Subject: Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
From: Michael Tremer
Date: Thu, 7 Aug 2025 09:17:02 +0100
To: Bernhard Bitsch
Cc: development@lists.ipfire.org
In-Reply-To: <4d7fda4f-0de9-4a77-99b1-6276b161f68a@ipfire.org>

Hello Bernhard,

> On 6 Aug 2025, at 13:32, Bernhard Bitsch wrote:
>
> On 05.08.2025 at 18:53 Jon Murphy wrote:
>> Q. * The problem are the sources and the quality of the blacklists. Unless those are available to us and our users the entire technology is becoming worthless. This is exactly what we have with the URL filter.
>> A. To me this is similar to many other open source items. If the head MFiC walks away, then the open source becomes toast. If the project is sold or transferred to a paid service, then the open source project is toast. I don’t like it, but unless IPFire becomes the mix-master of blocklists (collect, filter, publish, etc.) then there is no way around this.
>> ==
>> Q. * Unbound itself is a whole mess and I hope we will be able to launch our plans to replace it as soon as possible.
>> A. This one I cannot answer since I don’t know the issues others have experienced. I started near the time when IPFire went from dnsmasq to unbound and to me unbound seems A-OK. But again I don’t know the issues.
>
> What alternative is planned for unbound? Does it support RPZ or something alike?
> I think it can be agreed that such a sort of filtering is meaningful.
I have a few candidates, but nothing has been confirmed. We talked about this a few months ago on the video call and decided that we will prioritise other things first.

> Bernhard
>
> EDIT: The case of controlled lists is in solution by Erik's work (https://github.com/twitOne/RPZ-Blocklists/tree/main)
> ==

In all seriousness, how is *this* the solution? It embodies all problems that we have raised before in one new GitHub repository.

* It gathers many lists from various sources and merges them. That is not a list, that is just a pile of other lists combined into one. What is the benefit? The sources are already merging each other in circles. Why not use the original lists?

* This clearly breaks *all* the licensing of any of the upstream lists. Most of those are using licenses that are not even possible to use for anything else but software (MIT & GPL). Lists like this are not software. One upstream list has a fairy tale license and the two that actually chose a sensible license that mandate attribution have not been credited for their work. There is no indication that a dual-licensing or redistribution deal has been struck with any upstream providers. The “new” compiled data in that repository does not state at all under which terms it can be used.

* It even tracks which lists have been abandoned (https://github.com/twitOne/RPZ-Blocklists/issues/70).

* It is coming from someone who is not even going to put their name to it. Like most of the upstream data, too.

Please tell me what has been tried to solve here. What was the goal of creating this?

Best,
-Michael

>> Specifically, what questions are remaining unanswered?
>> ------ Original Message ------
>> From "Michael Tremer"
>> To "Jon Murphy"
>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>> Date 5/23/2025 5:35:58 AM
>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>> Hello Jon,
>>>
>>> You need to be a little bit more precise with what you actually want to know.
>>>
>>> I think I have covered this before and can only refer to the previous emails in this conversation.
>>>
>>> * RPZ itself is fine as a feature. It is a powerful tool we could leverage for a lot of things. It would have the potential to allow content filtering without the proxy.
>>>
>>> * The problem are the sources and the quality of the blacklists. Unless those are available to us and our users the entire technology is becoming worthless. This is exactly what we have with the URL filter.
>>>
>>> * Unbound itself is a whole mess and I hope we will be able to launch our plans to replace it as soon as possible.
>>>
>>> Best,
>>> -Michael
>>>
>>>> On 22 May 2025, at 20:45, Jon Murphy wrote:
>>>>
>>>> I understand that "Unbound, RPZ and a blacklist" was unsuitable. I am curious what was suitable.
>>>>
>>>> ------ Original Message ------
>>>> From "Michael Tremer"
>>>> To "Jon Murphy"
>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>> Date 5/22/2025 10:46:25 AM
>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>
>>>>> Unbound, RPZ and a blacklist that I deemed suitable. It isn’t.
>>>>>
>>>>>> On 22 May 2025, at 16:45, Jon Murphy wrote:
>>>>>>
>>>>>> Still curious… What are you using to block adult websites?
>>>>>>
>>>>>> ------ Original Message ------
>>>>>> From "Michael Tremer"
>>>>>> To "Jon Murphy"
>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>> Date 5/22/2025 10:43:55 AM
>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>
>>>>>>> I stated that before. I need to block adult websites.
>>>>>>>
>>>>>>>> On 22 May 2025, at 16:42, Jon Murphy wrote:
>>>>>>>>
>>>>>>>> Now I am curious! What is your use-case? Tell me more...
>>>>>>>>
>>>>>>>> ------ Original Message ------
>>>>>>>> From "Michael Tremer"
>>>>>>>> To "Jon Murphy"
>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>> Date 5/22/2025 10:40:38 AM
>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>
>>>>>>>>> Hello Jon,
>>>>>>>>>
>>>>>>>>> I have not been spending any time on this at all since we talked last.
>>>>>>>>>
>>>>>>>>> I don’t need Unbound to download any files for my use-case either.
>>>>>>>>>
>>>>>>>>> -Michael
>>>>>>>>>
>>>>>>>>>> On 20 May 2025, at 17:30, Jon Murphy wrote:
>>>>>>>>>>
>>>>>>>>>> Michael,
>>>>>>>>>>
>>>>>>>>>> Were you able to debug RPZ and get Unbound to download `.rpz` files?
>>>>>>>>>>
>>>>>>>>>> Jon
>>>>>>>>>>
>>>>>>>>>> ------ Original Message ------
>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>> Date 3/24/2025 9:43:37 AM
>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>
>>>>>>>>>>> Yes, I don’t need any debugging of this...
>>>>>>>>>>>
>>>>>>>>>>>> On 24 Mar 2025, at 14:42, Jon Murphy wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Is there a:
>>>>>>>>>>>>
>>>>>>>>>>>> server:
>>>>>>>>>>>>     module-config: "respip validator iterator"
>>>>>>>>>>>>
>>>>>>>>>>>> In your RPZ set-up?
>>>>>>>>>>>>
>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>> Date 3/24/2025 9:40:15 AM
>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>
>>>>>>>>>>>>> Because it is not doing it on my system...
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 24 Mar 2025, at 14:38, Jon Murphy wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Actually it did.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Why do you think Unbound did not?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>> Cc "Bernhard Bitsch" ; "IPFire: Development-List"
>>>>>>>>>>>>>> Date 3/24/2025 9:36:53 AM
>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Unbound did not put those there...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 24 Mar 2025, at 14:33, Jon Murphy wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> And where are these stored?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> In `/etc/unbound/zonefiles`:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [root@ipfire ~] # ls -al /etc/unbound/zonefiles
>>>>>>>>>>>>>>>> total 20664
>>>>>>>>>>>>>>>> drwxr-xr-x 2 nobody nobody 4096 Mar 24 04:40 .
>>>>>>>>>>>>>>>> drwxr-xr-x 4 root root 4096 Mar 19 16:24 ..
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 3999087 Mar 23 15:11 adhocSB.rpz
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 1411 Mar 23 14:23 allow.rpz
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 25355 Mar 24 04:40 AmazonTrkrHZ.rpz
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 7241 Mar 24 04:40 AppleTrkrHZ.rpz
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 178 Mar 23 14:23 block.rpz
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 78496 Mar 24 04:40 DOHblockHZ.rpz
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 16983551 Mar 24 04:40 MxProPlusHZ.rpz
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 2893 Mar 24 04:40 tldHZ.rpz
>>>>>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 29419 Mar 24 04:40 WinTrkrHZ.rpz
>>>>>>>>>>>>>>>> [root@ipfire ~] #
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>> To "Bernhard Bitsch"
>>>>>>>>>>>>>>>> Cc development@lists.ipfire.org
>>>>>>>>>>>>>>>> Date 3/24/2025 9:25:40 AM
>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 13:33, Bernhard Bitsch wrote:
>>>>>>>>>>>>>>>>>> On 24.03.2025 at 11:17 Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 24 Mar 2025, at 00:00, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>> FYI - I was wrong. Unbound RPZ is _not_ watching the serial number, it is watching the "refresh", the number after the serial number.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Refresh just tells the client how often to check for an update.
>>>>>>>>>>>>>>>>>>> If that is actually being set by the list publisher, then we have another problem here, because they could put some insanely low value there and we would then DDoS their infrastructure. I think we should keep it like we have it in other places that we control how often we want to check or pull for updates.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> You are right. But an extra update process wastes additional processor time. The update mechanism of unbound does the check for update (however it is realized) nevertheless.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Yes, doing more things needs resources. But we are not seriously considering whether an IPFire system has enough resources to perform the download of a text file, or are we?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>>>>>>>>>>>>>> From testing. Downloading rpz files using rpz unbound, and watching what happens. If the rpz file is set up for "once per day" refresh, then it only downloads one time.
>>>>>>>>>>>>>>>>>>>> However that won’t solve our problem . . . and having no cache.
>>>>>>>>>>>>>>>>>>>> In `/etc/unbound/tuning.conf` there is `rrset-cache-size: 128m`. Are you referring to a different cache?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Naturally unbound is loading the zone into its memory which we generally call cache.
>>>>>>>>>>>>>>>>>>> When I say cache I am thinking about persistent data storage across multiple restarts of Unbound. If I am downloading 100 MiB of RPZ lists (which is presumably still on the lower end) and I reboot my firewall, I do not want to download the same data again. We can only ever download a list *once* unless we are 100% certain that it has changed. Then we can download it once again.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The RPZ lists are stored in files in persistent storage. Unbound creates the internal cache from these.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> And where are these stored?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Maybe we need to implement both?
>>>>>>>>>>>>>>>>>>>> Yes. There are very few AXFR lists (I think only four were found). And many more HTTPS rpz files.
>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>>>>>>>> Cc "IPFire: Development-List"
>>>>>>>>>>>>>>>>>>>> Date 3/20/2025 11:26:43 AM
>>>>>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>> Please don’t forget to Cc the list...
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 19 Mar 2025, at 18:27, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Keep in mind I am not a "C" person. Maybe in this section?:
>>>>>>>>>>>>>>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l5875
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This is where the AXFR response is being handled when doing a DNS zone transfer. This code is not being called when performing a HTTP download.
>>>>>>>>>>>>>>>>>>>>> I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> —
>>>>>>>>>>>>>>>>>>>>>> When I was just learning about RPZ I created a separate RPZ file for testing. When I changed the SOA line with a new serial number, the RPZ file download would happen in about 5 minutes.
>>>>>>>>>>>>>>>>>>>>>> https://people.ipfire.org/~jon/sblack-adhoc.rpz
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> It might well be that the file is not being reloaded if the download matches the content that unbound already has. That would of course save some resources.
>>>>>>>>>>>>>>>>>>>>> However that won’t solve our problem with redundant downloads and having no cache.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> That is how I found out the SOA line is watched for a serial number change.
>>>>>>>>>>>>>>>>>>>>>> I’ll reconfirm my findings.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> So I understand, are you thinking of hosting RPZ AXFR (DNS zone transfer) on IPFire infrastructure?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> No, I don’t think that we can generally do this. The biggest problem is licensing as we cannot take anyone's content and host it ourselves. We would re-distribute those lists and that will only work with permission of the publishers. I assume that would be too much work to actually get some useful content out there.
>>>>>>>>>>>>>>>>>>>>> We might limit ourselves to only those lists that are under a very permissive license. Nobody wants that.
>>>>>>>>>>>>>>>>>>>>> From a technical point of view, DNS over TCP might not be very nice in terms of forging the transfer and so we would need TLS as well… It should work, but even if we would be able to encourage other people to publish their lists I doubt they would implement DNS over TLS for authoritative DNS. That standard is in very early stages as well.
>>>>>>>>>>>>>>>>>>>>> As far as I can see, those vendors who offer a list as a commercial product are using DNS to distribute it (e.g. Spamhaus). Those people who have made this all a hobby are throwing the lists onto GitHub and let them handle the traffic.
>>>>>>>>>>>>>>>>>>>>> Maybe we need to implement both?
>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>> On 3/19/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>>>>>>>>>>>>>>>> Unbound loads the entire file into memory and then starts parsing it. The only special treatment there is, is to check whether the first line is a valid zone entry. It does not even have to be a SOA record.
>>>>>>>>>>>>>>>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l1188
>>>>>>>>>>>>>>>>>>>>>>> I am also concerned that Unbound will not be able to support an upstream proxy for any downloads. The caching situation is also unclear for me, so I believe that we will be looking at writing a custom downloader that implements all these things.
>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 19 Mar 2025, at 02:58, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> The Unbound RPZ code, as installed within IPFire, watches for a change in the SOA line of each RPZ file. This is an example of the first few lines for every RPZ file.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> $TTL 300
>>>>>>>>>>>>>>>>>>>>>>>> @ SOA localhost. root.localhost. 1742298960 43200 3600 86400 300
>>>>>>>>>>>>>>>>>>>>>>>> NS localhost.
>>>>>>>>>>>>>>>>>>>>>>>> ;
>>>>>>>>>>>>>>>>>>>>>>>> ; Title: HaGeZi's Pop-Up Ads DNS Blocklist
>>>>>>>>>>>>>>>>>>>>>>>> ; Description: Blocks annoying and malicious pop-up ads.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> If the SOA serial number changes (e.g. the 1742298960), then Unbound RPZ code does its thing and downloads. Otherwise there is no download.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won’t download a list again unless it has actually changed.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> This should do what you want but I may be missing your point.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I need to read about AXFR/IXFR and learn a little more.
>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>> On 3/17/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Good Morning Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 16 Mar 2025, at 17:00, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>> I was reading through your response again and I want to understand this post:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> So if RPZ doesn't use HTTPS, what is it using? I am missing a key point here.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>>>>>>>>>>>>>>>> Although it might not affect a lot of people in our general user-base, there are some that have a metered connection and will pay for data by volume. Some of the lists I looked at are just under 20 MiB. Therefore we need to keep any traffic down to a minimum. The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won’t download a list again unless it has actually changed.
>>>>>>>>>>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you.
>>>>>>>>>>>>>>>>>>>>>>>>> I was just wondering whether that was not being used.
>>>>>>>>>>>>>>>>>>>>>>>>> HTTPS is an option because that is simply what we use elsewhere, but extra functionality will have to be built for it.
>>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>> On 2/13/25 3:34 PM, jon wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>> I’ve read through your comments a few times and I ended up with many more questions.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> To me the efforts to get new code accepted seem to have changed and it seemed easier in the past. In the past I made the Core Team aware via the Dev Mailing List and wrote a simple two or three paragraphs of "What is it? / What is the value? / Here is the code"
>>>>>>>>>>>>>>>>>>>>>>>>>>> So in an effort to move forward: How exactly is something presented to the Core Team?
>>>>>>>>>>>>>>>>>>>>>>>>>>> Is there an example of a recent effort that was presented that I can see as a sample? (This type of info can also be added to the Wiki)
>>>>>>>>>>>>>>>>>>>>>>>>>>> I understand you want it this way, but I don’t know what exactly is needed. Please be specific.
>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>>> PS - I am not ignoring your other comments, I am just trying to move forward and keep things simple.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Feb 8, 2025, at 1:27 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Thanks for your reply.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> And good that you are copying everyone into this conversation.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 8 Feb 2025, at 18:41, jon wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, this has been a separate effort (a very public separate effort). Yes, as you pointed this out early on with the "proof-of-concept" and then my request for people to help test RPZ. Nothing was hidden.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This was done because you (and maybe others) did not have the time and I wanted to help and because I needed assistance with RPZ. I tried my best to do this without bothering you.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t think that it is accurate that nobody wanted to help on this. The list was always open - although not every email has been replied to swiftly it is also your responsibility to raise a question again if it was missed. People here have open ears.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> It was also stated on this very list or in our documentation that working on something without involving the core team is a risky undertaking. Of course IPFire is free software and so everyone is free to fork if they wish to do so.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You were aware many steps along the way.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> See your email on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024, and January 16. My attempts to get the team involved were met with "things are busy" and sometimes silence. (Yes, I get it, people are busy.)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You and Adolf, Leo, Erik and Bernhard have been aware since the beginning. You mention you were aware of the "proof-of-concept". If you include those beginning posts, since Sep 2023.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, I am aware of a proof-of-concept that I have been running myself for a long time. I am also aware of the efforts that you have been taking.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Yet I don’t think there has ever been any joint effort, or am I seeing that wrong?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This has not been discussed . . . on our calls.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On the July 28th you stated:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "We have talked about RPZ many times on the monthly call since the URL filter feature is falling more and more out of fashion. I think there is also many posts about this on the forum."
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please don’t insult me again by stating "you know what I mean".
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And it has been discussed but not documented in the Monthly Meeting notes.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I am not at all insulting you. I don’t want to take this down to a personal level at all. This is a public mailing list and people who read this don’t need to listen to an argument we are having. They are here for the tech inside IPFire.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> When I wrote that it has not been discussed that does not mean that we have not been touching on the topic.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> We have been talking about lots of things on the calls, the weather, politics, how our pets are. None of that makes it to the logs. What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Regular conversation on the Dev Mailing list is many times met with silence. I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And regular two-way conversation doesn’t happen on the list. At least not with me. I’d be happy to point out the posts that were met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Again, I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> And you think my emails are not being met with silence? This has nothing to do with this specific topic. This has something to do with how occupied people are and how engaged they are on certain topics. Not everyone is involved in all the things and simply will ignore emails simply based on their subject line.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> But the "dip here to the list" were my attempts to get a conversation started. As I said, many times met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The only place I was not met with silence was on the Community. You have a great group of people in the Community. It is a shame you don’t want to have others help. It would reduce your workload.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> You should stop making statements that are not true. Who doesn’t want anyone to help?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Not having this conversation on a Saturday = evening would reduce my workload. At least it would free up time for = something else. Helping with the things that are already on the go would = reduce the workload of the entire team. Starting one thing at a time and = finishing it is a lot better to manage than starting a hundred things = and not even finish one. I can tell you that I already have a hundred = things on the go. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Therefore, what am I supposed to do with = this email? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> To me it is beyond obvious=E2=80=A6 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> If it isn=E2=80=99t what you want, then = guide me with how to do this the correct way. And be specific. I am = trying to help. I am trying to make things better. I am trying to do = things the right way. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> To me it isn=E2=80=99t. This is yet = another project that has been dumped to the list like so many before and = later on everyone has left to have the team deal with the rest. >>>>>>>>>>>>>>>>>>>>>>>>>>>> It is a huge patch set. You explained what = the vision is, but that is about it. There is no chance this will = continue if this disagreement isn=E2=80=99t solved first. I didn=E2=80=99t= even look at the code. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that = I don=E2=80=99t agree with. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I asked multiple times if you "agreed = with the concept" and again, met with silence. Yes I get it, people are = busy. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Having support for RPZ? 
Yes, it was = definitely on the roadmap. That I agree with. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> So many fundamental things that I have = been raising have either not been discussed or outright dismissed. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> You mentioned this a in the past, but = for some reason you do not disclose what I dismissed. Why do you = continue to make this harder, wouldn=E2=80=99t it not be easier to tell = me what I have dismissed? >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I have sent multiple emails trying to = answer your concerns and comments. On July 28, Aug 14, Aug 22, Aug 23, = Sep 30, etc. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I=E2=80=99ve gone through all of the = questions you asked and I cannot find a "dismissed" item. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Maybe I need to be *more clear*. I feel = humoured by this. >>>>>>>>>>>>>>>>>>>>>>>>>>>> It is late on a Saturday and I want my = dinner soon, but certainly I have stated that this should never be an = add-on considering it is supposed to replace URL Filter. We should never = allow people to add their own sources. I have also stated that we cannot = download any lists over HTTPS again and again and again. The = implementation that we have here seems to exactly do that and therefore = I think that my feedback has been dismissed entirely. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that = has no future inside IPFire as there is no constructive conversation = with the maintainers of it. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> The maintainers of Unbound and/or RPZ? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The maintainers of Hagezi list, the = threatfox list, the urlhaus list, etc.? >>>>>>>>>>>>>>>>>>>>>>>>>>>>> What else? The maintainers or the RPZ = scripts? That is me. Let=E2=80=99s talk! >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> You. I don=E2=80=99t care much about the = providers of the lists. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> See, this is where it gets confusing. = There are hundreds of open source packages as part of IPFire. Pick the = last five years of items added to the IPFire build. You're telling me = you have "constructive conversation with the maintainers" of all of the = added packages? >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> They publish their software and they = don=E2=80=99t care whether I am pulling it or not. They publish it with = the commitment to maintain it - sometimes for better and sometimes for = worse. >>>>>>>>>>>>>>>>>>>>>>>>>>>> You care about me pulling your code and I = don=E2=80=99t know whether you would commit to maintain this. >>>>>>>>>>>>>>>>>>>>>>>>>>>> These two are very different cases. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Pick the IP Blocklists list (i.e., = 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.) or the Suricata lists = (i.e.,Emergingthreats.net ,Abuse.ch = , etc.). So you=E2=80=99ve have "constructive = conversation with the maintainers"? >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Yes, occasionally I have phone calls with = a few of these providers. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to = make you aware of this, nothing of this should come as a surprise. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Ha! Yes a surprise. 
In the beginning you = seemed interested as IPFire needed a replacement for URL Filter. You = asked good questions about the lists picked, asked for the value to the = users, etc. And I answered the best I could. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> You even asked: =E2=80=9CWhy is this = realised as an add-on and not part of the core system?=E2=80=9D from = your Jul 28, 2024 email. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Ah, so, why is the patch creating an add- = on? Not that I am saying that what I say is law, but it has not been = challenged either. If my input is being ignored, why should I put this = to the top of my list of priorities? I am not disappointed about this, = just trying to be very good with my time. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> And on January 16, 2025 I wrote a = message looking for help. And you were kind to respond quickly. So in = three weeks time, since the kind response, something has changed. You = went from supportive to "this". >>>>>>>>>>>>>>>>>>>>>>>>>>>>> So yes, I am surprised. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Well, maybe I should not have replied to = that email. It was clear that you were on some path that was not right, = but you were not interested before in finding the right path from the = beginning. >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed = and if there is a path forward with this. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Be more specific, what has to change? = What exactly did I dismiss? >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Dismissal is just my assumption. I = don=E2=80=99t know what you actually did with my feedback. I can only = see the end product that does not seem contain much of it. 
Repeatedly I = have been pointing out that we should think before we build. I am sure a = lot of hours have now gone into some code that simply does not satisfy = me. And I am not not talking about the code itself, what it does is what = I don=E2=80=99t think is right for us. >>>>>>>>>>>>>>>>>>>>>>>>>>>> The process is very clear for me that we = should first of all think whether we want a certain feature now. Then = there should be a clear roadmap for everyone to follow; tasks can be = split-up as we go and hopefully then have something that is = maintainable, interesting for our users and even would do us proud. This = is how this should work. >>>>>>>>>>>>>>>>>>>>>>>>>>>> So, what has to change? I don=E2=80=99t = think with shouting at each other, throwing patches around and making me = generally unhappy is a good start. >>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Feb 6, 2025, at 2:13=E2=80=AFPM, = Michael Tremer wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Well, here we are again with another = patch regarding this feature. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I cannot quite see from your email what = the question is, but if this is a request to have this merged into = IPFire, I am once again sorry to disappoint you. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at = lengths before that this project has been started as a separate effort = and as far as I am aware none of the other team members has been = involved. This has not been discussed either on this list, on our calls. = Instead there has been a separate conversation on the forum with the = occasional dip here to the list. But that was not a regular two- way = conversation. Therefore, what am I supposed to do with this email? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that = I don=E2=80=99t agree with. So many fundamental things that I have been = raising have either not been discussed or outright dismissed. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I don=E2=80=99t want to merge code that = has no future inside IPFire as there is no constructive conversation = with the maintainers of it. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to = make you aware of this, nothing of this should come as a surprise. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed = and if there is a path forward with this. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> All the best, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy = wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is it? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Response Policy Zone (RPZ) is a = mechanism to define local policies in a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> standardized way and load those = policies from external sources. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bottom line: RPZ allows admins to = easily block access to websites via DNS lookup. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> RPZ can block websites via categories. = Examples include: fake websites, annoying >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> pop-up ads, newly registered domains, = DoH bypass sites, bad "host" services, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> maliscious top level domains (e.g., = *.zip, *.mov), piracy, gambling, pornography, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and more. RPZ lists come from various = RPZ providers and their available >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> catagories. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This RPZ add-on enables the RPZ = functionality by adding a couple lines in a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration file. 
This add-on simply = adds configuration files and adds >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> scripts (config, metrics and sleep) to = make RPZ easier for the admin to use. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> The RPZ scripts include additional = languages: German, Spanish, French, Turkish, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and Italian. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> RPZ itself was release in 2010 and has = been part of the IPFire build since ~2015. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Why is it needed? What is its value? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - The RPZ concept places this filtering = into IPFire, our internet access >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> gateway, which is (should be) solely = used as DNS source of the internal network. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - As most sites use HTTPS it makes it = difficult to filter traffic with URL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Filter without also properly = configuring conventional (non-transparent) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> mode on the proxy. RPZ is a nice = replacement for the URL Filter. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - No need to install and maintain an = additional device like PiHole or AdBlock >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> browser extensions on multiple user = devices. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - This is an additional layer of = protection for users. Less worry someone will >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> click on something that gets them into = trouble. And, saying this with emphasis, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the ability to do it in one place! >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Blocked sites save on unneeded = traffic and can lessen the threat of malware >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> in advertisements >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Logging allows the admin to see the = site blocked and take actions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - RPZ will be used at the home, home- = office (work from home), schools, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ministerial, and at the office. 
Device = counts are small (2-6) to medium (~80) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> to mediam-large (200+). >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - RPZ can block ads, popups, phishing, = scammers, spyware, malware, annoying >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> popups, NSFW links, DOH servers, and = the usual internet trash. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ------------------------------ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Change Log for RPZ add-on >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-1.0.0-18 on 2025-02-05 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - Build for approval & release as = IPFire add-on >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added a mod key to force = a unbound restart >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-config and rpz-make: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added action for unbound = restart `rpz-config unbound-restart` >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - simple reformatting >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - rename far right column from "last = update" to "last download" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation regex = for wildcards like: `*.domain.com` >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: updated validation regex >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: moved validation to = beginning of process. Now we validate before >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> creating config files. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: use CSS color variables = of the main ipfire theme >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: empty zonefile remarks were = stored as =E2=80=9Cundef=E2=80=9D and caused a warning >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: HTML textarea removes the = first empty line in a custom list >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - thank you Leo! >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file = for Turkish (thank you Peppe) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected empty allow/block = list issue. An empty allow/block list >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> will now remove contents of allow/ = block.rpz files and remove unneeded >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> allow/block.conf file. (thank you = iptom) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-config: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: correct missing rpz = extension. 
`rpz-config list` displayed URL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incorrectly (thank you Bernhard) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: remove extra `"` in language = files (thank you Bernhard) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: slightly dim "apply" = button when not enabled >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - skipped >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file = for French (thank you gw-ipfire) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file = for Italian (thank you umberto) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file = for Spanish (thank you Roberto) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation error = for a custom list entry (thank you siosios) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - e.g., `*.cloudflare-dns.com` >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install.sh: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user = created files >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update.sh: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user = created files (thank you siosios) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file = for German (thank you Leo) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add 
missing "rpz exitcode = 110" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu = item at menu > IPFire >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - skipped >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> All: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: includes beta version = numbers for pakfire package, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, = for each release. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new WebGUI at = `rpz.cgi` >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - a BIG thank you to Leo Hofmann for = all of his work creating the webgui!! >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu = item at menu > IPFire >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: validate entries in = allowlist and blocklist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: add "no-reload" option = for WebGUI >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: info can be sorted by = name, by hit count, by line count, by >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "enabled" list or all lists >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> backups: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: include all files in `/var/ = ipfire/dns/rpz` directory in backup >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update.sh: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected ownership for = `/var/ ipfire/dns/rpz` directory during an >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> update >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Build: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: `block.rpz.conf` and = `block.rpz` from build. 
Files to be created >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> by `rpz-make` >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> WebGUI and German language file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Leo-Andres Hofmann = >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Spanish language file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Roberto Pe=C3=B1a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Italian language file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Umberto Parma >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> French language file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: gw-ipfire >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Turkish language file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Peppe Tech >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Bernhard Bitsch = >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Erik Kapfer = >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
Signed-off-by: Jon Murphy = >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/backup/includes/rpz | 4 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/cfgroot/manualpages | 1 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/menu/EX-rpz.menu | 6 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/configroot | 1 = + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/web-user- = interface | 1 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/packages/rpz | 20 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/00-rpz.conf | 10 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-config | 130 +++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-functions | 85 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-make | 203 +++++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-metrics | 170 ++++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-sleep | 58 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.de.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.en.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.es.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.fr.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.it.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.tr.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> html/cgi-bin/rpz.cgi | 923 = ++++++++++++++ +++++++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> lfs/rpz | 96 +++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> make.sh | 3 +- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/install.sh | 36 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/uninstall.sh | 38 + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/update.sh | 52 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 24 files changed, 2016 insertions(+), 1 = deletion(-) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/backup/ = includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rootfiles/ = packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/00-rpz.conf 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = config/rpz/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100755 = config/rpz/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100755 config/rpz/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 html/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 lfs/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/install.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/uninstall.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 = src/paks/rpz/update.sh >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/backup/includes/rpz = b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..36513e494 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,4 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/cfgroot/manualpages = b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
--- a/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -70,6 +70,7 @@ = pakfire.cgi=3Dconfiguration/ipfire/pakfire >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # Logs menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = logs.cgi/summary.dat=3Dconfiguration/logs/ summary >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/menu/EX-rpz.menu b/ = config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..2f4daf410 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,6 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +}; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/ = configroot b/config/rootfiles/common/ configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- = a/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ = b/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -120,6 +120,7 @@ = var/ipfire/menu.d/70- log.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git = a/config/rootfiles/common/web- user-interface b/config/rootfiles/common/ = web-user-interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- a/config/rootfiles/common/web-user- = interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/web-user- = interface >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -69,6 +69,7 @@ = srv/web/ipfire/cgi-bin/ proxy.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/packages/ = rpz b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..1c8663049 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,20 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/backup/addons/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/00-rpz.conf b/ = config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..f005a4f2e >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,10 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +server: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + module-config: "respip validator = iterator" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpz: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + name: allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + zonefile: = /etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-action-override: passthru >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-log: yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-log-name: allow >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/rpz-config b/ = config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..c72d50f9b >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,130 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +#!/bin/bash >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = +#########################################################################= ###### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# IPFire.org - A linux based firewall = # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# Copyright (C) 2024-2025 IPFire Team = # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# This program is free software: you = can redistribute it and/or modify # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# it under the terms of the GNU = General Public License as published by # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# the Free Software Foundation, either = version 3 of the License, or # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# (at your option) any later version. = # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# This program is distributed in the = hope that it will be useful, # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# but WITHOUT ANY WARRANTY; without = even the implied warranty of # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A = PARTICULAR PURPOSE. See the # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# GNU General Public License for more = details. # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# You should have received a copy of = the GNU General Public License # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# along with this program. If not, see = . 
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> = +#########################################################################= ###### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +############### Functions = ############### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +############### Main ############### >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +tagName=3D"unbound" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzAction=3D"${1}" # input RPZ action >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzOption1=3D"${4}" # input RPZ option = #1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzOption2=3D"${5}" # input RPZ option = #2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/ = ${rpzName}.rpz.conf" # output zone conf file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/ = ${rpzName}.rpz" # output for RPZ file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzLog=3D"yes" # log default is yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +ucReload=3D"yes" # reload default is = yes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + case "$1" in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + --no-reload ) ucReload=3D"no" ; = checkConf=3D"no" ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + esac >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + shift # Shift after checking all the = cases to get next option >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +done >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +case "${rpzAction}" in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # add new rpz list >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + add ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_name "${rpzName}" # is this a = valid name? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # does this config already exist? If = yes, then exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: duplicate - = ${rpzConfig} already exists. exit" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 104 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # is this a valid URL? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + regex=3D'^https://[-[:alnum:]\+&@#/%? = =3D~_|!:,.;]*[-[:alnum:]\+&@#/%=3D~_|]' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex ]] ; = then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: the URL is not = valid: \"${rpzURL}\". exit." >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 105 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # create the zone config file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + { >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo "rpz:" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-action-override: nxdomain" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-signal-nxdomain-ra: yes" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + } > "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # set-up zonefile >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # create an empty rpz file if it does = not exist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if [[ ! 
-f "${rpzFile}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + touch "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # unbound requires these settings for = rpz files >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + set_permissions "${rpzFile}" = "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + # trash config file & rpz file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + remove ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: cannot remove = ${rpzConfig}, does not exist. exit" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 106 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "info: rpz: remove config = file & rpz file \"${rpzName}\"" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + reload ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + list ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/ = [[:blank:]]|\.rpz/, "",$2) ; NAME=3D$2 } \ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") ; = print NAME"=3D"$2":"$3} ' \ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + unbound-restart ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + unbound_restart >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log 
"error: rpz: missing or = incorrect parameter" >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + printf "Usage: $(basename "$0") =
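Review bot: in the allow.rpz zone fragment (first hunk), `module-config: "respip validator iterator"` is carried inside a per-zone include rather than in Unbound's main configuration, so the `respip` module that every RPZ zone depends on goes away as soon as this one fragment is removed or fails to be installed. Suggest moving the `server:` / `module-config:` block into the global Unbound config and keeping this file to the `rpz:` stanza only. Minor: with `rpz-action-override: passthru` the zone never answers NXDOMAIN, so `rpz-signal-nxdomain-ra: yes` has no effect here and can be dropped.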
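Review bot: in `rpz-config` (second hunk), `check_name "${rpzName}"` runs only in the `add` branch, but `remove` also builds `${rpzConfig}` and `${rpzFile}` from the unvalidated `${rpzName}` and then `rm`s both paths; run the same name check before the `case` (or at the top of `remove`) so a malformed name cannot resolve to a path outside `/etc/unbound/local.d` and `/etc/unbound/zonefiles`. Three smaller points in the same hunk: `checkConf` is only ever assigned by `--no-reload`, so `check_unbound_conf "${checkConf}"` in `reload` and `unbound-restart` receives an empty string by default; initialise it next to `ucReload="yes"`. In `add`, `set_permissions "${rpzFile}" "${rpzConfig}"` sits inside `if [[ ! -f "${rpzFile}" ]]`, so when a stale zonefile already exists the freshly written `${rpzConfig}` never gets its permissions set; move the call after the `fi`. And the URL regex has no `$` anchor, so trailing characters outside the allowed set are accepted and written verbatim into the `url:` line; terminate it with `$`.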