From: "Jon Murphy"
To: "Michael Tremer", "Adolf Belka"
Cc: "IPFire: Development-List", dbl@lists.ipfire.org
Subject: Re[2]: Feedback on issues with DNSFW in CU201 Testing
Date: Tue, 24 Mar 2026 21:03:10 +0000
In-Reply-To: <8A994F8C-FB85-487E-9799-98CED1881E1F@ipfire.org>
References: <9786EB04-D529-48D2-9BB6-AEF37B246714@ipfire.org> <99E8DC3B-30D7-43D5-AEBE-34B01E2953A0@ipfire.org> <12445407-95ac-457d-b0fe-0f74a3d2eb21@ipfire.org> <8A994F8C-FB85-487E-9799-98CED1881E1F@ipfire.org>

Try this in the dnsbl.conf file.

server:
    define-tag: "ads.rpz.ipfire.org dating.rpz.ipfire.org"

server:
    access-control-tag: 192.168.74.0/24 "ads.rpz.ipfire.org dating.rpz.ipfire.org"

Separate "access-control-tag" lines don't seem to work.

The above change allows RPZ to work as expected.

------ Original Message ------
From "Michael Tremer"
To "Adolf Belka"
Cc development@lists.ipfire.org; dbl@lists.ipfire.org
Date 3/23/2026 9:41:07 AM
Subject Re: Feedback on issues with DNSFW in CU201 Testing

> Hello,
>
> So this looks good. The list has been properly loaded into Unbound.
>
> I don't quite know what could be going wrong now.
>
> -Michael
>
>> On 23 Mar 2026, at 12:22, Adolf Belka wrote:
>>
>> Hi Michael,
>>
>> On 23/03/2026 12:10, Michael Tremer wrote:
>>> Hello Adolf,
>>> What is the output of unbound-control list_auth_zones?
>>
>> porn.rpz.ipfire.org. serial 1773964805 since 1774267487 2026-03-23T13:04:47
>> gambling.rpz.ipfire.org serial 1773997205 since 1774267487 2026-03-23T13:04:47
>>
>> Regards,
>>
>> Adolf.
>>
>>> -Michael
>>>> On 20 Mar 2026, at 16:59, Adolf Belka wrote:
>>>>
>>>> Hi Michael,
>>>>
>>>> On 20/03/2026 16:56, Michael Tremer wrote:
>>>>> Hello Adolf,
>>>>> I am copying the DBL list, too.
>>>>
>>>> Good idea. I was just thinking of it being related to a Testing issue.
>>>>> So this is obviously not normal, but we can debug this step by step:
>>>>> First of all, we should check if Unbound was able to successfully fetch the DNS zones. Gambling has clearly been downloaded, but it seems that the Porn list might not. You can check in /var/cache/unbound if there is the zone file. If yes, then you can try to resolve a couple of things on the console and check if they are being blocked:
>>>>
>>>> I should have already mentioned this but forgot. It was one of the first things I checked and I have just re-confirmed now. The porn zone file is present. It was updated at 11:40 CET and the Gambling zone was updated at 12:53 CET.
>>>>
>>>> I also checked that the zone file contained the URLs being used and it did and does.
>>>>
>>>>> # dig @localhost some.porn.website.com
>>>>> You should see NXDOMAIN if the domain exists and has been blocked and you should see the log entries just like gambling.
>>>>
>>>> Got
>>>>
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54293
>>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>>
>>>> So NXDOMAIN is in the answer but there was nothing additional in the unbound log. The last entry in it was from 12:58:50 when I did the tests with the gambling sites, and if there was an entry it should have a timestamp for around 17:45.
>>>>
>>>>> This rules out anything that is going wrong between the browser and Unbound.
>>>>> In case of the URL filter, it simply seems that squidguard is not seeing the requests. You might as well try something like:
>>>>
>>>> With the URL Filter enabled and DNSFW disabled, the URL Filter blocks and logs both the Gambling and Porn site accesses. Sorry if that came across differently in my mail. The URL Filter works fine for me with both CU200 and CU201 Testing.
>>>>
>>>>> # http_proxy=http://1.2.3.4:800 https_proxy=http://1.2.3.4:800 wget -d http://some.porn.website.com
>>>>> The squidguard.log should also contain some interesting information if something didn't go as planned.
>>>>> -Michael
>>>>>> On 20 Mar 2026, at 12:30, Adolf Belka wrote:
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I am having issues with getting DNSFW to work properly; it fails in many conditions to block things from the list.
>>>>>>
>>>>>> The dbl list works fine for me in the URL Filter for both CU200 and CU201 Testing.
>>>>>>
>>>>>> For my testing I created a new install of CU201 Testing and just went straight to DNSFW and enabled the Gambling and Pornography categories and Saved.
>>>>>>
>>>>>> Then selected the Green network for both categories using the pencil edit option.
>>>>>>
>>>>>> In this setup I had no Web Proxy enabled.
>>>>>>
>>>>>> I then cleared the browser cache and set the Browser to No Proxy.
>>>>>>
>>>>>> I then tested out nl.onecasino.com and www.xnxx.com in Firefox and in Netsurf.
>>>>>>
>>>>>> The gambling site was blocked and gave the message
>>>>>>
>>>>>> Unable to connect
>>>>>> Firefox can't establish a connection to the server at nl.onecasino.com.
>>>>>>
>>>>>> For the porn site it was not blocked but opened up.
>>>>>> I tried with two other gambling and porn sites. All three gambling sites were blocked. All three porn sites were allowed through.
>>>>>>
>>>>>> In the DNS: Unbound System Logs I found
>>>>>>
>>>>>> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
>>>>>> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44356 www.postcodeloterij.nl. HTTPS IN
>>>>>> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
>>>>>> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
>>>>>> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
>>>>>> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@43346 welkom.hollandcasino.nl. HTTPS IN
>>>>>>
>>>>>> So the blocked gambling sites were in the logs, but none of the pornography sites I had tested were.
>>>>>>
>>>>>> Then I tried the browser with the Network Settings set to Use system proxy settings and the same result occurred.
>>>>>>
>>>>>> I then turned on the Web Proxy with conventional connection on port 800. Saved and restarted and then Cleared the web proxy cache.
>>>>>> Then I cleared the browser cache and set the Network Settings to Manual proxy configuration with the IP of my IPFire system being tested.
>>>>>>
>>>>>> I then tested the same three gambling URLs and Porn URLs.
>>>>>> All of the sites were opened up.
>>>>>> In the DNS: Unbound system log there were no new entries.
>>>>>> In the Proxy Logs there were entries for the gambling and porn sites.
>>>>>>
>>>>>> I have also tested the browser out using the web proxy with the Automatic proxy configuration URL accessing the wpad file via dhcp, and that also had the same results as using the Manual proxy configuration option.
>>>>>>
>>>>>> I have repeated a lot of my tests multiple times, also with repeated new installs, and for me, as long as I ensured I had cleared the web proxy and browser caches, they always came up with the same results as I have described above.
>>>>>>
>>>>>> It would be good to know if any of you also experience the same effect or if it works without problems for yourselves.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Adolf.
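The thread turns on what the "DNS: Unbound" log does and does not show: the gambling zone logs "rpz: applied" entries, the porn zone is loaded (per unbound-control list_auth_zones) but never logs anything. The script below is an added example, not part of the thread and not IPFire or Unbound code. It parses the "rpz: applied" format into fields, counts hits per zone and per client, and reports zones that are loaded but silent. The sample log is the six lines Adolf quoted plus one constructed non-RPZ line; LOADED_ZONES is taken from the list_auth_zones output in the thread. Field names (zone, trigger, action, client, qname) are this example's own labels.

```python
"""Summarise Unbound RPZ hits from the "DNS: Unbound" log.

Added example, not IPFire or Unbound code. The first six sample lines are
the ones quoted in the thread; the seventh is a constructed non-RPZ line so
the parser is exercised on something it must ignore. LOADED_ZONES mirrors
the unbound-control list_auth_zones output posted in the thread.
"""
import re
from collections import Counter, defaultdict

# Layout of the message Unbound logs when an RPZ trigger matches:
#   <time> unbound: [<pid>:<tid>] info: rpz: applied [<zone>] <trigger>
#   <action> <client>@<port> <qname> <qtype> <qclass>
RPZ_APPLIED = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) unbound: \[(?P<pid>\d+):(?P<tid>\d+)\] "
    r"info: rpz: applied \[(?P<zone>[^\]]+)\] (?P<trigger>\S+) (?P<action>\S+) "
    r"(?P<client>[0-9A-Fa-f.:]+)@(?P<port>\d+) (?P<qname>\S+) "
    r"(?P<qtype>\S+) (?P<qclass>\S+)$"
)

SAMPLE_LOG = """\
12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44356 www.postcodeloterij.nl. HTTPS IN
12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@43346 welkom.hollandcasino.nl. HTTPS IN
12:58:50 unbound: [1820:0] info: service stopped (constructed non-RPZ line)
"""

# Zones that unbound-control list_auth_zones reported as loaded (from the thread).
LOADED_ZONES = {"porn.rpz.ipfire.org", "gambling.rpz.ipfire.org"}


def parse_rpz_line(line):
    """Return the fields of an 'rpz: applied' line as a dict, or None."""
    m = RPZ_APPLIED.match(line.strip())
    return m.groupdict() if m else None


def summarise(log_text):
    """Count hits per (zone, action) and collect blocked names per client."""
    per_zone = Counter()
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_rpz_line(line)
        if rec is None:
            continue  # not an RPZ hit; other Unbound messages are ignored
        per_zone[(rec["zone"], rec["action"])] += 1
        per_client[rec["client"]].add(rec["qname"].rstrip("."))
    return per_zone, per_client


def silent_zones(log_text, loaded_zones):
    """Zones that are loaded but never produced an 'rpz: applied' entry.

    A loaded zone with no hits while its domains still resolve is the
    symptom reported in the thread, so this is the first thing to check.
    Trailing dots are stripped so 'porn.rpz.ipfire.org.' and
    'porn.rpz.ipfire.org' compare equal.
    """
    per_zone, _ = summarise(log_text)
    seen = {zone.rstrip(".") for zone, _action in per_zone}
    return {zone.rstrip(".") for zone in loaded_zones} - seen


if __name__ == "__main__":
    hits, clients = summarise(SAMPLE_LOG)
    for (zone, action), n in sorted(hits.items()):
        print(f"{zone:32} {action:14} {n}")
    for client, names in clients.items():
        print(f"{client}: {', '.join(sorted(names))}")
    print("loaded but silent:", sorted(silent_zones(SAMPLE_LOG, LOADED_ZONES)))
```

Run against a real /var/log export (one line per entry), the "loaded but silent" set is the quickest way to tell "zone not loaded" from "zone loaded but not applied to this client", which is the distinction the tag fix at the top of the thread addresses.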
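Jon's fix at the top of the thread puts every tag for a netblock on a single access-control-tag line and declares them all in define-tag, and he reports that separate access-control-tag lines do not take effect. The checker below is an added example, not IPFire or Unbound code, for validating a dnsbl.conf fragment before it is handed to Unbound: it confirms every tag used in access-control-tag was declared with define-tag, flags netblocks that appear on more than one access-control-tag line, and rejects malformed netblocks. The GOOD and BAD texts are constructed (GOOD follows the shape Jon posted), and the finding names are this example's own.

```python
"""Check the define-tag / access-control-tag pairing in an Unbound
configuration fragment such as IPFire's dnsbl.conf.

Added example, not IPFire or Unbound code. The two configuration texts are
constructed: GOOD follows the shape posted in the thread; BAD uses one
access-control-tag line per tag (the pattern the thread reports as not
taking effect), references a tag that was never defined, and contains a
malformed netblock.
"""
import ipaddress
import shlex
from collections import defaultdict

GOOD = """\
server:
    define-tag: "ads.rpz.ipfire.org dating.rpz.ipfire.org"
server:
    access-control-tag: 192.168.74.0/24 "ads.rpz.ipfire.org dating.rpz.ipfire.org"
"""

BAD = """\
server:
    define-tag: "ads.rpz.ipfire.org"
server:
    access-control-tag: 192.168.74.0/24 "ads.rpz.ipfire.org"
    access-control-tag: 192.168.74.0/24 "dating.rpz.ipfire.org"
    access-control-tag: 10.0.0.300/24 "ads.rpz.ipfire.org"
"""


def _tags(tokens):
    """Unbound writes tag lists as one quoted, space-separated string."""
    return [tag for tok in tokens for tag in tok.split()]


def parse_tag_config(text):
    """Return (defined_tags, assignments).

    assignments maps each netblock to a list with one tag list per
    access-control-tag line, so repeated lines for a netblock stay visible.
    Other keys (including the bare 'server:' clause markers) are ignored.
    """
    defined = set()
    assignments = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        tokens = shlex.split(value)
        if key.strip() == "define-tag":
            defined.update(_tags(tokens))
        elif key.strip() == "access-control-tag" and tokens:
            assignments[tokens[0]].append(_tags(tokens[1:]))
    return defined, assignments


def check(text):
    """Return a list of (problem, netblock, detail) findings; empty if clean."""
    defined, assignments = parse_tag_config(text)
    findings = []
    for netblock, tag_lists in assignments.items():
        try:
            ipaddress.ip_network(netblock, strict=False)
        except ValueError:
            findings.append(("bad-netblock", netblock, None))
            continue
        if len(tag_lists) > 1:
            # The thread reports that separate access-control-tag lines for
            # the same netblock do not all take effect; merge them onto one line.
            findings.append(("duplicate-netblock", netblock, len(tag_lists)))
        for tags in tag_lists:
            for tag in tags:
                if tag not in defined:
                    findings.append(("undefined-tag", netblock, tag))
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check(text) or "ok")
```

The merge suggested by the duplicate-netblock finding is exactly the shape in GOOD: one access-control-tag line per netblock carrying all of that network's tags inside a single quoted string.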