I created a test version of a RPZ add-on and I am looking for feedback

Networking DNS
101

As early “influencer” of @jon’s work, just some thoughts.

  • I’m using a home environment with some PCs and SmartTVs, but I think the concept is interesting for greater networks also.
  • More and more sites switch to HTTPS, which makes it difficult to filter traffic with URL Filter ( SquidGuard ).
  • More and more admins therefore tend to use appliances like PIHole, which are DNS filters. But this demands big efforts to rule internal DNS traffic.
  • The RPZ concept allows to place this filtering into IPFire, our internet access gateway, which should solely used as DNS source of the internal network.
  • The selection of the lists, which are updated automagical by unbound, demands some effort. But I trust in our community for good proposals and verification of these. Jon has collected a good set yet, I think.
  • My tests with this feature don’t show a significant increase of system load.
4 Likes
102

Hi Jon,

Regards,
Stephen

2 Likes
103

What environment?
home
Estimated users?
5+
What value does this have to you?
blocking DOH
securing DNS
What types of things are you hoping to block?
DOH
ads
What did you use in the past?
Pihole
And why did you change?
Having DNS in 2 locations.
Not the greatest to manage.
What would you like to see for RPZ in the future?
A plugin or as core part of IPfire
A WUI

2 Likes
104

What environment?

  • office,

Estimated users?

  • 4

What types of things are you hoping to block?

  • Phishing and NSFW links

What did you use in the past? And why did you change?

  • IP blocklist, hostfile, adblock, pihole
105

9 posts were split to a new topic: Other lists for RPZ?

106

I still need your help! The info gathered below will convey if RPZ has value and if it will be accepted by the Developers.

I am hoping the current users of RPZ (and even future users of RPZ) can answer a few questions from me and from the IPFire Core Developers:

Please enable your personal “double verbose mode” when answering these questions. Your details (including examples) do matter!

  • What environment?

    • home, office, something else?

  • Estimated users?

  • What value does this have to you?

    • please add details

  • What types of things are you hoping to block?

  • What did you use in the past? And why did you change?

  • What would you like to see for RPZ in the future?

    • WebGUI is definitely on the list!
107

latest and greatest:

added new WebGUI at rpz.cgi

  • a BIG thank you to Leo Hofmann for all of his work creating the webgui!!

Change Log

rpz-beta-0.1.10-10 on 2024-10-15
rpz-make:

  • bug: corrected validation error for a custom list entry (thank you siosios!)
    • e.g., *.cloudflare-dns.com

install.sh:

  • bug: add chown to correct user created files

update.sh:

  • bug: add chown to correct user created files (thank you siosios!)

rpz-beta-0.1.9-9 on 2024-10-08
rpz.cgi:

  • feature: added new language file for German (thank you Leo)
  • bug: add missing “rpz exitcode 110”
  • bug: corrected missing RPZ menu item at menu > IPFire

rpz-beta-0.1.8-8.ipfire on 2024-10-04

  • skipped (error in change to install.sh file)

rpz-beta-0.1.7-7.ipfire on 2024-10-03
All:

  • update: includes beta version numbers for pakfire package, instead of only rpz-1.0.0-1.ipfire, for each release.

rpz.cgi:

  • feature: added new WebGUI at rpz.cgi
    • a BIG thank you to Leo Hofmann for all of his work creating the webgui!!
  • bug: corrected missing RPZ menu item at menu > IPFire

rpz-make:

  • feature: validate entries in allowlist and blocklist
  • feature: add “no-reload” option for WebGUI

rpz-metrics:

  • feature: info can be sorted by name, by hit count, by line count, by “enabled” list or all lists

backups:

  • bug: include all files in /var/ipfire/dns/rpz directory in backup

update.sh:

  • bug: corrected ownership for /var/ipfire/dns/rpz directory during an update

Build:

  • remove block.rpz.conf and block.rpz from build. Files to be created > by rpz-make

rpz-beta-0.1.10-10.ipfire.zip (15.2 KB)

Copy the rpz-n-n-1.ipfire file to the /opt/pakfire/tmp/ directory. (Speak up if you need assistance with this!)

Then:

#   go to this directory:
cd /opt/pakfire/tmp/

#   uncompress the file:
tar xvf rpz-n-n.ipfire

#   check to make sure there are files there:
ls -l /opt/pakfire/tmp

#   copy this one file to a new location
cp -v ROOTFILES /opt/pakfire/db/rootfiles/rpz

#   - to update from a past version -
NAME=rpz ./update.sh
#  - or for a new install -
NAME=rpz ./install.sh
6 Likes
108

i have install rpz-beta-0.1.10-10.ipfire.zip
work fine the gui is good
do you have possible add
define-tag:
access-control-tag:
in future version
ty

109

The next phases are to get RPZ approved by the IPFire Core Developers and to add better logging/statistics/metrics to RPZ.

And for me to better understand tags!

Please keep testing and continue to provide feedback for RPZ! Especially related to the value it provides to you and your network environment.

2 Likes
110

hello, I’m trying it on my application
I took the liberty of doing the translations in Italian if you want to include it in the package
rpz.it.zip (893 Byte)

5 Likes
111

Here, my little grain of sand.

Cheers.
rpz.es.pl.zip (863 Bytes)

2 Likes
112

Just a little annotation.
The ‘Apply’ button in the WUI activates the changes. I have added this to the wiki article, yet.
Because this means a reload/restart of unbound the problem of long update periods shows up. But usually there is no need to change the config very often, therefore we can neglect this issue.

3 Likes
115

Some clarification if I may:

  1. Does “Save” also launch unbound-control reload ? Looking in the /var/log/messages it seems it does but I do not see the [OK] after it
Oct 18 09:28:05 black-x86-64 unbound: info: rpz: make config file "00-rpz.conf"
Oct 18 09:28:05 black-x86-64 unbound: info: rpz: create zonefile for "allowlist"
Oct 18 09:28:05 black-x86-64 unbound: info: rpz: make config file "block.rpz.conf"
Oct 18 09:28:05 black-x86-64 unbound: info: rpz: create zonefile for "blocklist"
Oct 18 09:28:42 black-x86-64 unbound: info: rpz: check for errors with "unbound-checkconf"
Oct 18 09:28:45 black-x86-64 unbound: info: rpz: run "unbound-control reload"
  1. Can we have an Reload button near Apply? unbound-control reload is much, much faster than restart of the unbound.
  2. From what I see in the logs, Apply does a restart of the unbound, which is more time consuming: 3 seconds for a Intel(R) N100 x4 machine with 8GB RAM and nVME disk
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info: service stopped (unbound 1.19.3).
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info: server stats for thread 0: 153 queries, 54 answers from cache, 99 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info: server stats for thread 0: requestlist max 12 avg 1.31313 exceeded 0 jostled 0
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info: average recursion processing time 0.168153 sec
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info: histogram of recursion processing times
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info: [25%]=0.0766537 median[50%]=0.13703 [75%]=0.235334
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info: lower(secs) upper(secs) recursions
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info:    0.008192    0.016384 1
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info:    0.032768    0.065536 19
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info:    0.065536    0.131072 28
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info:    0.131072    0.262144 33
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info:    0.262144    0.524288 17
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] info:    1.000000    2.000000 1
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] notice: Restart of unbound 1.19.3.
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] notice: init module 0: respip
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] notice: init module 1: validator
Oct 18 09:28:45 black-x86-64 unbound: [31035:0] notice: init module 2: iterator
Oct 18 09:28:48 black-x86-64 unbound: [31035:0] info: start of service (unbound 1.19.3).
116

Hi,
All the rpz-config and rpz-make actions are performed with the --no-reload option. So you should be able to edit multiple times without unbound restarting.
The “Apply” button then runs rpz-config reload which (I think) finally does the unbound-control reload.

I can answer that far from the WUI side, @jon knows better what happens in the scripts :slight_smile:

3 Likes
119

Leo is correct. Apply equals unbound-control reload .

When a change is made, the Apply button goes from grey to black. Clicking Apply causes a reload.

No. Only the Apply causes a reload.

2 Likes
120

I just started a new build with these language files!

Thank you! Thank you! Thank you!

3 Likes
121

New version!

Change Log

rpz-beta-0.1.11-11 on 2024-10-18
rpz.cgi:

  • feature: added new language file for Italian (thank you umberto)
  • feature: added new language file for Spanish (thank you Roberto)

rpz-beta-0.1.11-11.ipfire.zip (16.1 KB)

2 Likes
122

Thank you for your effort!!!

If you need anything I can help with, let me know.

Bye.

123

hi
rpz…fr.pl.zip (844 Octets)
french
ty

4 Likes
124

Apologies if I am asking a really stupid question, what EXACTLY does this rpz add-on do, in layman’s terms if possible, please? I have been following this thread but I am still not sure what it actually does, LOL. Please forgive an old man.

2 Likes