From: "Jon Murphy"
To: "Michael Tremer"
Cc: "Bernhard Bitsch", "IPFire: Development-List"
Subject: Re[2]: [PATCH] RPZ: update code to include WEBGUI and additional languages
Date: Thu, 22 May 2025 19:45:11 +0000

I understand that "Unbound, RPZ and a blacklist" was unsuitable. I am curious what was suitable.

------ Original Message ------
From "Michael Tremer"
To "Jon Murphy"
Cc "Bernhard Bitsch"; "IPFire: Development-List"
Date 5/22/2025 10:46:25 AM
Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages

> Unbound, RPZ and a blacklist that I deemed suitable. It isn’t.
>
>> On 22 May 2025, at 16:45, Jon Murphy wrote:
>>
>> Still curious… What are you using to block adult websites?
>>
>> ------ Original Message ------
>> From "Michael Tremer"
>> To "Jon Murphy"
>> Cc "Bernhard Bitsch"; "IPFire: Development-List" <development@lists.ipfire.org>
>> Date 5/22/2025 10:43:55 AM
>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>
>>> I stated that before. I need to block adult websites.
>>>
>>>> On 22 May 2025, at 16:42, Jon Murphy wrote:
>>>>
>>>> Now I am curious! What is your use-case? Tell me more...
>>>>
>>>> ------ Original Message ------
>>>> From "Michael Tremer"
>>>> To "Jon Murphy"
>>>> Cc "Bernhard Bitsch"; "IPFire: Development-List"
>>>> Date 5/22/2025 10:40:38 AM
>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>
>>>>> Hello Jon,
>>>>>
>>>>> I have not been spending time on this at all since we talked last.
>>>>>
>>>>> I don’t need Unbound to download any files for my use-case either.
>>>>>
>>>>> -Michael
>>>>>
>>>>>> On 20 May 2025, at 17:30, Jon Murphy wrote:
>>>>>>
>>>>>> Michael,
>>>>>>
>>>>>> Were you able to debug RPZ and get Unbound to download `.rpz` files?
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> ------ Original Message ------
>>>>>> From "Michael Tremer"
>>>>>> To "Jon Murphy"
>>>>>> Cc "Bernhard Bitsch"; "IPFire: Development-List"
>>>>>> Date 3/24/2025 9:43:37 AM
>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>
>>>>>>> Yes, I don’t need any debugging of this...
>>>>>>>
>>>>>>>> On 24 Mar 2025, at 14:42, Jon Murphy wrote:
>>>>>>>>
>>>>>>>> Is there a:
>>>>>>>>
>>>>>>>> server:
>>>>>>>>     module-config: "respip validator iterator"
>>>>>>>>
>>>>>>>> In your RPZ set-up?
>>>>>>>>
>>>>>>>> ------ Original Message ------
>>>>>>>> From "Michael Tremer"
>>>>>>>> To "Jon Murphy"
>>>>>>>> Cc "Bernhard Bitsch"; "IPFire: Development-List"
>>>>>>>> Date 3/24/2025 9:40:15 AM
>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>
>>>>>>>>> Because it is not doing it on my system...
>>>>>>>>>
>>>>>>>>>> On 24 Mar 2025, at 14:38, Jon Murphy wrote:
>>>>>>>>>>
>>>>>>>>>> Actually it did.
>>>>>>>>>>
>>>>>>>>>> Why do you think Unbound did not?
>>>>>>>>>>
>>>>>>>>>> ------ Original Message ------
>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>> Cc "Bernhard Bitsch"; "IPFire: Development-List"
>>>>>>>>>> Date 3/24/2025 9:36:53 AM
>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>
>>>>>>>>>>> Unbound did not put those there...
>>>>>>>>>>>
>>>>>>>>>>>> On 24 Mar 2025, at 14:33, Jon Murphy wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> And where are these stored?
>>>>>>>>>>>>
>>>>>>>>>>>> In `/etc/unbound/zonefiles`:
>>>>>>>>>>>>
>>>>>>>>>>>> [root@ipfire ~] # ls -al /etc/unbound/zonefiles
>>>>>>>>>>>> total 20664
>>>>>>>>>>>> drwxr-xr-x 2 nobody nobody     4096 Mar 24 04:40 .
>>>>>>>>>>>> drwxr-xr-x 4 root   root       4096 Mar 19 16:24 ..
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody  3999087 Mar 23 15:11 adhocSB.rpz
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody     1411 Mar 23 14:23 allow.rpz
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody    25355 Mar 24 04:40 AmazonTrkrHZ.rpz
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody     7241 Mar 24 04:40 AppleTrkrHZ.rpz
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody      178 Mar 23 14:23 block.rpz
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody    78496 Mar 24 04:40 DOHblockHZ.rpz
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody 16983551 Mar 24 04:40 MxProPlusHZ.rpz
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody     2893 Mar 24 04:40 tldHZ.rpz
>>>>>>>>>>>> -rw-r--r-- 1 nobody nobody    29419 Mar 24 04:40 WinTrkrHZ.rpz
>>>>>>>>>>>> [root@ipfire ~] #
>>>>>>>>>>>>
>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>> To "Bernhard Bitsch"
>>>>>>>>>>>> Cc development@lists.ipfire.org
>>>>>>>>>>>> Date 3/24/2025 9:25:40 AM
>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 24 Mar 2025, at 13:33, Bernhard Bitsch wrote:
>>>>>>>>>>>>>> On 24.03.2025 at 11:17 Michael Tremer wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 24 Mar 2025, at 00:00, Jon Murphy wrote:
>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>> FYI - I was wrong. Unbound RPZ is _not_ watching the serial number, it is watching the "refresh", the number after the serial number.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Refresh just tells the client how often to check for an update.
>>>>>>>>>>>>>>> If that is actually being set by the list publisher, then we have another problem here, because they could put some insanely low value there and we would then DDoS their infrastructure. I think we should keep it like we have it in other places that we control how often we want to check or pull for updates.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You are right. But an extra update process wastes additional processor time. The update mechanism of unbound does the check for update (however it is realized) nevertheless.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, doing more things needs resources. But we are not seriously considering whether an IPFire system has enough resources to perform the download of a text file, or are we?
>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>>>>>>>>>> From testing. Downloading rpz files using rpz unbound, and watching what happens. If the rpz file is setup for "once per day" refresh, then it only downloads one time.
>>>>>>>>>>>>>>>> However that won’t solve our problem . . . and having no cache.
>>>>>>>>>>>>>>>> In `/etc/unbound/tuning.conf` there is `rrset-cache-size: 128m`. Are you referring to a different cache?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Naturally unbound is loading the zone into its memory which we generally call cache.
>>>>>>>>>>>>>>> When I say cache I am thinking about persistent data storage across multiple restarts of Unbound. If I am downloading 100 MiB of RPZ lists (which is presumably still on the lower end) and I reboot my firewall, I do not want to download the same data again. We can only ever download a list *once* unless we are 100% certain that it has changed. Then we can download it once again.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The RPZ lists are stored in files in persistent storage. Unbound creates the internal cache from these.
>>>>>>>>>>>>>
>>>>>>>>>>>>> And where are these stored?
>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Maybe we need to implement both?
>>>>>>>>>>>>>>>> Yes. There are very few AXFR lists (I think only four were found). And many more HTTPS rpz files.
>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------ Original Message ------
>>>>>>>>>>>>>>>> From "Michael Tremer"
>>>>>>>>>>>>>>>> To "Jon Murphy"
>>>>>>>>>>>>>>>> Cc "IPFire: Development-List"
>>>>>>>>>>>>>>>> Date 3/20/2025 11:26:43 AM
>>>>>>>>>>>>>>>> Subject Re: [PATCH] RPZ: update code to include WEBGUI and additional languages
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>> Please don’t forget to Cc the list...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 19 Mar 2025, at 18:27, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Keep in mind I am not a "C" person. Maybe in this section?:
>>>>>>>>>>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l5875
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This is where the AXFR response is being handled when doing a DNS zone transfer. This code is not being called when performing a HTTP download.
>>>>>>>>>>>>>>>>> I understand that you don’t speak C, but you got the information from somewhere. Documentation maybe? Since that is out of date very often I like to consult the code.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> —
>>>>>>>>>>>>>>>>>> When I was just learning about RPZ I created a separate RPZ file for testing. When I changed the SOA line with a new serial number, the RPZ file download would happen in about 5 minutes.
>>>>>>>>>>>>>>>>>> https://people.ipfire.org/~jon/sblack-adhoc.rpz
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> It might well be that the file is not being reloaded if the download matches the content that unbound already has. That would of course save some resources.
>>>>>>>>>>>>>>>>> However that won’t solve our problem with redundant downloads and having no cache.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> That is how I found out the SOA line is watched for a serial number change.
>>>>>>>>>>>>>>>>>> I’ll reconfirm my findings.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> So I understand, are you thinking of hosting RPZ AXFR (DNS zone transfer) on IPFire infrastructure?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> No, I don’t think that we can generally do this. The biggest problem is licensing as we cannot take anyone's content and host it ourselves. We would re-distribute those lists and that will only work with permission of the publishers. I assume that would be too much work to actually get some useful content out there. We might limit ourselves to only those lists that are under a very permissive license. Nobody wants that.
>>>>>>>>>>>>>>>>> From a technical point of view, DNS over TCP might not be very nice in terms of forging the transfer and so we would need TLS as well… It should work, but even if we would be able to encourage other people to publish their lists I doubt they would implement DNS over TLS for authoritative DNS. That standard is in very early stages as well.
>>>>>>>>>>>>>>>>> As far as I can see, those vendors who offer a list as a commercial product are using DNS to distribute it (e.g. Spamhaus). Those people who have made this all a hobby are throwing the lists onto GitHub and let them handle the traffic.
>>>>>>>>>>>>>>>>> Maybe we need to implement both?
>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 3/19/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>> Where in the code is this implemented? I cannot find anything like this:
>>>>>>>>>>>>>>>>>>> Unbound loads the entire file into memory and then starts parsing it. The only special treatment there is is to check whether the first line is a valid zone entry. It does not even have to be a SOA record.
>>>>>>>>>>>>>>>>>>> https://git.ipfire.org/?p=thirdparty/unbound.git;a=blob;f=services/authzone.c;hb=30b9cb5f813003d0a2b1c2e678652396615b1b7d#l1188
>>>>>>>>>>>>>>>>>>> I am also concerned that Unbound will not be able to support an upstream proxy for any downloads. The caching situation is also unclear for me, so I believe that we will be looking at writing a custom downloader that implements all these things.
>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 19 Mar 2025, at 02:58, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is
>>>>>>>>>>>>>>>>>>>>> what cannot happen.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> The Unbound RPZ code, as installed within IPFire, watches for a change in the SOA line of each RPZ file. This is an example of the first few lines for every RPZ file.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> $TTL 300
>>>>>>>>>>>>>>>>>>>> @ SOA localhost. root.localhost. 1742298960 43200 3600 86400 300
>>>>>>>>>>>>>>>>>>>>   NS localhost.
>>>>>>>>>>>>>>>>>>>> ;
>>>>>>>>>>>>>>>>>>>> ; Title: HaGeZi's Pop-Up Ads DNS Blocklist
>>>>>>>>>>>>>>>>>>>> ; Description: Blocks annoying and malicious pop-up ads.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> If the SOA serial number changes (e.g. the 1742298960), then Unbound RPZ code does its thing and downloads. Otherwise there is no download.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won’t download a list again
>>>>>>>>>>>>>>>>>>>>> unless it has actually changed.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> This should do what you want but I may be missing your point.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job
>>>>>>>>>>>>>>>>>>>>> for you. I was just wondering whether that was not being used.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I need to read about AXFR/IXFR and learn a little more.
>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 3/17/25 5:35 AM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>> Good Morning Jon,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 16 Mar 2025, at 17:00, Jon Murphy wrote:
>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>> I was reading through your response again and I want to understand this post:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> So if RPZ doesn't use HTTPS, what is it using? I am missing a key point here.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> The emphasis is on the repeated downloads of the same list. That is what cannot happen.
>>>>>>>>>>>>>>>>>>>>> Although it might not affect a lot of people in our general user-base, there are some that have a metered connection and will pay for data by volume. Some of the lists I looked at are just under 20 MiB. Therefore we need to keep any traffic down to a minimum. The second reason is that we have a lot of firewalls out there. Not all of them will enable this feature and all of the lists, but even if it is a good chunk, we will generate terabytes of traffic which put load on the infrastructure and will cost money. It simply is not what we want to do, regardless of self-hosting those lists and pulling them from somewhere else.
>>>>>>>>>>>>>>>>>>>>> So there has to be a way to ensure that we won’t download a list again unless it has actually changed.
>>>>>>>>>>>>>>>>>>>>> DNS has a builtin functionality called AXFR. It simply does the job for you. I was just wondering whether that was not being used.
>>>>>>>>>>>>>>>>>>>>> HTTPS is an option because that is simply what we use elsewhere, but extra functionality will have to be built for it.
>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 2/13/25 3:34 PM, jon wrote:
>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>> I’ve read through your comments a few times and I ended up with many more questions.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> To me the efforts to get new code accepted seem to have changed and it seemed easier in the past. In the past I made the Core Team aware via the Dev Mailing List and wrote a simple two or three paragraphs of "What is it? / What is the value? / Here is the code".
>>>>>>>>>>>>>>>>>>>>>>> So in an effort to move forward: How exactly is something presented to the Core Team?
>>>>>>>>>>>>>>>>>>>>>>> Is there an example of a recent effort that was presented that I can see as a sample? (This type of info can also be added to the Wiki.)
>>>>>>>>>>>>>>>>>>>>>>> I understand you want it this way, but I don’t know what exactly is needed. Please be specific.
>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>> PS - I am not ignoring your other comments, I am just trying to move forward and keep things simple.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Feb 8, 2025, at 1:27 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>> Thanks for your reply. And good that you are copying everyone into this conversation.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 8 Feb 2025, at 18:41, jon wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Michael,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Yes, this has been a separate effort (a very public separate effort). Yes, as you pointed this out early on with the "proof-of-concept" and then my request for people to help test RPZ. Nothing was hidden.
>>>>>>>>>>>>>>>>>>>>>>>>> This was done because you (and maybe others) did not have the time and I wanted to help and because I needed assistance with RPZ. I tried my best to do this without bothering you.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I don’t think that it is accurate that nobody wanted to help on this. The list was always open - although not every email has been replied to swiftly it is also your responsibility to raise a question again if it was missed. People here have open ears.
>>>>>>>>>>>>>>>>>>>>>>>> It was also stated on this very list and in our documentation that working on something without involving the core team is a risky undertaking. Of course IPFire is free software and so everyone is free to fork if they wish to do so.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> You were aware many steps along the way. See your email on July 28, 2024, August 15, 2024, September 30, 2024, December 23, 2024, and January 16. My attempts to get the team involved were met with "things are busy" and sometimes silence. (Yes, I get it, people are busy.)
>>>>>>>>>>>>>>>>>>>>>>>>> You and Adolf, Leo, Erik and Bernhard have been aware since the beginning. You mention you were aware of the "proof-of-concept". If you include those beginning posts, since Sep 2023.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yes, I am aware of a proof-of-concept that I have been running myself for a long time. I am also aware of the efforts that you have been taking.
>>>>>>>>>>>>>>>>>>>>>>>> Yet I don’t think there has ever been any joint effort, or am I seeing that wrong?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> This has not been discussed . . . on our calls.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On the July 28th you stated:
>>>>>>>>>>>>>>>>>>>>>>>>> "We have talked about RPZ many times on the monthly call since the URL filter feature is falling more and more out of fashion. I think there is also many posts about this on the forum."
>>>>>>>>>>>>>>>>>>>>>>>>> Please don’t insult me again by stating "you know what I mean".
>>>>>>>>>>>>>>>>>>>>>>>>> And it has been discussed but not documented in the Monthly Meeting notes.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I am not at all insulting you. I don’t want to take this down to a personal level at all. This is a public mailing list and people who read this don’t need to listen to an argument we are having. They are here for the tech inside IPFire.
>>>>>>>>>>>>>>>>>>>>>>>> When I wrote that it has not been discussed that does not mean that we have not been touching on the topic. We have been talking about lots of things on the calls, the weather, politics, how our pets are. None of that makes it to the logs. What I rather mean is that it has never been added as a topic on the agenda and it has not been pitched by yourself.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Regular conversation on the Dev Mailing list is many times met with silence. I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>> And regular two-way conversation doesn’t happen on the list. At least not with me. I’d be happy to point out the posts that were met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>> Again, I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> And you think my emails are not being met with silence? This has nothing to do with this specific topic. This has something to do with how occupied people are and how engaged they are on certain topics. Not everyone is involved in all the things and simply will ignore emails simply based on their subject line.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> But the "dip here to the list" were my attempts to get a conversation started. As I said, many times met with silence.
>>>>>>>>>>>>>>>>>>>>>>>>> The only place I was not met with silence was on the Community. You have a great group of people in the Community. It is a shame you don’t want to have others help. It would reduce your workload.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> You should stop making statements that are not true. Who doesn’t want anyone to help?
>>>>>>>>>>>>>>>>>>>>>>>> Not having this conversation on a Saturday evening would reduce my workload. At least it would free up time for something else. Helping with the things that are already on the go would reduce the workload of the entire team. Starting one thing at a time and finishing it is a lot better to manage than starting a hundred things and not even finishing one. I can tell you that I already have a hundred things on the go.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> To me it is beyond obvious…
>>>>>>>>>>>>>>>>>>>>>>>>> If it isn’t what you want, then guide me with how to do this the correct way. And be specific. I am trying to help. I am trying to make things better. I am trying to do things the right way.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> To me it isn’t. This is yet another project that has been dumped to the list like so many before and later on everyone has left to have the team deal with the rest.
>>>>>>>>>>>>>>>>>>>>>>>> It is a huge patch set. You explained what the vision is, but that is about it. There is no chance this will continue if this disagreement isn’t solved first. I didn’t even look at the code.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t want to merge code that I don’t agree with.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I asked multiple times if you "agreed with the concept" and again, met with silence. Yes I get it, people are busy.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Having support for RPZ? Yes, it was definitely on the roadmap. That I agree with.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> You mentioned this in the past, but for some reason you do not disclose what I dismissed. Why do you continue to make this harder, wouldn’t it be easier to tell me what I have dismissed?
>>>>>>>>>>>>>>>>>>>>>>>>> I have sent multiple emails trying to answer your concerns and comments. On July 28, Aug 14, Aug 22, Aug 23, Sep 30, etc.
>>>>>>>>>>>>>>>>>>>>>>>>> I’ve gone through all of the questions you asked and I cannot find a "dismissed" item.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Maybe I need to be *more clear*. I feel humoured by this.
>>>>>>>>>>>>>>>>>>>>>>>> It is late on a Saturday and I want my dinner soon, but certainly I have stated that this should never be an add-on considering it is supposed to replace URL Filter. We should never allow people to add their own sources. I have also stated that we cannot download any lists over HTTPS again and again and again. The implementation that we have here seems to exactly do that and therefore I think that my feedback has been dismissed entirely.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> The maintainers of Unbound and/or RPZ?
>>>>>>>>>>>>>>>>>>>>>>>>> The maintainers of Hagezi list, the threatfox list, the urlhaus list, etc.?
>>>>>>>>>>>>>>>>>>>>>>>>> What else? The maintainers of the RPZ scripts? That is me. Let’s talk!
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> You. I don’t care much about the providers of the lists.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> See, this is where it gets confusing. There are hundreds of open source packages as part of IPFire. Pick the last five years of items added to the IPFire build. You're telling me you have "constructive conversation with the maintainers" of all of the added packages?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> They publish their software and they don’t care whether I am pulling it or not. They publish it with the commitment to maintain it - sometimes for better and sometimes for worse.
>>>>>>>>>>>>>>>>>>>>>>>> You care about me pulling your code and I don’t know whether you would commit to maintain this.
>>>>>>>>>>>>>>>>>>>>>>>> These two are very different cases.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Pick the IP Blocklists list (i.e., 3CORESEC, ABUSECH, DSHIELD, SPAMHAUS, etc.) or the Suricata lists (i.e., Emergingthreats.net, Abuse.ch, etc.). So you have "constructive conversation with the maintainers"?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yes, occasionally I have phone calls with a few of these providers.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Ha! Yes a surprise. In the beginning you seemed interested as IPFire needed a replacement for URL Filter. You asked good questions about the lists picked, asked for the value to the users, etc. And I answered the best I could.
>>>>>>>>>>>>>>>>>>>>>>>>> You even asked: “Why is this realised as an add-on and not part of the core system?” from your Jul 28, 2024 email.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Ah, so, why is the patch creating an add-on? Not that I am saying that what I say is law, but it has not been challenged either. If my input is being ignored, why should I put this to the top of my list of priorities? I am not disappointed about this, just trying to be very good with my time.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> And on January 16, 2025 I wrote a message looking for help. And you were kind to respond quickly. So in three weeks time, since the kind response, something has changed. You went from supportive to "this".
>>>>>>>>>>>>>>>>>>>>>>>>> So yes, I am surprised.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Well, maybe I should not have replied to that email. It was clear that you were on some path that was not right, but you were not interested before in finding the right path from the beginning.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Be more specific, what has to change? What exactly did I dismiss?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Dismissal is just my assumption. I don’t know what you actually did with my feedback. I can only see the end product that does not seem to contain much of it. Repeatedly I have been pointing out that we should think before we build. I am sure a lot of hours have now gone into some code that simply does not satisfy me. And I am not talking about the code itself, what it does is what I don’t think is right for us.
>>>>>>>>>>>>>>>>>>>>>>>> The process is very clear for me that we should first of all think whether we want a certain feature now. Then there should be a clear roadmap for everyone to follow; tasks can be split-up as we go and hopefully then have something that is maintainable, interesting for our users and even would do us proud. This is how this should work.
>>>>>>>>>>>>>>>>>>>>>>>> So, what has to change? I don’t think with shouting at each other, throwing patches around and making me generally unhappy is a good start.
>>>>>>>>>>>>>>>>>>>>>>>> -Michael
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On Feb 6, 2025, at 2:13 PM, Michael Tremer wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Jon,
>>>>>>>>>>>>>>>>>>>>>>>>>> Well, here we are again with another patch regarding this feature.
>>>>>>>>>>>>>>>>>>>>>>>>>> I cannot quite see from your email what the question is, but if this is a request to have this merged into IPFire, I am once again sorry to disappoint you.
>>>>>>>>>>>>>>>>>>>>>>>>>> I think I have covered this all at lengths before that this project has been started as a separate effort and as far as I am aware none of the other team members has been involved. This has not been discussed either on this list, on our calls. Instead there has been a separate conversation on the forum with the occasional dip here to the list. But that was not a regular two-way conversation. Therefore, what am I supposed to do with this email?
>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t want to merge code that I don’t agree with. So many fundamental things that I have been raising have either not been discussed or outright dismissed.
>>>>>>>>>>>>>>>>>>>>>>>>>> I don’t want to merge code that has no future inside IPFire as there is no constructive conversation with the maintainers of it.
>>>>>>>>>>>>>>>>>>>>>>>>>> Having been trying for a long time to make you aware of this, nothing of this should come as a surprise.
>>>>>>>>>>>>>>>>>>>>>>>>>> Please consider if that can be changed and if there is a path forward with this.
>>>>>>>>>>>>>>>>>>>>>>>>>> All the best, >>>>>>>>>>>>>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> On 6 Feb 2025, at 16:35, Jon Murphy wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> What is it? >>>>>>>>>>>>>>>>>>>>>>>>>>> Response Policy Zone (RPZ) is a mechanism to d= efine local policies in a >>>>>>>>>>>>>>>>>>>>>>>>>>> standardized way and load those policies from= external sources. >>>>>>>>>>>>>>>>>>>>>>>>>>> Bottom line: RPZ allows admins to easily block = access to websites via DNS lookup. >>>>>>>>>>>>>>>>>>>>>>>>>>> RPZ can block websites via categories. Example= s include: fake websites, annoying >>>>>>>>>>>>>>>>>>>>>>>>>>> pop-up ads, newly registered domains, DoH bypa= ss sites, bad "host" services, >>>>>>>>>>>>>>>>>>>>>>>>>>> maliscious top level domains (e.g., *.zip, *.m= ov), piracy, gambling, pornography, >>>>>>>>>>>>>>>>>>>>>>>>>>> and more. RPZ lists come from various RPZ prov= iders and their available >>>>>>>>>>>>>>>>>>>>>>>>>>> catagories. >>>>>>>>>>>>>>>>>>>>>>>>>>> This RPZ add-on enables the RPZ functionality= by adding a couple lines in a >>>>>>>>>>>>>>>>>>>>>>>>>>> configuration file. This add-on simply adds co= nfiguration files and adds >>>>>>>>>>>>>>>>>>>>>>>>>>> scripts (config, metrics and sleep) to make RP= Z easier for the admin to use. >>>>>>>>>>>>>>>>>>>>>>>>>>> The RPZ scripts include additional languages:= German, Spanish, French, Turkish, >>>>>>>>>>>>>>>>>>>>>>>>>>> and Italian. >>>>>>>>>>>>>>>>>>>>>>>>>>> RPZ itself was release in 2010 and has been pa= rt of the IPFire build since ~2015. >>>>>>>>>>>>>>>>>>>>>>>>>>> Why is it needed? What is its value? >>>>>>>>>>>>>>>>>>>>>>>>>>> - The RPZ concept places this filtering into I= PFire, our internet access >>>>>>>>>>>>>>>>>>>>>>>>>>> gateway, which is (should be) solely used as D= NS source of the internal network. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> - As most sites use HTTPS it makes it difficul= t to filter traffic with URL >>>>>>>>>>>>>>>>>>>>>>>>>>> Filter without also properly configuring conve= ntional (non-transparent) >>>>>>>>>>>>>>>>>>>>>>>>>>> mode on the proxy. RPZ is a nice replacement f= or the URL Filter. >>>>>>>>>>>>>>>>>>>>>>>>>>> - No need to install and maintain an additiona= l device like PiHole or AdBlock >>>>>>>>>>>>>>>>>>>>>>>>>>> browser extensions on multiple user devices. >>>>>>>>>>>>>>>>>>>>>>>>>>> - This is an additional layer of protection fo= r users. Less worry someone will >>>>>>>>>>>>>>>>>>>>>>>>>>> click on something that gets them into trouble= . And, saying this with emphasis, >>>>>>>>>>>>>>>>>>>>>>>>>>> the ability to do it in one place! >>>>>>>>>>>>>>>>>>>>>>>>>>> - Blocked sites save on unneeded traffic and c= an lessen the threat of malware >>>>>>>>>>>>>>>>>>>>>>>>>>> in advertisements >>>>>>>>>>>>>>>>>>>>>>>>>>> - Logging allows the admin to see the site blo= cked and take actions >>>>>>>>>>>>>>>>>>>>>>>>>>> - RPZ will be used at the home, home-office (w= ork from home), schools, >>>>>>>>>>>>>>>>>>>>>>>>>>> ministerial, and at the office. Device counts= are small (2-6) to medium (~80) >>>>>>>>>>>>>>>>>>>>>>>>>>> to mediam-large (200+). >>>>>>>>>>>>>>>>>>>>>>>>>>> - RPZ can block ads, popups, phishing, scammer= s, spyware, malware, annoying >>>>>>>>>>>>>>>>>>>>>>>>>>> popups, NSFW links, DOH servers, and the usual = internet trash. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> ------------------------------ >>>>>>>>>>>>>>>>>>>>>>>>>>> Change Log for RPZ add-on >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-1.0.0-18 on 2025-02-05 >>>>>>>>>>>>>>>>>>>>>>>>>>> - Build for approval & release as IPFire add-o= n >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.18-18.ipfire on 2025-02-01 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added a mod key to force a unbo= und restart >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-config and rpz-make: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added action for unbound restar= t `rpz-config unbound-restart` >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics: >>>>>>>>>>>>>>>>>>>>>>>>>>> - simple reformatting >>>>>>>>>>>>>>>>>>>>>>>>>>> - rename far right column from "last update" t= o "last download" >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.17-17.ipfire on 2024-12-09 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation regex for wild= cards like: `*.domain.com` >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.16-16.ipfire on 2024-11-18 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: updated validation regex >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: moved validation to beginning of pr= ocess. Now we validate before >>>>>>>>>>>>>>>>>>>>>>>>>>> creating config files. >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: use CSS color variables of the= main ipfire theme >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: empty zonefile remarks were stored= as =E2=80=9Cundef=E2=80=9D and caused a warning >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: HTML textarea removes the first emp= ty line in a custom list >>>>>>>>>>>>>>>>>>>>>>>>>>> - thank you Leo! 
>>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.15-15.ipfire on 2024-11-04 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Tur= kish (thank you Peppe) >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected empty allow/block list is= sue. An empty allow/block list >>>>>>>>>>>>>>>>>>>>>>>>>>> will now remove contents of allow/block.rpz fi= les and remove unneeded >>>>>>>>>>>>>>>>>>>>>>>>>>> allow/block.conf file. (thank you iptom) >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.14-14.ipfire on 2024-10-29 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-config: >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: correct missing rpz extension. `rpz= -config list` displayed URL >>>>>>>>>>>>>>>>>>>>>>>>>>> incorrectly (thank you Bernhard) >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: remove extra `"` in language files= (thank you Bernhard) >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: slightly dim "apply" button whe= n not enabled >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.13-13.ipfire on 2024-10-27 >>>>>>>>>>>>>>>>>>>>>>>>>>> - skipped >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.12-12.ipfire on 2024-10-21 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Fre= nch (thank you gw-ipfire) >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.11-11.ipfire on 2024-10-18 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Ita= lian (thank you umberto) >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Spa= nish (thank you Roberto) >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.10-10.ipfire on 2024-10-15 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make: >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected validation error 
for a cu= stom list entry (thank you siosios) >>>>>>>>>>>>>>>>>>>>>>>>>>> - e.g., `*.cloudflare-dns.com` >>>>>>>>>>>>>>>>>>>>>>>>>>> install.sh: >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created f= iles >>>>>>>>>>>>>>>>>>>>>>>>>>> update.sh: >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add chown to correct user created f= iles (thank you siosios) >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.9-9.ipfire on 2024-10-08 >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new language file for Ger= man (thank you Leo) >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: add missing "rpz exitcode 110" >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at= menu > IPFire >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.8-8.ipfire on 2024-10-04 >>>>>>>>>>>>>>>>>>>>>>>>>>> - skipped >>>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-beta-0.1.7-7.ipfire on 2024-10-03 >>>>>>>>>>>>>>>>>>>>>>>>>>> All: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: includes beta version numbers f= or pakfire package, >>>>>>>>>>>>>>>>>>>>>>>>>>> instead of only `rpz-1.0.0-1.ipfire`, for each = release. >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz.cgi: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: added new WebGUI at `rpz.cgi` >>>>>>>>>>>>>>>>>>>>>>>>>>> - a BIG thank you to Leo Hofmann for all of hi= s work creating the webgui!! 
>>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected missing RPZ menu item at= menu > IPFire >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-make: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: validate entries in allowlist a= nd blocklist >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: add "no-reload" option for WebG= UI >>>>>>>>>>>>>>>>>>>>>>>>>>> rpz-metrics: >>>>>>>>>>>>>>>>>>>>>>>>>>> - new feature: info can be sorted by name, by= hit count, by line count, by >>>>>>>>>>>>>>>>>>>>>>>>>>> "enabled" list or all lists >>>>>>>>>>>>>>>>>>>>>>>>>>> backups: >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: include all files in `/var/ipfire/d= ns/rpz` directory in backup >>>>>>>>>>>>>>>>>>>>>>>>>>> update.sh: >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: corrected ownership for `/var/ipfir= e/dns/rpz` directory during an >>>>>>>>>>>>>>>>>>>>>>>>>>> update >>>>>>>>>>>>>>>>>>>>>>>>>>> Build: >>>>>>>>>>>>>>>>>>>>>>>>>>> - bug fix: `block.rpz.conf` and `block.rpz` fr= om build. Files to be created >>>>>>>>>>>>>>>>>>>>>>>>>>> by `rpz-make` >>>>>>>>>>>>>>>>>>>>>>>>>>> WebGUI and German language file >>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Leo-Andres Hofmann >>>>>>>>>>>>>>>>>>>>>>>>>>> Spanish language file >>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Roberto Pe=C3=B1a >>>>>>>>>>>>>>>>>>>>>>>>>>> Italian language file >>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Umberto Parma >>>>>>>>>>>>>>>>>>>>>>>>>>> French language file >>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: gw-ipfire >>>>>>>>>>>>>>>>>>>>>>>>>>> Turkish language file >>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Peppe Tech >>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Bernhard Bitsch >>>>>>>>>>>>>>>>>>>>>>>>>>> Contribution-by: Erik Kapfer >>>>>>>>>>>>>>>>>>>>>>>>>>> 
Signed-off-by: Jon Murphy >>>>>>>>>>>>>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>>>>>>>>>>>>>> config/backup/includes/rpz | 4 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/cfgroot/manualpages | 1 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/menu/EX-rpz.menu | 6 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/configroot | 1 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/common/web-user-interface | 1 = + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rootfiles/packages/rpz | 20 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/00-rpz.conf | 10 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-config | 130 +++ >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-functions | 85 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-make | 203 +++++ >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-metrics | 170 ++++ >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz-sleep | 58 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.de.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.en.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.es.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.fr.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.it.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>> config/rpz/rpz.tr.pl | 30 + >>>>>>>>>>>>>>>>>>>>>>>>>>> html/cgi-bin/rpz.cgi | 923 +++++++++++++++++++= ++ >>>>>>>>>>>>>>>>>>>>>>>>>>> lfs/rpz | 96 +++ >>>>>>>>>>>>>>>>>>>>>>>>>>> make.sh | 3 +- >>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/install.sh | 36 + >>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/uninstall.sh | 38 + >>>>>>>>>>>>>>>>>>>>>>>>>>> src/paks/rpz/update.sh | 52 ++ >>>>>>>>>>>>>>>>>>>>>>>>>>> 24 files changed, 2016 insertions(+), 1 deleti= on(-) >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rootfiles/packages/r= pz >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 
config/rpz/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100755 config/rpz/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100755 config/rpz/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 config/rpz/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 html/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 lfs/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/install.sh >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/uninstall.sh >>>>>>>>>>>>>>>>>>>>>>>>>>> create mode 100644 src/paks/rpz/update.sh >>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/backup/includes/rpz b/conf= ig/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..36513e494 >>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/backup/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,4 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>> +/var/ipfire/dns/rpz/* >>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/zonefiles/block.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> +/etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/cfgroot/manualpages b/conf= ig/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>> index 1f7e01efc..d3a48c633 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>> --- a/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/cfgroot/manualpages >>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -70,6 +70,7 @@ pakfire.cgi=3Dconfiguration/= ipfire/pakfire >>>>>>>>>>>>>>>>>>>>>>>>>>> wlanap.cgi=3Daddons/wireless >>>>>>>>>>>>>>>>>>>>>>>>>>> tor.cgi=3Daddons/tor >>>>>>>>>>>>>>>>>>>>>>>>>>> samba.cgi=3Daddons/samba >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpz.cgi=3Daddons/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> # Logs menu >>>>>>>>>>>>>>>>>>>>>>>>>>> logs.cgi/summary.dat=3Dconfiguration/logs/summ= ary >>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/menu/EX-rpz.menu b/config/= menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..2f4daf410 >>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/menu/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -0,0 +1,6 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>> +$subipfire->{'20.rpz'} =3D { >>>>>>>>>>>>>>>>>>>>>>>>>>> + 'caption' =3D> $Lang::tr{'rpz'}, >>>>>>>>>>>>>>>>>>>>>>>>>>> + 'uri' =3D> '/cgi-bin/rpz.cgi', >>>>>>>>>>>>>>>>>>>>>>>>>>> + 'title' =3D> "RPZ", >>>>>>>>>>>>>>>>>>>>>>>>>>> + 'enabled' =3D> 1, >>>>>>>>>>>>>>>>>>>>>>>>>>> +}; >>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/common/configroo= t b/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>> index 9839eee45..b30d6aae4 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>> --- a/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/configroot >>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -120,6 +120,7 @@ var/ipfire/menu.d/70-log.m= enu >>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-apcupsd.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-guardian.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-mympd.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> +#var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-samba.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-tor.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> #var/ipfire/menu.d/EX-transmission.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> 
diff --git a/config/rootfiles/common/web-user-= interface b/config/rootfiles/common/web-user-interface >>>>>>>>>>>>>>>>>>>>>>>>>>> index 816241dae..e00464076 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>> --- a/config/rootfiles/common/web-user-interfa= ce >>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/common/web-user-interfa= ce >>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -69,6 +69,7 @@ srv/web/ipfire/cgi-bin/proxy= .cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/qos.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/remote.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/routing.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> +#srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> #srv/web/ipfire/cgi-bin/samba.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/services.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> srv/web/ipfire/cgi-bin/shutdown.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rootfiles/packages/rpz b/c= onfig/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..1c8663049 >>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rootfiles/packages/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,20 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/local.d/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles >>>>>>>>>>>>>>>>>>>>>>>>>>> +etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-make >>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-metrics >>>>>>>>>>>>>>>>>>>>>>>>>>> +usr/sbin/rpz-sleep >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.de.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.en.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.es.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.fr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.it.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/addon-lang/rpz.tr.pl >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/backup/addons/includes/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/allowlist >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/dns/rpz/blocklist >>>>>>>>>>>>>>>>>>>>>>>>>>> +var/ipfire/menu.d/EX-rpz.menu >>>>>>>>>>>>>>>>>>>>>>>>>>> +srv/web/ipfire/cgi-bin/rpz.cgi >>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/00-rpz.conf b/config/r= pz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..f005a4f2e >>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/00-rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,10 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>> +server: >>>>>>>>>>>>>>>>>>>>>>>>>>> + module-config: "respip validator iterator" >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpz: >>>>>>>>>>>>>>>>>>>>>>>>>>> + name: allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> + zonefile: /etc/unbound/zonefiles/allow.rpz >>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-action-override: passthru >>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-log: yes >>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-log-name: allow >>>>>>>>>>>>>>>>>>>>>>>>>>> + rpz-signal-nxdomain-ra: yes >>>>>>>>>>>>>>>>>>>>>>>>>>> diff --git a/config/rpz/rpz-config b/config/rp= z/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>>>>>>>>>>>>>>> index 000000000..c72d50f9b >>>>>>>>>>>>>>>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>>>>>>>>>>>>>>> +++ b/config/rpz/rpz-config >>>>>>>>>>>>>>>>>>>>>>>>>>> 
@@ -0,0 +1,130 @@ >>>>>>>>>>>>>>>>>>>>>>>>>>> +#!/bin/bash >>>>>>>>>>>>>>>>>>>>>>>>>>> +#############################################= ################################## >>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# IPFire.org - A linux based firewall # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# Copyright (C) 2024-2025 IPFire Team # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# This program is free software: you can redi= stribute it and/or modify # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# it under the terms of the GNU General Publi= c License as published by # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# the Free Software Foundation, either versio= n 3 of the License, or # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# (at your option) any later version. # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# This program is distributed in the hope tha= t it will be useful, # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the= implied warranty of # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR = PURPOSE. See the # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# GNU General Public License for more details= . # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# You should have received a copy of the GNU= General Public License # >>>>>>>>>>>>>>>>>>>>>>>>>>> +# along with this program. If not, see . 
# >>>>>>>>>>>>>>>>>>>>>>>>>>> +# # >>>>>>>>>>>>>>>>>>>>>>>>>>> +#############################################= ################################## >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +version=3D"2025-01-11 - v44" >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +############### Functions ############### >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +source /usr/sbin/rpz-functions >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +############### Main ############### >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +tagName=3D"unbound" >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzAction=3D"${1}" # input RPZ action >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzName=3D"${2}" # input RPZ name >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzURL=3D"${3}" # input RPZ URL >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzOption1=3D"${4}" # input RPZ option #1 >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzOption2=3D"${5}" # input RPZ option #2 >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzConfig=3D"/etc/unbound/local.d/${rpzName}.= rpz.conf" # output zone conf file >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzFile=3D"/etc/unbound/zonefiles/${rpzName}.= rpz" # output for RPZ file >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +rpzLog=3D"yes" # log default is yes >>>>>>>>>>>>>>>>>>>>>>>>>>> +ucReload=3D"yes" # reload default is yes >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +while [[ $# -gt 0 ]] ; do >>>>>>>>>>>>>>>>>>>>>>>>>>> + case "$1" in >>>>>>>>>>>>>>>>>>>>>>>>>>> + --no-log ) rpzLog=3D"no" ;; >>>>>>>>>>>>>>>>>>>>>>>>>>> + --no-reload ) ucReload=3D"no" ; checkConf=3D= "no" ;; >>>>>>>>>>>>>>>>>>>>>>>>>>> + esac >>>>>>>>>>>>>>>>>>>>>>>>>>> + shift # Shift after checking all the cases t= o get next option >>>>>>>>>>>>>>>>>>>>>>>>>>> +done >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> +case "${rpzAction}" in >>>>>>>>>>>>>>>>>>>>>>>>>>> + # add new rpz list >>>>>>>>>>>>>>>>>>>>>>>>>>> + add ) >>>>>>>>>>>>>>>>>>>>>>>>>>> 
+ check_name "${rpzName}" # is this a valid na= me? >>>>>>>>>>>>>>>>>>>>>>>>>>> + # does this config already exist? If yes, th= en exit >>>>>>>>>>>>>>>>>>>>>>>>>>> + if [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: duplicate - ${rpzConfig= } already exists. exit" >>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 104 >>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + # is this a valid URL? >>>>>>>>>>>>>>>>>>>>>>>>>>> + regex=3D'^https://[-[:alnum:]\+&@#/%?=3D~_|!= :,.;]*[-[:alnum:]\+&@#/%=3D~_|]' >>>>>>>>>>>>>>>>>>>>>>>>>>> + if ! [[ "${rpzURL}" =3D~ $regex ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: the URL is not valid: \= "${rpzURL}\". exit." >>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 105 >>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + # create the zone config file >>>>>>>>>>>>>>>>>>>>>>>>>>> + { >>>>>>>>>>>>>>>>>>>>>>>>>>> + echo "rpz:" >>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " name: ${rpzName}.rpz" >>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " zonefile: ${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " url: ${rpzURL}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-action-override: nxdomain" >>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log: ${rpzLog}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-log-name: ${rpzName}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + echo " rpz-signal-nxdomain-ra: yes" >>>>>>>>>>>>>>>>>>>>>>>>>>> + } > "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + # set-up zonefile >>>>>>>>>>>>>>>>>>>>>>>>>>> + # create an empty rpz file if it does not ex= ist >>>>>>>>>>>>>>>>>>>>>>>>>>> + if [[ ! 
-f "${rpzFile}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>> + touch "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + # unbound requires these settings for rpz fi= les >>>>>>>>>>>>>>>>>>>>>>>>>>> + set_permissions "${rpzFile}" "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + # trash config file & rpz file >>>>>>>>>>>>>>>>>>>>>>>>>>> + remove ) >>>>>>>>>>>>>>>>>>>>>>>>>>> + if ! [[ -f "${rpzConfig}" ]] ; then >>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: cannot remove ${rpzConf= ig}, does not exist. exit" >>>>>>>>>>>>>>>>>>>>>>>>>>> + exit 106 >>>>>>>>>>>>>>>>>>>>>>>>>>> + fi >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "info: rpz: remove config file & rpz = file \"${rpzName}\"" >>>>>>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzConfig}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + rm "${rpzFile}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + reload ) >>>>>>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + list ) >>>>>>>>>>>>>>>>>>>>>>>>>>> + awk -F':' '/^\s*name:/{ gsub(/[[:blank:]]|\.= rpz/, "",$2) ; NAME=3D$2 } \ >>>>>>>>>>>>>>>>>>>>>>>>>>> + /^\s*url:/{ gsub(/[[:blank:]]/, "") ; print= NAME"=3D"$2":"$3} ' \ >>>>>>>>>>>>>>>>>>>>>>>>>>> + /etc/unbound/local.d/*rpz.conf >>>>>>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + unbound-restart ) >>>>>>>>>>>>>>>>>>>>>>>>>>> + check_unbound_conf "${checkConf}" >>>>>>>>>>>>>>>>>>>>>>>>>>> + unbound_restart >>>>>>>>>>>>>>>>>>>>>>>>>>> + exit >>>>>>>>>>>>>>>>>>>>>>>>>>> + ;; >>>>>>>>>>>>>>>>>>>>>>>>>>> + >>>>>>>>>>>>>>>>>>>>>>>>>>> + * ) >>>>>>>>>>>>>>>>>>>>>>>>>>> + msg_log "error: rpz: missing or incorrect pa= rameter" >>>>>>>>>>>>>>>>>>>>>>>>>>> + printf "Usage: $(basename "$0")
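Review bot: `module-config: "respip validator iterator"` in the config/rpz/00-rpz.conf hunk replaces Unbound's module list rather than adding `respip` to it, so this drop-in overrides whatever the base unbound.conf or another local.d fragment sets; please confirm the core configuration does not already declare `module-config`, and note the dependency in the file so a later core change does not silently break RPZ. In the same hunk, `rpz-signal-nxdomain-ra: yes` is inert on the allow zone because `rpz-action-override: passthru` means that zone never produces an NXDOMAIN; dropping it would make the intent of the allow zone clearer.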
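Review bot: `check_name "${rpzName}"` in the config/rpz/rpz-config hunk runs only inside the `add )` branch, yet `remove )` builds `${rpzConfig}` and `${rpzFile}` from the same unvalidated `${rpzName}` and passes both straight to `rm`; move the `check_name` call above `case "${rpzAction}" in` so every action that derives a path from the name gets the same validation. Two smaller points in the same hunk: `set_permissions "${rpzFile}" "${rpzConfig}"` sits inside `if [[ ! -f "${rpzFile}" ]]`, so a freshly written `${rpzConfig}` keeps default permissions whenever the zonefile already existed, and `checkConf` is only ever assigned in the `--no-reload )` case, so `reload` and `unbound-restart` call `check_unbound_conf` with an empty argument on the normal path; give it a default next to `rpzLog` and `ucReload`.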