From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] RPZ: bug fix and code update Date: Fri, 23 Aug 2024 10:18:27 +0100 Message-ID: <88CABBB3-B76A-4AF7-9D65-0C7BB3545DEA@ipfire.org> In-Reply-To: <65FA8AD8-467A-4385-923F-F3A778D3F450@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2219891729224394629==" List-Id: --===============2219891729224394629== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Morning, > On 22 Aug 2024, at 16:37, jon wrote: >=20 > Hi Michael, >=20 >=20 >> On Aug 21, 2024, at 5:03=E2=80=AFAM, Michael Tremer wrote: >>=20 >> Hello Jon, >>=20 >>> On 15 Aug 2024, at 23:22, jon wrote: >>>=20 >>> Comments below=E2=80=A6 >>>=20 >>>=20 >>>> On Aug 15, 2024, at 1:33=E2=80=AFPM, Michael Tremer wrote: >>>>=20 >>>> Hello, >>>>=20 >>>>> On 15 Aug 2024, at 17:57, jon wrote: >>>>>=20 >>>>>=20 >>>>> Comments below. >>>>>=20 >>>>> Jon >>>>>=20 >>>>>=20 >>>>>> On Aug 15, 2024, at 10:33=E2=80=AFAM, Michael Tremer wrote: >>>>>>=20 >>>>>> Hello, >>>>>>=20 >>>>>>> On 14 Aug 2024, at 18:14, jon wrote: >>>>>>>=20 >>>>>>> Michael, >>>>>>>=20 >>>>>>> Sorry for putting you on the spot, but what do you want to do with th= is RPZ add-on? >>>>>>=20 >>>>>> I am not sure this is a question for only me. >>>>>>=20 >>>>>> I personally just don=E2=80=99t have any capacity to take on another r= ather large project as I have a huge backlog of so many things and I feel lik= e a lonely fighter getting these all over the line. For my own sanity I need = to have a couple of those closed before thinking about the next ones. >>>>>>=20 >>>>>> A couple of months ago we have talked on the monthly call about RPZ an= d the decision that was made by the people was to not look at this now, just = because there were other more pressing things. We could also not find answers= to the questions that led us into RPZ: >>>>>>=20 >>>>>> * Are there any good lists out there that would allow us to replace th= e URL Filter? That thing is basically on its last leg because of the lack of = lists. We need to be able to block ads and pr0n and that very reliably. >>>>>=20 >>>>> I believe this exists with the Hagezi lists at https://github.com/hagez= i/dns-blocklists and/or the addition of a chosen "oisd NSFW" list at https://= oisd.nl/setup >>>>>=20 >>>>> I understand there is no time to review to see if this meet the needs. = So we can leave this as "I believe these exist" for now. >>>>=20 >>>> So, I am not sure what to think of all these things on GitHub. It seems = that there are many repositories that pop up and presumably disappear in the = same kind of way. We see this with the IP blocklists. >>>>=20 >>>> We want quality blocklists. I know that we don=E2=80=99t have too much o= n the URL Filter front, but I would prefer to avoid putting so much work in i= f we in the end stand where we started. >>>=20 >>> This makes perfect sense. Based on the comments I=E2=80=99ve seen it see= ms like Hagezi is growing in popularity and in offerings. =20 >>>=20 >>> Gerd (the owner) is very responsive, involved and I keep running into his= posts when searching for RPZ "things". Gerd quickly made changes per my req= uest: see https://github.com/hagezi/dns-blocklists/issues/2301. Now there a= re two TLD RPZ lists. >>>=20 >>> Like everything else I cannot predict how long it might last. >>=20 >> If you have such a good connection, could you do me the favour and ask why= the prefer distributing those lists using HTTPS and not DNS?=20 >=20 > I=E2=80=99d be happy to ask Gerd, but I do not understand what you want me = to ask. It sounded like you have a personal connection. That is all. > I guessed it is related to this: > https://www.ipfire.org/blog/ipfire-location-a-decentralised-signed-database= -in-dns > https://www.ipfire.org/location/how-to-use/dns >=20 > I understand the APIs you had added, but I do not understand how this relat= ed to the DNS blocked lists. =20 Yes, this is slightly related to this. I am just running a network of authori= tative DNS servers scattered a little bit across the world. It is an essentia= l part of the IPFire infrastructure but also hosts a couple of other things. = And since it is there, it is a nice thing to bolt on more things. > What might the query do? Look up a requested domain? The relationship to RPZs is that we could use that service to host them. It i= s a DNS-based technology after all. >> Is it simply that GitHub is free and does not offer DNS? :) >=20 > I did not find GitHub DNS server(s) listed anywhere. Just lots of referenc= es on setting up DNS on other servers... No, GitHub does not offer any DNS services. > Let me know what you want asked, specifically, and I will pass it on to Ger= d! The question is only whether it was a conscious decision to distribute the li= sts over HTTP instead of using DNS. Maybe it was just chosen because that is = what was available to them. >>=20 >>>>=20 >>>>>>=20 >>>>>> * We need to look into privacy when RPZs are being realised over DNS -= I don=E2=80=99t even understand why we are suddenly starting to pull text fi= les over HTTP again. The IPS seems to have most of these lists already. >>>>>=20 >>>>> All of the lists that I am pull are HTTPS. And HTTPS only is currently= checked (validated) in the existing `rpz-config` code. >>>>=20 >>>> What a lost case. DNS is a globally distributed, cacheable protocol. We = could simply put all those blacklists into the DNS caches all around the worl= d. They would respond fast, be local to so many people, but instead we downlo= ad massive text files. That means that whenever something changes the entire = file needs to be transferred again. They are huge. We would want many fast up= dates which are not possible that way=E2=80=A6 but I digress. >>>=20 >>> I came across one DNS service that offers the Hagezi lists as part of the= ir available DNS services. If interested I can find and post the details. >>=20 >> I run a global DNS system where we could easily add this all to. This woul= d scale like hell. It would be a fun project. >>=20 >> Just for fun, I have imported "jpgpi250.github.io =E2=80=9D which you can pull from either dfw.lwldns.net or haj.lwldns.net . This would be so much bett= er since DNS zone transfer checks the serial of the zone and does not retrans= fer it if it has not changed (and I suppose none of these lists change that f= requently). >>=20 >=20 > Peter=E2=80=99s jpgpi250 DoH rpz list updates one per day near 04:00 CEST (= 02:00 UTC). A handful of adds or deletes every night. >=20 > Gerd=E2=80=99s block DoH rpz list updates twice per day as needed. Sometim= e once per day, sometimes twice per day. Yeah, that is not a lot, so DNS would qualify to distribute the lists. >> Sadly our DNS system does not support this,=20 >=20 > I do not know what "global DNS system" is support. Is it not unbound based= ? =20 No those servers are running PowerDNS behind a load-balancer. Unbound is just= a recursor and not an authoritative DNS server. > There are many different formats to feed to DNS system: > https://github.com/hagezi/dns-blocklists?tab=3Dreadme-ov-file#outbox_tray-e= ncrypted-dns-servers-only- >=20 > Maybe one of these might help? >=20 >=20 >> but there is also IXFR for incremental zone updates where you would only l= oad the changes. >=20 >=20 >>=20 >>>=20 >>>=20 >>>>=20 >>>> How much traffic did you observe? >>>=20 >>>=20 >>> I have 11 RPZ list (honestly too many but I am experimenting) and that ea= t up about 230M bytes per day. >>=20 >> Oh wow that is huuuuuge. I assume that is repeat downloads? How large are = the zone files just downloaded once? >=20 > Here is the size of each file (grapped via `ls -lS /etc/unbound/zonefiles` = and snipped): >=20 > 10,655,321 MxProPlusHZ.rpz > 90,909 dohJPG.rpz > 76,591 HosterHZ.rpz > 72,628 DOHblockHZ.rpz > 37,411 urlhaus.rpz > 27,863 WinTrkrHZ.rpz > 12,333 NotSafeSearchHZ.rpz > 7,573 AppleTrkrHZ1.rpz > 7,308 tldAggHZ.rpz > 2,631 tldHZ.rpz > 966 allow.rpz > 238 block.rpz >=20 >=20 >>=20 >>>> How is Unbound refreshing these? >>>=20 >>>=20 >>> Unbound RPZ takes care of the updates automagically. There is no cron en= try. >>>=20 >>> Each RPZ list includes an SOA line similar to this: >>> `@ SOA localhost. root.localhost. 1723093380 43200 3600 259200 300` >>>=20 >>> The 43200 is the refresh period in seconds. So this RPZ list auto update= s every 12 hours. =20 >>>=20 >>>=20 >>>> Is there a local cache? >>>=20 >>> Yes, it is part of unbound. (Nothing we need to setup) >>=20 >> Would it use the cache for zones transferred over DNS, too? >=20 > I do not know. >=20 >>=20 >>>=20 >>>=20 >>>>=20 >>>>>> Regarding your code, there are some issues with the coding style, but = I heavily appreciate the pioneering to bring this feature to life. >>>>>=20 >>>>> My style is camelCase, but if you prefer snake_case that is an easy cha= nge (please speak up). >>>>>=20 >>>>> As for as other style changes, that can wait until time is available by= the core developers. >>>>=20 >>>> It is mainly that you make things very complicated for yourself. Call = =E2=80=9Ccat=E2=80=9D, not =E2=80=9C/bin/cat=E2=80=9D. There is no guarantee = that things will stay where they are now and the shell has lots of builtins t= hat execute a lot faster. >>>=20 >>> I will remove the executable paths. What builtin did you see that I miss= ed? Anything else? >>=20 >> A builtin is just a command that really isn=E2=80=99t one. So there is a /= bin/echo somewhere, but when you just write =E2=80=9Cecho=E2=80=9D in the she= ll, it will simply output the string itself. That is a lot faster than forkin= g a new process. That is all. >=20 >=20 > Got it! All changed to: >=20 > echo "multi line string" > "${rpzConfig}" >=20 >=20 >>=20 >>>>=20 >>>> And this is all designed to work on the shell. We need something for the= web UI. >>>=20 >>> For commands within the WegGUI there are `safe_system` commands on the `.= cgi` page. =20 >>>=20 >>> But I am guess you are referring to something else. >>=20 >> That was mainly for the metrics=E2=80=A6 We would want those to be shown o= n the web UI and the tool that you currently have outputs it on the shell. Th= at is what that meant. >=20 > For short term the metrics will be via shell only. =20 >=20 > Long term, agree, metrics via the WebGUI! >=20 >=20 >>=20 >>>>=20 >>>>>> What it would need to be finally merged would be a web UI though. So I= think we have a long way ahead of us. >>>>>=20 >>>>> The attachment is an early mock-up I made a few months ago (made with P= ixelmator Pro). The WebGUI is being worked on now. >>>>>=20 >>>>> >>>>=20 >>>> I think we might look for something that is very similar to the IPS rule= set editor or the IP blocklists. >>>>=20 >>>> I am not even sure if we would require users to manage this or whether w= e would curate a list like with the IPS and IP blocklists. >>>=20 >>> The first "DRAFT" of this was for the user/admin to manage the list. For= the RPZ add-on, I=E2=80=99d prefer to keep it this way until we figure out i= f RPZ is popular and used by the user/admins. >>>=20 >>> And yes, it could be changed to a set list like IPS. FYI - there are 34 = different Hagezi list. So it will take some experiments to pick a "the" list. >>=20 >> Well it doesn=E2=80=99t have to be just one. People might want to block di= fferent things=E2=80=A6 >=20 > Agree! >=20 >>=20 >> It just seems that they come as a package =E2=80=9CLight=E2=80=9D, =E2=80= =9CNormal=E2=80=9D, =E2=80=9CPro=E2=80=9D, =E2=80=9CPro++=E2=80=9D and it is = either that or nothing. >=20 > More than nothing - Here are the individual (non-package) lists for Hagezi: >=20 > =E2=80=A2 Fake - Protects against internet scams, traps & fakes! > =E2=80=A2 Pop-Up Ads - Protects against annoying and malicious pop-up ads! > =E2=80=A2 Threat Intelligence Feeds - Increases security significantly! (Re= commended) : Full - Medium - Mini - IPs > =E2=80=A2 Newly Registered Domains - Favoured by threat actors to launch ma= licious campaigns! : 14 days - 30 days > =E2=80=A2 DoH/VPN/TOR/Proxy Bypass - Prevent methods to bypass your DNS! : = Full - DoH only - DoH IPs > =E2=80=A2 Safesearch not supported - Prevent the use of search engines that= do not support Safesearch! > =E2=80=A2 Dynamic DNS - Protects against the malicious use of dynamic DNS s= ervices! > =E2=80=A2 Badware Hoster - Protects against the malicious use of free host = services! > =E2=80=A2 Most Abused TLDs - Protects against known malicious Top Level Dom= ains! > =E2=80=A2 Anti Piracy - Protects against piracy! > =E2=80=A2 Gambling - Protects against gambling content! : Full - Medium - M= ini > =E2=80=A2 NSFW (external) - oisd NSFW - Protects against adult content! > =E2=80=A2 Native Tracker - Broadband tracker of devices, services and opera= ting systems >=20 > And there are others out there also. Others might exist, but as it seems they all mix and match their lists togeth= er. So there will a lot of overlap which becomes a waste of memory and data t= ransfer. Looking at that list, I am not sure what I would want to turn on in my home/i= f I was a school/a generic office company. > Do I have your blessing to keep moving forward? What do you want to move forward with? What are the next steps? -Michael > Jon >=20 >=20 >=20 > PS - Here is the current WebGUI for RPZ. >=20 > >=20 >=20 >=20 > And the EDIT pencil. >=20 >=20 > >=20 >=20 >=20 >> -Michael >>=20 >>> Also, here is current DRAFT (first draft) of user/admin managed WebGUI. = See attachment. >>>=20 >>> >>>=20 >>>=20 >>> Jon >>>=20 >>>=20 >>>>=20 >>>>> Does this help? >>>>> Jon >>>>>=20 >>>>>=20 >>>>>>=20 >>>>>> -Michael >>>>>>=20 >>>>>>> I saw your comments in the Dev Mailing List of "generally being in fa= vor of trying this path" (bad paraphrasing on my part) >>>>>>>=20 >>>>>>> I saw your comments in bugzilla at https://bugzilla.ipfire.org/show_b= ug.cgi?id=3D13254#c171 >>>>>>>> I am not interested in anything regarding the RPZs right now. They h= ave not been properly put on the agenda and looking at how much time we have = on our hands, this won't make it on the agenda for years. >>>>>>>>=20 >>>>>>>> I don't want to build blockers, but this ticket is about a different= problem which I want to solve first. >>>>>>>=20 >>>>>>>=20 >>>>>>> How do you want to go forward? >>>>>>>=20 >>>>>>>=20 >>>>>>> Jon >>>>>>>=20 >>>>>>>=20 >>>>>>>> On Aug 12, 2024, at 2:11=E2=80=AFPM, jon w= rote: >>>>>>>>=20 >>>>>>>> More questions! >>>>>>>>=20 >>>>>>>> Currently RPZ config files are at `/etc/unbound/local.d` but this di= rectory seems like it is for user (admin) customizations. =20 >>>>>>>>=20 >>>>>>>> ``` >>>>>>>> [root(a)ipfire ~] # ls -al /etc/unbound/local.d >>>>>>>> total 68 >>>>>>>> drwxr-xr-x 2 nobody nobody 4096 Aug 12 13:41 . >>>>>>>> drwxr-xr-x 4 root root 4096 Aug 12 00:52 .. >>>>>>>> -rw-r--r-- 1 nobody nobody 436 Jul 12 15:45 00-rpz.conf >>>>>>>> -rw-r--r-- 1 nobody nobody 285 Mar 1 22:12 AmazonTrkrHZ.rpz.conf >>>>>>>> -rw-r--r-- 1 nobody nobody 281 Mar 1 22:02 AppleTrkrHZ.rpz.conf >>>>>>>> -rw-r--r-- 1 nobody nobody 269 Mar 1 21:40 DOHblockHZ.rpz.conf >>>>>>>> ... >>>>>>>> -rw-r--r-- 1 nobody nobody 299 Aug 1 19:42 WinTrkrHZ.rpz.conf >>>>>>>> [root(a)ipfire ~] #=20 >>>>>>>> ``` >>>>>>>>=20 >>>>>>>>=20 >>>>>>>> Each file is a config file per category (or one per RPZ file). This= makes it easy to add or remove a category (or RPZ file). >>>>>>>>=20 >>>>>>>> Should I create a new unbound directory for RPZ config files? Maybe= `/etc/unbound/rpz.d`? Or `/etc/unbound/rpz`? >>>>>>>>=20 >>>>>>>>=20 >>>>>>>> Jon >>>>>>>>=20 >>>>>>>>=20 >>>>>>>>> On Aug 1, 2024, at 1:45=E2=80=AFPM, Jon Murphy wrote: >>>>>>>>>=20 >>>>>>>>> changed all paths from `/var/ipfire/rpz/` to `/var/ipfire/dns/rpz/` >>>>>>>>> (thank you to Adolf!) >>>>>>>>>=20 >>>>>>>>> rpz-config: >>>>>>>>> - bug: corrected "Type" test from block to allow >>>>>>>>> - removed verbose parameter from various commands >>>>>>>>>=20 >>>>>>>>> rpz-metrics: >>>>>>>>> - bug: corrected grep for rpz name count >>>>>>>>> - bug: fixed divide by zero error (thank you Peppe!) >>>>>>>>>=20 >>>>>>>>> install/uninstall: >>>>>>>>> - bug: corrected scripts (thank you Bernhard!) >>>>>>>>>=20 >>>>>>>>> Signed-off-by: Jon Murphy >>>>>>>>> --- >>>>>>>>> config/backup/includes/rpz | 4 ++-- >>>>>>>>> config/rootfiles/packages/rpz | 6 +++--- >>>>>>>>> config/rpz/rpz-config | 14 +++++++------- >>>>>>>>> config/rpz/rpz-metrics | 9 +++++---- >>>>>>>>> lfs/rpz | 6 +++--- >>>>>>>>> src/paks/rpz/install.sh | 27 +++++++++++++++++++++++++++ >>>>>>>>> src/paks/rpz/uninstall.sh | 31 +++++++++++++++++++++++++++++++ >>>>>>>>> src/paks/rpz/update.sh | 25 +++++++++++++++++++++++++ >>>>>>>>> 8 files changed, 103 insertions(+), 19 deletions(-) >>>>>>>>> create mode 100644 src/paks/rpz/install.sh >>>>>>>>> create mode 100644 src/paks/rpz/uninstall.sh >>>>>>>>> create mode 100644 src/paks/rpz/update.sh >>>>>>>>>=20 >>>>>>>>> diff --git a/config/backup/includes/rpz b/config/backup/includes/rpz >>>>>>>>> index 4d59bb40c..8c7410ebd 100644 >>>>>>>>> --- a/config/backup/includes/rpz >>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>> @@ -1,5 +1,5 @@ >>>>>>>>> -/var/ipfire/rpz/allowlist >>>>>>>>> -/var/ipfire/rpz/blocklist >>>>>>>>> +/var/ipfire/dns/rpz/allowlist >>>>>>>>> +/var/ipfire/dns/rpz/blocklist >>>>>>>>> /etc/unbound/zonefiles/allow.rpz >>>>>>>>> /etc/unbound/zonefiles/block.rpz >>>>>>>>> /etc/unbound/local.d/*rpz.conf >>>>>>>>> diff --git a/config/rootfiles/packages/rpz b/config/rootfiles/packa= ges/rpz >>>>>>>>> index 2ffa715dd..183825362 100644 >>>>>>>>> --- a/config/rootfiles/packages/rpz >>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>> @@ -6,6 +6,6 @@ usr/sbin/rpz-config >>>>>>>>> usr/sbin/rpz-metrics >>>>>>>>> usr/sbin/rpz-sleep >>>>>>>>> var/ipfire/backup/addons/includes/rpz >>>>>>>>> -var/ipfire/rpz >>>>>>>>> -var/ipfire/rpz/allowlist >>>>>>>>> -var/ipfire/rpz/blocklist >>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config >>>>>>>>> index 98dc0a4ca..a24a5c132 100644 >>>>>>>>> --- a/config/rpz/rpz-config >>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>> @@ -19,7 +19,7 @@ >>>>>>>>> # = # >>>>>>>>> ###################################################################= ############ >>>>>>>>>=20 >>>>>>>>> -# v22 - 2024-07-12 >>>>>>>>> +# v23 - 2024-07-30 >>>>>>>>>=20 >>>>>>>>> ############### Functions ############### >>>>>>>>>=20 >>>>>>>>> @@ -54,11 +54,11 @@ check_unbound_conf () { >>>>>>>>> make_rpz_file () { >>>>>>>>> local theType=3D"${1}" # allow or block >>>>>>>>>=20 >>>>>>>>> - theList=3D"/var/ipfire/rpz/${theType}list" # input user list of d= omains >>>>>>>>> + theList=3D"/var/ipfire/dns/rpz/${theType}list" # input custom lis= t of domains >>>>>>>>> theZoneFile=3D"/etc/unbound/zonefiles/${theType}.rpz" # output file= for RPZ >>>>>>>>>=20 >>>>>>>>> theAction=3D'.' >>>>>>>>> - if [[ "${theType}" =3D~ "block" ]] ; then >>>>>>>>> + if [[ "${theType}" =3D~ "allow" ]] ; then >>>>>>>>> theAction=3D'rpz-passthru.' >>>>>>>>> fi >>>>>>>>>=20 >>>>>>>>> @@ -131,8 +131,8 @@ case "${theAction}" in >>>>>>>>> # set-up zone file >>>>>>>>> /usr/bin/touch "${rpzFile}" >>>>>>>>> # unbound requires these settings for rpz files >>>>>>>>> - /bin/chown --verbose nobody:nobody "${rpzFile}" >>>>>>>>> - /bin/chmod --verbose 644 "${rpzFile}" >>>>>>>>> + /bin/chown nobody:nobody "${rpzFile}" >>>>>>>>> + /bin/chmod 644 "${rpzFile}" >>>>>>>>> ;; >>>>>>>>>=20 >>>>>>>>> # trash config file & rpz file >>>>>>>>> @@ -143,8 +143,8 @@ case "${theAction}" in >>>>>>>>> fi >>>>>>>>>=20 >>>>>>>>> msg_log "info: rpz: remove config file & rpz file \"${theName}\"" >>>>>>>>> - /bin/rm --verbose "${rpzConfig}" >>>>>>>>> - /bin/rm --verbose "${rpzFile}" >>>>>>>>> + /bin/rm "${rpzConfig}" >>>>>>>>> + /bin/rm "${rpzFile}" >>>>>>>>>=20 >>>>>>>>> check_unbound_conf >>>>>>>>> ;; >>>>>>>>> diff --git a/config/rpz/rpz-metrics b/config/rpz/rpz-metrics >>>>>>>>> index 0f97c7911..4d932726e 100644 >>>>>>>>> --- a/config/rpz/rpz-metrics >>>>>>>>> +++ b/config/rpz/rpz-metrics >>>>>>>>> @@ -19,7 +19,7 @@ >>>>>>>>> # = # >>>>>>>>> ###################################################################= ############ >>>>>>>>>=20 >>>>>>>>> -# v18 on 2024-07-05 >>>>>>>>> +# v19 on 2024-07-30 >>>>>>>>>=20 >>>>>>>>> ############### Main ############### >>>>>>>>>=20 >>>>>>>>> @@ -33,7 +33,7 @@ messageLogs=3D$( find /var/log/messages* -type f | >>>>>>>>>=20 >>>>>>>>> # get the list of RPZ names & counts from the message log(s) >>>>>>>>> rpzNameCount=3D$( for logf in ${messageLogs} ; do >>>>>>>>> - /usr/bin/zgrep --text --fixed-strings 'info: rpz: applied' "${log= f}" | >>>>>>>>> + /usr/bin/zgrep --text --extended-regexp 'info: rpz: applied.* A I= N$' "${logf}" | >>>>>>>>> /usr/bin/awk '$10 ~ /\[\w*]/ { print $10 }' ; >>>>>>>>> done | /usr/bin/sort | /usr/bin/uniq --count ) >>>>>>>>>=20 >>>>>>>>> @@ -107,8 +107,9 @@ do >>>>>>>>> theLines=3D$( /bin/echo "${output}" | /usr/bin/awk '{ print $1 }' ) >>>>>>>>> totalLines=3D$(( totalLines + theLines )) >>>>>>>>>=20 >>>>>>>>> - #hitsPerLine=3D$( echo "scale=3D0 ; $theHits / $theLines" | bc ) >>>>>>>>> - hitsPerLine=3D$(( 100 * theHits / theLines )) >>>>>>>>> + if [[ "${theLines}" -gt 2 ]] ; then >>>>>>>>> + hitsPerLine=3D$(( 100 * theHits / theLines )) >>>>>>>>> + fi >>>>>>>>> fi >>>>>>>>>=20 >>>>>>>>> # get modification date >>>>>>>>> diff --git a/lfs/rpz b/lfs/rpz >>>>>>>>> index 319c10b7f..73f6f2b1b 100644 >>>>>>>>> --- a/lfs/rpz >>>>>>>>> +++ b/lfs/rpz >>>>>>>>> @@ -67,9 +67,9 @@ $(TARGET) : >>>>>>>>> $(DIR_CONF)/rpz/{rpz-config,rpz-metrics,rpz-sleep} -t /usr/sbin >>>>>>>>>=20 >>>>>>>>> # Install settings folder and two empty files >>>>>>>>> - mkdir -pv /var/ipfire/rpz >>>>>>>>> - touch /var/ipfire/rpz/allowlist >>>>>>>>> - touch /var/ipfire/rpz/blocklist >>>>>>>>> + mkdir -pv /var/ipfire/dns/rpz >>>>>>>>> + touch /var/ipfire/dns/rpz/allowlist >>>>>>>>> + touch /var/ipfire/dns/rpz/blocklist >>>>>>>>>=20 >>>>>>>>> # Add conf file to /etc directory >>>>>>>>> cp -vf $(DIR_CONF)/rpz/00-rpz.conf /etc/unbound/local.d >>>>>>>>> diff --git a/src/paks/rpz/install.sh b/src/paks/rpz/install.sh >>>>>>>>> new file mode 100644 >>>>>>>>> index 000000000..0a797e158 >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/src/paks/rpz/install.sh >>>>>>>>> @@ -0,0 +1,27 @@ >>>>>>>>> +#!/bin/bash >>>>>>>>> +##################################################################= ############# >>>>>>>>> +# = # >>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>> +# Copyright (C) 2024 IPFire Team = # >>>>>>>>> +# = # >>>>>>>>> +# This program is free software: you can redistribute it and/or m= odify # >>>>>>>>> +# it under the terms of the GNU General Public License as publish= ed by # >>>>>>>>> +# the Free Software Foundation, either version 3 of the License, = or # >>>>>>>>> +# (at your option) any later version. = # >>>>>>>>> +# = # >>>>>>>>> +# This program is distributed in the hope that it will be useful,= # >>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of = # >>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # >>>>>>>>> +# GNU General Public License for more details. = # >>>>>>>>> +# = # >>>>>>>>> +# You should have received a copy of the GNU General Public Licen= se # >>>>>>>>> +# along with this program. If not, see . # >>>>>>>>> +# = # >>>>>>>>> +##################################################################= ############# >>>>>>>>> +# >>>>>>>>> +. /opt/pakfire/lib/functions.sh >>>>>>>>> +extract_files >>>>>>>>> +restore_backup ${NAME} >>>>>>>>> + >>>>>>>>> +# restart unbound to load config file >>>>>>>>> +/etc/init.d/unbound restart >>>>>>>>> diff --git a/src/paks/rpz/uninstall.sh b/src/paks/rpz/uninstall.sh >>>>>>>>> new file mode 100644 >>>>>>>>> index 000000000..4fb20e127 >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/src/paks/rpz/uninstall.sh >>>>>>>>> @@ -0,0 +1,31 @@ >>>>>>>>> +#!/bin/bash >>>>>>>>> +##################################################################= ############# >>>>>>>>> +# = # >>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>> +# Copyright (C) 2024 IPFire Team = # >>>>>>>>> +# = # >>>>>>>>> +# This program is free software: you can redistribute it and/or m= odify # >>>>>>>>> +# it under the terms of the GNU General Public License as publish= ed by # >>>>>>>>> +# the Free Software Foundation, either version 3 of the License, = or # >>>>>>>>> +# (at your option) any later version. = # >>>>>>>>> +# = # >>>>>>>>> +# This program is distributed in the hope that it will be useful,= # >>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of = # >>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # >>>>>>>>> +# GNU General Public License for more details. = # >>>>>>>>> +# = # >>>>>>>>> +# You should have received a copy of the GNU General Public Licen= se # >>>>>>>>> +# along with this program. If not, see . # >>>>>>>>> +# = # >>>>>>>>> +##################################################################= ############# >>>>>>>>> +# >>>>>>>>> +. /opt/pakfire/lib/functions.sh >>>>>>>>> + >>>>>>>>> +# stop unbound to delete RPZ conf file >>>>>>>>> +/etc/init.d/unbound stop >>>>>>>>> + >>>>>>>>> +make_backup ${NAME} >>>>>>>>> +remove_files >>>>>>>>> + >>>>>>>>> +# start unbound to load unbound config file >>>>>>>>> +/etc/init.d/unbound start >>>>>>>>> diff --git a/src/paks/rpz/update.sh b/src/paks/rpz/update.sh >>>>>>>>> new file mode 100644 >>>>>>>>> index 000000000..938a93a40 >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/src/paks/rpz/update.sh >>>>>>>>> @@ -0,0 +1,25 @@ >>>>>>>>> +#!/bin/bash >>>>>>>>> +##################################################################= ############# >>>>>>>>> +# = # >>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>> +# Copyright (C) 2024 IPFire Team = # >>>>>>>>> +# = # >>>>>>>>> +# This program is free software: you can redistribute it and/or m= odify # >>>>>>>>> +# it under the terms of the GNU General Public License as publish= ed by # >>>>>>>>> +# the Free Software Foundation, either version 3 of the License, = or # >>>>>>>>> +# (at your option) any later version. = # >>>>>>>>> +# = # >>>>>>>>> +# This program is distributed in the hope that it will be useful,= # >>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of = # >>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # >>>>>>>>> +# GNU General Public License for more details. = # >>>>>>>>> +# = # >>>>>>>>> +# You should have received a copy of the GNU General Public Licen= se # >>>>>>>>> +# along with this program. If not, see . # >>>>>>>>> +# = # >>>>>>>>> +##################################################################= ############# >>>>>>>>> +# >>>>>>>>> +. /opt/pakfire/lib/functions.sh >>>>>>>>> +extract_backup_includes >>>>>>>>> +./uninstall.sh >>>>>>>>> +./install.sh >>>>>>>>> --=20 >>>>>>>>> 2.30.2 >=20 >=20 > Jon >=20 >=20 > --=20 > Jon Murphy > jon.murphy(a)ipfire.org --===============2219891729224394629==--