From: Jon Murphy
To: development@lists.ipfire.org
Subject: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Mon, 29 Mar 2021 16:34:26 -0500
Message-ID: <00500BDB-1B84-4DAE-B8D1-547700FDB395@gmail.com>
In-Reply-To: <20210305194017.7114-1-matthias.fischer@ipfire.org>

Hello!

Hope everyone is healthy!

I am just curious if this was approved by the Developers?

Jon

> On Mar 5, 2021, at 1:40 PM, Matthias Fischer wrote:
>
> Originally triggered by:
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>
> Current discussion:
> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>
> Summary and functionality:
> These patches are controlled through "Firewall Options". They add new
> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>
> Default of all new rules is OFF (set in 'lfs/configroot').
> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
> servers specified in IPFire. GUI links to DNS and NTP options were added to make
> this more transparent.
>
> Flaw/ToDo:
> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
> init file, 'dnsntp'. This is actually an unnecessary detour.
> In fact I wanted to merge these two files in *one* C file, but this was beyond my
> capabilities, perhaps "someone" else knows how to program this.
>
> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
> The corresponding interface options - including 'Masquerade ...' - are only visible if
> the respective interface actually exists.
> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
> or logging options for BLUE available (e.g.).
> Added text colors for better readability and links to DNS and NTP GUI.
> Separated logging options per interface.
>
> No reboot required:
> Rules can be switched ON/OFF without rebooting IPFire.
> Changes immediately take effect after clicking 'Save'.
>
> Changes to '/etc/rc.d/init.d/firewall':
> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
> chain: DNS_NTP_REDIRECT.
> This chain is flushed by the init file before the desired settings are applied.
> Corrected a 'trafic' typo.
>
> Signed-off-by: Matthias Fischer
> ---
> config/rootfiles/common/aarch64/initscripts | 1 +
> config/rootfiles/common/armv5tel/initscripts | 1 +
> config/rootfiles/common/i586/initscripts | 1 +
> config/rootfiles/common/misc-progs | 1 +
> config/rootfiles/common/x86_64/initscripts | 1 +
> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++----
> langs/de/cgi-bin/de.pl | 15 +++-
> langs/en/cgi-bin/en.pl | 15 +++-
> lfs/configroot | 4 +
> src/initscripts/system/dnsntp | 36 ++++++++
> src/initscripts/system/firewall | 9 +-
> src/misc-progs/Makefile | 2 +-
> src/misc-progs/dnsntpctrl.c | 19 ++++
> 13 files changed, 168 insertions(+), 29 deletions(-)
> create mode 100644 src/initscripts/system/dnsntp
> create mode 100644 src/misc-progs/dnsntpctrl.c
>
> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles= /common/aarch64/initscripts > index 800005966..f38a3a294 100644 > --- a/config/rootfiles/common/aarch64/initscripts > +++ b/config/rootfiles/common/aarch64/initscripts > @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > etc/rc.d/init.d/console > etc/rc.d/init.d/dhcp > etc/rc.d/init.d/dhcrelay > +etc/rc.d/init.d/dnsntp > etc/rc.d/init.d/fcron > etc/rc.d/init.d/fireinfo > etc/rc.d/init.d/firewall 
> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfile= s/common/armv5tel/initscripts > index 800005966..f38a3a294 100644 > --- a/config/rootfiles/common/armv5tel/initscripts > +++ b/config/rootfiles/common/armv5tel/initscripts > @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > etc/rc.d/init.d/console > etc/rc.d/init.d/dhcp > etc/rc.d/init.d/dhcrelay > +etc/rc.d/init.d/dnsntp > etc/rc.d/init.d/fcron > etc/rc.d/init.d/fireinfo > etc/rc.d/init.d/firewall > diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/co= mmon/i586/initscripts > index 18c5a897a..a3a2b47f7 100644 > --- a/config/rootfiles/common/i586/initscripts > +++ b/config/rootfiles/common/i586/initscripts > @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > etc/rc.d/init.d/console > etc/rc.d/init.d/dhcp > etc/rc.d/init.d/dhcrelay > +etc/rc.d/init.d/dnsntp > etc/rc.d/init.d/fcron > etc/rc.d/init.d/fireinfo > etc/rc.d/init.d/firewall > diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/m= isc-progs > index d6594b3f8..4bcb94812 100644 > --- a/config/rootfiles/common/misc-progs > +++ b/config/rootfiles/common/misc-progs > @@ -5,6 +5,7 @@ usr/local/bin/captivectrl > usr/local/bin/collectdctrl > usr/local/bin/ddnsctrl > usr/local/bin/dhcpctrl > +usr/local/bin/dnsntpctrl > usr/local/bin/extrahdctrl > usr/local/bin/fireinfoctrl > usr/local/bin/firewallctrl > diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/= common/x86_64/initscripts > index 18c5a897a..a3a2b47f7 100644 > --- a/config/rootfiles/common/x86_64/initscripts > +++ b/config/rootfiles/common/x86_64/initscripts > @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > etc/rc.d/init.d/console > etc/rc.d/init.d/dhcp > etc/rc.d/init.d/dhcrelay > +etc/rc.d/init.d/dnsntp > etc/rc.d/init.d/fcron > etc/rc.d/init.d/fireinfo > etc/rc.d/init.d/firewall > diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi > index 321642e82..3fc707e8b 100644 > --- a/html/cgi-bin/optionsfw.cgi 
> +++ b/html/cgi-bin/optionsfw.cgi > @@ -2,7 +2,7 @@ > ###########################################################################= #### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2014-2020 IPFire Team = # > +# Copyright (C) 2014-2021 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { > $errormessage .=3D $Lang::tr{'new optionsfw later'}; > &General::writehash($filename, \%settings); # Save good setti= ngs > system("/usr/local/bin/firewallctrl"); > + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); > }else{ > if ($settings{'POLICY'} ne ''){ > $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; > @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { > &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettin= gs); > &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsetting= s); > system("/usr/local/bin/firewallctrl"); > + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); > } > &General::readhash($filename, \%settings); # Load good settings > } 
> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_O= RANGE'}} =3D 'selected=3D"sele > $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; > $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; > $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'selected=3D= "selected"'; > +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; > +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; > +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} =3D "check= ed=3D'checked'"; > +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; > +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; > +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D "checked= =3D'checked'"; > +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; > +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; > +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} =3D "check= ed=3D'checked'"; > +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; > +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; > +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D "checked= =3D'checked'"; >=20 > &Header::openbox('100%', 'center',); > print "
"; > @@ -189,13 +203,44 @@ END > END > } >=20 > - print < +print < + > + > +   > + > + > + > + > +END > + > + if (&Header::blue_used()) { > + print < +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green'}$Lang::tr{'on'} / > + $Lang::tr{'off'}
$Lang::tr{'ntp force on green'}$Lang::tr{'on'} / > + $Lang::tr{'off'}
> + > +   > + > + > + > + > + > + > + > +END > + } > + > + print <
$L= ang::tr{'fw blue'}
$Lang::tr{'dns force on blue'}$Lang::tr{'on'} / > + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / > + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / > + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / > + $Lang::tr{'off'}
>=20 > -
> +
>=20 > - > - > +
$Lan= g::tr{'fw logging'}
> + > > > > -<= td align=3D'left'>$Lang::tr{'on'} / > +END > + > + if (&Header::blue_used()) { > + print < +
$Lan= g::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / > $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / > @@ -206,21 +251,30 @@ END > $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / > $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}
> + > +
> + > + > + > + > + > - > -
$Lan= g::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / > $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / > +
$Lang::tr{'drop wirelessforward'}<= /td>$Lang::tr{'on'} / > $Lang::tr{'off'}
> -
> + > +END > + } > + > + print < + > + > +
>=20 > - > - > - > - > -
$Lan= g::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / > - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / > - $Lang::tr{'off'}
> -
> > > $Lang::tr{'on'} / > @@ -252,7 +306,7 @@ END >=20 >
>
$Lang= ::tr{'fw settings'}
$Lang::tr{'fw settings color'}
> - >
> +
> >
> @@ -278,7 +332,7 @@ print < <= input type=3D'hidden' name=3D'defpol' value=3D'1'> > END > print ""; > - print"

"; > + print"

"; > print <
> > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > index 6a8133807..d6bb234fa 100644 > --- a/langs/de/cgi-bin/de.pl > +++ b/langs/de/cgi-bin/de.pl > @@ -836,6 +836,8 @@ > 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren DNS S= erver ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!
Die eingegebene sekund=C3=A4ren DNS Server Adresse ist jed= och g=C3=BCltig.
', > 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim=C3=A4ren wie auch des sekund=C3=A4ren DNS-Servers sind nicht = g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', > 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren DNS= Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!Die eingegebene prim=C3=A4re DNS Server Adresse ist jedo= ch g=C3=BCltig.', > +'dns force on blue' =3D> 'Erzwinge lokale D= NS-Server auf BLAU', > +'dns force on green' =3D> 'Erzwinge lokale = DNS-Server auf GR=C3=9CN', > 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empfohlen)', > 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)', > 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an red0', > @@ -1102,9 +1104,12 @@ > 'from email server' =3D> 'Von E-Mail-Server', > 'from email user' =3D> 'Von E-Mail-Benutzer', > 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BCltig', > -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', > +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das BL= AUE Interface', > 'fw default drop' =3D> 'Firewallrichtlinie', > +'fw green' =3D> 'Firewalloptionen f=C3=BCr das G= R=C3=9CNE Interface', > 'fw logging' =3D> 'Firewallprotokollierung', > +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', > +'fw logging red' =3D> 'Firewallprotokollierung (= ROT)', > 'fw settings' =3D> 'Firewalleinstellungen', > 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', > 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsseite anzei= gen', 
> @@ -1644,9 +1649,9 @@ > 'map to guest' =3D> 'Map to Guest', > 'march' =3D> 'M=C3=A4rz', > 'marked' =3D> 'Markiert', > -'masquerade blue' =3D> 'NAT auf BLAU', > -'masquerade green' =3D> 'NAT auf GR=C3=9CN', > -'masquerade orange' =3D> 'NAT auf ORANGE', > +'masquerade blue' =3D> 'NAT auf BLAU', > +'masquerade green' =3D> 'NAT auf GR=C3=9CN', > +'masquerade orange' =3D> 'NAT auf ORANGE', > 'masquerading' =3D> 'Masquerading/NAT', > 'masquerading disabled' =3D> 'NAT ausgeschaltet', > 'masquerading enabled' =3D> 'NAT eingeschaltet', > @@ -1814,6 +1819,8 @@ > 'november' =3D> 'November', > 'ntp common settings' =3D> 'Allgemeine Einstellungen', > 'ntp configuration' =3D> 'Zeitserverkonfiguration', > +'ntp force on blue' =3D> 'Erzwinge lokale = NTP-Server auf BLAU', > +'ntp force on green' =3D> 'Erzwinge lokale= NTP-Server auf GR=C3=9CN', > 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu k=C3=B6n= nen, muss NTP vorher aktiviert sein.', > 'ntp server' =3D> 'NTP-Server', > 'ntp sync' =3D> 'Synchronisation', > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > index 8f7e0c2cf..474612025 100644 > --- a/langs/en/cgi-bin/en.pl > +++ b/langs/en/cgi-bin/en.pl > @@ -859,6 +859,8 @@ > 'dns error 0' =3D> 'The IP address of the primary DNS serv= er is not valid, please check your entries!
The entered secondar= y DNS server address is valid.', > 'dns error 01' =3D> 'The entered IP address of the primary= and secondary DNS server are not valid, please check your e= ntries!', > 'dns error 1' =3D> 'The IP address of the secondary DNS se= rver is not valid, please check your entries!
The entered primar= y DNS server address is valid.', > +'dns force on blue' =3D> 'Force DNS to use = local DNS servers on BLUE', > +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', > 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', > 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', > 'dns header' =3D> 'Assign DNS server addresses only for DHCP on red0', > @@ -1128,9 +1130,12 @@ > 'from email server' =3D> 'From Email server', > 'from email user' =3D> 'From e-mail user', > 'from warn email bad' =3D> 'From e-mail address is not valid', > -'fw blue' =3D> 'Firewall options for BLUE interface', > +'fw blue' =3D> 'Firewall options for BLUE= Interface', > 'fw default drop' =3D> 'Firewall policy', > +'fw green' =3D> 'Firewall options for GREEN Interface', > 'fw logging' =3D> 'Firewall logging', > +'fw logging blue' =3D> 'Firewall logging (BLUE)', > +'fw logging red' =3D> 'Firewall logging (RED)', > 'fw settings' =3D> 'Firewall settings', > 'fw settings color' =3D> 'Show colors in ruletable', > 'fw settings dropdown' =3D> 'Show all networks on rulecreation site', > @@ -1672,9 +1677,9 @@ > 'map to guest' =3D> 'Map to Guest', > 'march' =3D> 'March', > 'marked' =3D> 'Marked', > -'masquerade blue' =3D> 'Masquerade BLUE', > -'masquerade green' =3D> 'Masquerade GREEN', > -'masquerade orange' =3D> 'Masquerade ORANGE', > +'masquerade blue' =3D> 'Masquerade BLUE', > +'masquerade green' =3D> 'Masquerade GREEN', > +'masquerade orange' =3D> 'Masquerade ORANGE', > 'masquerading' =3D> 'Masquerading', > 'masquerading disabled' =3D> 'Masquerading disabled', > 'masquerading enabled' =3D> 'Masquerading enabled', 
> @@ -1844,6 +1849,8 @@ > 'november' =3D> 'November', > 'ntp common settings' =3D> 'Common settings', > 'ntp configuration' =3D> 'NTP Configuration', > +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', > +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', > 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to have cli= ents.', > 'ntp server' =3D> 'NTP Server', > 'ntp sync' =3D> 'Synchronization', > diff --git a/lfs/configroot b/lfs/configroot > index a3e474d70..622793b35 100644 > --- a/lfs/configroot > +++ b/lfs/configroot > @@ -129,6 +129,10 @@ $(TARGET) : > echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settings > echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/settings > + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings > echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings > echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings > diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp > new file mode 100644 > index 000000000..2eafa9d20 > --- /dev/null > +++ b/src/initscripts/system/dnsntp 
> @@ -0,0 +1,36 @@ > +#!/bin/sh > +######################################################################## > +# Begin $rc_base/init.d/dnsntp > +# > +# Description : dnsntp init script for DNS/NTP rules only > +# > +######################################################################## > + > +# flush chain > +iptables -t nat -F DNS_NTP_REDIRECT > + > +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > + > +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) > +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then > + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j= REDIRECT > + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j= REDIRECT > +fi > + > +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) > +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then > + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j = REDIRECT > + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j = REDIRECT > +fi > + > +# Force NTP REDIRECTs on GREEN (udp, 123) > +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then > + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -= j REDIRECT > +fi > + > +# Force DNS REDIRECTs on BLUE (udp, 123) > +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then > + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j= REDIRECT > +fi > + > +# End $rc_base/init.d/dnsntp > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firew= all > index 65f1c979b..43ae74113 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall 
> @@ -169,6 +169,10 @@ iptables_init() { > # Fix for braindead ISPs > iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-t= o-pmtu >=20 > + # DNS / NTP REDIRECT > + iptables -t nat -N DNS_NTP_REDIRECT > + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT > + > # CUSTOM chains, can be used by the users themselves > iptables -N CUSTOMINPUT > iptables -A INPUT -j CUSTOMINPUT > @@ -281,7 +285,7 @@ iptables_init() { > iptables -A INPUT -j LOCATIONBLOCK > iptables -A FORWARD -j LOCATIONBLOCK >=20 > - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept eve= rything > + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept ev= erything > iptables -N IPSECINPUT > iptables -N IPSECFORWARD > iptables -N IPSECOUTPUT > @@ -389,6 +393,9 @@ iptables_init() { > # run captivectrl > /usr/local/bin/captivectrl >=20 > + # run dnsntpctrl > + /usr/local/bin/dnsntpctrl > + > # POLICY CHAIN > iptables -N POLICYIN > iptables -A INPUT -j POLICYIN > diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile > index 7c3ef7529..6f2733ef0 100644 > --- a/src/misc-progs/Makefile > +++ b/src/misc-progs/Makefile > @@ -26,7 +26,7 @@ PROGS =3D iowrap > SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ > ipsecctrl timectrl dhcpctrl suricatactrl \ > rebuildhosts backupctrl collectdctrl \ > - logwatch wioscan wiohelper openvpnctrl firewallctrl \ > + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ > wirelessctrl getipstat qosctrl \ > redctrl syslogdctrl extrahdctrl sambactrl \ > smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ > diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c > new file mode 100644 > index 000000000..f2a3b89e3 > --- /dev/null > +++ b/src/misc-progs/dnsntpctrl.c 
> @@ -0,0 +1,19 @@ > +/* This file is part of the IPFire Firewall. > + * > + * This program is distributed under the terms of the GNU General Public > + * Licence. See the file COPYING for details. > + * > + */ > + > +#include > +#include "setuid.h" > + > +int main(void) > +{ > + if (!(initsetuid())) > + exit(1); > + > + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); > + > + return 0; > +} > --=20 > 2.18.0 >=20
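Review bot: in both optionsfw.cgi hunks (@@ -50 and @@ -65) the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` discards the exit status and all output, and dnsntpctrl.c discards the init script's output a second time, so an iptables failure after clicking 'Save' leaves the GUI reporting success. Suggest checking the return value the way the surrounding code collects `$errormessage`, e.g. `system("/usr/local/bin/dnsntpctrl") == 0 or $errormessage .= ...;`. The call also follows `system("/usr/local/bin/firewallctrl");` immediately; if firewallctrl re-runs iptables_init, which this series makes call dnsntpctrl itself, the second invocation is redundant and worth confirming.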
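Review bot: the new dnsntp init script tests `[ "$DNS_FORCE_ON_GREEN" == "on" ]` under `#!/bin/sh`; `==` is a bash extension, so the four tests should use `=` to stay POSIX. In the same hunk, the comment above the last block reads "Force DNS REDIRECTs on BLUE (udp, 123)" but the block handles NTP, and the interface names green0/blue0 are hardcoded while the firewall script works with GREEN_DEV (see its "-i GREEN_DEV" comment), so sourcing the same variables would keep the two in step. The cover letter says "TCP/UDP", but NTP is redirected for UDP 123 only; it is also worth stating in the commit message that only plain port 53 and UDP 123 are caught, so clients using DNS over TLS or DNS over HTTPS are not affected, which the GUI label "Force DNS to use local DNS servers" could be read to promise.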
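Review bot: in the firewall @@ -169 hunk, `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM chains are created, so the redirect evaluates ahead of any user-defined PREROUTING rule; the cover letter says the separate chain exists to avoid collisions with CUSTOM rules, so document which of the two wins, or hook the chain after the custom chains if user rules are meant to override it.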
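Review bot: in the firewall @@ -389 hunk the init script calls `/usr/local/bin/dnsntpctrl`, the setuid wrapper, although iptables_init already runs as root; calling `/etc/rc.d/init.d/dnsntp` directly here removes one layer of the detour the cover letter calls unnecessary and leaves the wrapper for the CGI only. It mirrors the existing `captivectrl` call just above, so if that pattern is intentional a short comment saying so would help.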
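Review bot: dnsntpctrl.c ignores the result of `safe_system(...)` and always returns 0, so neither the CGI nor the firewall init script can tell whether the rules were applied; returning the command's status, and dropping the `>/dev/null 2>&1` inside the wrapper so the caller decides what to do with the output, would let failures surface. The program is added to SUID_PROGS in the Makefile hunk; since it takes no arguments and runs one fixed path, that is the right shape for a setuid helper, and it is worth saying so in the commit message.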
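Review bot: in the en.pl hunk, 'Firewall options for BLUE Interface' and 'Firewall options for GREEN Interface' capitalize "Interface" while the replaced string and the neighbouring entries use lower case ('Firewall logging', 'Firewall settings'); keep "interface" lower case for consistency.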
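An added consistency check for the rules this series installs (example code written for this review, not part of the patch or of IPFire): it compares the DNS/NTP_FORCE_ON_* switches from optionsfw/settings with the REDIRECT rules actually present in the DNS_NTP_REDIRECT chain, using a settings excerpt and an iptables-save excerpt that are constructed inline; on a firewall the two inputs would come from the settings file and from `iptables-save -t nat`.

```shell
#!/bin/sh
# Added example, not part of the patch or of IPFire: verify that the nat-table
# chain DNS_NTP_REDIRECT matches the DNS/NTP_FORCE_ON_* switches. Both inputs
# below are constructed; a real run would read the settings file and iptables-save.

# constructed settings excerpt: DNS and NTP forced on GREEN only
SETTINGS_SAMPLE='DNS_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=off
NTP_FORCE_ON_GREEN=on
NTP_FORCE_ON_BLUE=off'

# constructed nat dump: what the dnsntp init script would produce for the above
NAT_SAMPLE='*nat
:DNS_NTP_REDIRECT - [0:0]
-A PREROUTING -j DNS_NTP_REDIRECT
-A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
-A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
-A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
COMMIT'

# expected_rules SETTINGS: one "iface proto dport" line per rule the switches call for
expected_rules() {
    printf '%s\n' "$1" | while IFS='=' read -r key val; do
        [ "$val" = "on" ] || continue
        case "$key" in
            DNS_FORCE_ON_GREEN) printf 'green0 udp 53\ngreen0 tcp 53\n' ;;
            DNS_FORCE_ON_BLUE)  printf 'blue0 udp 53\nblue0 tcp 53\n' ;;
            NTP_FORCE_ON_GREEN) printf 'green0 udp 123\n' ;;
            NTP_FORCE_ON_BLUE)  printf 'blue0 udp 123\n' ;;
        esac
    done
}

# actual_rules NATDUMP: the same format, read from the REDIRECT rules of the chain
actual_rules() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "DNS_NTP_REDIRECT" && $NF == "REDIRECT" {
        ifc = proto = port = ""
        for (i = 3; i < NF; i++) { if ($i == "-i") ifc = $(i+1); if ($i == "-p") proto = $(i+1); if ($i == "--dport") port = $(i+1) }
        print ifc, proto, port }'
}

# check_redirects SETTINGS NATDUMP: report drift in either direction, return 0 only if none
check_redirects() {
    exp=$(expected_rules "$1")
    act=$(actual_rules "$2")
    rc=0
    # the chain does nothing unless PREROUTING jumps into it (firewall init script change)
    printf '%s\n' "$2" | grep -Fxq -- '-A PREROUTING -j DNS_NTP_REDIRECT' \
        || { echo 'MISSING: PREROUTING jump to DNS_NTP_REDIRECT'; rc=1; }
    old_ifs=$IFS; IFS='
'
    for rule in $exp; do   # switch is on but rule absent: clients are not redirected
        printf '%s\n' "$act" | grep -Fxq -- "$rule" || { echo "MISSING: $rule"; rc=1; }
    done
    for rule in $act; do   # rule present but switch is off: stale redirect survived
        printf '%s\n' "$exp" | grep -Fxq -- "$rule" || { echo "EXTRA: $rule"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

check_redirects "$SETTINGS_SAMPLE" "$NAT_SAMPLE" && echo 'nat chain matches settings'
```

MISSING lines mean a switch is on but the matching clients are not being redirected; EXTRA lines mean a rule outlived its switch being turned off, which is exactly the state the flush at the top of the init script is meant to prevent.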