Unbound loads the entire file into memory and then starts parsing it. The only special treatment there is, is to check whether the first line is a valid zone entry. It does not even have to be a SOA record.
>>>>>>>>>>>>>>>>>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l1188
>>>>>>>>>>>>>>>>>>>>>>>>> I am also concerned that Unbound will not be able to support an upstream proxy for any downloads. The caching situation is also unclear for me, so I believe that we will be looking at writing a custom downloader that implements all these things.
>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 19 Mar 2025, at 02:58, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> The Unbound RPZ code, as installed within IPFire, watches for a change in the SOA line of each RPZ file. This is an example of the first few lines for every RPZ file.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> $TTL 300
>>>>>>>>>>>>>>>>>>>>>>>>>> @ SOA localhost. root.localhost. 1742298960 43200 3600 86400 300
>>>>>>>>>>>>>>>>>>>>>>>>>> NS localhost.
>>>>>>>>>>>>>>>>>>>>>>>>>> ;
>>>>>>>>>>>>>>>>>>>>>>>>>> ; Title: HaGeZi's Pop-Up Ads DNS Blocklist
>>>>>>>>>>>>>>>>>>>>>>>>>> ; Description: Blocks annoying and malicious pop-up ads.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> If the SOA serial number changes (e.g. the 1742298960), then Unbound RPZ code does its thing and downloads. Otherwise there is no download.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won’t download a list again unless it has actually changed.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> This should do what you want but I may be missing your point.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>>>>>>>>>>>>>>>>>>>>>>> I need to read about AXFR/IXFR and learn a little more.
>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>> On 3/17/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Good Morning Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 16 Mar 2025, at 17:00, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I was reading through your response again and I want to understand this post:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> So if RPZ doesn't use HTTPS, what is it using? I am missing a key point here.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>>>>>>>>>>>>>>>>>> Although it might not affect a lot of people in our general user-base, there are some that have a metered connection and will pay for data by volume. Some of the lists I looked at are just under 20 MiB. Therefore we need to keep any traffic down to a minimum. The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>>>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won’t download a list again unless it has actually changed.
>>>>>>>>>>>>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>>>>>>>>>>>>>>>>>>>>>>>> HTTPS is an option because that is simply what we use elsewhere, but extra functionality will have to be built for it.
>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 2/13/25 3:34 PM, jon wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I’ve read through your comments a few times and I ended up with many more questions.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> To me the efforts to get new code accepted seem to have changed and it seemed easier in the past. In the past I made the Core Team aware via the Dev Mailing List and wrote a simple two or three paragraphs of "What is it? / What is the value? / Here is the code"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So in an effort to move forward: How exactly is something presented to the Core Team?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Is there an example of a recent effort that was presented that I can see as a sample? (This type of info can also be added to the Wiki)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I understand you want it this way, but I don’t know what exactly is needed. Please be specific.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> PS - I am not ignoring your other comments, I am just trying to move forward and keep things simple.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Feb 8, 2025, at 1:27 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Thanks for your reply. And good that you are copying everyone into this conversation.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 8 Feb 2025, at 18:41, jon wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, this has been a separate effort (a very public separate effort). Yes, as you pointed this out early on with the "proof-of-concept" and then my request for people to help test RPZ. Nothing was hidden.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This was done because you (and maybe others) did not have the time and I wanted to help and because I needed assistance with RPZ. I tried my best to do this without bothering you.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t think that it is accurate that nobody wanted to help on this. The list was always open - although not every email has been replied to swiftly it is also your responsibility to raise a question again if it was missed. People here have open ears.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It was also stated on this very list and in our documentation that working on something without involving the core team is a risky undertaking. Of course IPFire is free software and so everyone is free to fork if they wish to do so.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You were aware many steps along the way. See your email on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024, and January 16. My attempts to get the team involved were met with "things are busy" and sometimes silence. (Yes, I get it, people are busy.)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You and Adolf, Leo, Erik and Bernhard have been aware since the beginning. You mention you were aware of the "proof-of-concept". If you include those beginning posts, since Sep 2023.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, I am aware of a proof-of-concept that I have been running myself for a long time. I am also aware of the efforts that you have been taking.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yet I don’t think there has ever been any joint effort, or am I seeing that wrong?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This has not been discussed . . . on our calls.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On the July 28th you stated:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "We have talked about RPZ many times on the monthly call since the URL filter feature is falling more and more out of fashion. I think there is also many posts about this on the forum."
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please don’t insult me again by stating "you know what I mean".
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And it has been discussed but not documented in the Monthly Meeting notes.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I am not at all insulting you. I don't want to take this down to a personal level at all. This is a public mailing list and people who read this don't need to listen to an argument we are having. They are here for the tech inside IPFire.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> When I wrote that it has not been discussed that does not mean that we have not been touching on the topic. We have been talking about lots of things on the calls, the weather, politics, how our pets are. None of that makes it to the logs. What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Regular conversation on the Dev Mailing list is many times met with silence. I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And regular two-way conversation doesn't happen on the list. At least not with me. I'd be happy to point out the posts that were met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Again, I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And you think my emails are not being met with silence? This has nothing to do with this specific topic. This has something to do with how occupied people are and how engaged they are on certain topics. Not everyone is involved in all the things and simply will ignore emails simply based on their subject line.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> But the "dip here to the list" were my attempts to get a conversation started. As I said, many times met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The only place I was not met with silence was on the Community. You have a great group of people in the Community. It is a shame you don't want to have others help. It would reduce your workload.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You should stop making statements that are not true. Who doesn't want anyone to help?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Not having this conversation on a Saturday evening would reduce my workload. At least it would free up time for something else. Helping with the things that are already on the go would reduce the workload of the entire team. Starting one thing at a time and finishing it is a lot better to manage than starting a hundred things and not even finishing one. I can tell you that I already have a hundred things on the go.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> To me it is beyond obvious…
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If it isn't what you want, then guide me with how to do this the correct way. And be specific. I am trying to help. I am trying to make things better. I am trying to do things the right way.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> To me it isn't. This is yet another project that has been dumped to the list like so many before and later on everyone has left to have the team deal with the rest.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It is a huge patch set. You explained what the vision is, but that is about it. There is no chance this will continue if this disagreement isn't solved first. I didn't even look at the code.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don't want to merge code that I don't agree with.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I asked multiple times if you "agreed with the concept" and again, met with silence. Yes I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Having support for RPZ? Yes, it was definitely on the roadmap. That I agree with.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You mentioned this in the past, but for some reason you do not disclose what I dismissed. Why do you continue to make this harder, wouldn't it be easier to tell me what I have dismissed?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have sent multiple emails trying to answer your concerns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I've gone through all of the questions you asked and I cannot find a "dismissed" item.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Maybe I need to be *more clear*. I feel humoured by this.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It is late on a Saturday and I want my dinner soon, but certainly I have stated that this should never be an add-on considering it is supposed to replace URL Filter. We should never allow people to add their own sources. I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don't want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The maintainers of Unbound and/or RPZ?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The maintainers of Hagezi list, the threatfox list, the urlhaus list, etc.?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What else? The maintainers of the RPZ scripts? That is me. Let's talk!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You. I don't care much about the providers of the lists.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> See, this is where it gets confusing. There are hundreds of open source packages as part of IPFire. Pick the last five years of items added to the IPFire build. You're telling me you have "constructive conversation with the maintainers" of all of the added packages?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> They publish their software and they don't care whether I am pulling it or not. They publish it with the commitment to maintain it - sometimes for better and sometimes for worse.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You care about me pulling your code and I don't know whether you would commit to maintain this.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> These two are very different cases.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e., Emergingthreats.net, Abuse.ch, etc.). So you've had "constructive conversation with the maintainers"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, occasionally I have phone calls with a few of these providers.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Ha! Yes a surprise. In the beginning you seemed interested as IPFire needed a replacement for URL Filter. You asked good questions about the lists picked, asked for the value to the users, etc. And I answered the best I could.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You even asked: "Why is this realised as an add-on and not part of the core system?" from your Jul 28, 2024 email.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Ah, so, why is the patch creating an add-on? Not that I am saying that what I say is law, but it has not been challenged either. If my input is being ignored, why should I put this to the top of my list of priorities? I am not disappointed about this, just trying to be very good with my time.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And on January 16, 2025 I wrote a message looking for help. And you were kind to respond quickly. So in three weeks time, since the kind response, something has changed. You went from supportive to "this".
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So yes, I am surprised.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Well, maybe I should not have replied to that email. It was clear that you were on some path that was not right, but you were not interested before in finding the right path from the beginning.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Be more specific, what has to change? What exactly did I dismiss?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Dismissal is just my assumption. I don't know what you actually did with my feedback. I can only see the end product that does not seem to contain much of it. Repeatedly I have been pointing out that we should think before we build. I am sure a lot of hours have now gone into some code that simply does not satisfy me. And I am not talking about the code itself, what it does is what I don't think is right for us.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The process is very clear for me that we should first of all think whether we want a certain feature now. Then there should be a clear roadmap for everyone to follow; tasks can be split-up as we go and hopefully then have something that is maintainable, interesting for our users and even would do us proud. This is how this should work.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So, what has to change? I don't think with shouting at each other, throwing patches around and making me generally unhappy is a good start.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Feb 6, 2025, at 2:13 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Well, here we are again with another patch regarding this feature.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I cannot quite see from your email what the question is, but if this is a request to have this merged into IPFire, I am once again sorry to disappoint you.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls. Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation. Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don't want to merge code that I don't agree with. So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don't want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> All the best,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is it?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Response Policy Zone (RPZ) is a mechanism to define local policies in a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> standardized way and load those policies from external sources.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bottom line: RPZ allows admins to easily block access to websites via DNS lookup.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> RPZ can block websites via categories. Examples include: fake websites, annoying
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> pop-up ads, newly registered domains, DoH bypass sites, bad "host" services,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> malicious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornography,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and more. RPZ lists come from various RPZ providers and their available
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> categories.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This RPZ add-on enables the RPZ functionality by adding a couple lines in a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration file. This add-on simply adds configuration files and adds
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> scripts (config, metrics and sleep) to make RPZ easier for the admin to use.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The RPZ scripts include additional languages: German, Spanish, French, Turkish,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and Italian.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> RPZ itself was released in 2010 and has been part of the IPFire build since ~2015.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Why is it needed? What is its value?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - The RPZ concept places this filtering into IPFire, our internet access
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> gateway, which is (should be) solely used as DNS source of the internal network.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - As most sites use HTTPS it makes it difficult to filter traffic with URL
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Filter without also properly configuring conventional (non-transparent)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> mode on the proxy. RPZ is a nice replacement for the URL Filter.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - No need to install and maintain an additional device like PiHole or AdBlock
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> browser extensions on multiple user devices.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - This is an additional layer of protection for users. Less worry someone will
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> click on something that gets them into trouble. And, saying this with emphasis,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the ability to do it in one place!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Blocked sites save on unneeded traffic and can lessen the threat of malware
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> in advertisements
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Logging allows the admin to see the site blocked and take actions
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - RPZ will be used at the home, home-office (work from home), schools,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ministerial, and at the office. Device counts are small (2-6) to medium (~80)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> to medium-large (200+).
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> popups, NSFW links, DOH servers, and the usual internet trash.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Change Log for RPZ add-on
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-1.0.0-18 on 2025-02-05
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Build for approval & release as IPFire add-on
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added a mod key to force an unbound restart
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-config and rpz-make:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added action for unbound restart `rpz-config unbound-restart`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - simple reformatting
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - rename far right column from "last update" to "last download"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: updated validation regex
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: moved validation to beginning of process. Now we validate before
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> creating config files.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: use CSS color variables of the main ipfire theme
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: empty zonefile remarks were stored as "undef" and caused a warning
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: HTML textarea removes the first empty line in a custom list
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - thank you Leo!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Turkish (thank you Peppe)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected empty allow/block list issue. An empty allow/block list
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> will now remove contents of allow/block.rpz files and remove unneeded
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> allow/block.conf file. (thank you iptom)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-config:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: correct missing rpz extension. `rpz-config list` displayed URL
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incorrectly (thank you Bernhard)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: remove extra `"` in language files (thank you Bernhard)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: slightly dim "apply" button when not enabled
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - skipped
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for French (thank you gw-ipfire)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Italian (thank you umberto)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Spanish (thank you Roberto)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation error for a custom list entry (thank you siosios)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - e.g., `*.cloudflare-dns.com`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install.sh:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update.sh:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files (thank you siosios)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for German (thank you Leo)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add missing "rpz exitcode 110"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - skipped
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> All:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: includes beta version numbers for pakfire package,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, for each release.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new WebGUI at `rpz.cgi`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - a BIG thank you to Leo Hofmann for all of his work creating the webgui!!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: validate entries in allowlist and blocklist
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: add "no-reload" option for WebGUI
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: info can be sorted by name, by hit count, by line count, by
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "enabled" list or all lists
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> backups:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update.sh:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during an
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Build:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: `block.rpz.conf` and `block.rpz` from build. Files to be created
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> by `rpz-make`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> WebGUI and German language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Leo-Andres Hofmann
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Spanish language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Roberto Peña
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Italian language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Umberto Parma
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> French language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: gw-ipfire
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Turkish language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Peppe Tech
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Bernhard Bitsch
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Erik Kapfer
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signed-off-by: Jon Murphy
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/backup/includes/rpz | 4 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/cfgroot/manualpages | 1 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/menu/EX-rpz.menu | 6 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/configroot | 1 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/web-user-interface | 1 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/packages/rpz | 20 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/00-rpz.conf | 10 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-config | 130 +++
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-functions | 85 ++
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-make | 203 +++++
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-metrics | 170 ++++
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-sleep | 58 ++
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.de.pl | 30 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.en.pl | 30 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.es.pl | 30 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.fr.pl | 30 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.it.pl | 30 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.tr.pl | 30 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> html/cgi-bin/rpz.cgi | 923 +++++++++++++++++++++++
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> lfs/rpz | 96 +++
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> make.sh | 3 +-
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/install.sh | 36 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/uninstall.sh | 38 +
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/update.sh | 52 ++
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 24 files changed, 2016 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/backup/includes/rpz
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/menu/EX-rpz.menu
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rootfiles/packages/rpz
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100755 = config/rpz/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100755 = config/rpz/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = html/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 lfs/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/install.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/uninstall.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/update.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git = a/config/backup/includes/rpz b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..36513e494 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,4 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
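Review bot: in config/backup/includes/rpz the last pattern, `+/etc/unbound/local.d/*rpz.conf`, also matches `00-rpz.conf`, which config/rootfiles/packages/rpz installs as a package file (`etc/unbound/local.d/00-rpz.conf`); restoring a backup taken with an earlier add-on version will therefore overwrite the packaged file with a stale copy, silently reverting any `module-config` or zone settings changed in a later release. Please list the generated configuration explicitly (the changelog names `block.rpz.conf` as created by `rpz-make`) rather than using a glob that captures the shipped file, or make sure `update.sh` reinstalls `00-rpz.conf` after a restore.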
diff --git = a/config/cfgroot/manualpages b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- a/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -70,6 +70,7 @@ = pakfire.cgi=3Dconfiguration/ipfire/pakfire >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # Logs menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = logs.cgi/summary.dat=3Dconfiguration/logs/ summary >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/menu/EX-rpz.menu = b/ config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..2f4daf410 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,6 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +}; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/ = configroot b/config/rootfiles/common/ configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- = a/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ = b/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -120,6 +120,7 @@ = var/ipfire/menu.d/70- log.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git = a/config/rootfiles/common/web- user-interface b/config/rootfiles/common/ = web-user-interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- = a/config/rootfiles/common/web-user- interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ = b/config/rootfiles/common/web-user- interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -69,6 +69,7 @@ = srv/web/ipfire/cgi-bin/ proxy.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git = a/config/rootfiles/packages/ rpz b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..1c8663049 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,20 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = +var/ipfire/backup/addons/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/00-rpz.conf = b/ config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..f005a4f2e >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,10 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +server: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + module-config: "respip validator = iterator" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpz: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + name: allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + zonefile: = /etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-action-override: passthru >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-log: yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-log-name: allow >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/rpz-config b/ = config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..c72d50f9b >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,130 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#!/bin/bash >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = +#########################################################################= ###### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# IPFire.org - A linux based = firewall # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# Copyright (C) 2024-2025 IPFire = Team # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# This program is free software: you = can redistribute it and/or modify # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# it under the terms of the GNU = General Public License as published by # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# the Free Software Foundation, = either version 3 of the License, or # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# (at your option) any later = version. # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# This program is distributed in the = hope that it will be useful, # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# but WITHOUT ANY WARRANTY; without = even the implied warranty of # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A = PARTICULAR PURPOSE. See the # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# GNU General Public License for = more details. # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# You should have received a copy of = the GNU General Public License # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# along with this program. If not, = see . 
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = +#########################################################################= ###### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +############### Functions = ############### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +############### Main ############### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +tagName=3D"unbound" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzAction=3D"${1}" # input RPZ = action >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzOption1=3D"${4}" # input RPZ = option #1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzOption2=3D"${5}" # input RPZ = option #2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/ = ${rpzName}.rpz.conf" # output zone conf file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/ = ${rpzName}.rpz" # output for RPZ file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzLog=3D"yes" # log default is yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +ucReload=3D"yes" # reload default is = yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + case "$1" in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + --no-reload ) ucReload=3D"no" ; = checkConf=3D"no" ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + esac >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + shift # Shift after checking all = the cases to get next option 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +done >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +case "${rpzAction}" in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # add new rpz list >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + add ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_name "${rpzName}" # is this a = valid name? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # does this config already exist? = If yes, then exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: duplicate - = ${rpzConfig} already exists. exit" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 104 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # is this a valid URL? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + regex=3D'^https://[-[:alnum:]\+&@#/%?= =3D~_|!:,.;]*[-[:alnum:]\+&@#/%=3D~_|]' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex ]] = ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: the URL is not = valid: \"${rpzURL}\". exit." 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 105 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # create the zone config file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + { >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo "rpz:" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-action-override: = nxdomain" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-signal-nxdomain-ra: yes" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + } > "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # set-up zonefile >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # create an empty rpz file if it = does not exist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if [[ ! -f "${rpzFile}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + touch "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # unbound requires these settings = for rpz files >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + set_permissions "${rpzFile}" = "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # trash config file & rpz file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + remove ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: cannot remove = ${rpzConfig}, does not exist. 
exit" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 106 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "info: rpz: remove config = file & rpz file \"${rpzName}\"" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + reload ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + list ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/ = [[:blank:]]|\.rpz/, "",$2) ; NAME=3D$2 } \ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") = ; print NAME"=3D"$2":"$3} ' \ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + unbound-restart ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + unbound_restart >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: missing or = incorrect parameter" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + printf "Usage: $(basename "$0") =
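Review bot: the new rootfile `config/rootfiles/packages/rpz` lists `srv/web/ipfire/cgi-bin/rpz.cgi` as its last entry, after the `usr/` and `var/` paths, while every other entry in the file and in the other rootfiles touched by this series is kept sorted; move it up ahead of `usr/sbin/rpz-config` so the file stays sorted and future diffs against it stay small.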
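Review bot: in `config/rpz/00-rpz.conf`, `rpz-signal-nxdomain-ra: yes` has no effect on a zone whose action is forced to `passthru` by `rpz-action-override: passthru`, because that option only changes how an NXDOMAIN answer is signalled; drop it from the allow zone or add a comment saying it is intentional. The allow zone also only works if `00-rpz.conf` is read before every `${rpzName}.rpz.conf` that `rpz-config` generates, so that its `passthru` wins; that ordering is purely lexical, so the file should carry a comment stating it, and `check_name` (not part of this diff) should be checked to reject names that would sort ahead of `00-`. Finally, a `module-config` line replaces the complete module list rather than adding `respip` to it, so any module the base unbound configuration relies on has to be repeated in `"respip validator iterator"`; a comment to that effect would avoid surprises later.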
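Review bot: in `config/rpz/rpz-config`, the URL check in the `add` branch is anchored only at the start (`regex='^https://[-[:alnum:]\+&@#/%?=~_|!:,.;]*[-[:alnum:]\+&@#/%=~_|]'`) with no trailing `$`, so anything after the matched prefix (a space, a quote, a newline) passes validation and is then written verbatim by `echo "  url: ${rpzURL}"` into the unbound config; anchor the expression with `$` so that, since the value arrives from rpz.cgi, only the allowed character set can reach the config file. Further points in the same file: `checkConf` is assigned only by `--no-reload`, so `check_unbound_conf "${checkConf}"` in the `reload` and `unbound-restart` branches receives an empty string by default; initialise it next to `rpzLog` and `ucReload`. The `remove` branch builds `rpzConfig` and `rpzFile` from `rpzName` and deletes them without calling `check_name` the way `add` does; apply the same check there so a malformed name cannot make the `rm` act outside `/etc/unbound`. `set_permissions "${rpzFile}" "${rpzConfig}"` sits inside `if [[ ! -f "${rpzFile}" ]]`, so when the zonefile already exists the freshly written `${rpzConfig}` never gets its permissions set; move the call after the `fi`. In the `list` branch, `print NAME"="$2":"$3` with `-F':'` drops everything after a second colon, so a URL with a port or with `:` in its path (both accepted by the add regex) is truncated; strip the `url:` key with `sub()` and print the rest of the line instead. Lastly, inside a bracket expression a backslash is literal, so `\+` in the regex admits a backslash as well as `+`; write `+` unescaped.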