From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthias Fischer To: development@lists.ipfire.org Subject: Re: Aw: Re: Re: [PATCH] (V3) Forcing DNS/NTP Date: Sun, 07 Mar 2021 14:02:39 +0100 Message-ID: <07c19c6d-c49a-836a-40da-b9ba7ec5809f@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2366156729310704391==" List-Id: --===============2366156729310704391== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Bernhard, On 07.03.2021 11:20, Bernhard Bitsch wrote: > Hi Matthias, >=20 > yes. You got it. Very good. ;-) > I use these rules now for some time, based on the scripts and discussions i= n the community. > The RETURN rules do not weaken the aim of REDIRECT rules. Running here since ~12 hours. Absolutely no problems. Just for fun, I even told Firefox to use DoH. And: I told my client PC to use 1.2.3.4 as DNS-server. He had no chance. DNS was still working as before. Furthermore I can see the redirections from our blue clients (nasty programmed apps). Settings: DNS-Server with nine DNSSEC-entries, status on 'dhcp.cgi' is "Working", DNS-Protocol: TLS, QNAME-Minmisation: Strict. Running 'unbound 1.13.1'. > Because I can do not know a measurement tool, I can't say something about p= erformance. What about something like this? =3D> https://github.com/DNS-OARC/dnsperf/blob/master/README.md > But I'll try to record the behaviour of those 'bad devices' through logging= rules, both for REDIRECT and RETURN. >>From time to time I take a look at the IPTables-GUI - right now its...: Chain DNS_NTP_REDIRECT (1 references) pkts bytes target prot opt in out source destination =09 =09 82 5532 RETURN udp -- green0 * 0.0.0.0/0 192.168.100.254 udp dpt:53 24 1734 REDIRECT udp -- green0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 RETURN tcp -- green0 * 0.0.0.0/0 192.168.100.254 tcp dpt:53 0 0 REDIRECT tcp -- green0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 459 31772 RETURN udp -- blue0 * 0.0.0.0/0 192.168.101.254 udp dpt:53 40 2861 REDIRECT udp -- blue0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 RETURN tcp -- blue0 * 0.0.0.0/0 192.168.101.254 tcp dpt:53 0 0 REDIRECT tcp -- blue0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 983 74708 RETURN udp -- green0 * 0.0.0.0/0 192.168.100.254 udp dpt:123 0 0 REDIRECT udp -- green0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 0 0 RETURN udp -- blue0 * 0.0.0.0/0 192.168.101.254 udp dpt:123 18 1368 REDIRECT udp -- blue0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 Opinions? Best, Matthias P.S.: One (last?) thing to do would be to merge 'dnsntp' (init) and 'dnsntpctrl'.(c) into one C file to get rid of the still remaining init-file. But sorry, that's for someone else, please... >=20 > Best, > Bernhard >=20 >> Gesendet: Sonntag, 07. M=C3=A4rz 2021 um 09:06 Uhr >> Von: "Matthias Fischer" >> An: "Bernhard Bitsch" , "Jon Murphy" >> Cc: "IPFire Development" >> Betreff: Re: Aw: Re: [PATCH] (V3) Forcing DNS/NTP >> >> Hi Bernhard, >>=20 >> Lol. Funny misunderstanding - I'll try to figure it out: >>=20 >> On 06.03.2021 22:15, Bernhard Bitsch wrote: >> > For forcing DNS we generate ( for example ) >> > iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 = -j REDIRECT >>=20 >> That's for *forcing* AKA *bad* requests that don't go the way we want. >>=20 >> > To filter allowed DNS requests there is a rule >> > iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p ud= p -m udp --dport 53 -j RETURN >>=20 >> That's for *well-behaving* requests. >>=20 >> AH! I see. I think I know what you meant. >>=20 >> > To get ${GREEN_ADDRESS} dnsntp needs an additional >> > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) >>=20 >> Funny. I suddenly thought of doing something with >> '.../ethernet/settings' while writing the v3-commit. But I didn't think >> of RETURN. >>=20 >> > Concerning performance, we want to minimize the rule set to the amount r= eally necessary. On the other hand, it may be quicker to do just a RETURN tha= n a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) shou= ld be nearly 100%. DNS and NTP servrs are published by DHCP or should be conf= igured in the static case. >> >=20 >> > Hope this makes it clear enough. >>=20 >> I - really - hope I got it right. ;-) >>=20 >> To handle the well-behaving requests, I added RETURN rules prior to the >> REDIRECT rules like this: >>=20 >> ... >> # Force DNS REDIRECTs on GREEN (udp, tcp, 53) >> if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then >> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p >> udp -m udp --dport 53 -j RETURN >>=20 >> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 >> -j REDIRECT >>=20 >> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p >> tcp -m tcp --dport 53 -j RETURN >>=20 >> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 >> -j REDIRECT >> fi >> ... >>=20 >> Intention (explanation was translated from >> https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html): >> If the first - well-behaving - rule matches: >> =3D> RETURN =3D> "Leave this chain and continue with the caller or execute >> the chain's policy". >>=20 >> Otherwise: >> =3D> REDIRECT the packet. "This goal ensures that the package is delivered >> to the local computer. This allows packets to "fantasy targets" to be >> intercepted and dealt with locally." >>=20 >> I'm still not 100 percent sure - but does this correspond to your intentio= n? >>=20 >> Best, >> Matthias >>=20 >> > Best, >> > Bernhard >> >=20 >> >> Gesendet: Samstag, 06. M=C3=A4rz 2021 um 21:51 Uhr >> >> Von: "Jon Murphy" >> >> An: "Bernhard Bitsch" >> >> Betreff: Re: [PATCH] (V3) Forcing DNS/NTP >> >> >> >> > I mean the extra rules for requests client-->IPFire:53. >> >> > These are 'well-behaving' and must/should not be redirected. Didn't m= easure if the performance is equal with or without these extra rules. >> >>=20 >> >> How do we determine if a 'well-behaving' client is being redirected? O= r how do we measure performance? >> >>=20 >> >> When I tried to measure DNS "speed" in the past, the cache gets in ther= e and makes every look like 38 to 44 ms. >> >>=20 >> >> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch wrote: >> >> >=20 >> >> > Hi, >> >> >=20 >> >> >> Gesendet: Freitag, 05. M=C3=A4rz 2021 um 23:49 Uhr >> >> >> Von: "Matthias Fischer" >> >> >> An: "Bernhard Bitsch" >> >> >> Cc: development(a)lists.ipfire.org >> >> >> Betreff: Re: Aw: [PATCH] (V3) Forcing DNS/NTP >> >> >>=20 >> >> >> Hi, >> >> >>=20 >> >> >> On 05.03.2021 21:45, Bernhard Bitsch wrote: >> >> >>> Hi, >> >> >>>=20 >> >> >>> at a first glance I think, the code implements the ideas of the com= munity discussions. >> >> >>=20 >> >> >> Thanks - but unfortunately I'm not quite satisfied with my results y= et >> >> >> because I didn't manage to merge the init and the ctrl-file in *one*= C >> >> >> program. The whole is running as I want but... ;-) >> >> >>=20 >> >> >>> Just one annotation. As mentioned in a post, it could help to honor= 'well-behaving' requests ( to IPFire ) by a RETURN. >> >> >>=20 >> >> >> -v please. I don't know if I get this (the translation english =3D> >> >> >> german) right. >> >> >> If you mean that I asked for some tips and got some, than of course: >> >> >> many thanks to everybody! >> >> >>=20 >> >> > Sorry if I wasn't specific enough. >> >> > I mean the extra rules for requests client-->IPFire:53. >> >> > These are 'well-behaving' and must/should not be redirected. Didn't m= easure if the performance is equal with or without these extra rules. >> >> >=20 >> >> > Best, >> >> > Bernhard >> >> >> Best, >> >> >> Matthias >> >> >>=20 >> >> >>> Regards, >> >> >>> Bernhard >> >> >>>=20 >> >> >>>> Gesendet: Freitag, 05. M=C3=A4rz 2021 um 20:40 Uhr >> >> >>>> Von: "Matthias Fischer" >> >> >>>> An: development(a)lists.ipfire.org >> >> >>>> Betreff: [PATCH] (V3) Forcing DNS/NTP >> >> >>>>=20 >> >> >>>> Originally triggered by: >> >> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-la= n-to-the-firewall/3512 >> >> >>>>=20 >> >> >>>> Current discussion: >> >> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3= 888 >> >> >>>>=20 >> >> >>>> Summary and functionality: >> >> >>>> These patches are controlled through "Firewall Options". They add= new >> >> >>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/= optionsfw/settings'. >> >> >>>> They activate/deactivate appropriate REDIRECT rules through a new= ctrl file >> >> >>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/ini= t.d/dnsntp'). >> >> >>>>=20 >> >> >>>> Default of all new rules is OFF (set in 'lfs/configroot'). >> >> >>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to= the DNS and NTP >> >> >>>> servers specified in IPFire. GUI links to DNS and NTP options wer= e added to make >> >> >>>> this more transparent. >> >> >>>>=20 >> >> >>>> Flaw/ToDo: >> >> >>>> To make things work as I wanted I had to add a 'dnsntpctrl' file = which calls the actual >> >> >>>> init file, 'dnsntp'. This is actually an unnecessary detour. >> >> >>>> In fact I wanted to merge these two files in *one* C file, but th= is was beyond my >> >> >>>> capabilities, perhaps "someone" else knows how to program this. >> >> >>>>=20 >> >> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics: >> >> >>>> The corresponding interface options - including 'Masquerade ...' = - are only visible if >> >> >>>> the respective interface actually exists. >> >> >>>> If BLUE interface doesn't exist, there are no ON/OFF switches for= 'DNS/NTP on BLUE' >> >> >>>> or logging options for BLUE available (e.g.). >> >> >>>> Added text colors for better readability and links to DNS and NTP= GUI. >> >> >>>> Separated logging options per interface. >> >> >>>>=20 >> >> >>>> No reboot required: >> >> >>>> Rules can be switched ON/OFF without rebooting IPFire. >> >> >>>> Changes immedediatly take effect after clicking 'Save'. >> >> >>>>=20 >> >> >>>> Changes to '/etc/rc.d/init.d/firewall': >> >> >>>> To avoid collisions with possibly existing CUSTOM rules, I added = a new PREROUTING >> >> >>>> chain: DNS_NTP_REDIRECT. >> >> >>>> This chain is flushed by the init file before before the desired = settings are applied. >> >> >>>> Corrected a 'trafic' typo. >> >> >>>>=20 >> >> >>>> Signed-off-by: Matthias Fischer >> >> >>>> --- >> >> >>>> config/rootfiles/common/aarch64/initscripts | 1 + >> >> >>>> config/rootfiles/common/armv5tel/initscripts | 1 + >> >> >>>> config/rootfiles/common/i586/initscripts | 1 + >> >> >>>> config/rootfiles/common/misc-progs | 1 + >> >> >>>> config/rootfiles/common/x86_64/initscripts | 1 + >> >> >>>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++= ---- >> >> >>>> langs/de/cgi-bin/de.pl | 15 +++- >> >> >>>> langs/en/cgi-bin/en.pl | 15 +++- >> >> >>>> lfs/configroot | 4 + >> >> >>>> src/initscripts/system/dnsntp | 36 ++++++++ >> >> >>>> src/initscripts/system/firewall | 9 +- >> >> >>>> src/misc-progs/Makefile | 2 +- >> >> >>>> src/misc-progs/dnsntpctrl.c | 19 ++++ >> >> >>>> 13 files changed, 168 insertions(+), 29 deletions(-) >> >> >>>> create mode 100644 src/initscripts/system/dnsntp >> >> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c >> >> >>>>=20 >> >> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/= rootfiles/common/aarch64/initscripts >> >> >>>> index 800005966..f38a3a294 100644 >> >> >>>> --- a/config/rootfiles/common/aarch64/initscripts >> >> >>>> +++ b/config/rootfiles/common/aarch64/initscripts >> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> >> >>>> etc/rc.d/init.d/console >> >> >>>> etc/rc.d/init.d/dhcp >> >> >>>> etc/rc.d/init.d/dhcrelay >> >> >>>> +etc/rc.d/init.d/dnsntp >> >> >>>> etc/rc.d/init.d/fcron >> >> >>>> etc/rc.d/init.d/fireinfo >> >> >>>> etc/rc.d/init.d/firewall >> >> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config= /rootfiles/common/armv5tel/initscripts >> >> >>>> index 800005966..f38a3a294 100644 >> >> >>>> --- a/config/rootfiles/common/armv5tel/initscripts >> >> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts >> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> >> >>>> etc/rc.d/init.d/console >> >> >>>> etc/rc.d/init.d/dhcp >> >> >>>> etc/rc.d/init.d/dhcrelay >> >> >>>> +etc/rc.d/init.d/dnsntp >> >> >>>> etc/rc.d/init.d/fcron >> >> >>>> etc/rc.d/init.d/fireinfo >> >> >>>> etc/rc.d/init.d/firewall >> >> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/roo= tfiles/common/i586/initscripts >> >> >>>> index 18c5a897a..a3a2b47f7 100644 >> >> >>>> --- a/config/rootfiles/common/i586/initscripts >> >> >>>> +++ b/config/rootfiles/common/i586/initscripts >> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> >> >>>> etc/rc.d/init.d/console >> >> >>>> etc/rc.d/init.d/dhcp >> >> >>>> etc/rc.d/init.d/dhcrelay >> >> >>>> +etc/rc.d/init.d/dnsntp >> >> >>>> etc/rc.d/init.d/fcron >> >> >>>> etc/rc.d/init.d/fireinfo >> >> >>>> etc/rc.d/init.d/firewall >> >> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles= /common/misc-progs >> >> >>>> index d6594b3f8..4bcb94812 100644 >> >> >>>> --- a/config/rootfiles/common/misc-progs >> >> >>>> +++ b/config/rootfiles/common/misc-progs >> >> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl >> >> >>>> usr/local/bin/collectdctrl >> >> >>>> usr/local/bin/ddnsctrl >> >> >>>> usr/local/bin/dhcpctrl >> >> >>>> +usr/local/bin/dnsntpctrl >> >> >>>> usr/local/bin/extrahdctrl >> >> >>>> usr/local/bin/fireinfoctrl >> >> >>>> usr/local/bin/firewallctrl >> >> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/r= ootfiles/common/x86_64/initscripts >> >> >>>> index 18c5a897a..a3a2b47f7 100644 >> >> >>>> --- a/config/rootfiles/common/x86_64/initscripts >> >> >>>> +++ b/config/rootfiles/common/x86_64/initscripts >> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> >> >>>> etc/rc.d/init.d/console >> >> >>>> etc/rc.d/init.d/dhcp >> >> >>>> etc/rc.d/init.d/dhcrelay >> >> >>>> +etc/rc.d/init.d/dnsntp >> >> >>>> etc/rc.d/init.d/fcron >> >> >>>> etc/rc.d/init.d/fireinfo >> >> >>>> etc/rc.d/init.d/firewall >> >> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.c= gi >> >> >>>> index 321642e82..3fc707e8b 100644 >> >> >>>> --- a/html/cgi-bin/optionsfw.cgi >> >> >>>> +++ b/html/cgi-bin/optionsfw.cgi >> >> >>>> @@ -2,7 +2,7 @@ >> >> >>>> ##################################################################= ############# >> >> >>>> # = # >> >> >>>> # IPFire.org - A linux based firewall = # >> >> >>>> -# Copyright (C) 2014-2020 IPFire Team = # >> >> >>>> +# Copyright (C) 2014-2021 IPFire Team = # >> >> >>>> # = # >> >> >>>> # This program is free software: you can redistribute it and/or mo= dify # >> >> >>>> # it under the terms of the GNU General Public License as publishe= d by # >> >> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >> >> >>>> $errormessage .=3D $Lang::tr{'new optionsfw later'}; >> >> >>>> &General::writehash($filename, \%settings); # Save g= ood settings >> >> >>>> system("/usr/local/bin/firewallctrl"); >> >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >> >> >>>> }else{ >> >> >>>> if ($settings{'POLICY'} ne ''){ >> >> >>>> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; >> >> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >> >> >>>> &General::writehash("${General::swroot}/firewall/settings", \%fw= dfwsettings); >> >> >>>> &General::readhash("${General::swroot}/firewall/settings", \%fwd= fwsettings); >> >> >>>> system("/usr/local/bin/firewallctrl"); >> >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >> >> >>>> } >> >> >>>> &General::readhash($filename, \%settings); # Load goo= d settings >> >> >>>> } >> >> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MAS= QUERADE_ORANGE'}} =3D 'selected=3D"sele >> >> >>>> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; >> >> >>>> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; >> >> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'se= lected=3D"selected"'; >> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; >> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; >> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = =3D "checked=3D'checked'"; >> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; >> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; >> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D= "checked=3D'checked'"; >> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; >> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; >> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = =3D "checked=3D'checked'"; >> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; >> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; >> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D= "checked=3D'checked'"; >> >> >>>>=20 >> >> >>>> &Header::openbox('100%', 'center',); >> >> >>>> print "
"; >> >> >>>> @@ -189,13 +203,44 @@ END >> >> >>>> END >> >> >>>> } >> >> >>>>=20 >> >> >>>> - print <> >> >>>> +print <> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> +END >> >> >>>> + >> >> >>>> + if (&Header::blue_used()) { >> >> >>>> + print <> >> >>>> +
$Lang::tr{'fw green'}<= /td> >> >> >>>> +
$Lang::tr{'dns force on gr= een'}$Lang::tr{'on'} / >> >> >>>> + $Lang::tr{'off'= }
$Lang::tr{'ntp force on gr= een'}$Lang::tr{'on'} / >> >> >>>> + $Lang::tr{'off'= }
>> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> +END >> >> >>>> + } >> >> >>>> + >> >> >>>> + print <> >> >>>>
$Lang::tr{'fw blue'}
$Lang::tr{'dns force on b= lue'}$Lang::tr{'on'} / >> >> >>>> + $Lang::tr{'off'}<= /td>
$Lang::tr{'ntp force on b= lue'}$Lang::tr{'on'} / >> >> >>>> + $Lang::tr{'off'}<= /td>
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >> >> >>>> + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >> >> >>>> + $Lang::tr{'off'}
>> >> >>>>=20 >> >> >>>> -
>> >> >>>> +
>> >> >>>>=20 >> >> >>>> - >> >> >>>> - >> >> >>>> +
$Lang::tr{'fw logging'}
>> >> >>>> + >> >> >>>> >> >> >>>> <= td align=3D'left'>$Lang::tr{'on'} / >> >> >>>> @@ -206,21 +251,30 @@ END >> >> >>>> $Lang::tr{'off'} >> >> >>>> >> >> >>>> -
$Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / >> >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop input'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / >> >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessinpu= t'}$Lang::tr{'on'} / >> >> >>>> +END >> >> >>>> + >> >> >>>> + if (&Header::blue_used()) { >> >> >>>> + print <> >> >>>> +
>> >> >>>> + >> >> >>>> +
>> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> + >> >> >>>> - >> >> >>>> -
$Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessi= nput'}$Lang::tr{'on'} / >> >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforw= ard'}$Lang::tr{'on'} / >> >> >>>> +
$Lang::tr{'drop wirelessf= orward'}$Lang::tr{'on'} / >> >> >>>> $Lang::tr{'off= '}
>> >> >>>> -
>> >> >>>> + >> >> >>>> +END >> >> >>>> + } >> >> >>>> + >> >> >>>> + print <> >> >>>> + >> >> >>>> + >> >> >>>> +
>> >> >>>>=20 >> >> >>>> - >> >> >>>> - >> >> >>>> -= >> >> >>>> -= >> >> >>>> -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >> >> >>>> - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >> >> >>>> - $Lang::tr{'off'}
>> >> >>>> -
>> >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> END >> >> >>>> print "
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'= }$Lang::tr{'on'} / >> >> >>>> @@ -252,7 +306,7 @@ END >> >> >>>>=20 >> >> >>>>
>> >> >>>> >> >> >>>> - >> >> >>>>
>> >> >>>> +
>> >> >>>> >> >> >>>>
>> >> >>>> @@ -278,7 +332,7 @@ print <> >> >>>>
"; >> >> >>>> - print"

"; >> >> >>>> + print"

"; >> >> >>>> print <> >> >>>>
>> >> >>>> >> >> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >> >> >>>> index 6a8133807..d6bb234fa 100644 >> >> >>>> --- a/langs/de/cgi-bin/de.pl >> >> >>>> +++ b/langs/de/cgi-bin/de.pl >> >> >>>> @@ -836,6 +836,8 @@ >> >> >>>> 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Ein= gabe!
Die eingegebene sekund=C3=A4ren DNS Server Adress= e ist jedoch g=C3=BCltig.
', >> >> >>>> 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim= =C3=A4ren wie auch des sekund=C3=A4ren DNS-Servers = sind nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', >> >> >>>> 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre E= ingabe!
Die eingegebene prim=C3=A4re DNS Server Adresse= ist jedoch g=C3=BCltig.', >> >> >>>> +'dns force on blue' =3D> 'Erzwinge lokale DNS-Server auf BLAU', >> >> >>>> +'dns force on green' =3D> 'Erzwinge lokale DNS-Server auf GR=C3=9CN', >> >> >>>> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empf= ohlen)', >> >> >>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)= ', >> >> >>>> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an re= d0', >> >> >>>> @@ -1102,9 +1104,12 @@ >> >> >>>> 'from email server' =3D> 'Von E-Mail-Server', >> >> >>>> 'from email user' =3D> 'Von E-Mail-Benutzer', >> >> >>>> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BClt= ig', >> >> >>>> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', >> >> >>>> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das BLAUE Interface', >> >> >>>> 'fw default drop' =3D> 'Firewallrichtlinie', >> >> >>>> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das GR=C3=9CNE Interface', >> >> >>>> 'fw logging' =3D> 'Firewallprotokollierung', >> >> >>>> +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', >> >> >>>> +'fw logging red' =3D> 'Firewallprotokollierung (ROT)', >> >> >>>> 'fw settings' =3D> 'Firewalleinstellungen', >> >> >>>> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', >> >> >>>> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsse= ite anzeigen', >> >> >>>> @@ -1644,9 +1649,9 @@ >> >> >>>> 'map to guest' =3D> 'Map to Guest', >> >> >>>> 'march' =3D> 'M=C3=A4rz', >> >> >>>> 'marked' =3D> 'Markiert', >> >> >>>> -'masquerade blue' =3D> 'NAT auf BLAU', >> >> >>>> -'masquerade green' =3D> 'NAT auf GR=C3=9CN', >> >> >>>> -'masquerade orange' =3D> 'NAT auf ORANGE', >> >> >>>> +'masquerade blue' =3D> 'NAT auf BLAU= ', >> >> >>>> +'masquerade green' =3D> 'NAT auf GR= =C3=9CN', >> >> >>>> +'masquerade orange' =3D> 'NAT auf O= RANGE', >> >> >>>> 'masquerading' =3D> 'Masquerading/NAT', >> >> >>>> 'masquerading disabled' =3D> 'NAT ausgeschaltet', >> >> >>>> 'masquerading enabled' =3D> 'NAT eingeschaltet', >> >> >>>> @@ -1814,6 +1819,8 @@ >> >> >>>> 'november' =3D> 'November', >> >> >>>> 'ntp common settings' =3D> 'Allgemeine Einstellungen', >> >> >>>> 'ntp configuration' =3D> 'Zeitserverkonfiguration', >> >> >>>> +'ntp force on blue' =3D> 'Erzwinge lokale NTP-Server auf BLAU', >> >> >>>> +'ntp force on green' =3D> 'Erzwinge lokale NTP-Server auf GR=C3=9CN', >> >> >>>> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu= k=C3=B6nnen, muss NTP vorher aktiviert sein.', >> >> >>>> 'ntp server' =3D> 'NTP-Server', >> >> >>>> 'ntp sync' =3D> 'Synchronisation', >> >> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >> >> >>>> index 8f7e0c2cf..474612025 100644 >> >> >>>> --- a/langs/en/cgi-bin/en.pl >> >> >>>> +++ b/langs/en/cgi-bin/en.pl >> >> >>>> @@ -859,6 +859,8 @@ >> >> >>>> 'dns error 0' =3D> 'The IP address of the primary= DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid.', >> >> >>>> 'dns error 01' =3D> 'The entered IP address of the primary= and secondary DNS server are not valid, please che= ck your entries!', >> >> >>>> 'dns error 1' =3D> 'The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary DNS server address is valid.', >> >> >>>> +'dns force on blue' =3D> 'Force DNS to use local DNS servers on BLUE', >> >> >>>> +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', >> >> >>>> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', >> >> >>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', >> >> >>>> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on re= d0', >> >> >>>> @@ -1128,9 +1130,12 @@ >> >> >>>> 'from email server' =3D> 'From Email server', >> >> >>>> 'from email user' =3D> 'From e-mail user', >> >> >>>> 'from warn email bad' =3D> 'From e-mail address is not valid', >> >> >>>> -'fw blue' =3D> 'Firewall options for BLUE interface', >> >> >>>> +'fw blue' =3D> 'Firewall options for BL= UE Interface', >> >> >>>> 'fw default drop' =3D> 'Firewall policy', >> >> >>>> +'fw green' =3D> 'Firewall options for G= REEN Interface', >> >> >>>> 'fw logging' =3D> 'Firewall logging', >> >> >>>> +'fw logging blue' =3D> 'Firewall logging (BLUE)', >> >> >>>> +'fw logging red' =3D> 'Firewall logging (RED)', >> >> >>>> 'fw settings' =3D> 'Firewall settings', >> >> >>>> 'fw settings color' =3D> 'Show colors in ruletable', >> >> >>>> 'fw settings dropdown' =3D> 'Show all networks on rulecreation sit= e', >> >> >>>> @@ -1672,9 +1677,9 @@ >> >> >>>> 'map to guest' =3D> 'Map to Guest', >> >> >>>> 'march' =3D> 'March', >> >> >>>> 'marked' =3D> 'Marked', >> >> >>>> -'masquerade blue' =3D> 'Masquerade BLUE', >> >> >>>> -'masquerade green' =3D> 'Masquerade GREEN', >> >> >>>> -'masquerade orange' =3D> 'Masquerade ORANGE', >> >> >>>> +'masquerade blue' =3D> 'Masquerade B= LUE', >> >> >>>> +'masquerade green' =3D> 'Masquerade = GREEN', >> >> >>>> +'masquerade orange' =3D> 'Masquerade ORANGE', >> >> >>>> 'masquerading' =3D> 'Masquerading', >> >> >>>> 'masquerading disabled' =3D> 'Masquerading disabled', >> >> >>>> 'masquerading enabled' =3D> 'Masquerading enabled', >> >> >>>> @@ -1844,6 +1849,8 @@ >> >> >>>> 'november' =3D> 'November', >> >> >>>> 'ntp common settings' =3D> 'Common settings', >> >> >>>> 'ntp configuration' =3D> 'NTP Configuration', >> >> >>>> +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', >> >> >>>> +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', >> >> >>>> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to= have clients.', >> >> >>>> 'ntp server' =3D> 'NTP Server', >> >> >>>> 'ntp sync' =3D> 'Synchronization', >> >> >>>> diff --git a/lfs/configroot b/lfs/configroot >> >> >>>> index a3e474d70..622793b35 100644 >> >> >>>> --- a/lfs/configroot >> >> >>>> +++ b/lfs/configroot >> >> >>>> @@ -129,6 +129,10 @@ $(TARGET) : >> >> >>>> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> >> >>>> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settin= gs >> >> >>>> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/sett= ings >> >> >>>> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/set= tings >> >> >>>> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/sett= ings >> >> >>>> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/set= tings >> >> >>>> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/sett= ings >> >> >>>> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >> >> >>>> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >> >> >>>> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings >> >> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/syste= m/dnsntp >> >> >>>> new file mode 100644 >> >> >>>> index 000000000..2eafa9d20 >> >> >>>> --- /dev/null >> >> >>>> +++ b/src/initscripts/system/dnsntp >> >> >>>> @@ -0,0 +1,36 @@ >> >> >>>> +#!/bin/sh >> >> >>>> +#################################################################= ####### >> >> >>>> +# Begin $rc_base/init.d/dnsntp >> >> >>>> +# >> >> >>>> +# Description : dnsntp init script for DNS/NTP rules only >> >> >>>> +# >> >> >>>> +#################################################################= ####### >> >> >>>> + >> >> >>>> +# flush chain >> >> >>>> +iptables -t nat -F DNS_NTP_REDIRECT >> >> >>>> + >> >> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >> >> >>>> + >> >> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) >> >> >>>> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then >> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dp= ort 53 -j REDIRECT >> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dp= ort 53 -j REDIRECT >> >> >>>> +fi >> >> >>>> + >> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) >> >> >>>> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then >> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dpo= rt 53 -j REDIRECT >> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dpo= rt 53 -j REDIRECT >> >> >>>> +fi >> >> >>>> + >> >> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123) >> >> >>>> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then >> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dp= ort 123 -j REDIRECT >> >> >>>> +fi >> >> >>>> + >> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123) >> >> >>>> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then >> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dpo= rt 123 -j REDIRECT >> >> >>>> +fi >> >> >>>> + >> >> >>>> +# End $rc_base/init.d/dnsntp >> >> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/sys= tem/firewall >> >> >>>> index 65f1c979b..43ae74113 100644 >> >> >>>> --- a/src/initscripts/system/firewall >> >> >>>> +++ b/src/initscripts/system/firewall >> >> >>>> @@ -169,6 +169,10 @@ iptables_init() { >> >> >>>> # Fix for braindead ISPs >> >> >>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --cl= amp-mss-to-pmtu >> >> >>>>=20 >> >> >>>> + # DNS / NTP REDIRECT >> >> >>>> + iptables -t nat -N DNS_NTP_REDIRECT >> >> >>>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT >> >> >>>> + >> >> >>>> # CUSTOM chains, can be used by the users themselves >> >> >>>> iptables -N CUSTOMINPUT >> >> >>>> iptables -A INPUT -j CUSTOMINPUT >> >> >>>> @@ -281,7 +285,7 @@ iptables_init() { >> >> >>>> iptables -A INPUT -j LOCATIONBLOCK >> >> >>>> iptables -A FORWARD -j LOCATIONBLOCK >> >> >>>>=20 >> >> >>>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" a= ccept everything >> >> >>>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" = accept everything >> >> >>>> iptables -N IPSECINPUT >> >> >>>> iptables -N IPSECFORWARD >> >> >>>> iptables -N IPSECOUTPUT >> >> >>>> @@ -389,6 +393,9 @@ iptables_init() { >> >> >>>> # run captivectrl >> >> >>>> /usr/local/bin/captivectrl >> >> >>>>=20 >> >> >>>> + # run dnsntpctrl >> >> >>>> + /usr/local/bin/dnsntpctrl >> >> >>>> + >> >> >>>> # POLICY CHAIN >> >> >>>> iptables -N POLICYIN >> >> >>>> iptables -A INPUT -j POLICYIN >> >> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile >> >> >>>> index 7c3ef7529..6f2733ef0 100644 >> >> >>>> --- a/src/misc-progs/Makefile >> >> >>>> +++ b/src/misc-progs/Makefile >> >> >>>> @@ -26,7 +26,7 @@ PROGS =3D iowrap >> >> >>>> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ >> >> >>>> ipsecctrl timectrl dhcpctrl suricatactrl \ >> >> >>>> rebuildhosts backupctrl collectdctrl \ >> >> >>>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ >> >> >>>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ >> >> >>>> wirelessctrl getipstat qosctrl \ >> >> >>>> redctrl syslogdctrl extrahdctrl sambactrl \ >> >> >>>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ >> >> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpct= rl.c >> >> >>>> new file mode 100644 >> >> >>>> index 000000000..f2a3b89e3 >> >> >>>> --- /dev/null >> >> >>>> +++ b/src/misc-progs/dnsntpctrl.c >> >> >>>> @@ -0,0 +1,19 @@ >> >> >>>> +/* This file is part of the IPFire Firewall. >> >> >>>> + * >> >> >>>> + * This program is distributed under the terms of the GNU General= Public >> >> >>>> + * Licence. See the file COPYING for details. >> >> >>>> + * >> >> >>>> + */ >> >> >>>> + >> >> >>>> +#include >> >> >>>> +#include "setuid.h" >> >> >>>> + >> >> >>>> +int main(void) >> >> >>>> +{ >> >> >>>> + if (!(initsetuid())) >> >> >>>> + exit(1); >> >> >>>> + >> >> >>>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); >> >> >>>> + >> >> >>>> + return 0; >> >> >>>> +} >> >> >>>> --=20 >> >> >>>> 2.18.0 >> >> >>>>=20 >> >> >>>>=20 >> >> >>>=20 >> >> >>=20 >> >> >>=20 >> >>=20 >> >> >> >=20 >>=20 >> >=20 --===============2366156729310704391==--