NOTE: work in progress, not completed.

This is a template for any sub-pages in the roadmap space. Copy, paste, and edit it as you need.

What is it?

Describe briefly what this feature is about and its benefits to IPFire.

RPZ allows admins to block access to websites at DNS resolution time, before any connection to the destination is made. That connection is based on IP addresses (which can be blocked by IP Address Blocklists); the domain names of malicious websites usually change much less often than their IP addresses, so a name-based block tends to stay valid longer.

Response Policy Zone (RPZ) is a mechanism for defining local DNS policies in a standardized way and for loading those policies from external sources. This is usually done by a separate application such as Pi-hole (running on a device in the local network). This addon provides the same functionality as part of unbound (inside IPFire).

Who is working on it?

List the people who own this feature.

  • Jon Murphy
  • Bernhard Bitsch
  • Leo Hofmann
  • Erik Kapfer - consultant

Current Status

  • Targeted Release: N/A
  • Tracker Bug: none

Description

Describe this feature in detail. Include details as listed below.

This RPZ addon enables the RPZ functionality by adding about 10 lines to the unbound configuration file. The configuration files for the various sources are generated by a config script. Further scripts (metrics and sleep) make RPZ easier for the admin to use.

The RPZ scripts do not download the RPZ lists themselves. That is done by unbound's own RPZ code, which fetches each configured zone (over HTTP(S) via a url: setting or by zone transfer from a primary:) and refreshes it according to the zone's SOA timers.

Benefits to IPFire

Explain how IPFire and the users benefit from this feature.

RPZ is a straightforward way to stop users from connecting to harmful sites like phishing pages or malware servers while keeping the network and its users safe with minimal fuss.

An easy to use allowlist is handy for avoiding issues when legitimate sites get flagged by mistake or need to stay accessible for business reasons.
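As an added example (this is not the addon's own generated configuration, which is not shown on this page), the unbound fragment below shows the essential RPZ setup that the "about 10 lines" in the Description refer to, together with the allowlist described above: a local allowlist zone is listed first so that its rpz-passthru entries win over any later block list, followed by one provider zone that unbound fetches itself. All file paths, zone names and the provider URL are placeholders.

```conf
# Added example; file paths, zone names and the URL are placeholders,
# not the addon's real values.
server:
    # RPZ is implemented by the respip module; it must be present in
    # module-config or the rpz: blocks below are never consulted.
    module-config: "respip validator iterator"

# Zones are evaluated in the order they appear and a match in an earlier
# zone ends RPZ processing, so the local allowlist comes first.
rpz:
    name: "allow.local.rpz"
    zonefile: "/etc/unbound/rpz/allow.local.rpz"
    rpz-log: yes
    rpz-log-name: "allow"

# Provider block list. unbound downloads it itself over HTTPS and
# refreshes it according to the zone's SOA refresh timer; the addon's
# scripts only write this configuration.
rpz:
    name: "provider-category.rpz"
    url: "https://example.invalid/provider-category.rpz"
    zonefile: "/var/lib/unbound/rpz/provider-category.rpz"
    rpz-log: yes
    rpz-log-name: "provider-category"
```

The allowlist zone file is an ordinary zone (SOA and NS records first) whose entries point at the special RPZ target, for example `trusted.example.com CNAME rpz-passthru.` and `*.trusted.example.com CNAME rpz-passthru.`; block lists use `CNAME .` to return NXDOMAIN. After editing, validate with `unbound-checkconf` and reload; with `rpz-log: yes` every policy hit is logged with its `rpz-log-name`, which is the quickest way to confirm whether a blocked name came from the allowlist, a provider list, or somewhere else entirely (an IP Address Blocklist or IPS rule, which act on addresses rather than names).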

RPZ blocking sources are grouped by category. Examples include:

RPZ lists come from various RPZ providers, each offering its own set of categories. Tests show that Hagezi's lists are a good 'standard': very well maintained, with issue threads on GitHub for reporting new entries or false positives.

Impact

Explain what impact this feature could have on updates and compatibility.

There may be overlap between an RPZ list and a list offered by IP Address Blocklists or by the Suricata intrusion prevention system (IPS), so the same site may be blocked at more than one layer. Local admins should review the chosen lists before activating them.

Documentation

Write or link to further documentation about this feature. Mainly used to refer to documentation on this site, but also link to developer documentation or Git repositories.

Feedback

This section initially is empty but will over time collect user feedback.

Dependencies

What is required to build this feature. Could be simply 'None'.

The more significant challenge is:

  • finding RPZ lists that meet the needed criteria and cover additional categories.

Release Notes

(Pre-)write some text that can become part of the release notes to make writing those easier.

To do:

  1. Note the possible overlap with IPS (Suricata) rules.