RPZ and Views Interaction
Otto Retter
otto at relax.theregoesmy.email
Tue Jan 28 23:02:00 UTC 2025
Yorgos Thessalonikefs via Unbound-users wrote:
> Hi Otto,
>
> From a quick test here locally (1.22.0) the tagged client does get the
> view local-data and also gets RPZ filtering applied.
>
> The minimal configuration I used is:
> '''
> server:
>     module-config: "respip validator iterator"
>     define-tag: "test-client"
>     access-control-tag: 127.0.0.0/8 "test-client"
>     access-control-view: 127.0.0.0/8 "test-client"
>
> rpz:
>     name: "rpz.test.zone"
>     zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
>     rpz-action-override: nxdomain
>     rpz-log: yes
>     rpz-log-name: "rpz.test"
>     tags: "test-client"
>
> view:
>     name: "test-client"
>     view-first: yes
>     local-zone: "test.internal" static
>     local-data: "test.internal A 10.0.0.1"
> '''
>
> If the above does not work for you a couple of pointers:
> - Is the incoming traffic using the expected 10.0.0.1 IP?
> - Are you using proxy-protocol-port?
> - Other configuration that interferes with the above? Mainly for the
> access-control part?
> - Maybe the content of the RPZ? Try using just a single record for
> testing (you still need the SOA record as well).
>
> Best regards,
> -- Yorgos
Hello Yorgos,

Thank you very much for the suggestions and for being able to do a
quick test to confirm the functionality on your end. I just reviewed
your configuration, tried again, and things do seem to be working
as expected!

It's possible I left off the "test-client" tag within the RPZ zone
definition, but then unwittingly added it as I typed out the email
(after I had reset back to my "known-working" state). Apologies for
barking up the wrong tree! Time to get some more sleep before trying
to change my Unbound configuration :-).

Cheers,
Otto
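
An offline check of the tag, view and RPZ wiring discussed in this thread, added here as an example; it is not code from either poster or from the Unbound project. The names `parse`, `audit` and `SAMPLE_CONF` and the 192.0.2.0/24 netblock are assumptions for illustration. The matching rule follows unbound.conf(5): an rpz clause with `tags:` applies only to clients carrying one of those tags, and an rpz clause without tags applies to all clients.

```python
import re

SAMPLE_CONF = '''# Constructed sample: config from this thread plus an untagged netblock.
server:
  define-tag: "test-client"
  access-control: 192.0.2.0/24 allow
  access-control-tag: 127.0.0.0/8 "test-client"
  access-control-view: 127.0.0.0/8 "test-client"
rpz:
  name: "rpz.test.zone"
  tags: "test-client"
view:
  name: "test-client"
'''

def parse(conf):
    """Split unbound.conf text into [clause, [(option, words), ...]] entries."""
    clauses = []
    for key, val in re.findall(r'^[ \t]*([\w-]+):[ \t]*([^#\n]*)', conf, re.M):
        if not val.strip():                       # "server:", "rpz:", "view:"
            clauses.append([key, []])
        elif clauses:
            clauses[-1][1].append((key, val.replace('"', ' ').split()))
    return clauses

def audit(conf):
    """Per ACL netblock: tags, view, applicable rpz zones (untagged rpz = all clients)."""
    defined, views, rpzs, clients = set(), {None}, [], {}
    for clause, opts in parse(conf):
        name = next((ws[0] for k, ws in opts if k == 'name'), None)
        if clause == 'rpz':
            rpzs.append((name, {w for k, ws in opts if k == 'tags' for w in ws}))
        elif clause == 'view':
            views.add(name)
        for k, ws in opts:
            if k == 'define-tag':
                defined.update(ws)
            elif k.startswith('access-control'):
                c = clients.setdefault(ws[0], {'tags': set(), 'view': None})
                if k == 'access-control-tag':
                    c['tags'].update(ws[1:])
                elif k == 'access-control-view':
                    c['view'] = ws[1]
    used = set().union(*(t for _, t in rpzs), *(c['tags'] for c in clients.values()))
    problems = [f'tag {t!r} is not in define-tag' for t in sorted(used - defined)]
    for net, c in clients.items():
        c['rpz'] = [n for n, t in rpzs if not t or t & c['tags']]
    problems += [f'{n}: unknown view {c["view"]!r}' for n, c in clients.items() if c['view'] not in views]
    return clients, problems
```

Calling `audit()` on the text of a real unbound.conf returns, for each access-control netblock, the view it is mapped to and the RPZ zones whose tags match, plus a list of undefined tags or views.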