From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
Date: Sat, 08 Feb 2025 19:27:12 +0000

Hello Jon,

Thanks for your reply. And good that you are copying everyone into this conversation.

> On 8 Feb 2025, at 18:41, jon wrote:
>
> Michael,
>
>> I think I have covered this all at length before that this project has been started as a separate effort
>
> Yes, this has been a separate effort (a very public separate effort). Yes, as you pointed this out early on with the "proof-of-concept" and then my request for people to help test RPZ. Nothing was hidden.
>
> This was done because you (and maybe others) did not have the time and I wanted to help and because I needed assistance with RPZ. I tried my best to do this without bothering you.

I don’t think that it is accurate that nobody wanted to help on this. The list was always open - although not every email has been replied to swiftly, it is also your responsibility to raise a question again if it was missed. People here have open ears.

It was also stated on this very list and in our documentation that working on something without involving the core team is a risky undertaking. Of course IPFire is free software and so everyone is free to fork if they wish to do so.

>> and as far as I am aware none of the other team members have been involved. This has not been discussed either on this list, on our calls.
>
> You were aware many steps along the way. See your email on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024, and January 16. My attempts to get the team involved were met with "things are busy" and sometimes silence.
> (Yes, I get it, people are busy.)
>
> You and Adolf, Leo, Erik and Bernhard have been aware since the beginning. You mention you were aware of the "proof-of-concept". If you include those beginning posts, since Sep 2023.

Yes, I am aware of a proof-of-concept that I have been running myself for a long time. I am also aware of the efforts that you have been taking.

Yet I don’t think there has ever been any joint effort, or am I seeing that wrong?

>> This has not been discussed . . . on our calls.
>
> On July 28th you stated:
> "We have talked about RPZ many times on the monthly call since the URL filter feature is falling more and more out of fashion. I think there are also many posts about this on the forum."
>
> Please don’t insult me again by stating "you know what I mean".
>
> And it has been discussed but not documented in the Monthly Meeting notes.

I am not at all insulting you. I don’t want to take this down to a personal level at all. This is a public mailing list and people who read this don’t need to listen to an argument we are having. They are here for the tech inside IPFire.

When I wrote that it has not been discussed, that does not mean that we have not been touching on the topic. We have been talking about lots of things on the calls, the weather, politics, how our pets are. None of that makes it to the logs. What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.

>> Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation.
>
> Regular conversation on the Dev Mailing list is many times met with silence. I get it, people are busy.
>
> And regular two-way conversation doesn’t happen on the list. At least not with me. I’d be happy to point out the posts that were met with silence.
>
> Again, I get it, people are busy.

And you think my emails are not being met with silence? This has nothing to do with this specific topic. This has something to do with how occupied people are and how engaged they are on certain topics. Not everyone is involved in all the things and will simply ignore emails based on their subject line.

> But the "dip here to the list" were my attempts to get a conversation started. As I said, many times met with silence.
>
> The only place I was not met with silence was on the Community. You have a great group of people in the Community. It is a shame you don’t want to have others help. It would reduce your workload.

You should stop making statements that are not true. Who doesn’t want anyone to help?

Not having this conversation on a Saturday evening would reduce my workload. At least it would free up time for something else. Helping with the things that are already on the go would reduce the workload of the entire team. Starting one thing at a time and finishing it is a lot better to manage than starting a hundred things and not even finishing one. I can tell you that I already have a hundred things on the go.

>> Therefore, what am I supposed to do with this email?
>
> To me it is beyond obvious…
>
> If it isn’t what you want, then guide me with how to do this the correct way. And be specific. I am trying to help. I am trying to make things better. I am trying to do things the right way.

To me it isn’t. This is yet another project that has been dumped on the list like so many before, and later on everyone has left to have the team deal with the rest.

It is a huge patch set. You explained what the vision is, but that is about it. There is no chance this will continue if this disagreement isn’t solved first. I didn’t even look at the code.

>> I don’t want to merge code that I don’t agree with.
>
> I asked multiple times if you "agreed with the concept" and again, met with silence. Yes I get it, people are busy.

Having support for RPZ? Yes, it was definitely on the roadmap. That I agree with.

>> So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>
> You mentioned this in the past, but for some reason you do not disclose what I dismissed. Why do you continue to make this harder, wouldn’t it be easier to tell me what I have dismissed?
>
> I have sent multiple emails trying to answer your concerns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc.
>
> I’ve gone through all of the questions you asked and I cannot find a "dismissed" item. Maybe I need to be *more clear*.

I feel humoured by this.

It is late on a Saturday and I want my dinner soon, but certainly I have stated that this should never be an add-on considering it is supposed to replace URL Filter. We should never allow people to add their own sources. I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to do exactly that and therefore I think that my feedback has been dismissed entirely.

>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>
> The maintainers of Unbound and/or RPZ?
>
> The maintainers of the Hagezi list, the threatfox list, the urlhaus list, etc.?
>
> What else? The maintainers of the RPZ scripts? That is me. Let’s talk!

You. I don’t care much about the providers of the lists.

> See, this is where it gets confusing. There are hundreds of open source packages as part of IPFire. Pick the last five years of items added to the IPFire build. You're telling me you have "constructive conversation with the maintainers" of all of the added packages?
They publish their software and they don’t care whether I am pulling it or not. They publish it with the commitment to maintain it - sometimes for better and sometimes for worse.

You care about me pulling your code and I don’t know whether you would commit to maintain this. These two are very different cases.

> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e., Emergingthreats.net, Abuse.ch, etc.). So you’ve had "constructive conversation with the maintainers"?

Yes, occasionally I have phone calls with a few of these providers.

>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>
> Ha! Yes, a surprise. In the beginning you seemed interested as IPFire needed a replacement for URL Filter. You asked good questions about the lists picked, asked for the value to the users, etc. And I answered the best I could.
>
> You even asked: “Why is this realised as an add-on and not part of the core system?” from your Jul 28, 2024 email.

Ah, so, why is the patch creating an add-on? Not that I am saying that what I say is law, but it has not been challenged either. If my input is being ignored, why should I put this at the top of my list of priorities? I am not disappointed about this, just trying to be very good with my time.

> And on January 16, 2025 I wrote a message looking for help. And you were kind to respond quickly. So in three weeks’ time, since the kind response, something has changed. You went from supportive to "this".
>
> So yes, I am surprised.

Well, maybe I should not have replied to that email. It was clear that you were on some path that was not right, but you were not interested before in finding the right path from the beginning.

>> Please consider if that can be changed and if there is a path forward with this.
>
> Be more specific, what has to change?
> What exactly did I dismiss?

Dismissal is just my assumption. I don’t know what you actually did with my feedback. I can only see the end product, which does not seem to contain much of it. Repeatedly I have been pointing out that we should think before we build. I am sure a lot of hours have now gone into some code that simply does not satisfy me. And I am not talking about the code itself; what it does is what I don’t think is right for us.

The process is very clear for me: we should first of all think whether we want a certain feature now. Then there should be a clear roadmap for everyone to follow; tasks can be split up as we go and hopefully then we have something that is maintainable, interesting for our users and would even do us proud. This is how this should work.

So, what has to change? I don’t think that shouting at each other, throwing patches around and making me generally unhappy is a good start.

-Michael

> Jon
>
>
>
>> On Feb 6, 2025, at 2:13 PM, Michael Tremer wrote:
>>
>> Hello Jon,
>>
>> Well, here we are again with another patch regarding this feature.
>>
>> I cannot quite see from your email what the question is, but if this is a request to have this merged into IPFire, I am once again sorry to disappoint you.
>>
>> I think I have covered this all at length before that this project has been started as a separate effort and as far as I am aware none of the other team members have been involved. This has not been discussed either on this list, on our calls. Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation. Therefore, what am I supposed to do with this email?
>>
>> I don’t want to merge code that I don’t agree with. So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>
>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>
>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>
>> Please consider if that can be changed and if there is a path forward with this.
>>
>> All the best,
>> -Michael
>>
>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote:
>>>
>>> What is it?
>>> Response Policy Zone (RPZ) is a mechanism to define local policies in a standardized way and load those policies from external sources.
>>> Bottom line: RPZ allows admins to easily block access to websites via DNS lookup.
>>>
>>> RPZ can block websites via categories. Examples include: fake websites, annoying pop-up ads, newly registered domains, DoH bypass sites, bad "host" services, malicious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornography, and more. RPZ lists come from various RPZ providers and their available categories.
>>>
>>> This RPZ add-on enables the RPZ functionality by adding a couple of lines in a configuration file. This add-on simply adds configuration files and adds scripts (config, metrics and sleep) to make RPZ easier for the admin to use.
>>>
>>> The RPZ scripts include additional languages: German, Spanish, French, Turkish, and Italian.
>>>
>>> RPZ itself was released in 2010 and has been part of the IPFire build since ~2015.
>>>
>>> Why is it needed? What is its value?
>>>
>>> - The RPZ concept places this filtering into IPFire, our internet access gateway, which is (should be) solely used as DNS source of the internal network.
>>>
>>> - As most sites use HTTPS it makes it difficult to filter traffic with URL Filter without also properly configuring conventional (non-transparent) mode on the proxy. RPZ is a nice replacement for the URL Filter.
>>>
>>> - No need to install and maintain an additional device like PiHole or AdBlock browser extensions on multiple user devices.
>>>
>>> - This is an additional layer of protection for users. Less worry someone will click on something that gets them into trouble. And, saying this with emphasis, the ability to do it in one place!
>>>
>>> - Blocked sites save on unneeded traffic and can lessen the threat of malware in advertisements
>>>
>>> - Logging allows the admin to see the site blocked and take actions
>>>
>>> - RPZ will be used at the home, home-office (work from home), schools, ministerial, and at the office. Device counts are small (2-6) to medium (~80) to medium-large (200+).
>>>
>>> - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying popups, NSFW links, DOH servers, and the usual internet trash.
>>>
>>> ------------------------------
>>>
>>> Change Log for RPZ add-on
>>>
>>> rpz-1.0.0-18 on 2025-02-05
>>> - Build for approval & release as IPFire add-on
>>>
>>> ---
>>>
>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01
>>> rpz.cgi:
>>> - new feature: added a mod key to force an unbound restart
>>>
>>> rpz-config and rpz-make:
>>> - new feature: added action for unbound restart `rpz-config unbound-restart`
>>>
>>> rpz-metrics:
>>> - simple reformatting
>>> - rename far right column from "last update" to "last download"
>>>
>>> ---
>>>
>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09
>>> rpz-make
>>> - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>>>
>>> ---
>>>
>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18
>>> rpz-make
>>> - new feature: updated validation regex
>>> - bug fix: moved validation to beginning of process. Now we validate before creating config files.
>>>
>>> rpz.cgi:
>>> - new feature: use CSS color variables of the main ipfire theme
>>> - bug fix: empty zonefile remarks were stored as “undef” and caused a warning
>>> - bug fix: HTML textarea removes the first empty line in a custom list
>>> - thank you Leo!
>>>
>>> ---
>>>
>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04
>>> rpz.cgi:
>>> - new feature: added new language file for Turkish (thank you Peppe)
>>>
>>> rpz-make
>>> - bug fix: corrected empty allow/block list issue. An empty allow/block list will now remove contents of allow/block.rpz files and remove unneeded allow/block.conf file. (thank you iptom)
>>>
>>> ---
>>>
>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29
>>> rpz-config:
>>> - bug fix: correct missing rpz extension. `rpz-config list` displayed URL incorrectly (thank you Bernhard)
>>>
>>> rpz.cgi:
>>> - bug fix: remove extra `"` in language files (thank you Bernhard)
>>> - new feature: slightly dim "apply" button when not enabled
>>>
>>> ---
>>>
>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>>> - skipped
>>>
>>> ---
>>>
>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21
>>> rpz.cgi:
>>> - new feature: added new language file for French (thank you gw-ipfire)
>>>
>>> ---
>>>
>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18
>>> rpz.cgi:
>>> - new feature: added new language file for Italian (thank you umberto)
>>> - new feature: added new language file for Spanish (thank you Roberto)
>>>
>>> ---
>>>
>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15
>>> rpz-make:
>>> - bug fix: corrected validation error for a custom list entry (thank you siosios)
>>> - e.g., `*.cloudflare-dns.com`
>>>
>>> install.sh:
>>> - bug fix: add chown to correct user created files
>>>
>>> update.sh:
>>> - bug fix: add chown to correct user created files (thank you siosios)
>>>
>>> ---
>>>
>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08
>>> rpz.cgi:
>>> - new feature: added new language file for German (thank you Leo)
>>> - bug fix: add missing "rpz exitcode 110"
>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>
>>> ---
>>>
>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04
>>> - skipped
>>>
>>> ---
>>>
>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03
>>> All:
>>> - new feature: includes beta version numbers for pakfire package, instead of only `rpz-1.0.0-1.ipfire`, for each release.
>>>
>>> rpz.cgi:
>>> - new feature: added new WebGUI at `rpz.cgi`
>>> - a BIG thank you to Leo Hofmann for all of his work creating the webgui!!
>>> - bug fix: corrected missing RPZ menu item at menu > IPFire
>>>
>>> rpz-make:
>>> - new feature: validate entries in allowlist and blocklist
>>> - new feature: add "no-reload" option for WebGUI
>>>
>>> rpz-metrics:
>>> - new feature: info can be sorted by name, by hit count, by line count, by "enabled" list or all lists
>>>
>>> backups:
>>> - bug fix: include all files in `/var/ipfire/dns/rpz` directory in backup
>>>
>>> update.sh:
>>> - bug fix: corrected ownership for `/var/ipfire/dns/rpz` directory during an update
>>>
>>> Build:
>>> - bug fix: `block.rpz.conf` and `block.rpz` from build. Files to be created by `rpz-make`
>>>
>>> WebGUI and German language file
>>> Contribution-by: Leo-Andres Hofmann
>>>
>>> Spanish language file
>>> Contribution-by: Roberto Peña
>>>
>>> Italian language file
>>> Contribution-by: Umberto Parma
>>>
>>> French language file
>>> Contribution-by: gw-ipfire
>>>
>>> Turkish language file
>>> Contribution-by: Peppe Tech
>>>
>>> Contribution-by: Bernhard Bitsch
>>> Contribution-by: Erik Kapfer
>>> Signed-off-by: Jon Murphy >> --- >>> config/backup/includes/rpz | 4 + >>> config/cfgroot/manualpages | 1 + >>> config/menu/EX-rpz.menu | 6 + >>> config/rootfiles/common/configroot | 1 + >>> config/rootfiles/common/web-user-interface | 1 + >>> config/rootfiles/packages/rpz | 20 + >>> config/rpz/00-rpz.conf | 10 + >>> config/rpz/rpz-config | 130 +++ >>> config/rpz/rpz-functions | 85 ++ >>> config/rpz/rpz-make | 203 +++++ >>> config/rpz/rpz-metrics | 170 ++++ >>> config/rpz/rpz-sleep | 58 ++ >>> config/rpz/rpz.de.pl | 30 + >>> config/rpz/rpz.en.pl | 30 + >>> config/rpz/rpz.es.pl | 30 + >>> config/rpz/rpz.fr.pl | 30 + >>> config/rpz/rpz.it.pl | 30 + >>> config/rpz/rpz.tr.pl | 30 + >>> html/cgi-bin/rpz.cgi | 923 +++++++++++++++++++++ >>> lfs/rpz | 96 +++ >>> make.sh | 3 +- >>> src/paks/rpz/install.sh | 36 + >>> src/paks/rpz/uninstall.sh | 38 + >>> src/paks/rpz/update.sh | 52 ++ >>> 24 files changed, 2016 insertions(+), 1 deletion(-) >>> create mode 100644 config/backup/includes/rpz >>> create mode 100644 config/menu/EX-rpz.menu >>> create mode 100644 config/rootfiles/packages/rpz >>> create mode 100644 config/rpz/00-rpz.conf >>> create mode 100644 config/rpz/rpz-config >>> create mode 100644 config/rpz/rpz-functions >>> create mode 100644 config/rpz/rpz-make >>> create mode 100755 config/rpz/rpz-metrics >>> create mode 100755 config/rpz/rpz-sleep >>> create mode 100644 config/rpz/rpz.de.pl >>> create mode 100644 config/rpz/rpz.en.pl >>> create mode 100644 config/rpz/rpz.es.pl >>> create mode 100644 config/rpz/rpz.fr.pl >>> create mode 100644 config/rpz/rpz.it.pl >>> create mode 100644 config/rpz/rpz.tr.pl >>> create mode 100644 html/cgi-bin/rpz.cgi >>> create mode 100644 lfs/rpz >>> create mode 100644 src/paks/rpz/install.sh >>> create mode 100644 src/paks/rpz/uninstall.sh >>> create mode 100644 src/paks/rpz/update.sh >>>=20 >>> diff --git a/config/backup/includes/rpz b/config/backup/includes/rpz >>> new file mode 100644 >>> index 000000000..36513e494 
>>> --- /dev/null >>> +++ b/config/backup/includes/rpz >>> @@ -0,0 +1,4 @@ >>> +/var/ipfire/dns/rpz/* >>> +/etc/unbound/zonefiles/allow.rpz >>> +/etc/unbound/zonefiles/block.rpz >>> +/etc/unbound/local.d/*rpz.conf >>> diff --git a/config/cfgroot/manualpages b/config/cfgroot/manualpages >>> index 1f7e01efc..d3a48c633 100644 >>> --- a/config/cfgroot/manualpages >>> +++ b/config/cfgroot/manualpages >>> @@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfire/pakfire >>> wlanap.cgi=3Daddons/wireless >>> tor.cgi=3Daddons/tor >>> samba.cgi=3Daddons/samba >>> +rpz.cgi=3Daddons/rpz >>>=20 >>> # Logs menu >>> logs.cgi/summary.dat=3Dconfiguration/logs/summary >>> diff --git a/config/menu/EX-rpz.menu b/config/menu/EX-rpz.menu >>> new file mode 100644 >>> index 000000000..2f4daf410 >>> --- /dev/null >>> +++ b/config/menu/EX-rpz.menu >>> @@ -0,0 +1,6 @@ >>> +$subipfire->{'20.rpz'} =3D { >>> + 'caption' =3D> $Lang::tr{'rpz'}, >>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>> + 'title' =3D> "RPZ", >>> + 'enabled' =3D> 1, >>> +}; >>> diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common= /configroot >>> index 9839eee45..b30d6aae4 100644 >>> --- a/config/rootfiles/common/configroot >>> +++ b/config/rootfiles/common/configroot >>> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu >>> #var/ipfire/menu.d/EX-apcupsd.menu >>> #var/ipfire/menu.d/EX-guardian.menu >>> #var/ipfire/menu.d/EX-mympd.menu >>> +#var/ipfire/menu.d/EX-rpz.menu >>> #var/ipfire/menu.d/EX-samba.menu >>> #var/ipfire/menu.d/EX-tor.menu >>> #var/ipfire/menu.d/EX-transmission.menu >>> diff --git a/config/rootfiles/common/web-user-interface b/config/rootfile= s/common/web-user-interface >>> index 816241dae..e00464076 100644 >>> --- a/config/rootfiles/common/web-user-interface >>> +++ b/config/rootfiles/common/web-user-interface 
>>> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi >>> srv/web/ipfire/cgi-bin/qos.cgi >>> srv/web/ipfire/cgi-bin/remote.cgi >>> srv/web/ipfire/cgi-bin/routing.cgi >>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>> #srv/web/ipfire/cgi-bin/samba.cgi >>> srv/web/ipfire/cgi-bin/services.cgi >>> srv/web/ipfire/cgi-bin/shutdown.cgi >>> diff --git a/config/rootfiles/packages/rpz b/config/rootfiles/packages/rpz >>> new file mode 100644 >>> index 000000000..1c8663049 >>> --- /dev/null >>> +++ b/config/rootfiles/packages/rpz >>> @@ -0,0 +1,20 @@ >>> +etc/unbound/local.d/00-rpz.conf >>> +etc/unbound/zonefiles >>> +etc/unbound/zonefiles/allow.rpz >>> +usr/sbin/rpz-config >>> +usr/sbin/rpz-functions >>> +usr/sbin/rpz-make >>> +usr/sbin/rpz-metrics >>> +usr/sbin/rpz-sleep >>> +var/ipfire/addon-lang/rpz.de.pl >>> +var/ipfire/addon-lang/rpz.en.pl >>> +var/ipfire/addon-lang/rpz.es.pl >>> +var/ipfire/addon-lang/rpz.fr.pl >>> +var/ipfire/addon-lang/rpz.it.pl >>> +var/ipfire/addon-lang/rpz.tr.pl >>> +var/ipfire/backup/addons/includes/rpz >>> +var/ipfire/dns/rpz >>> +var/ipfire/dns/rpz/allowlist >>> +var/ipfire/dns/rpz/blocklist >>> +var/ipfire/menu.d/EX-rpz.menu >>> +srv/web/ipfire/cgi-bin/rpz.cgi >>> diff --git a/config/rpz/00-rpz.conf b/config/rpz/00-rpz.conf >>> new file mode 100644 >>> index 000000000..f005a4f2e >>> --- /dev/null >>> +++ b/config/rpz/00-rpz.conf >>> @@ -0,0 +1,10 @@ >>> +server: >>> + module-config: "respip validator iterator" >>> + >>> +rpz: >>> + name: allow.rpz >>> + zonefile: /etc/unbound/zonefiles/allow.rpz >>> + rpz-action-override: passthru >>> + rpz-log: yes >>> + rpz-log-name: allow >>> + rpz-signal-nxdomain-ra: yes >>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-config >>> new file mode 100644 >>> index 000000000..c72d50f9b >>> --- /dev/null >>> +++ b/config/rpz/rpz-config 
>>> @@ -0,0 +1,130 @@ >>> +#!/bin/bash >>> +########################################################################= ####### >>> +# = # >>> +# IPFire.org - A linux based firewall = # >>> +# Copyright (C) 2024-2025 IPFire Team = # >>> +# = # >>> +# This program is free software: you can redistribute it and/or modify = # >>> +# it under the terms of the GNU General Public License as published by = # >>> +# the Free Software Foundation, either version 3 of the License, or = # >>> +# (at your option) any later version. = # >>> +# = # >>> +# This program is distributed in the hope that it will be useful, = # >>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of = # >>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # >>> +# GNU General Public License for more details. = # >>> +# = # >>> +# You should have received a copy of the GNU General Public License = # >>> +# along with this program. If not, see .= # >>> +# = # >>> +########################################################################= ####### >>> + >>> +version=3D"2025-01-11 - v44" >>> + >>> +############### Functions ############### >>> + >>> +source /usr/sbin/rpz-functions >>> + >>> +############### Main ############### >>> + >>> +tagName=3D"unbound" >>> + >>> +rpzAction=3D"${1}" # input RPZ action >>> +rpzName=3D"${2}" # input RPZ name >>> +rpzURL=3D"${3}" # input RPZ URL >>> +rpzOption1=3D"${4}" # input RPZ option #1 >>> +rpzOption2=3D"${5}" # input RPZ option #2 >>> + >>> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.conf" # output zone= conf file >>> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz" # output for = RPZ file >>> + >>> +rpzLog=3D"yes" # log default is yes >>> +ucReload=3D"yes" # reload default is yes >>> + >>> +while [[ $# -gt 0 ]] ; do >>> + case "$1" in >>> + --no-log ) rpzLog=3D"no" ;; >>> + --no-reload ) ucReload=3D"no" ; checkConf=3D"no" ;; >>> + esac >>> + shift # Shift after checking all the cases to get next option >>> +done >>> + >>> +case 
"${rpzAction}" in >>> + # add new rpz list >>> + add ) >>> + check_name "${rpzName}" # is this a valid name? >>> + # does this config already exist? If yes, then exit >>> + if [[ -f "${rpzConfig}" ]] ; then >>> + msg_log "error: rpz: duplicate - ${rpzConfig} already exists= . exit" >>> + exit 104 >>> + fi >>> + >>> + # is this a valid URL? >>> + regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;]*[-[:alnum:]\+&= @#/%=3D~_|]' >>> + if ! [[ "${rpzURL}" =3D~ $regex ]] ; then >>> + msg_log "error: rpz: the URL is not valid: \"${rpzURL}\". ex= it." >>> + exit 105 >>> + fi >>> + >>> + # create the zone config file >>> + { >>> + echo "rpz:" >>> + echo " name: ${rpzName}.rpz" >>> + echo " zonefile: ${rpzFile}" >>> + echo " url: ${rpzURL}" >>> + echo " rpz-action-override: nxdomain" >>> + echo " rpz-log: ${rpzLog}" >>> + echo " rpz-log-name: ${rpzName}" >>> + echo " rpz-signal-nxdomain-ra: yes" >>> + } > "${rpzConfig}" >>> + >>> + # set-up zonefile >>> + # create an empty rpz file if it does not exist >>> + if [[ ! -f "${rpzFile}" ]] ; then >>> + touch "${rpzFile}" >>> + # unbound requires these settings for rpz files >>> + set_permissions "${rpzFile}" "${rpzConfig}" >>> + fi >>> + ;; >>> + >>> + # trash config file & rpz file >>> + remove ) >>> + if ! [[ -f "${rpzConfig}" ]] ; then >>> + msg_log "error: rpz: cannot remove ${rpzConfig}, does not ex= ist. 
exit" >>> + exit 106 >>> + fi >>> + >>> + msg_log "info: rpz: remove config file & rpz file \"${rpzName}\"" >>> + rm "${rpzConfig}" >>> + rm "${rpzFile}" >>> + ;; >>> + >>> + reload ) >>> + check_unbound_conf "${checkConf}" >>> + ;; >>> + >>> + list ) >>> + awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/, "",$2) ; NAME= =3D$2 } \ >>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print NAME"=3D"$2":"$3= } ' \ >>> + /etc/unbound/local.d/*rpz.conf >>> + exit >>> + ;; >>> + >>> + unbound-restart ) >>> + check_unbound_conf "${checkConf}" >>> + unbound_restart >>> + exit >>> + ;; >>> + >>> + * ) >>> + msg_log "error: rpz: missing or incorrect parameter" >>> + printf "Usage: $(basename "$0")
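Review bot: the backup include list in config/backup/includes/rpz saves `allow.rpz`, `block.rpz` and every `/etc/unbound/local.d/*rpz.conf`, but not the provider zonefiles `/etc/unbound/zonefiles/<name>.rpz` that those `.rpz.conf` files point at via `zonefile:`, so after a restore Unbound is handed `rpz:` stanzas whose zonefile does not exist until the list has been downloaded again. Either add `/etc/unbound/zonefiles/*.rpz` to the include, or document that provider zonefiles are deliberately left out and have the restore path recreate them empty with the same `set_permissions` call that `rpz-config add` uses.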
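Review bot: `var/ipfire/dns/rpz/allowlist` and `var/ipfire/dns/rpz/blocklist` in config/rootfiles/packages/rpz are files the admin edits, yet they are listed as package contents, so a package update will install the build's copies over the admin's entries unless `src/paks/rpz/update.sh` (not visible in this part of the patch) saves and restores them first. Please confirm that it does, or leave the two list files out of the rootfile and create them in `install.sh` only when absent, the same way `block.rpz` is no longer shipped from the build according to the changelog.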
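Review bot: `module-config: "respip validator iterator"` in config/rpz/00-rpz.conf overrides Unbound's global module list from an include file, so it silently replaces whatever the main configuration (or any other local.d file) sets, and a stale copy here would drop a module the core later adds. The `respip` module being first is required for RPZ, so the setting is right, but that dependency and its interaction with DNSSEC validation belong in a comment in the file and in the add-on documentation. Keeping `rpz-log: yes` on the `allow.rpz` zone with `rpz-action-override: passthru` is a good choice: allowlist hits are logged, so an overly broad allow entry stays visible in the Unbound log.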
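Review bot: in config/rpz/rpz-config, `checkConf` is only ever assigned inside the `--no-reload` branch of the option loop, so `check_unbound_conf "${checkConf}"` in the `reload` and `unbound-restart` actions is called with an empty argument in the default case; initialise it next to `ucReload="yes"` with `checkConf="yes"`. Three smaller points in the same hunk: the URL regex in the `add` action is anchored at the start but not at the end, and `${rpzURL}` is echoed verbatim into `${rpzConfig}`, so add a trailing `$` (and reject whitespace) so that only the matched URL can reach the Unbound config; the `list` action splits on `:` and prints `$2":"$3`, which truncates any URL that carries a port (for `https://host:8443/list.rpz` it prints `https://host`), so strip the `url:` prefix from `$0` instead of re-joining fields; and `rm "${rpzFile}"` in `remove` should be `rm -f`, since the zonefile may already be gone.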