I created a test version of an RPZ add-on and I am looking for feedback

@jon, why not add NAME=rpz to the install and uninstall scripts?

I believe it is because the three scripts (install, uninstall, update) were originally written generically so they could be used across a wide range of add-ons and not just one add-on, and so they can be easily used from both the Pakfire WebGUI and the pakfire command line. One of the Core Developers would have to step in to give us the answer since I can only speculate.


Maybe you're right. I just downloaded amazon-ssm-agent-3.2.582.0-8.ipfire and unpacked it, and it has the same setup:

. /opt/pakfire/lib/functions.sh   # pakfire helper functions (stop_service, make_backup, remove_files)
stop_service ${NAME}              # ${NAME} is set by pakfire for the package being handled
make_backup ${NAME}
remove_files

I was just thinking of it while it was in testing, not actually in pakfire yet.

${NAME} is defined by pakfire when it is installing a package.


Hi @jon,
Will you please detail the RPZ documentation from www.ipfire.org - RPZ - Response Policy Zones a bit?

  1. Is "*" assumed in the blocklist and in the allowlist? Ex: is .cn assumed to be *.cn?
  2. Will subdomains be included for the allow/block list? Ex: will salesforce.com (or *.salesforce.com, depending on the point above...) also cover www.salesforce.com and cdn.salesforce.com?
  3. How do I create an allowlist with the help of rpz-make? My machine does not have rpz-make, so I do not know how to create an allow list...

Reason I ask: I am trying to "move" the allowed and blocked domains from URLFilter to RPZ and I realized that the syntax might be different!

For clarity:
I want to "move" into the RPZ blocklist what I have in
/var/ipfire/urlfilter/blacklists/custom/blocked/domains

I want to "move" into the RPZ allowlist what I have in
/var/ipfire/urlfilter/blacklists/custom/allowed/domains

And the above files do seem to have some flexibility in defining entries. For example, blocked/domains accepted something like this:

ae
by
ru
cn
biz
su
us
ad.yieldmanager.com
adservingfactory.com
ad20.net
adnxs.com
ads.mopub.com
analytics.yahoo.com

Thank you!

Late edit
From my tests the "*" is mandatory, i.e. blocking all subdomains of adnxs.com does require *.adnxs.com.
Moreover, if I also want to block adnxs.com itself, then I need another line for that.
Looking at the Hagezi RPZ files I noticed that each domain appears twice: once with *. and once without...

So I guess that my observation is correct...
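A worked converter for exactly this move, as an added example that is not part of the RPZ add-on or of rpz-make (whose own input format may differ): it reads a URLFilter `domains` file on stdin and writes RPZ zone records in the draft-vixie-dnsop-dns-rpz syntax, one record for the name itself and one for `*.name`, so that both `adnxs.com` and every subdomain match. `block` emits `CNAME .` (NXDOMAIN), `nodata` emits `CNAME *.` (the NODATA form quoted from the draft further down in this thread) and `allow` emits `CNAME rpz-passthru.`. The SOA/NS values in the header and the output file names are illustrative; the zone still has to be wired into the `rpz:` block of unbound.conf.

```shell
#!/bin/sh
# Added example: convert a URLFilter "domains" list into RPZ zone records.
# Not part of the IPFire RPZ add-on; rpz-make's own input format may differ.

# urlfilter_to_rpz ACTION  (reads the domains file on stdin)
#   block  -> CNAME .              NXDOMAIN for the name
#   nodata -> CNAME *.             NODATA for the name, any query type
#   allow  -> CNAME rpz-passthru.  exempt the name from later rules/zones
urlfilter_to_rpz() {
    case "$1" in
        block)  target='.' ;;
        nodata) target='*.' ;;
        allow)  target='rpz-passthru.' ;;
        *) echo "usage: urlfilter_to_rpz block|nodata|allow" >&2; return 1 ;;
    esac
    # Drop CRs, comments, surrounding whitespace and any leading "*." or "."
    # that someone already added by hand, then emit the two records per name.
    tr -d '\r' |
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/^\.//' |
    awk -v target="$target" '
        NF == 0 { next }                                  # blank line
        $0 !~ /^[A-Za-z0-9._-]+$/ {                       # keep the zone file parseable
            print "skipping invalid entry: " $0 > "/dev/stderr"; next
        }
        { d = tolower($0) }
        seen[d]++ { next }                                # duplicate (case-insensitive)
        {
            printf "%-40s CNAME %s\n", d, target          # the name itself (cn, adnxs.com, ...)
            printf "%-40s CNAME %s\n", "*." d, target     # ... and all of its subdomains
        }'
}

# rpz_zone_header: minimal SOA/NS so unbound accepts the file as a zone.
# Hypothetical values; the zone name comes from the "rpz:" block in unbound.conf.
rpz_zone_header() {
    cat <<'EOF'
$TTL 300
@   IN  SOA localhost. root.localhost. 1 3600 900 604800 300
@   IN  NS  localhost.
EOF
}

# Usage on IPFire (paths from the post above):
#   { rpz_zone_header; urlfilter_to_rpz block < /var/ipfire/urlfilter/blacklists/custom/blocked/domains; } > block.rpz
#   { rpz_zone_header; urlfilter_to_rpz allow < /var/ipfire/urlfilter/blacklists/custom/allowed/domains; } > allow.rpz
```

A bare TLD entry such as `cn` becomes `cn CNAME .` plus `*.cn CNAME .`, which is what the URLFilter list meant; entries that are not hostnames are reported on stderr and dropped rather than written into the zone, where a single bad line would stop unbound from loading the whole file.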

@hellfire -

Is the allow list working for you?
And what steps did you perform to activate it? (I tried to reload and later restart unbound but no success: /etc/unbound/zonefiles/allow.rpz is empty!)

Late edit - I upgraded to this version (a bit confusing the fact that the file always contains the same version number, rpz-1.0.0-1.ipfire.tar)...

No. *.cn is correct.

salesforce.com does not include subdomains. You must add the *. to include subdomains to *.salesforce.com.

The version you posted does include rpz-make. Did you copy the new version and run NAME=rpz ./update.sh?

This looks correct. Please post the output of NAME=rpz ./update.sh command.

I had posted this version with the hope it would be accepted for release on IPFire and pakfire. That did not happen (yet).

I'll change the version in the next release. Keep in mind these are all beta releases until approved by the Core Developers.


Thanks,
I figured that out by trial and error, and also by looking inside the Hagezi rpz files - each domain appears with and without the *..
Such a pain...

Some websites need both:

salesforce.com
*.salesforce.com

But definitely not all. It depends on how the web admin set up the website. In my allow list, I only have one site that requires both (with * and without).

I did not save that part... :frowning:

I did. Twice. It turns out that the first time I "reused" by mistake the exact same .tar archive that was already "installed". This is why I made the comment about the fact that the file name is always the same.

I have the rpz-make utility and successfully generated allow.rpz and block.rpz. Now I am editing the sources as per your guide above on using *..
It will take some time to add the domains with and without the leading *....


Indeed - it all depends on that website's code...
It could be that in some parts the code contains www.that_website.com while in others that_website.com, so the RPZ list must contain entries for both *.that_website.com and that_website.com.

To whitelist salesforce.com in the URLFilter I had to add all of these:

salesforce.com
customersuccessjp.salesforce.com
go.salesforce.com
lct.salesforce.com
beacon.my.salesforce.com
na2.salesforce.com
omtr1.partners.salesforce.com
tandc.salesforce.com
www.salesforce.com

Did just two not work?

salesforce.com
*.salesforce.com

I have not tested salesforce yet.
But I do see that the emergingthreats and digicert entries inside the allowlist do work:

19:47:51	unbound: [23945:0]	info: rpz: applied [allow] ocsp.digicert.com. rpz-passthru 127.0.0.1@33960 ocsp.digicert.com. A IN
19:48:46	unbound: [23945:0]	info: rpz: applied [allow] ocsp.digicert.com. rpz-passthru 192.168.a.b@39525 ocsp.digicert.com. A IN
19:48:56	unbound: [23945:0]	info: rpz: applied [allow] crl3.digicert.com. rpz-passthru 192.168.a.b@55871 crl3.digicert.com. A IN
19:49:01	unbound: [23945:0]	info: rpz: applied [allow] *.digicert.com. rpz-passthru 192.168.a.b@44006 crl4.digicert.com. A IN
19:58:02	unbound: [23945:0]	info: rpz: applied [allow] *.emergingthreats.net. rpz-passthru 127.0.0.1@60169 rules.emergingthreats.net. A IN
19:58:02	unbound: [23945:0]	info: rpz: applied [allow] *.emergingthreats.net. rpz-passthru 127.0.0.1@49407 rules.emergingthreats.net. A IN
20:13:00	unbound: [23945:0]	info: rpz: applied [allow] *.emergingthreats.net. rpz-passthru 127.0.0.1@38408 rules.emergingthreats.net. A IN
20:13:01	unbound: [23945:0]	info: rpz: applied [allow] *.emergingthreats.net. rpz-passthru 127.0.0.1@51456 rules.emergingthreats.net. A IN
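Those unbound lines are the evidence that an allow entry fired. A small summariser over them, as an added example that is not part of the add-on, groups hits by zone, action and trigger and counts distinct query names and clients; that is the quickest way to see whether the `*.example.com` entry or the bare name is the one matching, and whether the block zone fires for LAN clients at all. The sample log is constructed from the lines above plus invented `[block]` lines and client addresses; the code keys on the layout `rpz: applied [<zone>] <trigger> <action> <client>@<port> <qname> <qtype> <qclass>` that unbound writes, and tolerates whatever prefix (syslog or WebGUI log view) sits in front of it.

```shell
#!/bin/sh
# Added example: summarise unbound "rpz: applied" log lines.
# Not part of the IPFire RPZ add-on.

# rpz_summary  (reads unbound log lines on stdin)
# Output, one line per zone/action/trigger, sorted:
#   <zone> <action> <trigger> <hits> <distinct qnames> <distinct clients>
rpz_summary() {
    awk '
        {
            # locate the "applied" token so the prefix (timestamp, pid,
            # "info:") may vary between syslog and the WebGUI log view
            for (i = 1; i <= NF; i++) if ($i == "applied") break
            if (i + 5 > NF) next                 # not an RPZ line (or truncated)
            zone = $(i + 1); sub(/^\[/, "", zone); sub(/\]$/, "", zone)
            trigger = $(i + 2)                   # the RPZ entry that matched
            action  = $(i + 3)                   # rpz-passthru, rpz-nxdomain, ...
            client  = $(i + 4); sub(/@[0-9]+$/, "", client)
            qname   = $(i + 5)
            key = zone " " action " " trigger
            hits[key]++
            if (!((key, qname)  in qn)) { qn[key, qname]  = 1; nq[key]++ }
            if (!((key, client) in cl)) { cl[key, client] = 1; nc[key]++ }
        }
        END { for (k in hits) print k, hits[k], nq[k], nc[k] }
    ' | LC_ALL=C sort
}

# Constructed sample modelled on the lines posted above; the [block] lines
# and the 192.168.1.x clients are invented for the example.
rpz_sample_log() {
    cat <<'EOF'
19:47:51 unbound: [23945:0] info: rpz: applied [allow] ocsp.digicert.com. rpz-passthru 127.0.0.1@33960 ocsp.digicert.com. A IN
19:49:01 unbound: [23945:0] info: rpz: applied [allow] *.digicert.com. rpz-passthru 192.168.1.10@44006 crl4.digicert.com. A IN
19:58:02 unbound: [23945:0] info: rpz: applied [allow] *.emergingthreats.net. rpz-passthru 127.0.0.1@60169 rules.emergingthreats.net. A IN
20:13:00 unbound: [23945:0] info: rpz: applied [allow] *.emergingthreats.net. rpz-passthru 127.0.0.1@38408 rules.emergingthreats.net. A IN
20:14:12 unbound: [23945:0] info: rpz: applied [block] *.adnxs.com. rpz-nxdomain 192.168.1.10@51234 cdn.adnxs.com. A IN
20:14:13 unbound: [23945:0] info: rpz: applied [block] *.adnxs.com. rpz-nxdomain 192.168.1.11@51235 ib.adnxs.com. A IN
20:14:20 unbound: [23945:0] info: resolving example.org. A IN
EOF
}

# Usage on IPFire: rpz_summary < /var/log/messages
# Offline demo:    rpz_sample_log | rpz_summary
```

Note that the trigger column is the zone entry, not the query name: a hit on `*.digicert.com.` for `crl4.digicert.com.` tells you the wildcard record is doing the work, while a hit on `ocsp.digicert.com.` means the bare-name record matched, which is the distinction the thread above arrived at by trial and error.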

This page might be useful

3.2.  The "NODATA" Action (CNAME *.)

   A single RR consisting of a CNAME whose target is the wildcard top-
   level domain (*.) will cause a response of NODATA (ANCOUNT=0) to be
   returned regardless of query type.

         $ORIGIN RPZ.EXAMPLE.ORG.
         example.com                   CNAME   *.  ; return NODATA
         *.example.com                 CNAME   *.  ; return NODATA

I need your help! I am hoping the current users of RPZ (and even future users of RPZ) can answer a few questions from me and from the IPFire Core Developers:

  • What environment?
    • home, office, something else?
  • Estimated users?
  • What value does this have to you?
    • please add details
  • What types of things are you hoping to block?
  • What did you use in the past? And why did you change?
  • What would you like to see for RPZ in the future?
    • WebGUI is definitely on the list!

This will convey if RPZ has value and if it will be accepted by the Developers.

Please enable your personal "verbose mode" when answering these questions. Your details (including examples) do matter!


Hi,
I am not a user of RPZ but I am interested.
I will try to give you some answers to your questions.
In my case the environment will be schools and ministerial offices,
with users of 200 and up.
It is a service that I would definitely enable; I would say I am very interested.
For the other questions I have nothing to add that would give you added value.


See my comments in quote above!


Answers in above quote


Hi all,
@jon, the first statement is: I like firewalls :blush: and am also glad to test your DNS firewall. Since I also try to make some statistics with the related data (log entries), I am impressed by how much stuff (a high amount of log data) has been blocked with not that many lists (popup, jpgpi250DOH, ThreatFox, URLHausAbuseCH → about 30,000 blocklist lines). Mainly the whole "smart"phone and tablet stuff becomes a new glance for me, and I do like seeing that some traffic is simply blocked. Also, the work and motivation from you and Leo, but also from the community in here, reminds me a little of the good old days when people from the community started to work on their own projects and shared them in here in the hope of good feedback and further ideas, with also simply a good reflection from all :+1:

Your questions:

What environment?: Home, round about 5 clients, sometimes more, sometimes less...

Estimated users?: 2 - 6

What value does this have to you?: Firewalling on different levels and checkout different behavior of technology.

What types of things are you hoping to block?: Like the previous speaker: ads, popups, DoH and such stuff.

What did you use in the past? And why did you change?: On this level currently nothing, but a longer time ago the URL Filter; times have changed. Don't speak now about blocking on an IP level :wink:.

What would you like to see for RPZ in the future?: Things I am also working on, like some good metrics and overviews via the WUI.

So far from here. AND thanks for your work and for reanimating the good old community development.

Best,

Erik


quoted above
