From: "Jon Murphy"
To: "Michael Tremer"
Cc: "Bernhard Bitsch", "IPFire: Development-List"
Subject: Re[2]: [PATCH] RPZ: update code to include WEBGUI and additional languages
Date: Mon, 24 Mar 2025 14:38:23 +0000

Actually it did. Why do you think Unbound did not?

------ Original Message ------
From "Michael Tremer"
To "Jon Murphy"
Cc "Bernhard Bitsch"; "IPFire: Development-List"
Date 3/24/2025 9:36:53 AM
Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages

> Unbound did not put those there...
>
>> On 24 Mar 2025, at 14:33, Jon Murphy wrote:
>>
>>> And where are these stored?
>>
>> In `/etc/unbound/zonefiles`:
>>
>> [root@ipfire ~] # ls -al /etc/unbound/zonefiles
>> total 20664
>> drwxr-xr-x 2 nobody nobody     4096 Mar 24 04:40 .
>> drwxr-xr-x 4 root   root       4096 Mar 19 16:24 ..
>> -rw-r--r-- 1 nobody nobody  3999087 Mar 23 15:11 adhocSB.rpz
>> -rw-r--r-- 1 nobody nobody     1411 Mar 23 14:23 allow.rpz
>> -rw-r--r-- 1 nobody nobody    25355 Mar 24 04:40 AmazonTrkrHZ.rpz
>> -rw-r--r-- 1 nobody nobody     7241 Mar 24 04:40 AppleTrkrHZ.rpz
>> -rw-r--r-- 1 nobody nobody      178 Mar 23 14:23 block.rpz
>> -rw-r--r-- 1 nobody nobody    78496 Mar 24 04:40 DOHblockHZ.rpz
>> -rw-r--r-- 1 nobody nobody 16983551 Mar 24 04:40 MxProPlusHZ.rpz
>> -rw-r--r-- 1 nobody nobody     2893 Mar 24 04:40 tldHZ.rpz
>> -rw-r--r-- 1 nobody nobody    29419 Mar 24 04:40 WinTrkrHZ.rpz
>> [root@ipfire ~] #
>>
>> ------ Original Message ------
>> From "Michael Tremer"
>> To "Bernhard Bitsch"
>> Cc development@lists.ipfire.org
>> Date 3/24/2025 9:25:40 AM
>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>
>>> Hello,
>>>
>>>> On 24 Mar 2025, at 13:33, Bernhard Bitsch wrote:
>>>> On 24.03.2025 at 11:17, Michael Tremer wrote:
>>>>> Hello Jon,
>>>>>
>>>>>> On 24 Mar 2025, at 00:00, Jon Murphy wrote:
>>>>>> Michael,
>>>>>> FYI - I was wrong. Unbound RPZ is _not_ watching the serial number, it is watching the "refresh", the number after the serial number.
>>>>>
>>>>> Refresh just tells the client how often to check for an update.
>>>>> If that is actually being set by the list publisher, then we have another problem here, because they could put some insanely low value there and we would then DDoS their infrastructure. I think we should keep it like we have it in other places that we control how often we want to check or pull for updates.
>>>>
>>>> You are right. But an extra update process wastes additional processor time. The update mechanism of unbound does the check for update (however it is realized) nevertheless.
>>>
>>> Yes, doing more things needs resources. But we are not seriously considering whether an IPFire system has enough resources to perform the download of a text file, or are we?
>>>
>>>>>>> I understand that you don't speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>
>>>>>> From testing. Downloading rpz files using rpz unbound, and watching what happens. If the rpz file is set up for "once per day" refresh, then it only downloads one time.
>>>>>>
>>>>>>> However that won't solve our problem . . . and having no cache.
>>>>>>
>>>>>> In `/etc/unbound/tuning.conf` there is `rrset-cache-size: 128m`. Are you referring to a different cache?
>>>>>
>>>>> Naturally unbound is loading the zone into its memory which we generally call cache.
>>>>> When I say cache I am thinking about persistent data storage across multiple restarts of Unbound. If I am downloading 100 MiB of RPZ lists (which is presumably still on the lower end) and I reboot my firewall, I do not want to download the same data again. We can only ever download a list *once* unless we are 100% certain that it has changed. Then we can download it once again.
>>>>
>>>> The RPZ lists are stored in files in persistent storage. Unbound creates the internal cache from these.
>>>
>>> And where are these stored?
>>>
>>>>>>> Maybe we need to implement both?
>>>>>>
>>>>>> Yes. There are very few AXFR lists (I think only four were found). And many more HTTPS rpz files.
>>>>>> Jon
>>>>>>
>>>>>> ------ Original Message ------
>>>>>> From "Michael Tremer"
>>>>>> To "Jon Murphy"
>>>>>> Cc "IPFire: Development-List"
>>>>>> Date 3/20/2025 11:26:43 AM
>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>
>>>>>>> Hello Jon,
>>>>>>> Please don't forget to Cc the list...
>>>>>>>
>>>>>>>> On 19 Mar 2025, at 18:27, Jon Murphy wrote:
>>>>>>>> Michael,
>>>>>>>>
>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>
>>>>>>>> Keep in mind I am not a "C" person. Maybe in this section?:
>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l5875
>>>>>>>
>>>>>>> This is where the AXFR response is being handled when doing a DNS zone transfer. This code is not being called when performing a HTTP download.
>>>>>>> I understand that you don't speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>
>>>>>>>> —
>>>>>>>> When I was just learning about RPZ I created a separate RPZ file for testing. When I changed the SOA line with a new serial number, the RPZ file download would happen in about 5 minutes.
>>>>>>>> https://people.ipfire.org/~jon/sblack-adhoc.rpz
>>>>>>>
>>>>>>> It might well be that the file is not being reloaded if the download matches the content that unbound already has. That would of course save some resources.
>>>>>>> However that won't solve our problem with redundant downloads and having no cache.
>>>>>>>
>>>>>>>> That is how I found out the SOA line is watched for a serial number change.
>>>>>>>> I'll reconfirm my findings.
>>>>>>>>
>>>>>>>>>>> The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>
>>>>>>>> So I understand, are you thinking of hosting RPZ AXFR (DNS zone transfer) on IPFire infrastructure?
>>>>>>>
>>>>>>> No, I don't think that we can generally do this. The biggest problem is licensing as we cannot take anyone's content and host it ourselves. We would re-distribute those lists and that will only work with permission of the publishers. I assume that would be too much work to actually get some useful content out there. We might limit ourselves to only those lists that are under a very permissive license. Nobody wants that.
>>>>>>> From a technical point of view, DNS over TCP might not be very nice in terms of forging the transfer and so we would need TLS as well… It should work, but even if we would be able to encourage other people to publish their lists I doubt they would implement DNS over TLS for authoritative DNS. That standard is in very early stages as well.
>>>>>>> As far as I can see, those vendors who offer a list as a commercial product are using DNS to distribute it (e.g. Spamhaus). Those people who have made this all a hobby are throwing the lists onto GitHub and let them handle the traffic.
>>>>>>> Maybe we need to implement both?
>>>>>>> -Michael
>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On 3/19/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>> Hello Jon,
>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>> Unbound loads the entire file into memory and then starts parsing it. The only special treatment there is is to check whether the first line is a valid zone entry. It does not even have to be a SOA record.
>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l1188
>>>>>>>>> I am also concerned that Unbound will not be able to support an upstream proxy for any downloads. The caching situation is also unclear for me, so I believe that we will be looking at writing a custom downloader that implements all these things.
>>>>>>>>> -Michael
>>>>>>>>>
>>>>>>>>>> On 19 Mar 2025, at 02:58, Jon Murphy wrote:
>>>>>>>>>> Michael,
>>>>>>>>>>
>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>
>>>>>>>>>> The Unbound RPZ code, as installed within IPFire, watches for a change in the SOA line of each RPZ file. This is an example of the first few lines for every RPZ file.
>>>>>>>>>>
>>>>>>>>>> $TTL 300
>>>>>>>>>> @ SOA localhost. root.localhost. 1742298960 43200 3600 86400 300
>>>>>>>>>> NS localhost.
>>>>>>>>>> ;
>>>>>>>>>> ; Title: HaGeZi's Pop-Up Ads DNS Blocklist
>>>>>>>>>> ; Description: Blocks annoying and malicious pop-up ads.
>>>>>>>>>>
>>>>>>>>>> If the SOA serial number changes (e.g. the 1742298960), then Unbound RPZ code does its thing and downloads. Otherwise there is no download.
>>>>>>>>>>
>>>>>>>>>>> So there has to be a way to ensure that we won't download a list again unless it has actually changed.
>>>>>>>>>>
>>>>>>>>>> This should do what you want but I may be missing your point.
>>>>>>>>>>
>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>>>>>>>
>>>>>>>>>> I need to read about AXFR/IXFR and learn a little more.
>>>>>>>>>> Jon
>>>>>>>>>>
>>>>>>>>>> On 3/17/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>> Good Morning Jon,
>>>>>>>>>>>
>>>>>>>>>>>> On 16 Mar 2025, at 17:00, Jon Murphy wrote:
>>>>>>>>>>>> Michael,
>>>>>>>>>>>> I was reading through your response again and I want to understand this post:
>>>>>>>>>>>>
>>>>>>>>>>>>> I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>
>>>>>>>>>>>> So if RPZ doesn't use HTTPS, what is it using? I am missing a key point here.
>>>>>>>>>>>
>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>> Although it might not affect a lot of people in our general user-base, there are some that have a metered connection and will pay for data by volume. Some of the lists I looked at are just under 20 MiB. Therefore we need to keep any traffic down to a minimum. The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>> So there has to be a way to ensure that we won't download a list again unless it has actually changed.
>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>>>>>>>> HTTPS is an option because that is simply what we use elsewhere, but extra functionality will have to be built for it.
>>>>>>>>>>> -Michael
>>>>>>>>>>>
>>>>>>>>>>>> Jon
>>>>>>>>>>>>
>>>>>>>>>>>> On 2/13/25 3:34 PM, jon wrote:
>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>> I've read through your comments a few times and I ended up with many more questions.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>
>>>>>>>>>>>>> To me the efforts to get new code accepted seem to have changed and it seemed easier in the past. In the past I made the Core Team aware via the Dev Mailing List and wrote a simple two or three paragraphs of "What is it? / What is the value? / Here is the code".
>>>>>>>>>>>>> So in an effort to move forward: How exactly is something presented to the Core Team?
>>>>>>>>>>>>> Is there an example of a recent effort that was presented that I can see as a sample? (This type of info can also be added to the Wiki.)
>>>>>>>>>>>>> I understand you want it this way, but I don't know what exactly is needed. Please be specific.
>>>>>>>>>>>>> Jon
>>>>>>>>>>>>> PS - I am not ignoring your other comments, I am just trying to move forward and keep things simple.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Feb 8, 2025, at 1:27 PM, Michael Tremer wrote:
>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>> Thanks for your reply. And good that you are copying everyone into this conversation.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 8 Feb 2025, at 18:41, jon wrote:
>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Yes, this has been a separate effort (a very public separate effort). Yes, as you pointed this out early on with the "proof-of-concept" and then my request for people to help test RPZ. Nothing was hidden.
>>>>>>>>>>>>>>> This was done because you (and maybe others) did not have the time and I wanted to help and because I needed assistance with RPZ. I tried my best to do this without bothering you.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I don't think that it is accurate that nobody wanted to help on this. The list was always open - although not every email has been replied to swiftly it is also your responsibility to raise a question again if it was missed. People here have open ears.
>>>>>>>>>>>>>> It was also stated on this very list and in our documentation that working on something without involving the core team is a risky undertaking. Of course IPFire is free software and so everyone is free to fork if they wish to do so.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You were aware many steps along the way. See your email on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024, and January 16. My attempts to get the team involved were met with "things are busy" and sometimes silence. (Yes, I get it, people are busy.)
>>>>>>>>>>>>>>> You and Adolf, Leo, Erik and Bernhard have been aware since the beginning. You mention you were aware of the "proof-of-concept". If you include those beginning posts, since Sep 2023.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes, I am aware of a proof-of-concept that I have been running myself for a long time. I am also aware of the efforts that you have been taking.
>>>>>>>>>>>>>> Yet I don't think there has ever been any joint effort, or am I seeing that wrong?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This has not been discussed . . . on our calls.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On July 28th you stated:
>>>>>>>>>>>>>>> "We have talked about RPZ many times on the monthly call since the URL filter feature is falling more and more out of fashion. I think there are also many posts about this on the forum."
>>>>>>>>>>>>>>> Please don't insult me again by stating "you know what I mean".
>>>>>>>>>>>>>>> And it has been discussed but not documented in the Monthly Meeting notes.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am not at all insulting you. I don't want to take this down to a personal level at all. This is a public mailing list and people who read this don't need to listen to an argument we are having. They are here for the tech inside IPFire.
>>>>>>>>>>>>>> When I wrote that it has not been discussed that does not mean that we have not been touching on the topic. We have been talking about lots of things on the calls, the weather, politics, how our pets are. None of that makes it to the logs. What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regular conversation on the Dev Mailing list is many times met with silence. I get it, people are busy.
>>>>>>>>>>>>>>> And regular two-way conversation doesn't happen on the list. At least not with me. I'd be happy to point out the posts that were met with silence.
>>>>>>>>>>>>>>> Again, I get it, people are busy.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And you think my emails are not being met with silence? This has nothing to do with this specific topic. This has something to do with how occupied people are and how engaged they are on certain topics. Not everyone is involved in all the things and simply will ignore emails based on their subject line.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> But the "dip here to the list" were my attempts to get a conversation started. As I said, many times met with silence.
>>>>>>>>>>>>>>> The only place I was not met with silence was on the Community. You have a great group of people in the Community. It is a shame you don't want to have others help. It would reduce your workload.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You should stop making statements that are not true. Who doesn't want anyone to help?
>>>>>>>>>>>>>> Not having this conversation on a Saturday evening would reduce my workload. At least it would free up time for something else. Helping with the things that are already on the go would reduce the workload of the entire team. Starting one thing at a time and finishing it is a lot better to manage than starting a hundred things and not even finishing one. I can tell you that I already have a hundred things on the go.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> To me it is beyond obvious…
>>>>>>>>>>>>>>> If it isn't what you want, then guide me with how to do this the correct way. And be specific. I am trying to help. I am trying to make things better. I am trying to do things the right way.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> To me it isn't. This is yet another project that has been dumped to the list like so many before and later on everyone has left to have the team deal with the rest.
>>>>>>>>>>>>>> It is a huge patch set. You explained what the vision is, but that is about it. There is no chance this will continue if this disagreement isn't solved first. I didn't even look at the code.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I don't want to merge code that I don't agree with.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I asked multiple times if you "agreed with the concept" and again, met with silence. Yes, I get it, people are busy.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Having support for RPZ? Yes, it was definitely on the roadmap. That I agree with.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You mentioned this in the past, but for some reason you do not disclose what I dismissed. Why do you continue to make this harder, wouldn't it be easier to tell me what I have dismissed?
>>>>>>>>>>>>>>> I have sent multiple emails trying to answer your concerns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc.
>>>>>>>>>>>>>>> I've gone through all of the questions you asked and I cannot find a "dismissed" item.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Maybe I need to be *more clear*. I feel humoured by this.
>>>>>>>>>>>>>> It is late on a Saturday and I want my dinner soon, but certainly I have stated that this should never be an add-on considering it is supposed to replace URL Filter. We should never allow people to add their own sources. I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I don't want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The maintainers of Unbound and/or RPZ?
>>>>>>>>>>>>>>> The maintainers of the Hagezi list, the threatfox list, the urlhaus list, etc.?
>>>>>>>>>>>>>>> What else? The maintainers of the RPZ scripts? That is me. Let's talk!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You. I don't care much about the providers of the lists.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> See, this is where it gets confusing. There are hundreds of open source packages as part of IPFire. Pick the last five years of items added to the IPFire build. You're telling me you have "constructive conversation with the maintainers" of all of the added packages?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> They publish their software and they don't care whether I am pulling it or not. They publish it with the commitment to maintain it - sometimes for better and sometimes for worse.
>>>>>>>>>>>>>> You care about me pulling your code and I don't know whether you would commit to maintain this.
>>>>>>>>>>>>>> These two are very different cases.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e., Emergingthreats.net, Abuse.ch, etc.). So you've had "constructive conversation with the maintainers"?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes, occasionally I have phone calls with a few of these providers.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Ha! Yes, a surprise. In the beginning you seemed interested as IPFire needed a replacement for URL Filter. You asked good questions about the lists picked, asked for the value to the users, etc. And I answered the best I could.
>>>>>>>>>>>>>>> You even asked: "Why is this realised as an add-on and not part of the core system?" from your Jul 28, 2024 email.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ah, so, why is the patch creating an add-on? Not that I am saying that what I say is law, but it has not been challenged either. If my input is being ignored, why should I put this to the top of my list of priorities? I am not disappointed about this, just trying to be very good with my time.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> And on January 16, 2025 I wrote a message looking for help. And you were kind to respond quickly. So in three weeks' time, since the kind response, something has changed. You went from supportive to "this".
>>>>>>>>>>>>>>> So yes, I am surprised.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Well, maybe I should not have replied to that email. It was clear that you were on some path that was not right, but you were not interested before in finding the right path from the beginning.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Be more specific, what has to change? What exactly did I dismiss?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Dismissal is just my assumption. I don't know what you actually did with my feedback. I can only see the end product that does not seem to contain much of it. Repeatedly I have been pointing out that we should think before we build. I am sure a lot of hours have now gone into some code that simply does not satisfy me. And I am not talking about the code itself, what it does is what I don't think is right for us.
>>>>>>>>>>>>>> The process is very clear for me that we should first of all think whether we want a certain feature now. Then there should be a clear roadmap for everyone to follow; tasks can be split up as we go and hopefully then have something that is maintainable, interesting for our users and even would do us proud. This is how this should work.
>>>>>>>>>>>>>> So, what has to change? I don't think that shouting at each other, throwing patches around and making me generally unhappy is a good start.
>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Feb 6, 2025, at 2:13 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>> Well, here we are again with another patch regarding this feature.
>>>>>>>>>>>>>>>> I cannot quite see from your email what the question is, but if this is a request to have this merged into IPFire, I am once again sorry to disappoint you.
>>>>>>>>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls. Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation. Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>> I don't want to merge code that I don't agree with. So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>> I don't want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>> All the best,
>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> What is it?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Response Policy Zone (RPZ) is a mechanism to define local policies in a standardized way and load those policies from external sources. Bottom line: RPZ allows admins to easily block access to websites via DNS lookup.
>>>>>>>>>>>>>>>>> RPZ can block websites via categories. Examples include: fake websites, annoying pop-up ads, newly registered domains, DoH bypass sites, bad "host" services, malicious top level domains (e.g., *.zip, *.mov), piracy, gambling, pornography, and more. RPZ lists come from various RPZ providers and their available categories.
>>>>>>>>>>>>>>>>> This RPZ add-on enables the RPZ functionality by adding a couple of lines in a configuration file. This add-on simply adds configuration files and adds scripts (config, metrics and sleep) to make RPZ easier for the admin to use.
>>>>>>>>>>>>>>>>> The RPZ scripts include additional languages: German, Spanish, French, Turkish, and Italian.
>>>>>>>>>>>>>>>>> RPZ itself was released in 2010 and has been part of the IPFire build since ~2015.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Why is it needed? What is its value?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> - The RPZ concept places this filtering into IPFire, our internet access gateway, which is (should be) solely used as DNS source of the internal network.
>>>>>>>>>>>>>>>>> - As most sites use HTTPS it makes it difficult to filter traffic with URL Filter without also properly configuring conventional (non-transparent) mode on the proxy. RPZ is a nice replacement for the URL Filter.
>>>>>>>>>>>>>>>>> - No need to install and maintain an additional device like PiHole or AdBlock browser extensions on multiple user devices.
>>>>>>>>>>>>>>>>> - This is an additional layer of protection for users. Less worry someone will click on something that gets them into trouble. And, saying this with emphasis, the ability to do it in one place!
>>>>>>>>>>>>>>>>> - Blocked sites save on unneeded traffic and can lessen the threat of malware in advertisements.
>>>>>>>>>>>>>>>>> - Logging allows the admin to see the site blocked and take actions.
>>>>>>>>>>>>>>>>> - RPZ will be used at the home, home-office (work from home), schools, ministerial, and at the office. Device counts are small (2-6) to medium (~80) to medium-large (200+).
>>>>>>>>>>>>>>>>> - RPZ can block ads, popups, phishing, scammers, spyware, malware, annoying popups, NSFW links, DOH servers, and the usual internet trash.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ------------------------------
>>>>>>>>>>>>>>>>> Change Log for RPZ add-on
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> rpz-1.0.0-18 on 2025-02-05
>>>>>>>>>>>>>>>>> - Build for approval & release as IPFire add-on
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01
>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>> - new feature: added a mod key to force an unbound restart
>>>>>>>>>>>>>>>>> rpz-config and rpz-make:
>>>>>>>>>>>>>>>>> - new feature: added action for unbound restart `rpz-config unbound-restart`
>>>>>>>>>>>>>>>>> rpz-metrics:
>>>>>>>>>>>>>>>>> - simple reformatting
>>>>>>>>>>>>>>>>> - rename far right column from "last update" to "last download"
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09
>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>> - bug fix: corrected validation regex for wildcards like: `*.domain.com`
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18
>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>> - new feature: updated validation regex
>>>>>>>>>>>>>>>>> - bug fix: moved validation to beginning of process. Now we validate before creating config files.
>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>> - new feature: use CSS color variables of the main ipfire theme
>>>>>>>>>>>>>>>>> - bug fix: empty zonefile remarks were stored as "undef" and caused a warning
>>>>>>>>>>>>>>>>> - bug fix: HTML textarea removes the first empty line in a custom list
>>>>>>>>>>>>>>>>> - thank you Leo!
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04
>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>> - new feature: added new language file for Turkish (thank you Peppe)
>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>> - bug fix: corrected empty allow/block list issue. An empty allow/block list will now remove contents of allow/block.rpz files and remove unneeded allow/block.conf file. (thank you iptom)
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29
>>>>>>>>>>>>>>>>> rpz-config:
>>>>>>>>>>>>>>>>> - bug fix: correct missing rpz extension. `rpz-config list` displayed URL incorrectly (thank you Bernhard)
>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>> - bug fix: remove extra `"` in language files (thank you Bernhard)
>>>>>>>>>>>>>>>>> - new feature: slightly dim "apply" button when not enabled
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27
>>>>>>>>>>>>>>>>> - skipped
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21
>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>> - new feature: added new language file for French (thank you gw-ipfire)
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18
>>>>>>>>>>>>>>>>> rpz.cgi:
>>>>>>>>>>>>>>>>> - new feature: added new language file for Italian (thank you umberto)
>>>>>>>>>>>>>>>>> - new feature: added new language file for Spanish (thank you Roberto)
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15
>>>>>>>>>>>>>>>>> rpz-make:
>>>>>>>>>>>>>>>>> - bug fix: corrected validation error for a custom list entry (thank you siosios)
>>>>>>>>>>>>>>>>>   - e.g., `*.cloudflare-dns.com`
>>>>>>>>>>>>>>>>> install.sh:
>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files
>>>>>>>>>>>>>>>>> update.sh:
>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created files (thank you siosios)
>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08 >>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>> - new feature: added new language file for German (thank = you Leo) >>>>>>>>>>>>>>>>> - bug fix: add missing "rpz exitcode 110" >>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPF= ire >>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04 >>>>>>>>>>>>>>>>> - skipped >>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03 >>>>>>>>>>>>>>>>> All: >>>>>>>>>>>>>>>>> - new feature: includes beta version numbers for pakfire = package, >>>>>>>>>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, for each release. >>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>> - new feature: added new WebGUI at `rpz.cgi` >>>>>>>>>>>>>>>>> - a BIG thank you to Leo Hofmann for all of his work cre= ating the webgui!! >>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at menu > IPF= ire >>>>>>>>>>>>>>>>> rpz-make: >>>>>>>>>>>>>>>>> - new feature: validate entries in allowlist and blockli= st >>>>>>>>>>>>>>>>> - new feature: add "no-reload" option for WebGUI >>>>>>>>>>>>>>>>> rpz-metrics: >>>>>>>>>>>>>>>>> - new feature: info can be sorted by name, by hit count, = by line count, by >>>>>>>>>>>>>>>>> "enabled" list or all lists >>>>>>>>>>>>>>>>> backups: >>>>>>>>>>>>>>>>> - bug fix: include all files in `/var/ipfire/dns/rpz` di= rectory in backup >>>>>>>>>>>>>>>>> update.sh: >>>>>>>>>>>>>>>>> - bug fix: corrected ownership for `/var/ipfire/dns/rpz` = directory during an >>>>>>>>>>>>>>>>> update >>>>>>>>>>>>>>>>> Build: >>>>>>>>>>>>>>>>> - bug fix: `block.rpz.conf` and `block.rpz` from build.= Files to be created >>>>>>>>>>>>>>>>> by `rpz-make` >>>>>>>>>>>>>>>>> WebGUI and German language file >>>>>>>>>>>>>>>>> Contribution-by: Leo-Andres Hofmann >>>>>>>>>>>>>>>>> Spanish language file >>>>>>>>>>>>>>>>> Contribution-by: Roberto Pe=C3=B1a >>>>>>>>>>>>>>>>> Italian language file >>>>>>>>>>>>>>>>> 
Contribution-by: Umberto Parma >>>>>>>>>>>>>>>>> French language file >>>>>>>>>>>>>>>>> Contribution-by: gw-ipfire >>>>>>>>>>>>>>>>> Turkish language file >>>>>>>>>>>>>>>>> Contribution-by: Peppe Tech >>>>>>>>>>>>>>>>> Contribution-by: Bernhard Bitsch >>>>>>>>>>>>>>>>> Contribution-by: Erik Kapfer >>>>>>>>>>>>>>>>> 
Signed-off-by: Jon Murphy >>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>> config/backup/includes/rpz | 4 + >>>>>>>>>>>>>>>>> config/cfgroot/manualpages | 1 + >>>>>>>>>>>>>>>>> config/menu/EX-rpz.menu | 6 + >>>>>>>>>>>>>>>>> config/rootfiles/common/configroot | 1 + >>>>>>>>>>>>>>>>> config/rootfiles/common/web-user-interface | 1 + >>>>>>>>>>>>>>>>> config/rootfiles/packages/rpz | 20 + >>>>>>>>>>>>>>>>> config/rpz/00-rpz.conf | 10 + >>>>>>>>>>>>>>>>> config/rpz/rpz-config | 130 +++ >>>>>>>>>>>>>>>>> config/rpz/rpz-functions | 85 ++ >>>>>>>>>>>>>>>>> config/rpz/rpz-make | 203 +++++ >>>>>>>>>>>>>>>>> config/rpz/rpz-metrics | 170 ++++ >>>>>>>>>>>>>>>>> config/rpz/rpz-sleep | 58 ++ >>>>>>>>>>>>>>>>> config/rpz/rpz.de.pl | 30 + >>>>>>>>>>>>>>>>> config/rpz/rpz.en.pl | 30 + >>>>>>>>>>>>>>>>> config/rpz/rpz.es.pl | 30 + >>>>>>>>>>>>>>>>> config/rpz/rpz.fr.pl | 30 + >>>>>>>>>>>>>>>>> config/rpz/rpz.it.pl | 30 + >>>>>>>>>>>>>>>>> config/rpz/rpz.tr.pl | 30 + >>>>>>>>>>>>>>>>> html/cgi-bin/rpz.cgi | 923 +++++++++++++++++++++ >>>>>>>>>>>>>>>>> lfs/rpz | 96 +++ >>>>>>>>>>>>>>>>> make.sh | 3 +- >>>>>>>>>>>>>>>>> src/paks/rpz/install.sh | 36 + >>>>>>>>>>>>>>>>> src/paks/rpz/uninstall.sh | 38 + >>>>>>>>>>>>>>>>> src/paks/rpz/update.sh | 52 ++ >>>>>>>>>>>>>>>>> 24 files changed, 2016 insertions(+), 1 deletion(-) >>>>>>>>>>>>>>>>> create mode 100644 config/backup/includes/rpz >>>>>>>>>>>>>>>>> create mode 100644 config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>> create mode 100644 config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-config >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-functions >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-make >>>>>>>>>>>>>>>>> create mode 100755 config/rpz/rpz-metrics >>>>>>>>>>>>>>>>> create mode 100755 config/rpz/rpz-sleep >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.de.pl >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.en.pl >>>>>>>>>>>>>>>>> create mode 
100644 config/rpz/rpz.es.pl >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.fr.pl >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.it.pl >>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.tr.pl >>>>>>>>>>>>>>>>> create mode 100644 html/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>> create mode 100644 lfs/rpz >>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/install.sh >>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/uninstall.sh >>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/update.sh >>>>>>>>>>>>>>>>> diff --git a/config/backup/includes/rpz b/config/backup/= includes/rpz >>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>> index 000000000..36513e494 >>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>>>>>>>>> @@ -0,0 +1,4 @@ >>>>>>>>>>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>>>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>> diff --git a/config/cfgroot/manualpages b/config/cfgroot= /manualpages >>>>>>>>>>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>>>>>>>>>> --- a/config/cfgroot/manualpages >>>>>>>>>>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>> @@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/ipfire/pak= fire >>>>>>>>>>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>>>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>>>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>>>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>>>>>>>>> # Logs menu >>>>>>>>>>>>>>>>> logs.cgi/summary.dat=3Dconfiguration/logs/summary >>>>>>>>>>>>>>>>> diff --git a/config/menu/EX-rpz.menu b/config/menu/EX-rp= z.menu >>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>> index 000000000..2f4daf410 >>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>> 
@@ -0,0 +1,6 @@ >>>>>>>>>>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>>>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>>>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>>>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>>>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>>>>>>>>>> +}; >>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/configroot b/config= /rootfiles/common/configroot >>>>>>>>>>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>>>>>>>>>> --- a/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.menu >>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>>>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/web-user-interface= b/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>>>>>>>>>> --- a/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi >>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>>>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/packages/rpz b/config/root= files/packages/rpz >>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>> index 000000000..1c8663049 >>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>> 
@@ -0,0 +1,20 @@ >>>>>>>>>>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>>>>>>>>>> +etc/unbound/zonefiles >>>>>>>>>>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>> +usr/sbin/rpz-config >>>>>>>>>>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>>>>>>>>>> +usr/sbin/rpz-make >>>>>>>>>>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>>>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>>>>>>>>>> +var/ipfire/backup/addons/includes/rpz >>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>> diff --git a/config/rpz/00-rpz.conf b/config/rpz/00-rpz.= conf >>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>> index 000000000..f005a4f2e >>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>> +++ b/config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>> @@ -0,0 +1,10 @@ >>>>>>>>>>>>>>>>> +server: >>>>>>>>>>>>>>>>> + module-config: "respip validator iterator" >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +rpz: >>>>>>>>>>>>>>>>> + name: allow.rpz >>>>>>>>>>>>>>>>> + zonefile: /etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>> + rpz-action-override: passthru >>>>>>>>>>>>>>>>> + rpz-log: yes >>>>>>>>>>>>>>>>> + rpz-log-name: allow >>>>>>>>>>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>>>>>>>>>> diff --git a/config/rpz/rpz-config b/config/rpz/rpz-conf= ig >>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>> index 000000000..c72d50f9b >>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>>>>>>>>>> 
@@ -0,0 +1,130 @@ >>>>>>>>>>>>>>>>> +#!/bin/bash >>>>>>>>>>>>>>>>> +#######################################################= ######################## >>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>> +# IPFire.org - A linux based firewall # >>>>>>>>>>>>>>>>> +# Copyright (C) 2024-2025 IPFire Team = # >>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>> +# This program is free software: you can redistribute i= t and/or modify # >>>>>>>>>>>>>>>>> +# it under the terms of the GNU General Public License= as published by # >>>>>>>>>>>>>>>>> +# the Free Software Foundation, either version 3 of the = License, or # >>>>>>>>>>>>>>>>> +# (at your option) any later version. # >>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>> +# This program is distributed in the hope that it will= be useful, # >>>>>>>>>>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied wa= rranty of # >>>>>>>>>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.= See the # >>>>>>>>>>>>>>>>> +# GNU General Public License for more details. # >>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>> +# You should have received a copy of the GNU General Pu= blic License # >>>>>>>>>>>>>>>>> +# along with this program. If not, see . 
# >>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>> +#######################################################= ######################## >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +############### Functions ############### >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +############### Main ############### >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +tagName=3D"unbound" >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +rpzAction=3D"${1}" # input RPZ action >>>>>>>>>>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>>>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>>>>>>>>>> +rpzOption1=3D"${4}" # input RPZ option #1 >>>>>>>>>>>>>>>>> +rpzOption2=3D"${5}" # input RPZ option #2 >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.rpz.conf"= # output zone conf file >>>>>>>>>>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.rpz" # out= put for RPZ file >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +rpzLog=3D"yes" # log default is yes >>>>>>>>>>>>>>>>> +ucReload=3D"yes" # reload default is yes >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>>>>>>>>>> + case "$1" in >>>>>>>>>>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>>>>>>>>>> + --no-reload ) ucReload=3D"no" ; checkConf=3D"no" ;; >>>>>>>>>>>>>>>>> + esac >>>>>>>>>>>>>>>>> + shift # Shift after checking all the cases to get next = option >>>>>>>>>>>>>>>>> +done >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> +case "${rpzAction}" in >>>>>>>>>>>>>>>>> + # add new rpz list >>>>>>>>>>>>>>>>> + add ) >>>>>>>>>>>>>>>>> + check_name "${rpzName}" # is this a valid name? >>>>>>>>>>>>>>>>> + # does this config already exist? If yes, then exit >>>>>>>>>>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>> + msg_log "error: rpz: duplicate - ${rpzConfig} already= exists. 
exit" >>>>>>>>>>>>>>>>> + exit 104 >>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + # is this a valid URL? >>>>>>>>>>>>>>>>> + regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!:,.;]*[-[:= alnum:]\+&@#/%=3D~_|]' >>>>>>>>>>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex ]] ; then >>>>>>>>>>>>>>>>> + msg_log "error: rpz: the URL is not valid: \"${rpzURL}= \". exit." >>>>>>>>>>>>>>>>> + exit 105 >>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + # create the zone config file >>>>>>>>>>>>>>>>> + { >>>>>>>>>>>>>>>>> + echo "rpz:" >>>>>>>>>>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>>>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>>>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>>>>>>>>>> + echo " rpz-action-override: nxdomain" >>>>>>>>>>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>>>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>>>>>>>>>> + echo " rpz-signal-nxdomain-ra: yes" >>>>>>>>>>>>>>>>> + } > "${rpzConfig}" >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + # set-up zonefile >>>>>>>>>>>>>>>>> + # create an empty rpz file if it does not exist >>>>>>>>>>>>>>>>> + if [[ ! -f "${rpzFile}" ]] ; then >>>>>>>>>>>>>>>>> + touch "${rpzFile}" >>>>>>>>>>>>>>>>> + # unbound requires these settings for rpz files >>>>>>>>>>>>>>>>> + set_permissions "${rpzFile}" "${rpzConfig}" >>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + # trash config file & rpz file >>>>>>>>>>>>>>>>> + remove ) >>>>>>>>>>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>> + msg_log "error: rpz: cannot remove ${rpzConfig}, does= not exist. 
exit" >>>>>>>>>>>>>>>>> + exit 106 >>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + msg_log "info: rpz: remove config file & rpz file \"${= rpzName}\"" >>>>>>>>>>>>>>>>> + rm "${rpzConfig}" >>>>>>>>>>>>>>>>> + rm "${rpzFile}" >>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + reload ) >>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + list ) >>>>>>>>>>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.rpz/, "",$= 2) ; NAME=3D$2 } \ >>>>>>>>>>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print NAME"=3D"$= 2":"$3} ' \ >>>>>>>>>>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + unbound-restart ) >>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>> + unbound_restart >>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>> + * ) >>>>>>>>>>>>>>>>> + msg_log "error: rpz: missing or incorrect parameter" >>>>>>>>>>>>>>>>> + printf "Usage: $(basename "$0") =
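Review bot: in the config/rpz/00-rpz.conf hunk, `module-config: "respip validator iterator"` replaces Unbound's entire module list rather than extending it, so if the main unbound.conf or any other file under local.d also sets module-config the two declarations collide and the outcome depends on include order; a comment in the file stating that this is the one authoritative module-config and that respip must be listed before validator would save the next reader a debugging session. The same hunk relies on two implicit ordering facts that deserve a comment as well: Unbound consults rpz: zones in the order they are configured, and the passthru allow zone is consulted first only because `00-rpz.conf` sorts ahead of the other `*rpz.conf` files that `rpz-config add` writes. Unless `check_name` in rpz-functions rejects names that sort before `00-`, a later list could be evaluated ahead of the allow zone, so either document the constraint or enforce it in the name check.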
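Review bot: in the config/rpz/rpz-config hunk, `checkConf` is only ever assigned in the `--no-reload` branch, so on the default path `check_unbound_conf "${checkConf}"` (in both `reload` and `unbound-restart`) receives an empty string; initialise it alongside `rpzLog` and `ucReload` (e.g. `checkConf="yes"`) so the function always gets an explicit value. Three smaller points in the same hunk: the URL regex in `add` is anchored at the start but not at the end, so anything following the matched prefix passes validation and is written verbatim by `echo "    url: ${rpzURL}"` into the Unbound zone config, and appending `$` (and keeping whitespace out of the allowed class) would validate the whole value before it lands in a config file; `remove` builds and deletes `${rpzConfig}` and `${rpzFile}` from `${rpzName}` without the `check_name` call that `add` performs, so move `check_name "${rpzName}"` ahead of the `case` (and use `rm -f "${rpzFile}"` or test for it, since `add` only creates the zonefile when it is absent); and `set_permissions "${rpzFile}" "${rpzConfig}"` sits inside `if [[ ! -f "${rpzFile}" ]]`, so a freshly written `${rpzConfig}` keeps its default mode whenever the zonefile already exists, which is fixed by moving that call after the `fi`.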