From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
From: Michael Tremer
Date: Thu, 7 Aug 2025 19:03:29 +0100
To: Bernhard Bitsch
Cc: development@lists.ipfire.org, Jon Murphy, erik.kapfer@ipfire.org
References: <20250206163522.2363178-1-jon.murphy@ipfire.org> <8D5093D0-A699-4C4E-AEA3-185AD323EF67@ipfire.org> <9221F825-15BB-484C-A921-118C7F3266AC@ipfire.org> <0261B2EC-034E-4231-B105-DEFB8091BF07@ipfire.org> <79F36C8A-29DD-4964-A854-21AF104A41B8@ipfire.org> <4d7fda4f-0de9-4a77-99b1-6276b161f68a@ipfire.org> <97b94a4a-1dce-4bbb-a8ed-1e16c89dd866@ipfire.org> <80F533B6-B60E-40A8-AADD-900FC0AE2FA3@ipfire.org>

Hello Bernhard,

> On 7 Aug 2025, at 15:55, Bernhard Bitsch wrote:
> 
> Hi,
> 
> the arguments are reasonable. This means, we should talk about some topics
> - Is it preferable to have a DNS blocking mechanism?

I think we covered that already.

> - If yes, how do we do it?

Why is that a question?

> - There is Jon's idea to use RPZ and Erik's work on sampling lists. Does it realize the task?

I don’t know what the goal is. To convert stuff from one format to the other is not really something we need to do on GitHub. We can run scripts on the firewall.

> - If we use RPZ, where to get the lists? ( Update mechanism is contained in unbound )

Where to get the lists is precisely the question. I have outlined a couple of must-haves a while ago and I asked the question whether we can replace all of the URL Filter feature with this. If not, then that will massively change how we will approach this project.

The lists that I have deployed in the wild have been causing problems with large amounts of false-positives and have only *very* little scope of what they actually want to filter. “Secure”, “Secure Plus” and “Secure Plus+” is nothing I think makes any of this obvious to use in IPFire.

> - How do the lists reach the end user? Do we need a server for self-compiled lists?
Why is this conversation constantly getting lost in tiny technical details that are not a problem at all? We have not even made it to a point where it is clear to everyone who wants to be involved what this feature actually is. Why are we talking about some scripts?

We have several groups that have conversations amongst themselves, some people seem to be talking to themselves just on their own. We are very far from being on the same page. And we are nowhere near thinking about implementation details.

> - Who is eager to maintain this part of the IPFire system? Integration into the DNS resolver, list generation, sampling, ....

It is not me. And if I can relay this from a recent call, none of the other people who have been on that call are interested in spending time on this.

Here is a page that someone has created on the wiki. If that information is still up to date, it should answer a couple of your questions:

https://www.ipfire.org/docs/roadmap/rpz

-Michael

> On 07.08.2025 at 15:40, Michael Tremer wrote:
>> Hello Bernhard,
>>> On 7 Aug 2025, at 10:18, Bernhard Bitsch wrote:
>>> 
>>> Hello Michael,
>>> 
>>> Erik's approach is to sample DNS block lists and convert them into RPZ format.
>> Where has any conversion been needed? Previously those lists have been downloaded directly into Unbound.
> 
> Conversion is needed, because there are not so many free real RPZ lists.
> 
>>> I don't think Erik doesn't want to establish a new GitHub repository; the work can be integrated into the IPFire infrastructure.
>> *Precisely* my point. Nobody wants to run these things they are offering there. Neither the upstream lists nor Erik. Why would we build on top of this?
>> If this were to move into the IPFire Infrastructure, who is going to build that, maintain it, and pay for it?
> 
> See discussion points above.
> 
>>> The selection of sources can be done in the same way it is done with IP Block Lists.
>>> This involves selection based on licenses.
>>> 
>>> BTW, the discussion comes up now again just because of Erik's new engagement.
>> Okay, and since last March, when the last somewhat meaningful emails have been exchanged about this, nothing else has happened? Nobody felt that they are still pushing this project to go anywhere?
>>> Nevertheless, I vote for some kind of DNS blocking. With unbound ( the DNS resolver we use now! ) the concept of RPZ implements this in an acceptable manner.
>> You can vote as much as you like. The forum people can also vote as much as they like. That won’t move anything forward. We all want things. Dreaming, praying or just “voting” won’t change anything. You will have to build it.
>> -Michael
> 
> I do not know our discussion about this entirely. But I know, there were several postings about interest in the community.
> Because the main problem is getting reasonable free lists, I suppose Erik started his project.
> 
> BR,
> Bernhard
> 
>>> 
>>> Bernhard
>>> 
>>> On 07.08.2025 at 10:17, Michael Tremer wrote:
>>>> Hello Bernhard,
>>>>> On 6 Aug 2025, at 13:32, Bernhard Bitsch wrote:
>>>>> 
>>>>> On 05.08.2025 at 18:53, Jon Murphy wrote:
>>>>>> Q. * The problem is the sources and the quality of the blacklists. Unless those are available to us and our users the entire technology is becoming worthless. This is exactly what we have with the URL filter.
>>>>>> A. To me this is similar to many other open source items. If the head MFiC walks away, then the open source becomes toast. If the project is sold or transferred to a paid service, then the open source project is toast. I don’t like it, but unless IPFire becomes the mix-master of blocklists (collect, filter, publish, etc.) then there is no way around this.
>>>>>> ==
>>>>>> Q. * Unbound itself is a whole mess and I hope we will be able to launch our plans to replace it as soon as possible.
>>>>>> A. This one I cannot answer since I don’t know the issues others have experienced. I started near the time when IPFire went from dnsmasq to unbound and to me unbound seems A-OK. But again I don’t know the issues.
>>>>> 
>>>>> What alternative is planned for unbound? Does it support RPZ or something alike?
>>>>> I think it can be agreed that such a sort of filtering is meaningful.
>>>> I have a few candidates, but nothing has been confirmed. We talked about this a few months ago on the video call and decided that we will prioritise other things first.
>>>>> Bernhard
>>>>> 
>>>>> EDIT: The case of controlled lists is in solution by Erik's work (https://github.com/twitOne/RPZ-Blocklists/tree/main)
>>>>>> ==
>>>> In all seriousness, how is *this* the solution? It embodies all problems that we have raised before in one new GitHub repository.
>>>> * It gathers many lists from various sources and merges them. That is not a list, that is just a pile of other lists combined into one. What is the benefit? The sources are already merging each other in circles. Why not use the original lists?
>>>> * This clearly breaks *all* the licensing of any of the upstream lists. Most of those are using licenses that are not even possible to use for anything else but software (MIT & GPL). Lists like this are not software. One upstream list has a fairy tale license and the two that actually chose a sensible license that mandates attribution have not been credited for their work. There is no indication that a dual-licensing or redistribution deal has been struck with any upstream providers. The “new” compiled data in that repository does not state at all under which terms it can be used.
>>>> * It even tracks which lists have been abandoned (https://github.com/twitOne/RPZ-Blocklists/issues/70).
>>>> * It is coming from someone who is not even going to put their name to it. Like most of the upstream data, too.
>>>> Please tell me what this is trying to solve. What was the goal of creating this?
>>>> Best,
>>>> -Michael
>>>>>> Specifically, what questions are remaining unanswered?
>>>>>> ------ Original Message ------
>>>>>> From "Michael Tremer"
>>>>>> To "Jon Murphy"
>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>> Date 5/23/2025 5:35:58 AM
>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>> Hello Jon,
>>>>>>> 
>>>>>>> You need to be a little bit more precise with what you actually want to know.
>>>>>>> 
>>>>>>> I think I have covered this before and can only refer to the previous emails in this conversation.
>>>>>>> 
>>>>>>> * RPZ itself is fine as a feature. It is a powerful tool we could leverage for a lot of things. It would have the potential to allow content filtering without the proxy.
>>>>>>> 
>>>>>>> * The problem is the sources and the quality of the blacklists. Unless those are available to us and our users the entire technology is becoming worthless. This is exactly what we have with the URL filter.
>>>>>>> 
>>>>>>> * Unbound itself is a whole mess and I hope we will be able to launch our plans to replace it as soon as possible.
>>>>>>> 
>>>>>>> Best,
>>>>>>> -Michael
>>>>>>> 
>>>>>>>> On 22 May 2025, at 20:45, Jon Murphy wrote:
>>>>>>>> 
>>>>>>>> I understand that "Unbound, RPZ and a blacklist" was unsuitable. I am curious what was suitable.
>>>>>>>> 
>>>>>>>> ------ Original Message ------
>>>>>>>> From "Michael Tremer"
>>>>>>>> To "Jon Murphy"
>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>> Date 5/22/2025 10:46:25 AM
>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>> 
>>>>>>>>> Unbound, RPZ and a blacklist that I deemed suitable. It isn’t.
>>>>>>>>> 
>>>>>>>>>> On 22 May 2025, at 16:45, Jon Murphy wrote:
>>>>>>>>>> 
>>>>>>>>>> Still curious… What are you using to block adult websites?
>>>>>>>>>> 
>>>>>>>>>> ------ Original Message ------
>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>> Date 5/22/2025 10:43:55 AM
>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>> 
>>>>>>>>>>> I stated that before. I need to block adult websites.
>>>>>>>>>>> 
>>>>>>>>>>>> On 22 May 2025, at 16:42, Jon Murphy wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Now I am curious! What is your use-case? Tell me more...
>>>>>>>>>>>> 
>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>> Date 5/22/2025 10:40:38 AM
>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>> 
>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I have not been spending any time on this at all since we talked last.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I don’t need Unbound to download any files for my use-case either.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On 20 May 2025, at 17:30, Jon Murphy wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Were you able to debug RPZ and get Unbound to download `.rpz` files?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>>>> Date 3/24/2025 9:43:37 AM
>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Yes, I don’t need any debugging of this...
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> On 24 Mar 2025, at 14:42, Jon Murphy wrote:
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Is there a:
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> server:
>>>>>>>>>>>>>>>>     module-config: "respip validator iterator"
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> In your RPZ set-up?
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>>>>>> Date 3/24/2025 9:40:15 AM
>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Because it is not doing it on my system...
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 14:38, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Actually it did.
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Why do you think Unbound did not?
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>>>>>>>> Date 3/24/2025 9:36:53 AM
>>>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Unbound did not put those there...
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 14:33, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> And where are these stored?
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> In `/etc/unbound/zonefiles`:
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> [root@ipfire ~] # ls -al /etc/unbound/zonefiles
>>>>>>>>>>>>>>>>>>>> total 20664
>>>>>>>>>>>>>>>>>>>> drwxr-xr-x 2 nobody nobody     4096 Mar 24 04:40 .
>>>>>>>>>>>>>>>>>>>> drwxr-xr-x 4 root   root       4096 Mar 19 16:24 ..
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody  3999087 Mar 23 15:11 adhocSB.rpz
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody     1411 Mar 23 14:23 allow.rpz
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody    25355 Mar 24 04:40 AmazonTrkrHZ.rpz
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody     7241 Mar 24 04:40 AppleTrkrHZ.rpz
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody      178 Mar 23 14:23 block.rpz
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody    78496 Mar 24 04:40 DOHblockHZ.rpz
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 16983551 Mar 24 04:40 MxProPlusHZ.rpz
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody     2893 Mar 24 04:40 tldHZ.rpz
>>>>>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody    29419 Mar 24 04:40 WinTrkrHZ.rpz
>>>>>>>>>>>>>>>>>>>> [root@ipfire ~] #
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>>>>>> To "Bernhard Bitsch"
>>>>>>>>>>>>>>>>>>>> Cc development@lists.ipfire.org
>>>>>>>>>>>>>>>>>>>> Date 3/24/2025 9:25:40 AM
>>>>>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 13:33, Bernhard Bitsch wrote:
>>>>>>>>>>>>>>>>>>>>>> On 24.03.2025 at 11:17, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 00:00, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>> FYI - I was wrong. Unbound RPZ is _not_ watching the serial number, it is watching the "refresh", the number after the serial number.
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>> Refresh just tells the client how often to check for an update.
>>>>>>>>>>>>>>>>>>>>>>> If that is actually being set by the list publisher, then we have another problem here, because they could put some insanely low value there and we would then DDoS their infrastructure. I think we should keep it like we have it in other places that we control how often we want to check or pull for updates.
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> You are right. But an extra update process wastes additional processor time. The update mechanism of unbound does the check for update ( however it is realized ) nevertheless.
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Yes, doing more things needs resources. But we are not seriously considering whether an IPFire system has enough resources to perform the download of a text file, or are we?
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>>>>>>>>>>>>>>>>>> From testing. Downloading rpz files using rpz unbound, and watching what happens. If the rpz file is set up for "once per day" refresh, then it only downloads one time.
>>>>>>>>>>>>>>>>>>>>>>>> However that won’t solve our problem . . . and having no cache.
>>>>>>>>>>>>>>>>>>>>>>>> In `/etc/unbound/tuning.conf` there is `rrset-cache-size: 128m`. Are you referring to a different cache?
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>> Naturally unbound is loading the zone into its memory which we generally call cache.
>>>>>>>>>>>>>>>>>>>>>>> When I say cache I am thinking about persistent data storage across multiple restarts of Unbound. If I am downloading 100 MiB of RPZ lists (which is presumably still on the lower end) and I reboot my firewall, I do not want to download the same data again. We can only ever download a list *once* unless we are 100% certain that it has changed.
>>>>>>>>>>>>>>>>>>>>>>> Then we can download it once again.
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> The RPZ lists are stored in files in persistent storage. Unbound creates the internal cache from these.
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> And where are these stored?
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> Maybe we need to implement both?
>>>>>>>>>>>>>>>>>>>>>>>> Yes. There are very few AXFR lists (I think only four were found). And many more HTTPS rpz files.
>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>>>>>>>>>>>> Cc "IPFire: Development-List"
>>>>>>>>>>>>>>>>>>>>>>>> Date 3/20/2025 11:26:43 AM
>>>>>>>>>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>> Please don’t forget to Cc the list...
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> On 19 Mar 2025, at 18:27, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> Keep in mind I am not a "C" person. Maybe in this section?:
>>>>>>>>>>>>>>>>>>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l5875
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> This is where the AXFR response is being handled when doing a DNS zone transfer. This code is not being called when performing a HTTP download.
>>>>>>>>>>>>>>>>>>>>>>>>> I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> —
>>>>>>>>>>>>>>>>>>>>>>>>>> When I was just learning about RPZ I created a separate RPZ file for testing. When I changed the SOA line with a new serial number, the RPZ file download would happen in about 5 minutes.
>>>>>>>>>>>>>>>>>>>>>>>>>> https://people.ipfire.org/~jon/sblack-adhoc.rpz
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> It might well be that the file is not being reloaded if the download matches the content that unbound already has. That would of course save some resources.
>>>>>>>>>>>>>>>>>>>>>>>>> However that won’t solve our problem with redundant downloads and having no cache.
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> That is how I found out the SOA line is watched for a serial number change.
>>>>>>>>>>>>>>>>>>>>>>>>>> I’ll reconfirm my findings.
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> So I understand, are you thinking of hosting RPZ AXFR (DNS zone transfer) on IPFire infrastructure?
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> No, I don’t think that we can generally do this.
>>>>>>>>>>>>>>>>>>>>>>>>> The biggest problem is licensing as we cannot take anyone's content and host it ourselves. We would redistribute those lists and that will only work with permission of the publishers. I assume that would be too much work to actually get some useful content out there. We might limit ourselves to only those lists that are under a very permissive license. Nobody wants that.
>>>>>>>>>>>>>>>>>>>>>>>>> From a technical point of view, DNS over TCP might not be very nice in terms of forging the transfer and so we would need TLS as well… It should work, but even if we would be able to encourage other people to publish their lists I doubt they would implement DNS over TLS for authoritative DNS. That standard is in very early stages as well.
>>>>>>>>>>>>>>>>>>>>>>>>> As far as I can see, those vendors who offer a list as a commercial product are using DNS to distribute it (e.g. Spamhaus). Those people who have made this all a hobby are throwing the lists onto GitHub and let them handle the traffic.
>>>>>>>>>>>>>>>>>>>>>>>>> Maybe we need to implement both?
>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>> On 3/19/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Unbound loads the entire file into memory and then starts parsing it. The only special treatment there is, is to check whether the first line is a valid zone entry. It does not even have to be a SOA record.
>>>>>>>>>>>>>>>>>>>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l1188
>>>>>>>>>>>>>>>>>>>>>>>>>>> I am also concerned that Unbound will not be able to support an upstream proxy for any downloads. The caching situation is also unclear for me, so I believe that we will be looking at writing a custom downloader that implements all these things.
>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 19 Mar 2025, at 02:58, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> The Unbound RPZ code, as installed within IPFire, watches for a change in the SOA line of each RPZ file. This is an example of the first few lines for every RPZ file.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> $TTL 300
>>>>>>>>>>>>>>>>>>>>>>>>>>>> @ SOA localhost. root.localhost. 1742298960 43200 3600 86400 300
>>>>>>>>>>>>>>>>>>>>>>>>>>>>   NS localhost.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ;
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; Title: HaGeZi's Pop-Up Ads DNS Blocklist
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; Description: Blocks annoying and malicious pop-up ads.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> If the SOA serial number changes (e.g. the 1742298960), then Unbound RPZ code does its thing and downloads. Otherwise there is no download.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won’t download a list again unless it has actually changed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> This should do what you want but I may be missing your point.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I need to read about AXFR/IXFR and learn a little more.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 3/17/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Good Morning Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 16 Mar 2025, at 17:00, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I was reading through your response again and I want to understand this post:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So if RPZ doesn't use HTTPS, what is it using? I am missing a key point here.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Although it might not affect a lot of people in our general user-base, there are some that have a metered connection and will pay for data by volume. Some of the lists I looked at are just under 20 MiB. Therefore we need to keep any traffic down to a minimum. The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won’t download a list again unless it has actually changed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> HTTPS is an option because that is simply what we use elsewhere, but extra functionality will have to be built for it.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 2/13/25 3:34 PM, jon wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I’ve read through your comments a few times and I ended up with many more questions.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> To me the efforts to get new code accepted seem to have changed and it seemed easier in the past.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> In the past I made the Core Team aware via the Dev Mailing List and wrote a simple two or three paragraphs of "What is it? / What is the value? / Here is the code".
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So in an effort to move forward: How exactly is something presented to the Core Team?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Is there an example of a recent effort that was presented that I can see as a sample? (This type of info can also be added to the Wiki)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I understand you want it this way, but I don’t know what exactly is needed. Please be specific.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> PS - I am not ignoring your other comments, I am just trying to move forward and keep things simple.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Feb 8, 2025, at 1:27 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Thanks for your reply. And good that you are copying everyone into this conversation.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 8 Feb 2025, at 18:41, jon wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at length before that this project has been started as a separate effort
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, this has been a separate effort (a very public separate effort). Yes, as you pointed this out early on with the "proof-of-concept" and then my request for people to help test RPZ. Nothing was hidden.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This was done because you (and maybe others) did not have the time and I wanted to help and because I needed assistance with RPZ.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I tried my best to do this without bothering you.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t think that it is accurate that nobody wanted to help on this. The list was always open - although not every email has been replied to swiftly it is also your responsibility to raise a question again if it was missed. People here have open ears.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It was also stated on this very list and in our documentation that working on something without involving the core team is a risky undertaking. Of course IPFire is free software and so everyone is free to fork if they wish to do so.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list or on our calls.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You were aware many steps along the way. See your email on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024, and January 16. My attempts to get the team involved were met with "things are busy" and sometimes silence. (Yes, I get it, people are busy.)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You and Adolf, Leo, Erik and Bernhard have been aware since the beginning. You mention you were aware of the "proof-of-concept". If you include those beginning posts, since Sep 2023.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, I am aware of a proof-of-concept that I have been running myself for a long time. I am also aware of the efforts that you have been taking.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yet I don’t think there has ever been any joint effort, or am I seeing that wrong?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This has not been discussed . . . on our calls.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On July 28th you stated:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "We have talked about RPZ many times on the monthly call since the URL filter feature is falling more and more out of fashion. I think there is also many posts about this on the forum."
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please don’t insult me again by stating "you know what I mean".
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And it has been discussed but not documented in the Monthly Meeting notes.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I am not at all insulting you. I don’t want to take this down to a personal level at all. This is a public mailing list and people who read this don’t need to listen to an argument we are having. They are here for the tech inside IPFire.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> When I wrote that it has not been discussed that does not mean that we have not been touching on the topic. We have been talking about lots of things on the calls, the weather, politics, how our pets are. None of that makes it to the logs. What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Regular conversation on the Dev Mailing list is many times met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And regular two-way conversation doesn’t happen on the list. At least not with me. I’d be happy to point out the posts that were met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Again, I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And you think my emails are not being met with silence? This has nothing to do with this specific topic. This has something to do with how occupied people are and how engaged they are on certain topics. Not everyone is involved in all the things and simply will ignore emails simply based on their subject line.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> But the "dip here to the list" were my attempts to get a conversation started. As I said, many times met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The only place I was not met with silence was on the Community. You have a great group of people in the Community. It is a shame you don’t want to have others help. It would reduce your workload.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You should stop making statements that are not true. Who doesn’t want anyone to help?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Not having this conversation on a Saturday evening would reduce my workload. At least it would free up time for something else. Helping with the things that are already on the go would reduce the workload of the entire team. Starting one thing at a time and finishing it is a lot better to manage than starting a hundred things and not even finishing one. I can tell you that I already have a hundred things on the go.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> To me it is beyond obvious…
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If it isn’t what you want, then guide me with how to do this the correct way. And be specific. I am trying to help. I am trying to make things better. I am trying to do things the right way.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> To me it isn’t. This is yet another project that has been dumped to the list like so many before and later on everyone has left to have the team deal with the rest.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It is a huge patch set. You explained what the vision is, but that is about it. There is no chance this will continue if this disagreement isn’t solved first. I didn’t even look at the code.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t want to merge code that I don’t agree with.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I asked multiple times if you "agreed with the concept" and again, met with silence. Yes, I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Having support for RPZ? Yes, it was definitely on the roadmap. That I agree with.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You mentioned this in the past, but for some reason you do not disclose what I dismissed. Why do you continue to make this harder, wouldn’t it be easier to tell me what I have dismissed?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have sent multiple emails trying to answer your concerns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I’ve gone through all of the questions you asked and I cannot find a "dismissed" item.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Maybe I need to be *more clear*. I feel humoured by this.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It is late on a Saturday and I want my dinner soon, but certainly I have stated that this should never be an add-on considering it is supposed to replace URL Filter. We should never allow people to add their own sources. I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The maintainers of Unbound and/or RPZ?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The maintainers of Hagezi list, the threatfox list, the urlhaus list, etc.?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What else? The maintainers of the RPZ scripts? That is me. Let’s talk!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You. I don’t care much about the providers of the lists.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> See, this is where it gets confusing. There are hundreds of open source packages as part of IPFire. Pick the last five years of items added to the IPFire build. You're telling me you have "constructive conversation with the maintainers" of all of the added packages?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> They publish their software and they don’t care whether I am pulling it or not. They publish it with the commitment to maintain it - sometimes for better and sometimes for worse.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You care about me pulling your code and I don’t know whether you would commit to maintain this.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> These two are very different cases.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e., Emergingthreats.net, Abuse.ch, etc.). So you’ve had "constructive conversation with the maintainers"?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, occasionally I have phone calls with a few of these providers.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Ha! Yes, a surprise. In the beginning you seemed interested as IPFire needed a replacement for URL Filter. You asked good questions about the lists picked, asked for the value to the users, etc. And I answered the best I could.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You even asked: “Why is this realised as an add-on and not part of the core system?” from your Jul 28, 2024 email.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Ah, so, why is the patch creating an add-on? Not that I am saying that what I say is law, but it has not been challenged either. If my input is being ignored, why should I put this to the top of my list of priorities? I am not disappointed about this, just trying to be very good with my time.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And on January 16, 2025 I wrote a message looking for help. And you were kind to respond quickly. So in three weeks time, since the kind response, something has changed. You went from supportive to "this".
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So yes, I am surprised.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Well, maybe I should not have replied to that email. It was clear that you were on some path that was not right, but you were not interested before in finding the right path from the beginning.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Be more specific, what has to change? What exactly did I dismiss?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Dismissal is just my assumption. I don’t know what you actually did with my feedback. I can only see the end product that does not seem to contain much of it. Repeatedly I have been pointing out that we should think before we build. I am sure a lot of hours have now gone into some code that simply does not satisfy me.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And I am not talking about the code itself, what it does is what I don’t think is right for us.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The process is very clear for me that we should first of all think whether we want a certain feature now. Then there should be a clear roadmap for everyone to follow; tasks can be split up as we go and hopefully then have something that is maintainable, interesting for our users and even would do us proud. This is how this should work.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So, what has to change? I don’t think that shouting at each other, throwing patches around and making me generally unhappy is a good start.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Feb 6, 2025, at 2:13 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Well, here we are again with another patch regarding this feature.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I cannot quite see from your email what the question is, but if this is a request to have this merged into IPFire, I am once again sorry to disappoint you.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at length before that this project has been started as a separate effort and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list or on our calls. Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation. Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t want to merge code that I don’t agree with.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> All the best,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is it?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Response Policy Zone (RPZ) is a mechanism to define local policies in a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> standardized way and load those policies from external sources.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bottom line: RPZ allows admins to easily block access to websites via DNS lookup.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> RPZ can block websites via categories. Examples include: fake websites, annoying
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> pop-up ads, newly registered domains, DoH bypass sites, bad "host" services,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> malicious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornography,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and more. RPZ lists come from various RPZ providers and their available
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> categories.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This RPZ add-on enables the RPZ functionality by adding a couple of lines in a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration file.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This add-on simply adds configuration files and adds
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> scripts (config, metrics and sleep) to make RPZ easier for the admin to use.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The RPZ scripts include additional languages: German, Spanish, French, Turkish,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and Italian.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> RPZ itself was released in 2010 and has been part of the IPFire build since ~2015.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Why is it needed? What is its value?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - The RPZ concept places this filtering into IPFire, our internet access
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> gateway, which is (should be) solely used as DNS source of the internal network.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - As most sites use HTTPS it makes it difficult to filter traffic with URL
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Filter without also properly configuring conventional (non-transparent)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> mode on the proxy. RPZ is a nice replacement for the URL Filter.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - No need to install and maintain an additional device like PiHole or AdBlock
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> browser extensions on multiple user devices.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - This is an additional layer of protection for users. Less worry someone will
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> click on something that gets them into trouble. And, saying this with emphasis,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the ability to do it in one place!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Blocked sites save on unneeded traffic and can lessen the threat of malware
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> in advertisements
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Logging allows the admin to see the site blocked and take actions
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - RPZ will be used at the home, home-office (work from home), schools,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ministerial, and at the office. Device counts are small (2-6) to medium (~80)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> to medium-large (200+).
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> popups, NSFW links, DOH servers, and the usual internet trash.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Change Log for RPZ add-on
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-1.0.0-18 on 2025-02-05
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Build for approval & release as IPFire add-on
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added a mod key to force an unbound restart
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-config and rpz-make:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added action for unbound restart `rpz-config unbound-restart`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - simple reformatting
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - rename far right column from "last update" to "last download"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: updated validation regex
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: moved validation to beginning of process. Now we validate before
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> creating config files.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: use CSS color variables of the main ipfire theme
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: empty zonefile remarks were stored as “undef” and caused a warning
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: HTML textarea removes the first empty line in a custom list
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - thank you Leo!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Turkish (thank you Peppe)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected empty allow/block list issue. An empty allow/block list
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> will now remove contents of allow/block.rpz files and remove unneeded
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> allow/block.conf file. (thank you iptom)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-config:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: correct missing rpz extension.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> `rpz-config list` displayed URL
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incorrectly (thank you Bernhard)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: remove extra `"` in language files (thank you Bernhard)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: slightly dim "apply" button when not enabled
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - skipped
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for French (thank you gw-ipfire)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Italian (thank you umberto)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Spanish (thank you Roberto)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation error for a custom list entry (thank you siosios)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - e.g., `*.cloudflare-dns.com`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install.sh:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update.sh:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files (thank you siosios)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for German (thank you Leo)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add missing "rpz exitcode 110"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - skipped
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> All:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: includes beta version numbers for pakfire package,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, for each release.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new WebGUI at `rpz.cgi`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - a BIG thank you to Leo Hofmann for all of his work creating the webgui!!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: validate entries in allowlist and blocklist
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: add "no-reload" option for WebGUI
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: info can be sorted by name, by hit count, by line count, by
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "enabled" list or all lists
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> backups:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update.sh:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during an
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Build:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: `block.rpz.conf` and `block.rpz` from build. Files to be created
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> by `rpz-make`
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> WebGUI and German language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Leo-Andres Hofmann
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Spanish language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Roberto Peña
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Italian language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Umberto Parma
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> French language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: gw-ipfire
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Turkish language file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Peppe Tech
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Bernhard Bitsch
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Erik Kapfer
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Signed-off-by: Jon Murphy = >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/backup/includes/rpz | 4 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/cfgroot/manualpages | 1 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/menu/EX-rpz.menu | 6 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/configroot = | 1 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/web-user- = interface | 1 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/packages/rpz | 20 = + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/00-rpz.conf | 10 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-config | 130 +++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-functions | 85 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-make | 203 +++++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-metrics | 170 ++++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-sleep | 58 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.de.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.en.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.es.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.fr.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.it.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.tr.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> html/cgi-bin/rpz.cgi | 923 = ++++++++++++++ +++++++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> lfs/rpz | 96 +++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> make.sh | 3 +- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/install.sh | 36 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/uninstall.sh | 38 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/update.sh | 52 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 24 files changed, 2016 = insertions(+), 1 deletion(-) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/backup/ = includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create 
mode 100644 = config/rootfiles/ packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100755 = config/rpz/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100755 = config/rpz/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = html/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 lfs/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/install.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/uninstall.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/update.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git = a/config/backup/includes/rpz b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..36513e494 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,4 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git = a/config/cfgroot/manualpages b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- a/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -70,6 +70,7 @@ = pakfire.cgi=3Dconfiguration/ipfire/pakfire >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # Logs menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = logs.cgi/summary.dat=3Dconfiguration/logs/ summary >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git = a/config/menu/EX-rpz.menu b/ config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..2f4daf410 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,6 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +}; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
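Review bot: in the config/menu/EX-rpz.menu hunk the 'caption' is localised through `$Lang::tr{'rpz'}` while the 'title' is the hard-coded string "RPZ"; since the package ships language files for six locales (rpz.de.pl, rpz.es.pl, rpz.fr.pl, rpz.it.pl, rpz.tr.pl, rpz.en.pl), consider `'title' => $Lang::tr{'rpz'},` so that both user-visible strings come from the same translation table and a translator only has to change one place.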
diff --git = a/config/rootfiles/common/ configroot b/config/rootfiles/common/ = configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- = a/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ = b/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -120,6 +120,7 @@ = var/ipfire/menu.d/70- log.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git = a/config/rootfiles/common/web- user-interface b/config/rootfiles/common/ = web-user-interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- = a/config/rootfiles/common/web-user- interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ = b/config/rootfiles/common/web-user- interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -69,6 +69,7 @@ = srv/web/ipfire/cgi-bin/ proxy.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
diff --git = a/config/rootfiles/packages/ rpz b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..1c8663049 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,20 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = +var/ipfire/backup/addons/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/00-rpz.conf = b/ config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..f005a4f2e >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
+++ b/config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,10 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +server: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + module-config: "respip validator = iterator" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpz: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + name: allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + zonefile: = /etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-action-override: passthru >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-log: yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-log-name: allow >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/rpz-config = b/ config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..c72d50f9b >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,130 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#!/bin/bash >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = +#########################################################################= ###### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# IPFire.org - A linux based = firewall # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# Copyright (C) 2024-2025 IPFire = Team # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# This program is free software: = you can redistribute it and/or modify # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# it under the terms of the GNU = General Public License as published by # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# the Free Software Foundation, = either version 3 of the License, or # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# (at your option) any later = version. # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# This program is distributed in = the hope that it will be useful, # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# but WITHOUT ANY WARRANTY; = without even the implied warranty of # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A = PARTICULAR PURPOSE. See the # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# GNU General Public License for = more details. # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# You should have received a copy = of the GNU General Public License # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# along with this program. If not, = see . 
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = +#########################################################################= ###### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +############### Functions = ############### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +############### Main = ############### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +tagName=3D"unbound" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzAction=3D"${1}" # input RPZ = action >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzOption1=3D"${4}" # input RPZ = option #1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzOption2=3D"${5}" # input RPZ = option #2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/ = ${rpzName}.rpz.conf" # output zone conf file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/ = ${rpzName}.rpz" # output for RPZ file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzLog=3D"yes" # log default is = yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +ucReload=3D"yes" # reload default = is yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + case "$1" in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + --no-reload ) ucReload=3D"no" ; = checkConf=3D"no" ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + esac >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + shift # Shift after 
checking all = the cases to get next option >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +done >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +case "${rpzAction}" in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # add new rpz list >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + add ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_name "${rpzName}" # is this = a valid name? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # does this config already exist? = If yes, then exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: duplicate - = ${rpzConfig} already exists. exit" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 104 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # is this a valid URL? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + = regex=3D'^https://[-[:alnum:]\+&@#/%? = =3D~_|!:,.;]*[-[:alnum:]\+&@#/%=3D~_|]' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex = ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: the URL is = not valid: \"${rpzURL}\". exit." 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 105 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # create the zone config file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + { >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo "rpz:" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-action-override: = nxdomain" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-signal-nxdomain-ra: = yes" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + } > "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # set-up zonefile >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # create an empty rpz file if it = does not exist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if [[ ! -f "${rpzFile}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + touch "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # unbound requires these settings = for rpz files >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + set_permissions "${rpzFile}" = "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # trash config file & rpz file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + remove ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; = then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: cannot = remove ${rpzConfig}, does not exist. 
exit" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 106 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "info: rpz: remove config = file & rpz file \"${rpzName}\"" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + reload ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + list ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/ = [[:blank:]]|\.rpz/, "",$2) ; NAME=3D$2 } \ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, = "") ; print NAME"=3D"$2":"$3} ' \ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + unbound-restart ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + unbound_restart >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: missing or = incorrect parameter" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + printf "Usage: $(basename "$0") =
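Review bot: In the config/rootfiles/packages/rpz hunk, `etc/unbound/zonefiles/allow.rpz` is shipped by the package but `etc/unbound/zonefiles/block.rpz` is not, while the backup include hunk (config/backup/includes/rpz) lists both `allow.rpz` and `block.rpz`. If block.rpz is meant to be generated at runtime from `var/ipfire/dns/rpz/blocklist`, a short comment in the rootfile saying so would prevent a later "missing file" report; otherwise add the `block.rpz` entry next to `allow.rpz`.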
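Review bot: In the config/rpz/00-rpz.conf hunk, `module-config: "respip validator iterator"` is set unconditionally, and the `allow.rpz` zone with `rpz-action-override: passthru` only wins over block zones because its file sorts first (`00-`) among `/etc/unbound/local.d/*rpz.conf`. Both facts are load-bearing but undocumented: if `module-config` is also set in the main unbound.conf or another local.d file, only one occurrence takes effect, and if the include glob is ever unsorted the allowlist stops taking precedence. Suggest a comment block at the top of the file stating that the `00-` prefix is required and that this file owns `module-config`.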
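Review bot: In the `add` branch of config/rpz/rpz-config, the URL check `regex='^https://[-[:alnum:]\+&@#/%?=~_|!:,.;]*[-[:alnum:]\+&@#/%=~_|]'` is anchored only at the start, so any trailing characters after a valid-looking prefix are accepted and then written verbatim by `echo " url: ${rpzURL}"` into `${rpzConfig}`; anchor the pattern with `$` (and reject whitespace) so the value cannot carry extra content into the unbound zone config. Three smaller points in the same hunk: `set_permissions "${rpzFile}" "${rpzConfig}"` sits inside `if [[ ! -f "${rpzFile}" ]]`, so when the zonefile already exists the freshly written `${rpzConfig}` never gets its permissions set; the `remove` branch skips the `check_name "${rpzName}"` call that `add` performs before building `${rpzConfig}`/`${rpzFile}` and passing them to `rm`; and `checkConf` is only assigned in the `--no-reload` case, so `reload` and `unbound-restart` pass an empty string to `check_unbound_conf` by default. Initialising `checkConf` next to `rpzLog`/`ucReload` and moving the permission call after the `fi` would fix the latter two.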