public inbox for development@lists.ipfire.org
From: jon <jon.murphy@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] RPZ: bug fix and code update
Date: Wed, 14 Aug 2024 12:14:47 -0500
Message-ID: <DB39C27C-27AF-4A0C-B28C-F3F30E247432@ipfire.org>
In-Reply-To: <315FEBF5-995D-4FB5-BF0B-08C331DAD35F@ipfire.org>


Michael,

Sorry for putting you on the spot, but what do you want to do with this RPZ add-on?

I saw your comments in the Dev Mailing List of "generally being in favor of trying this path" (bad paraphrasing on my part)

I saw your comments in bugzilla at https://bugzilla.ipfire.org/show_bug.cgi?id=13254#c171
>    I am not interested in anything regarding the RPZs right now. They have not been properly put on the agenda and looking at how much time we have on our hands, this won't make it on the agenda for years.
>
>    I don't want to build blockers, but this ticket is about a different problem which I want to solve first.


How do you want to go forward?


Jon


> On Aug 12, 2024, at 2:11 PM, jon <jon.murphy@ipfire.org> wrote:
> 
> More questions!
> 
> Currently RPZ config files are at `/etc/unbound/local.d` but this directory seems like it is for user (admin) customizations.  
> 
> ```
> [root@ipfire ~] # ls -al /etc/unbound/local.d
> total 68
> drwxr-xr-x 2 nobody nobody 4096 Aug 12 13:41 .
> drwxr-xr-x 4 root   root   4096 Aug 12 00:52 ..
> -rw-r--r-- 1 nobody nobody  436 Jul 12 15:45 00-rpz.conf
> -rw-r--r-- 1 nobody nobody  285 Mar  1 22:12 AmazonTrkrHZ.rpz.conf
> -rw-r--r-- 1 nobody nobody  281 Mar  1 22:02 AppleTrkrHZ.rpz.conf
> -rw-r--r-- 1 nobody nobody  269 Mar  1 21:40 DOHblockHZ.rpz.conf
> ...
> -rw-r--r-- 1 nobody nobody  299 Aug  1 19:42 WinTrkrHZ.rpz.conf
> [root@ipfire ~] # 
> ```
> 
> 
> Each file is a config file per category (or one per RPZ file).  This makes it easy to add or remove a category (or RPZ file).
> 
> Should I create a new unbound directory for RPZ config files?  Maybe `/etc/unbound/rpz.d`?  Or `/etc/unbound/rpz`?
> 
> 
> Jon
> 
> 
>> On Aug 1, 2024, at 1:45 PM, Jon Murphy <jon.murphy@ipfire.org> wrote:
>> 
>> changed all paths from `/var/ipfire/rpz/` to `/var/ipfire/dns/rpz/`
>> (thank you to Adolf!)
>> 
>> rpz-config:
>> - bug: corrected "Type" test from block to allow
>> - removed verbose parameter from various commands
>> 
>> rpz-metrics:
>> - bug: corrected grep for rpz name count
>> - bug: fixed divide by zero error (thank you Peppe!)
>> 
>> install/uninstall:
>> - bug: corrected scripts (thank you Bernhard!)
>> 
>> Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
>> ---
>> config/backup/includes/rpz    |  4 ++--
>> config/rootfiles/packages/rpz |  6 +++---
>> config/rpz/rpz-config         | 14 +++++++-------
>> config/rpz/rpz-metrics        |  9 +++++----
>> lfs/rpz                       |  6 +++---
>> src/paks/rpz/install.sh       | 27 +++++++++++++++++++++++++++
>> src/paks/rpz/uninstall.sh     | 31 +++++++++++++++++++++++++++++++
>> src/paks/rpz/update.sh        | 25 +++++++++++++++++++++++++
>> 8 files changed, 103 insertions(+), 19 deletions(-)
>> create mode 100644 src/paks/rpz/install.sh
>> create mode 100644 src/paks/rpz/uninstall.sh
>> create mode 100644 src/paks/rpz/update.sh
>> 
>> diff --git a/config/backup/includes/rpz b/config/backup/includes/rpz
>> index 4d59bb40c..8c7410ebd 100644
>> --- a/config/backup/includes/rpz
>> +++ b/config/backup/includes/rpz
>> @@ -1,5 +1,5 @@
>> -/var/ipfire/rpz/allowlist
>> -/var/ipfire/rpz/blocklist
>> +/var/ipfire/dns/rpz/allowlist
>> +/var/ipfire/dns/rpz/blocklist
>> /etc/unbound/zonefiles/allow.rpz
>> /etc/unbound/zonefiles/block.rpz
>> /etc/unbound/local.d/*rpz.conf
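Review bot: the unchanged glob `/etc/unbound/local.d/*rpz.conf` also matches the package-shipped `00-rpz.conf`, so an update (uninstall.sh runs make_backup, install.sh runs extract_files and then restore_backup) puts the previous version's 00-rpz.conf back over the freshly installed one. Either give the generated per-list configs a directory or name pattern that `00-rpz.conf` does not match, or exclude that file from the include list.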
>> diff --git a/config/rootfiles/packages/rpz b/config/rootfiles/packages/rpz
>> index 2ffa715dd..183825362 100644
>> --- a/config/rootfiles/packages/rpz
>> +++ b/config/rootfiles/packages/rpz
>> @@ -6,6 +6,6 @@ usr/sbin/rpz-config
>> usr/sbin/rpz-metrics
>> usr/sbin/rpz-sleep
>> var/ipfire/backup/addons/includes/rpz
>> -var/ipfire/rpz
>> -var/ipfire/rpz/allowlist
>> -var/ipfire/rpz/blocklist
>> +var/ipfire/dns/rpz
>> +var/ipfire/dns/rpz/allowlist
>> +var/ipfire/dns/rpz/blocklist
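Review bot: `var/ipfire/dns/rpz/allowlist` and `blocklist` are user-edited data, yet listing them in the rootfile means `remove_files` deletes them on uninstall; that is only safe because uninstall.sh calls make_backup before remove_files, so that ordering is load-bearing and deserves a comment in both scripts, or the two files should be created by lfs/install at runtime rather than shipped as package content.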
>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config
>> index 98dc0a4ca..a24a5c132 100644
>> --- a/config/rpz/rpz-config
>> +++ b/config/rpz/rpz-config
>> @@ -19,7 +19,7 @@
>> #                                                                             #
>> ###############################################################################
>> 
>> -# v22 - 2024-07-12
>> +# v23 - 2024-07-30
>> 
>> ###############     Functions     ###############
>> 
>> @@ -54,11 +54,11 @@ check_unbound_conf () {
>> make_rpz_file () {
>> local theType="${1}" # allow or block
>> 
>> - theList="/var/ipfire/rpz/${theType}list" # input user list of domains
>> + theList="/var/ipfire/dns/rpz/${theType}list" # input custom list of domains
>> theZoneFile="/etc/unbound/zonefiles/${theType}.rpz" # output file for RPZ
>> 
>> theAction='.'
>> - if [[ "${theType}" =~ "block" ]] ; then
>> + if [[ "${theType}" =~ "allow" ]] ; then
>> theAction='rpz-passthru.'
>> fi
>> 
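Review bot: `[[ "${theType}" =~ "allow" ]]` is a substring regex match and any `theType` that is not "allow" silently falls through to the blocking action `.`; an exact comparison (`[[ "${theType}" == "allow" ]]`) plus an `else` branch that rejects anything other than allow or block would make a future typo fail loudly instead of producing a zone that blocks the domains the user meant to allow. The inversion itself is right: before this change the allow list got CNAME `.` (NXDOMAIN) and the block list got `rpz-passthru.`, so a "Type" test on block produced exactly the opposite policy.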
>> @@ -131,8 +131,8 @@ case "${theAction}" in
>> # set-up zone file
>> /usr/bin/touch "${rpzFile}"
>> # unbound requires these settings for rpz files
>> - /bin/chown --verbose nobody:nobody "${rpzFile}"
>> - /bin/chmod --verbose 644 "${rpzFile}"
>> + /bin/chown nobody:nobody "${rpzFile}"
>> + /bin/chmod 644 "${rpzFile}"
>> ;;
>> 
>> # trash config file & rpz file
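Review bot: `chown nobody:nobody` gives the unbound user write access to its own policy zone file, which is more than "unbound requires these settings" suggests: for a locally generated RPZ with no primary to transfer from, unbound only needs to read the file, so `root:root` with mode 644 (or `root:nobody` 640) keeps a compromised resolver process from rewriting the zone it enforces. If unbound is expected to write these files (zone transfers), keep the ownership but say so in the comment.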
>> @@ -143,8 +143,8 @@ case "${theAction}" in
>> fi
>> 
>> msg_log "info: rpz: remove config file & rpz file \"${theName}\""
>> - /bin/rm --verbose "${rpzConfig}"
>> - /bin/rm --verbose "${rpzFile}"
>> + /bin/rm "${rpzConfig}"
>> + /bin/rm "${rpzFile}"
>> 
>> check_unbound_conf
>> ;;
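Review bot: the two `rm` calls run without `-f` and without checking their exit status, so if either file is already missing the script logs an error and continues into `check_unbound_conf` as if the removal had succeeded; use `rm -f` (or test `-e` first) and abort before the reload if a removal fails. The hunk does not show where `${theName}` comes from; if it is user-supplied, restrict it to a safe character set before it is used to build `${rpzConfig}` and `${rpzFile}`, since a name containing `/` or `..` would point the `rm` outside `/etc/unbound`.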
>> diff --git a/config/rpz/rpz-metrics b/config/rpz/rpz-metrics
>> index 0f97c7911..4d932726e 100644
>> --- a/config/rpz/rpz-metrics
>> +++ b/config/rpz/rpz-metrics
>> @@ -19,7 +19,7 @@
>> #                                                                             #
>> ###############################################################################
>> 
>> -# v18 on 2024-07-05
>> +# v19 on 2024-07-30
>> 
>> ###############       Main        ###############
>> 
>> @@ -33,7 +33,7 @@ messageLogs=$( find /var/log/messages* -type f |
>> 
>> # get the list of RPZ names & counts from the message log(s)
>> rpzNameCount=$( for logf in ${messageLogs} ; do
>> - /usr/bin/zgrep --text --fixed-strings 'info: rpz: applied' "${logf}" |
>> + /usr/bin/zgrep --text --extended-regexp 'info: rpz: applied.* A IN$' "${logf}" |
>> /usr/bin/awk '$10 ~ /\[\w*]/ { print $10 }' ;
>> done | /usr/bin/sort | /usr/bin/uniq --count )
>> 
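Review bot: anchoring the pattern on ` A IN$` counts only A-record hits, so an IPv6-only client that sends just AAAA queries, or any blocked HTTPS or TXT lookup, never appears in the per-zone counts; if the aim is to avoid counting the A and AAAA pair from one client twice, say so in a comment, otherwise match `(A|AAAA) IN$` or drop the type filter. The `\w` inside the awk pattern is a GNU awk extension; a character class such as `[A-Za-z0-9_]` works on any awk.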
>> @@ -107,8 +107,9 @@ do
>> theLines=$( /bin/echo "${output}" | /usr/bin/awk '{ print $1 }' )
>> totalLines=$(( totalLines + theLines ))
>> 
>> - #hitsPerLine=$( echo "scale=0 ; $theHits / $theLines" | bc )
>> - hitsPerLine=$(( 100 * theHits / theLines ))
>> + if [[ "${theLines}" -gt 2 ]] ; then
>> + hitsPerLine=$(( 100 * theHits / theLines ))
>> + fi
>> fi
>> 
>> # get modification date
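Review bot: the `-gt 2` guard avoids the divide-by-zero but leaves `hitsPerLine` unset for lists of one or two lines, and since the assignment sits inside a loop (`do` in the hunk header) the variable then keeps the value computed for the previous list and is reported for the wrong one; reset it (`hitsPerLine=0`) before the `if` and use `-gt 0`, which is all the division needs.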
>> diff --git a/lfs/rpz b/lfs/rpz
>> index 319c10b7f..73f6f2b1b 100644
>> --- a/lfs/rpz
>> +++ b/lfs/rpz
>> @@ -67,9 +67,9 @@ $(TARGET) :
>> $(DIR_CONF)/rpz/{rpz-config,rpz-metrics,rpz-sleep} -t /usr/sbin
>> 
>> # Install settings folder and two empty files
>> - mkdir -pv /var/ipfire/rpz
>> - touch /var/ipfire/rpz/allowlist
>> - touch /var/ipfire/rpz/blocklist
>> + mkdir -pv /var/ipfire/dns/rpz
>> + touch /var/ipfire/dns/rpz/allowlist
>> + touch /var/ipfire/dns/rpz/blocklist
>> 
>> # Add conf file to /etc directory
>> cp -vf $(DIR_CONF)/rpz/00-rpz.conf /etc/unbound/local.d
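Review bot: on a system that already has the add-on, `mkdir -pv /var/ipfire/dns/rpz` plus `touch` creates two empty lists at the new path while the existing `/var/ipfire/rpz/allowlist` and `blocklist` stay where they are, unread; nothing in the patch moves them, and the backup include list now names only the new path, so the first update from the previous version needs a one-off migration (move the old files if the new ones are empty, then remove the old directory).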
>> diff --git a/src/paks/rpz/install.sh b/src/paks/rpz/install.sh
>> new file mode 100644
>> index 000000000..0a797e158
>> --- /dev/null
>> +++ b/src/paks/rpz/install.sh
>> @@ -0,0 +1,27 @@
>> +#!/bin/bash
>> +###############################################################################
>> +#                                                                             #
>> +#  IPFire.org - A linux based firewall                                        #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                         #
>> +#                                                                             #
>> +#  This program is free software: you can redistribute it and/or modify       #
>> +#  it under the terms of the GNU General Public License as published by       #
>> +#  the Free Software Foundation, either version 3 of the License, or          #
>> +#  (at your option) any later version.                                        #
>> +#                                                                             #
>> +#  This program is distributed in the hope that it will be useful,            #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of             #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              #
>> +#  GNU General Public License for more details.                               #
>> +#                                                                             #
>> +#  You should have received a copy of the GNU General Public License          #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.      #
>> +#                                                                             #
>> +###############################################################################
>> +#
>> +. /opt/pakfire/lib/functions.sh
>> +extract_files
>> +restore_backup ${NAME}
>> +
>> +#  restart unbound to load config file
>> +/etc/init.d/unbound restart
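Review bot: the unconditional `/etc/init.d/unbound restart` right after `restore_backup` takes the resolver down if a restored `*rpz.conf` or zone file no longer parses, and DNS for every client behind the firewall goes with it; run `unbound-checkconf` (rpz-config already carries a `check_unbound_conf` helper) before the restart and only restart or reload if it passes. `${NAME}` should also be quoted.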
>> diff --git a/src/paks/rpz/uninstall.sh b/src/paks/rpz/uninstall.sh
>> new file mode 100644
>> index 000000000..4fb20e127
>> --- /dev/null
>> +++ b/src/paks/rpz/uninstall.sh
>> @@ -0,0 +1,31 @@
>> +#!/bin/bash
>> +###############################################################################
>> +#                                                                             #
>> +#  IPFire.org - A linux based firewall                                        #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                         #
>> +#                                                                             #
>> +#  This program is free software: you can redistribute it and/or modify       #
>> +#  it under the terms of the GNU General Public License as published by       #
>> +#  the Free Software Foundation, either version 3 of the License, or          #
>> +#  (at your option) any later version.                                        #
>> +#                                                                             #
>> +#  This program is distributed in the hope that it will be useful,            #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of             #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              #
>> +#  GNU General Public License for more details.                               #
>> +#                                                                             #
>> +#  You should have received a copy of the GNU General Public License          #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.      #
>> +#                                                                             #
>> +###############################################################################
>> +#
>> +. /opt/pakfire/lib/functions.sh
>> +
>> +#  stop unbound to delete RPZ conf file
>> +/etc/init.d/unbound stop
>> +
>> +make_backup ${NAME}
>> +remove_files
>> +
>> +#  start unbound to load unbound config file
>> +/etc/init.d/unbound start
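Review bot: stopping unbound for the whole `make_backup` plus `remove_files` window is a DNS outage for the site, and it is not needed: a config file in `/etc/unbound/local.d` can be deleted while unbound is running, and a single restart afterwards picks up the change. Also, the visible part of the rootfile does not list the generated `/etc/unbound/local.d/*rpz.conf` or `/etc/unbound/zonefiles/*.rpz`; if they are not in the lines not shown, `remove_files` leaves them in place and unbound starts back up with the RPZ policy still active after the add-on is gone.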
>> diff --git a/src/paks/rpz/update.sh b/src/paks/rpz/update.sh
>> new file mode 100644
>> index 000000000..938a93a40
>> --- /dev/null
>> +++ b/src/paks/rpz/update.sh
>> @@ -0,0 +1,25 @@
>> +#!/bin/bash
>> +###############################################################################
>> +#                                                                             #
>> +#  IPFire.org - A linux based firewall                                        #
>> +#  Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                         #
>> +#                                                                             #
>> +#  This program is free software: you can redistribute it and/or modify       #
>> +#  it under the terms of the GNU General Public License as published by       #
>> +#  the Free Software Foundation, either version 3 of the License, or          #
>> +#  (at your option) any later version.                                        #
>> +#                                                                             #
>> +#  This program is distributed in the hope that it will be useful,            #
>> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of             #
>> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              #
>> +#  GNU General Public License for more details.                               #
>> +#                                                                             #
>> +#  You should have received a copy of the GNU General Public License          #
>> +#  along with this program.  If not, see <http://www.gnu.org/licenses/>.      #
>> +#                                                                             #
>> +###############################################################################
>> +#
>> +. /opt/pakfire/lib/functions.sh
>> +extract_backup_includes
>> +./uninstall.sh
>> +./install.sh
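Review bot: `extract_backup_includes` installs the new include list before `./uninstall.sh` calls `make_backup`, so the backup taken during the update looks for `/var/ipfire/dns/rpz/*` and never sees the lists still living at `/var/ipfire/rpz/` on an installation of the previous version; those lists are then neither backed up nor restored. Copy the old files to the new path (or restore from the pre-update backup) before the uninstall/install pair, and note that this sequence stops and starts unbound twice.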
>> -- 
>> 2.30.2
>> 
> 
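The allow/block mapping in make_rpz_file, carried through to a complete zone, as an added Python example that is not the add-on's own code: it emits the CNAME records unbound's RPZ expects (CNAME `.` for NXDOMAIN, CNAME `rpz-passthru.` to answer normally), covers subdomains with a wildcard record, keeps malformed list entries out of the zone instead of handing them to unbound, and refuses a type other than allow or block rather than defaulting to the blocking action. The zone origin name, the SOA values and the list-file comment syntax are assumptions.

```python
"""Build an RPZ zone from a plain list of domains, the way rpz-config does.

Added example, not code from the IPFire rpz add-on. Assumes one domain per
line in the list, '#' comments, and the allow/block action mapping from the
patch; origin name and SOA values are placeholders.
"""
import re

# One hostname label: 1-63 chars, letters/digits/underscore/hyphen,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")

# Action per list type, as in rpz-config after the fix.
ACTIONS = {
    "allow": "rpz-passthru.",  # CNAME rpz-passthru. : answer normally, stop RPZ matching
    "block": ".",              # CNAME . : NXDOMAIN
}


def valid_domain(name: str) -> bool:
    """Reject anything that is not a syntactically valid hostname."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def make_rpz_zone(the_type: str, lines, origin: str = "rpz.local"):
    """Return (zone_text, skipped_entries) for one list; raise on an unknown type."""
    if the_type not in ACTIONS:
        # Unlike a bare `if ... allow` test, an unknown type must not quietly block.
        raise ValueError(f"list type must be one of {sorted(ACTIONS)}, got {the_type!r}")
    action = ACTIONS[the_type]
    out = [
        f"$ORIGIN {origin}.",
        "$TTL 2h",
        "@ IN SOA localhost. root.localhost. 1 6h 1h 1w 2h",  # assumed SOA values
        "@ IN NS localhost.",
    ]
    skipped = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue  # blank or comment-only line
        if not valid_domain(entry):
            skipped.append(entry)  # a bad line must not reach unbound
            continue
        out.append(f"{entry} CNAME {action}")
        out.append(f"*.{entry} CNAME {action}")  # match subdomains too
    return "\n".join(out) + "\n", skipped


if __name__ == "__main__":
    # Constructed sample list, not a real IPFire blocklist.
    sample = ["ads.example.com  # tracker", "", "bad domain", "Trk.Example.NET."]
    zone, bad = make_rpz_zone("block", sample)
    print(zone)
    print("skipped:", bad)
```

Skipped entries are returned rather than dropped silently so the caller can log them; rpz-config's `check_unbound_conf` step would still be the last line of defence before a reload.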

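Counting RPZ hits per zone from the message log, as rpz-metrics does, in an added Python example that is not the add-on's code: it parses the `[zone]` field and the trailing `<qname> <qtype> <qclass>` fields the script's grep and awk rely on, lets the caller choose which query types to count (so the effect of filtering on `A IN` is visible), and keeps the hits-per-line ratio zero-safe. The sample log lines are constructed, and their exact field layout is an assumption about unbound's log format.

```python
"""Per-zone RPZ hit counts from unbound syslog lines, as rpz-metrics computes them.

Added example, not code from the IPFire rpz add-on. The sample lines are
constructed; their layout (field 10 is "[zone]", line ends with
"<qname> <qtype> <qclass>") follows what rpz-metrics' grep and awk assume and
is an assumption about the exact unbound log format.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"info: rpz: applied \[(?P<zone>[^\]]+)\] .*? "
    r"(?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>IN|CH|HS)$"
)

# Constructed sample log, not captured from a real firewall.
SAMPLE_LOG = """\
Aug 12 13:41:02 ipfire unbound: [1234:0] info: rpz: applied [DOHblockHZ] 192.168.1.10 dns.example. rpz-nxdomain dns.example. A IN
Aug 12 13:41:02 ipfire unbound: [1234:0] info: rpz: applied [DOHblockHZ] 192.168.1.10 dns.example. rpz-nxdomain dns.example. AAAA IN
Aug 12 13:41:05 ipfire unbound: [1234:0] info: rpz: applied [AmazonTrkrHZ] 192.168.1.11 trk.example. rpz-nxdomain trk.example. A IN
Aug 12 13:41:09 ipfire unbound: [1234:0] info: rpz: applied [DOHblockHZ] fd00::2 dns.example. rpz-nxdomain dns.example. AAAA IN
Aug 12 13:41:10 ipfire unbound: [1234:0] info: not an rpz line
"""


def count_hits(lines, qtypes=None):
    """Hits per zone. qtypes=None counts every query type; {'A'} mimics the ' A IN$' grep."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line.rstrip("\n"))
        if not m:
            continue  # not an RPZ application line
        if qtypes is not None and m["qtype"] not in qtypes:
            continue  # filtered out, e.g. AAAA when only A is counted
        hits[m["zone"]] += 1
    return hits


def hits_per_100_lines(hits: int, lines: int) -> int:
    """Integer percent like rpz-metrics' $(( 100 * theHits / theLines )), zero-safe."""
    return 0 if lines <= 0 else 100 * hits // lines


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("all types:", dict(count_hits(lines)))
    print("A only:   ", dict(count_hits(lines, {"A"})))
    # A two-line list with three hits, and an empty list that must not divide by zero.
    print(hits_per_100_lines(3, 2), hits_per_100_lines(3, 0))
```

With the A-only filter the IPv6-only client (`fd00::2`) that sent just an AAAA query disappears from the DOHblockHZ count, which is the trade-off the `A IN$` anchor in rpz-metrics makes.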

Thread overview: 9+ messages
2024-08-01 18:45 Jon Murphy
2024-08-04 17:01 ` Bernhard Bitsch
2024-08-12 19:11 ` jon
2024-08-14 17:14   ` jon [this message]
2024-08-15 15:33     ` Michael Tremer
     [not found] <0CC66649-F5ED-4E87-80F8-A979BB877DA7@ipfire.org>
2024-08-15 18:33 ` Michael Tremer
     [not found] <1CBFDF9B-915B-499F-853D-135926EC1683@ipfire.org>
2024-08-21 10:03 ` Michael Tremer
     [not found] <65FA8AD8-467A-4385-923F-F3A778D3F450@ipfire.org>
2024-08-23  9:18 ` Michael Tremer
2024-08-23 18:31   ` jon
