I created a test version of a RPZ add-on and I am looking for feedback

So far it works great, will report back later so it has some time to do its thing.

1 Like

This has been running on two separate firewalls without issues, for the one with allow entries (1 day) and the one without (3 days). I am not seeing an additional load increase when it comes to the CPU, memory, and hard drive on the one without allow entries. I am also running both firewalls on enterprise equipment.

Without allows: x86_64 Intel Xeon CPU E5-2623 v3 @ 3.00GHz with 64 gig of memory.

allow             0        enabled  0                 0   2024-07-31
block             0        enabled  0                 0   2024-07-31
Hagezi_doh        40081    enabled  2730           1468   2024-08-19
Hagezi_tlds       28       enabled  357               7   2024-08-19
MxLightHZ         21806    enabled  137345           15   2024-08-19
popup             2        enabled  161583            0   2024-08-19
SSLblAbuseCh      0        enabled  57                0   2024-08-19
URLHausAbuseCh    33       enabled  273              12   2024-08-19
                  =======           ========                        
Totals -->        61950             302345                          

I did see a 3% increase in cached memory and a 1% increase in used memory on the system that has the allow entries.

With allows: x86_64 Intel Xeon CPU E5-2667 v3 @ 3.20GHz with 65 gig of memory.

allow                  2178     enabled  23             9469   2024-08-18
block                  0        enabled  0                 0   2024-07-31
BlockDOH_jpgpi250      104      enabled  3479              2   2024-08-18
HagheziHuaweiNative    0        enabled  191               0   2024-08-18
Hdnsblock              557      enabled  2732             20   2024-08-18
MxUltimateHZ           4148     enabled  399239            1   2024-08-18
SSLblAbuseCh           0        enabled  57                0   2024-08-19
threatfox              0        enabled  6372              0   2024-08-19
                       =======           ========                        
Totals -->             6987              412093                          

I’m not sure if this is helpful but I figured it can’t hurt.

3 Likes

Here is the latest and greatest build:

rpz-1.0.0-1.ipfire (20 KB)

Change Log
 • feature: added 'list' action
 • update: reformatted code and comments (tabs to spaces)
 • update: changed `cat` << heredocs to `echo` > file
 • update: reworded some msg_log messages
 • update: changed exit codes from "1" to unique exit code numbers
 • update: removed path to executables
 • bug: added check for empty allow/block config file
 • bug: removed auth_zone_reload (had double reload for allow/block)
 • bug: changed rpz config file to `chown nobody:nobody`
 • bug: changed rpz config file to `chmod 644`

Thank you to the testers! Your feedback is excellent!!


EDIT: there is an error in one file. I dropped a ':'.
:face_with_peeking_eye:

To fix, edit /etc/unbound/local.d/00-rpz.conf and look for the block section:

Find:

    rpz-action-override     nxdomain

and change it to:

    rpz-action-override:      nxdomain

3 Likes

Thank you for another solid update :+1:

If that helps, my “00-rpzconf” file hasn’t changed for 2 weeks and didn’t have the semicolon missing:

server:
	module-config: "respip validator iterator"

rpz:
    name:					allow.rpz
    zonefile:				/etc/unbound/zonefiles/allow.rpz
    rpz-action-override:	passthru
    rpz-log:				yes
    rpz-log-name:			allow
    rpz-signal-nxdomain-ra:	yes

rpz:
    name:					block.rpz
    zonefile:				/etc/unbound/zonefiles/block.rpz
    rpz-action-override:	nxdomain
    rpz-log:				yes
    rpz-log-name:			block
    rpz-signal-nxdomain-ra:	yes

1 Like
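As an added example (not code from the add-on or from anyone in the thread), a small Python check for the kind of defect the two posts above describe: it flags an option line that lost its ':' (the dropped-colon build), confirms that `module-config` loads the `respip` module RPZ depends on, and warns when a passthru zone is listed after a blocking zone, since unbound applies rpz zones in the order they are configured and the posted config deliberately puts allow before block. The config inside it is constructed from the layout posted above, not copied from any installation.

```python
import re

# Constructed sample (not the add-on's file): the layout posted in the thread,
# with the block zone carrying the dropped ':' the author described.
SAMPLE_CONF = """\
server:
    module-config: "respip validator iterator"

rpz:
    name:                 allow.rpz
    zonefile:             /etc/unbound/zonefiles/allow.rpz
    rpz-action-override:  passthru

rpz:
    name:                 block.rpz
    zonefile:             /etc/unbound/zonefiles/block.rpz
    rpz-action-override     nxdomain
"""

OPTION_RE = re.compile(r"^(\s*)([^\s:]+)(:?)\s*(.*?)\s*$")


def check_rpz_conf(text: str) -> list[str]:
    """Return the problems found in an unbound RPZ fragment (empty list = looks sane)."""
    problems, clauses = [], []  # clauses: (kind, {option: value}) in file order
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent, key, colon, value = OPTION_RE.match(line).groups()
        if not colon:  # the exact defect from the thread: 'rpz-action-override nxdomain'
            problems.append(f"line {lineno}: missing ':' after '{key}'")
        if not indent and value == "":  # 'server:' / 'rpz:' open a new clause
            clauses.append((key, {}))
        elif clauses:
            clauses[-1][1][key] = value
    modules = next((o.get("module-config", "") for k, o in clauses if k == "server"), "")
    if "respip" not in modules:  # RPZ responses are produced by the respip module
        problems.append("server: module-config does not include 'respip'")
    seen_block = False
    for kind, opts in clauses:
        if kind != "rpz":
            continue
        action = opts.get("rpz-action-override", "")
        if action == "passthru" and seen_block:  # zones apply in order; first match wins
            problems.append(f"rpz zone {opts.get('name', '<unnamed>')}: passthru zone listed after a blocking zone")
        seen_block = seen_block or action not in ("", "passthru")
    return problems
```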

Thanks for letting me know!

I think the colon issue happens with a NAME=rpz ./install.sh and not the NAME=rpz ./update.sh.

Did you do the NAME=rpz ./update.sh?

1 Like

Still no issues here. @jon, when you have a semi-functional page for this I’d like to test it out at some point.

1 Like

Hi,
I just did the following

curl https://community.ipfire.org/uploads/short-url/3mClzBSVXNQFFA5DV7QG2Rm43AA.ipfire --output /opt/pakfire/tmp/rpz-1.0.0-1.ipfire
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20480    0 20480    0     0  62726      0 --:--:-- --:--:-- --:--:-- 62822
[root@black-x86-64 ~]# cd /opt/pakfire/tmp
[root@black-x86-64 tmp]# NAME=rpz ./update.sh
Extracting backup includes...
var/ipfire/backup/addons/includes/
var/ipfire/backup/addons/includes/rpz
...Finished.
Stopping Unbound DNS Proxy...                                    [  OK  ]
Creating Backup...
tar: Cowardly refusing to create an empty archive
Try 'tar --help' or 'tar --usage' for more information.
...Finished.
Removing files...
removed '/var/ipfire/backup/addons/includes/rpz'
...Finished.
Starting Unbound DNS Proxy...                                    [  OK  ]
Extracting files...
etc/
etc/unbound/
etc/unbound/zonefiles/
etc/unbound/zonefiles/block.rpz
etc/unbound/zonefiles/allow.rpz
etc/unbound/local.d/
etc/unbound/local.d/00-rpz.conf
usr/
usr/sbin/
usr/sbin/rpz-sleep
usr/sbin/rpz-metrics
usr/sbin/rpz-config
var/
var/ipfire/
var/ipfire/dns/
var/ipfire/dns/rpz/
var/ipfire/dns/rpz/blocklist
var/ipfire/dns/rpz/allowlist
var/ipfire/backup/
var/ipfire/backup/addons/
var/ipfire/backup/addons/includes/
var/ipfire/backup/addons/includes/rpz
...Finished.
Restoring Backup...
etc/unbound/local.d/00-rpz.conf
etc/unbound/local.d/BlockDOH_jpgpi250.rpz.conf
etc/unbound/local.d/HagheziDOH.rpz.conf
etc/unbound/local.d/HagheziHuaweiNative.rpz.conf
etc/unbound/local.d/HagheziLgTVWebOS.rpz.conf
etc/unbound/local.d/HagheziMulti.rpz.conf
etc/unbound/local.d/HagheziPopupAds.rpz.conf
etc/unbound/local.d/HagheziXiaomiNative.rpz.conf
etc/unbound/local.d/SSLblAbuseCh.rpz.conf
etc/unbound/local.d/URLHausAbuseCh.rpz.conf
etc/unbound/zonefiles/allow.rpz
etc/unbound/zonefiles/block.rpz
var/ipfire/dns/rpz/allowlist
var/ipfire/dns/rpz/blocklist
...Finished.
Stopping Unbound DNS Proxy...                                    [  OK  ]
Starting Unbound DNS Proxy...                                    [  OK  ]

All ok for the moment.

As said above, /etc/unbound/local.d/00-rpz.conf is unchanged (being restored from backup).

Hope it helps!

1 Like

Hi.

Does it have a web interface? or is it all command line?

Regards.

Not yet. It is progressing!

Command line for now.

4 Likes

Yes, I used the NAME=rpz ./update.sh

Many thanks for your hard work.

1 Like

New version changes:

Added functions for the future WebGUI.

  • rpz-config list
  • rpz-config reload
  • added --no-reload option for multiple RPZ list changes
  • removed extra unbound-checkconf
  • etc.

Moved the custom lists allow & block to a separate script.

  • rpz-make allow
  • rpz-make block
  • includes --no-reload option for multiple RPZ list changes

Updated the wiki page for recent changes:

rpz-1.0.0-1.ipfire.tar (20 KB)

3 Likes

Installed, I’ll let you know if I see any issues

1 Like

What exactly is this line doing? Of course it installs RPZ but I did not see such a construct before. I’m not a bash expert though.

And for the record, RPZ simply blocks DNS queries; this includes ads from various sources, too?

Can I specify a file with domains to whitelist?

I’m currently using sfeakes’ dns_blocklist.sh from GitHub (sfeakes/ipfire-scripts: Scripts for ipfire) and have to whitelist some domains to reach needed services out there, which are normally blocked.

Edit: I see now, it’s called allowlist :smirk:

Within the script for install.sh (and uninstall.sh and update.sh) there is a variable called NAME:

NAME=rpz sets the variable NAME to “rpz” for the script. Without this, the script would not install (or uninstall or update) properly.

Yes, depending on the list you pick.

Here is a list just for pop-up ads.
https://github.com/hagezi/dns-blocklists/tree/main?tab=readme-ov-file#popupads

Make sure you pick the RPZ format.

And there are many other RPZ lists and categories to choose from:

Yes - glad you found it!

Please add feedback to this list.

2 Likes

I updated to the newest “v4” version

NAME=rpz ./update.sh
Extracting backup includes...
var/ipfire/backup/addons/includes/
var/ipfire/backup/addons/includes/rpz
...Finished.
Stopping Unbound DNS Proxy...                                    [  OK  ]
Creating Backup...
tar: Removing leading `//' from member names
//etc/unbound/local.d/00-rpz.conf
tar: Removing leading `//' from hard link targets
//etc/unbound/local.d/light.rpz.conf
//etc/unbound/local.d/nsfw.rpz.conf
//etc/unbound/local.d/urlhaus.rpz.conf
//etc/unbound/zonefiles/allow.rpz
//etc/unbound/zonefiles/block.rpz
//var/ipfire/dns/rpz/allowlist
//var/ipfire/dns/rpz/blocklist
...Finished.
Removing files...
removed '/etc/unbound/local.d/00-rpz.conf'
removed '/etc/unbound/zonefiles/nsfw.rpz'
removed '/etc/unbound/zonefiles/allow.rpz'
removed '/etc/unbound/zonefiles/light.rpz'
removed '/etc/unbound/zonefiles/block.urlhaus.rpz.zone'
removed '/etc/unbound/zonefiles/urlhaus.rpz'
removed '/etc/unbound/zonefiles/doh.rpz'
removed '/etc/unbound/zonefiles/block.threatfox.rpz.zone'
removed '/etc/unbound/zonefiles/block.doh.rpz.zone'
removed '/etc/unbound/zonefiles/block.rpz'
removed directory '/etc/unbound/zonefiles'
removed '/usr/sbin/rpz-config'
removed '/usr/sbin/rpz-metrics'
removed '/usr/sbin/rpz-sleep'
removed '/var/ipfire/backup/addons/includes/rpz'
removed '/var/ipfire/dns/rpz/blocklist'
removed '/var/ipfire/dns/rpz/allowlist'
removed directory '/var/ipfire/dns/rpz'
...Finished.
removed '/etc/unbound/local.d/light.rpz.conf'
removed '/etc/unbound/local.d/nsfw.rpz.conf'
removed '/etc/unbound/local.d/urlhaus.rpz.conf'
Extracting files...
etc/
etc/unbound/
etc/unbound/zonefiles/
etc/unbound/zonefiles/block.rpz
etc/unbound/zonefiles/allow.rpz
etc/unbound/local.d/
etc/unbound/local.d/00-rpz.conf
usr/
usr/sbin/
usr/sbin/rpz-sleep
usr/sbin/rpz-metrics
usr/sbin/rpz-config
var/
var/ipfire/
var/ipfire/dns/
var/ipfire/dns/rpz/
var/ipfire/dns/rpz/blocklist
var/ipfire/dns/rpz/allowlist
var/ipfire/backup/
var/ipfire/backup/addons/
var/ipfire/backup/addons/includes/
var/ipfire/backup/addons/includes/rpz
...Finished.
Restoring Backup...
etc/unbound/local.d/00-rpz.conf
etc/unbound/local.d/light.rpz.conf
etc/unbound/local.d/nsfw.rpz.conf
etc/unbound/local.d/urlhaus.rpz.conf
etc/unbound/zonefiles/allow.rpz
etc/unbound/zonefiles/block.rpz
var/ipfire/dns/rpz/allowlist
var/ipfire/dns/rpz/blocklist
...Finished.
Starting Unbound DNS Proxy...  

@peppetech - thank you for posting this! It helped me find an “oops!” (a.k.a. bug)

There should be four files here for the backup & restore and not just two files:

var/ipfire/dns/rpz/allowlist
var/ipfire/dns/rpz/blocklist

I had not noticed this when I checked! Thank you!

2 Likes

Ah, this probably brings up a new topic. Does IPFire’s built-in backup and restore save RPZ’s objects too, e.g. blocklist, allowlist, etc.?

Or in other words: once RPZ gets an official package, are there plans to include (custom) settings as above in the backup?

As an alternative, use the add-on backup feature available in WebIF?

Yes! The backup (& restore) does grab all of the configurations. Here are the items backed up from @peppetech:

Creating Backup...
tar: Removing leading `//' from member names
//etc/unbound/local.d/00-rpz.conf
tar: Removing leading `//' from hard link targets
//etc/unbound/local.d/light.rpz.conf
//etc/unbound/local.d/nsfw.rpz.conf
//etc/unbound/local.d/urlhaus.rpz.conf
//etc/unbound/zonefiles/allow.rpz
//etc/unbound/zonefiles/block.rpz
//var/ipfire/dns/rpz/allowlist
//var/ipfire/dns/rpz/blocklist
...Finished.

The two files I missed are from a future WebGUI config. (no promise dates!)

Yes!

2 Likes

Thanks!
As soon as I find some minutes I will drop dns_blocklist and install the RPZ add-on.
Any estimated date when the WebIF page will be released? :smiling_face:

1 Like

Soon™

2 Likes