Subject: Re: Feedback on issues with DNSFW in CU201 Testing
From: Michael Tremer
Date: Wed, 25 Mar 2026 09:30:32 +0000
To: Jon Murphy
Cc: Adolf Belka, "IPFire: Development-List", dbl@lists.ipfire.org

Hello Jon,

Why would it be necessary to manually change the configuration? Can you explain to us what you are thinking?

> On 24 Mar 2026, at 21:03, Jon Murphy wrote:
>
> Try this in the dnsbl.conf file.
>
> server:
> define-tag: "ads.rpz.ipfire.org dating.rpz.ipfire.org"
>
> server:
> access-control-tag: 192.168.74.0/24 "ads.rpz.ipfire.org dating.rpz.ipfire.org"
>
>
> Separate "access-control-tag" don't seem to work.

What is this supposed to mean?

-Michael

>
> The above changes allow RPZ to work as expected.
>
>
>
> ------ Original Message ------
> From "Michael Tremer"
> To "Adolf Belka"
> Cc development@lists.ipfire.org; dbl@lists.ipfire.org
> Date 3/23/2026 9:41:07 AM
> Subject Re: Feedback on issues with DNSFW in CU201 Testing
>
>> Hello,
>>
>> So this looks good. The list has been properly loaded into Unbound.
>>
>> I don't quite know what could be going wrong now.
>>
>> -Michael
>>
>>> On 23 Mar 2026, at 12:22, Adolf Belka wrote:
>>>
>>> Hi Michael,
>>>
>>> On 23/03/2026 12:10, Michael Tremer wrote:
>>>> Hello Adolf,
>>>> What is the output of unbound-control list_auth_zones?
>>>
>>> porn.rpz.ipfire.org. serial 1773964805 since 1774267487 2026-03-23T13:04:47
>>> gambling.rpz.ipfire.org serial 1773997205 since 1774267487 2026-03-23T13:04:47
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>>> -Michael
>>>>> On 20 Mar 2026, at 16:59, Adolf Belka wrote:
>>>>>
>>>>> Hi Michael,
>>>>>
>>>>> On 20/03/2026 16:56, Michael Tremer wrote:
>>>>>> Hello Adolf,
>>>>>> I am copying the DBL list, too.
>>>>>
>>>>> Good idea. I was just thinking of it being related to a Testing issue.
>>>>>> So this is obviously not normal, but we can debug this step by step:
>>>>>> First of all, we should check if Unbound was able to successfully fetch the DNS zones. Gambling has clearly been downloaded, but it seems that the Porn list might not. You can check in /var/cache/unbound if there is the zone file. If yes, then you can try to resolve a couple of things on the console and check if they are being blocked:
>>>>>
>>>>> I should have already mentioned this but forgot. It was one of the first things I checked and I have just re-confirmed now. The porn zone file is present. It was updated at 11:40 CET and the Gambling zone was updated at 12:53 CET.
>>>>>
>>>>> I also checked that the zone file contained the URLs being used and it did and does.
>>>>>
>>>>>> # dig @localhost some.porn.website.com
>>>>>> You should see NXDOMAIN if the domain exists and has been blocked and you should see the log entries just like gambling.
>>>>>
>>>>> Got
>>>>>
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54293
>>>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>>>
>>>>> So NXDOMAIN is in the answer but there was nothing additional in the unbound log. The last entry in it was from 12:58:50 when I did the tests with the gambling sites, and if there was an entry it should have a timestamp for around 17:45.
>>>>>
>>>>>> This rules out anything that is going wrong between the browser and Unbound.
>>>>>> In case of the URL filter, it simply seems that squidguard is not seeing the requests. You might as well try something like:
>>>>>
>>>>> With the URL Filter enabled and DNSFW disabled, the URL Filter blocks and logs both the Gambling and Porn site accesses. Sorry if that came across differently in my mail. The URL Filter works fine for me with both CU200 and CU201 Testing.
>>>>>
>>>>>> # http_proxy=http://1.2.3.4:800 https_proxy=http://1.2.3.4:800 wget -d http://some.porn.website.com
>>>>>> The squidguard.log should also contain some interesting information if something didn't go as planned.
>>>>>> -Michael
>>>>>>> On 20 Mar 2026, at 12:30, Adolf Belka wrote:
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I am having issues with getting DNSFW to work properly; it fails in many conditions to block things from the list.
>>>>>>>
>>>>>>> The dbl list works fine for me in the URL Filter for both CU200 and CU201 Testing.
>>>>>>>
>>>>>>> For my testing I created a new install of CU201 Testing and just went straight to DNSFW and enabled the Gambling and Pornography categories and Saved.
>>>>>>>
>>>>>>> Then selected the Green network for both categories using the pencil edit option.
>>>>>>>
>>>>>>> In this setup I had no Web Proxy enabled.
>>>>>>>
>>>>>>> I then cleared the browser cache and set the Browser to No Proxy.
>>>>>>>
>>>>>>> I then tested out nl.onecasino.com and www.xnxx.com in Firefox and in Netsurf.
>>>>>>>
>>>>>>> The gambling site was blocked and gave the message
>>>>>>>
>>>>>>> Unable to connect
>>>>>>> Firefox can't establish a connection to the server at nl.onecasino.com.
>>>>>>>
>>>>>>> For the porn site it was not blocked but opened up.
>>>>>>> I tried with two other gambling and porn sites. All three gambling sites were blocked. All three porn sites were allowed through.
>>>>>>>
>>>>>>> In the DNS: Unbound System Logs I found
>>>>>>>
>>>>>>> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
>>>>>>> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44356 www.postcodeloterij.nl. HTTPS IN
>>>>>>> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
>>>>>>> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
>>>>>>> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
>>>>>>> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@43346 welkom.hollandcasino.nl. HTTPS IN
>>>>>>>
>>>>>>> So the blocked gambling sites were in the logs, but not any of the pornography sites I had tested.
>>>>>>>
>>>>>>> Then tried the browser with the Network Settings set to Use system proxy settings and the same result occurred.
>>>>>>>
>>>>>>> I then turned on the Web Proxy with conventional connection on port 800. Saved and restarted and then Cleared the web proxy cache.
>>>>>>> Then I cleared the browser cache and set the Network Settings to Manual proxy configuration with the IP of my IPFire system being tested.
>>>>>>>
>>>>>>> I then tested the same three gambling URLs and Porn URLs.
>>>>>>> All of the sites were opened up.
>>>>>>> In the DNS: Unbound system log there were no new entries.
>>>>>>> In the Proxy Logs there were entries for the gambling and porn sites.
>>>>>>>
>>>>>>> I have also tested the browser out using the web proxy with the Automatic proxy configuration URL accessing the wpad file via dhcp and that also had the same results as using the Manual proxy configuration option.
>>>>>>>
>>>>>>> I have repeated a lot of my tests multiple times, also with repeated new installs, and for me, as long as I ensured I had cleared the web proxy and browser caches, they always came up with the same results as I have described above.
>>>>>>>
>>>>>>> It would be good to know if any of you also experience the same effect or if it works without problems for yourselves.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Adolf.
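The debugging steps in the thread (check that a zone is loaded with `unbound-control list_auth_zones`, then look for `rpz: applied` entries in the Unbound log) can be automated into a small triage script. This is an added example, not code from the thread or from the IPFire project; the log lines and zone listing are constructed samples shaped like the ones quoted above, and the "start of service" line is a made-up filler entry.

```python
import re
from collections import Counter

# Constructed sample, shaped like the "rpz: applied" lines quoted in the thread.
UNBOUND_LOG = """\
12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. HTTPS IN
12:49:10 unbound: [1820:0] info: start of service (constructed filler line, not RPZ).
"""

# Constructed sample, shaped like the `unbound-control list_auth_zones` output in the thread.
AUTH_ZONES = """\
porn.rpz.ipfire.org. serial 1773964805 since 1774267487 2026-03-23T13:04:47
gambling.rpz.ipfire.org serial 1773997205 since 1774267487 2026-03-23T13:04:47
"""

# Fields after "rpz: applied": [zone] trigger action client@port qname qtype qclass
RPZ_RE = re.compile(
    r"rpz: applied \[(?P<zone>[^\]]+)\] (?P<trigger>\S+) (?P<action>\S+) "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)"
)

def parse_rpz_hits(log_text):
    """One dict per 'rpz: applied' line; unrelated log lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = RPZ_RE.search(line)
        if not m:
            continue
        hit = m.groupdict()
        # Unbound prints names with or without a trailing dot; normalise for comparison.
        hit["zone"] = hit["zone"].rstrip(".")
        hit["qname"] = hit["qname"].rstrip(".")
        hit["client"] = hit["client"].split("@")[0]   # drop the source port
        hits.append(hit)
    return hits

def loaded_zones(list_auth_zones_text):
    """Zone names reported by list_auth_zones, trailing dot stripped."""
    return {ln.split()[0].rstrip(".") for ln in list_auth_zones_text.splitlines() if ln.strip()}

def hits_by_zone(log_text):
    """How many queries each RPZ zone actually acted on."""
    return Counter(h["zone"] for h in parse_rpz_hits(log_text))

def silent_zones(log_text, list_auth_zones_text):
    """Zones Unbound has loaded but which never applied an action: the symptom reported above."""
    return loaded_zones(list_auth_zones_text) - set(hits_by_zone(log_text))

if __name__ == "__main__":
    print("hits per zone:", dict(hits_by_zone(UNBOUND_LOG)))
    print("loaded but silent:", silent_zones(UNBOUND_LOG, AUTH_ZONES))
```

On a real system the two inputs would come from the Unbound log and the live `unbound-control list_auth_zones` output; a zone that is loaded but silent while test queries return NXDOMAIN points at the lookup path rather than the zone download.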