From mboxrd@z Thu Jan 1 00:00:00 1970
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Aw: Re: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Sun, 07 Mar 2021 14:02:39 +0100
Message-ID: <07c19c6d-c49a-836a-40da-b9ba7ec5809f@ipfire.org>
In-Reply-To:
<trinity-e5e6c513-15ee-4f02-ba5d-06eab0854cd7-1615112411074@3c-app-gmx-bs69>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2366156729310704391=="
List-Id: <development.lists.ipfire.org>
--===============2366156729310704391==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Hi Bernhard,
On 07.03.2021 11:20, Bernhard Bitsch wrote:
> Hi Matthias,
>=20
> yes. You got it.
Very good. ;-)
> I use these rules now for some time, based on the scripts and discussions i=
n the community.
> The RETURN rules do not weaken the aim of REDIRECT rules.
Running here since ~12 hours. Absolutely no problems. Just for fun, I
even told Firefox to use DoH.
And: I told my client PC to use 1.2.3.4 as DNS-server. He had no chance.
DNS was still working as before.
Furthermore I can see the redirections from our blue clients (nasty
programmed apps).
Settings:
DNS-Server with nine DNSSEC-entries, status on 'dhcp.cgi' is "Working",
DNS-Protocol: TLS, QNAME-Minmisation: Strict. Running 'unbound 1.13.1'.
> Because I can do not know a measurement tool, I can't say something about p=
erformance.
What about something like this?
=3D> https://github.com/DNS-OARC/dnsperf/blob/master/README.md
> But I'll try to record the behaviour of those 'bad devices' through logging=
rules, both for REDIRECT and RETURN.
>>From time to time I take a look at the IPTables-GUI - right now its...:
Chain DNS_NTP_REDIRECT (1 references)
pkts bytes target prot opt in out source destination =09
=09
82 5532 RETURN udp -- green0 * 0.0.0.0/0 192.168.100.254 udp dpt:53
24 1734 REDIRECT udp -- green0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 RETURN tcp -- green0 * 0.0.0.0/0 192.168.100.254 tcp dpt:53
0 0 REDIRECT tcp -- green0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
459 31772 RETURN udp -- blue0 * 0.0.0.0/0 192.168.101.254 udp dpt:53
40 2861 REDIRECT udp -- blue0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 RETURN tcp -- blue0 * 0.0.0.0/0 192.168.101.254 tcp dpt:53
0 0 REDIRECT tcp -- blue0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
983 74708 RETURN udp -- green0 * 0.0.0.0/0 192.168.100.254 udp dpt:123
0 0 REDIRECT udp -- green0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 RETURN udp -- blue0 * 0.0.0.0/0 192.168.101.254 udp dpt:123
18 1368 REDIRECT udp -- blue0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
Opinions?
Best,
Matthias
P.S.:
One (last?) thing to do would be to merge 'dnsntp' (init) and
'dnsntpctrl'.(c) into one C file to get rid of the still remaining
init-file. But sorry, that's for someone else, please...
>=20
> Best,
> Bernhard
>=20
>> Gesendet: Sonntag, 07. M=C3=A4rz 2021 um 09:06 Uhr
>> Von: "Matthias Fischer" <matthias.fischer(a)ipfire.org>
>> An: "Bernhard Bitsch" <Bernhard.Bitsch(a)gmx.de>, "Jon Murphy" <jcmurphy26=
(a)gmail.com>
>> Cc: "IPFire Development" <development(a)lists.ipfire.org>
>> Betreff: Re: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
>>
>> Hi Bernhard,
>>=20
>> Lol. Funny misunderstanding - I'll try to figure it out:
>>=20
>> On 06.03.2021 22:15, Bernhard Bitsch wrote:
>> > For forcing DNS we generate ( for example )
>> > iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 =
-j REDIRECT
>>=20
>> That's for *forcing* AKA *bad* requests that don't go the way we want.
>>=20
>> > To filter allowed DNS requests there is a rule
>> > iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p ud=
p -m udp --dport 53 -j RETURN
>>=20
>> That's for *well-behaving* requests.
>>=20
>> AH! I see. I think I know what you meant.
>>=20
>> > To get ${GREEN_ADDRESS} dnsntp needs an additional
>> > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>>=20
>> Funny. I suddenly thought of doing something with
>> '.../ethernet/settings' while writing the v3-commit. But I didn't think
>> of RETURN.
>>=20
>> > Concerning performance, we want to minimize the rule set to the amount r=
eally necessary. On the other hand, it may be quicker to do just a RETURN tha=
n a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) shou=
ld be nearly 100%. DNS and NTP servrs are published by DHCP or should be conf=
igured in the static case.
>> >=20
>> > Hope this makes it clear enough.
>>=20
>> I - really - hope I got it right. ;-)
>>=20
>> To handle the well-behaving requests, I added RETURN rules prior to the
>> REDIRECT rules like this:
>>=20
>> ...
>> # Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then
>> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p
>> udp -m udp --dport 53 -j RETURN
>>=20
>> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53
>> -j REDIRECT
>>=20
>> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p
>> tcp -m tcp --dport 53 -j RETURN
>>=20
>> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53
>> -j REDIRECT
>> fi
>> ...
>>=20
>> Intention (explanation was translated from
>> https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html):
>> If the first - well-behaving - rule matches:
>> =3D> RETURN =3D> "Leave this chain and continue with the caller or execute
>> the chain's policy".
>>=20
>> Otherwise:
>> =3D> REDIRECT the packet. "This goal ensures that the package is delivered
>> to the local computer. This allows packets to "fantasy targets" to be
>> intercepted and dealt with locally."
>>=20
>> I'm still not 100 percent sure - but does this correspond to your intentio=
n?
>>=20
>> Best,
>> Matthias
>>=20
>> > Best,
>> > Bernhard
>> >=20
>> >> Gesendet: Samstag, 06. M=C3=A4rz 2021 um 21:51 Uhr
>> >> Von: "Jon Murphy" <jcmurphy26(a)gmail.com>
>> >> An: "Bernhard Bitsch" <Bernhard.Bitsch(a)gmx.de>
>> >> Betreff: Re: [PATCH] (V3) Forcing DNS/NTP
>> >>
>> >> > I mean the extra rules for requests client-->IPFire:53.
>> >> > These are 'well-behaving' and must/should not be redirected. Didn't m=
easure if the performance is equal with or without these extra rules.
>> >>=20
>> >> How do we determine if a 'well-behaving' client is being redirected? O=
r how do we measure performance?
>> >>=20
>> >> When I tried to measure DNS "speed" in the past, the cache gets in ther=
e and makes every look like 38 to 44 ms.
>> >>=20
>> >> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch <Bernhard.Bitsch(a)gmx.de=
> wrote:
>> >> >=20
>> >> > Hi,
>> >> >=20
>> >> >> Gesendet: Freitag, 05. M=C3=A4rz 2021 um 23:49 Uhr
>> >> >> Von: "Matthias Fischer" <matthias.fischer(a)ipfire.org>
>> >> >> An: "Bernhard Bitsch" <Bernhard.Bitsch(a)gmx.de>
>> >> >> Cc: development(a)lists.ipfire.org
>> >> >> Betreff: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>> >> >>=20
>> >> >> Hi,
>> >> >>=20
>> >> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
>> >> >>> Hi,
>> >> >>>=20
>> >> >>> at a first glance I think, the code implements the ideas of the com=
munity discussions.
>> >> >>=20
>> >> >> Thanks - but unfortunately I'm not quite satisfied with my results y=
et
>> >> >> because I didn't manage to merge the init and the ctrl-file in *one*=
C
>> >> >> program. The whole is running as I want but... ;-)
>> >> >>=20
>> >> >>> Just one annotation. As mentioned in a post, it could help to honor=
'well-behaving' requests ( to IPFire ) by a RETURN.
>> >> >>=20
>> >> >> -v please. I don't know if I get this (the translation english =3D>
>> >> >> german) right.
>> >> >> If you mean that I asked for some tips and got some, than of course:
>> >> >> many thanks to everybody!
>> >> >>=20
>> >> > Sorry if I wasn't specific enough.
>> >> > I mean the extra rules for requests client-->IPFire:53.
>> >> > These are 'well-behaving' and must/should not be redirected. Didn't m=
easure if the performance is equal with or without these extra rules.
>> >> >=20
>> >> > Best,
>> >> > Bernhard
>> >> >> Best,
>> >> >> Matthias
>> >> >>=20
>> >> >>> Regards,
>> >> >>> Bernhard
>> >> >>>=20
>> >> >>>> Gesendet: Freitag, 05. M=C3=A4rz 2021 um 20:40 Uhr
>> >> >>>> Von: "Matthias Fischer" <matthias.fischer(a)ipfire.org>
>> >> >>>> An: development(a)lists.ipfire.org
>> >> >>>> Betreff: [PATCH] (V3) Forcing DNS/NTP
>> >> >>>>=20
>> >> >>>> Originally triggered by:
>> >> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-la=
n-to-the-firewall/3512
>> >> >>>>=20
>> >> >>>> Current discussion:
>> >> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3=
888
>> >> >>>>=20
>> >> >>>> Summary and functionality:
>> >> >>>> These patches are controlled through "Firewall Options". They add=
new
>> >> >>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/=
optionsfw/settings'.
>> >> >>>> They activate/deactivate appropriate REDIRECT rules through a new=
ctrl file
>> >> >>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/ini=
t.d/dnsntp').
>> >> >>>>=20
>> >> >>>> Default of all new rules is OFF (set in 'lfs/configroot').
>> >> >>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to=
the DNS and NTP
>> >> >>>> servers specified in IPFire. GUI links to DNS and NTP options wer=
e added to make
>> >> >>>> this more transparent.
>> >> >>>>=20
>> >> >>>> Flaw/ToDo:
>> >> >>>> To make things work as I wanted I had to add a 'dnsntpctrl' file =
which calls the actual
>> >> >>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>> >> >>>> In fact I wanted to merge these two files in *one* C file, but th=
is was beyond my
>> >> >>>> capabilities, perhaps "someone" else knows how to program this.
>> >> >>>>=20
>> >> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>> >> >>>> The corresponding interface options - including 'Masquerade ...' =
- are only visible if
>> >> >>>> the respective interface actually exists.
>> >> >>>> If BLUE interface doesn't exist, there are no ON/OFF switches for=
'DNS/NTP on BLUE'
>> >> >>>> or logging options for BLUE available (e.g.).
>> >> >>>> Added text colors for better readability and links to DNS and NTP=
GUI.
>> >> >>>> Separated logging options per interface.
>> >> >>>>=20
>> >> >>>> No reboot required:
>> >> >>>> Rules can be switched ON/OFF without rebooting IPFire.
>> >> >>>> Changes immedediatly take effect after clicking 'Save'.
>> >> >>>>=20
>> >> >>>> Changes to '/etc/rc.d/init.d/firewall':
>> >> >>>> To avoid collisions with possibly existing CUSTOM rules, I added =
a new PREROUTING
>> >> >>>> chain: DNS_NTP_REDIRECT.
>> >> >>>> This chain is flushed by the init file before before the desired =
settings are applied.
>> >> >>>> Corrected a 'trafic' typo.
>> >> >>>>=20
>> >> >>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> >> >>>> ---
>> >> >>>> config/rootfiles/common/aarch64/initscripts | 1 +
>> >> >>>> config/rootfiles/common/armv5tel/initscripts | 1 +
>> >> >>>> config/rootfiles/common/i586/initscripts | 1 +
>> >> >>>> config/rootfiles/common/misc-progs | 1 +
>> >> >>>> config/rootfiles/common/x86_64/initscripts | 1 +
>> >> >>>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++=
----
>> >> >>>> langs/de/cgi-bin/de.pl | 15 +++-
>> >> >>>> langs/en/cgi-bin/en.pl | 15 +++-
>> >> >>>> lfs/configroot | 4 +
>> >> >>>> src/initscripts/system/dnsntp | 36 ++++++++
>> >> >>>> src/initscripts/system/firewall | 9 +-
>> >> >>>> src/misc-progs/Makefile | 2 +-
>> >> >>>> src/misc-progs/dnsntpctrl.c | 19 ++++
>> >> >>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>> >> >>>> create mode 100644 src/initscripts/system/dnsntp
>> >> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>> >> >>>>=20
>> >> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/=
rootfiles/common/aarch64/initscripts
>> >> >>>> index 800005966..f38a3a294 100644
>> >> >>>> --- a/config/rootfiles/common/aarch64/initscripts
>> >> >>>> +++ b/config/rootfiles/common/aarch64/initscripts
>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >> >>>> etc/rc.d/init.d/console
>> >> >>>> etc/rc.d/init.d/dhcp
>> >> >>>> etc/rc.d/init.d/dhcrelay
>> >> >>>> +etc/rc.d/init.d/dnsntp
>> >> >>>> etc/rc.d/init.d/fcron
>> >> >>>> etc/rc.d/init.d/fireinfo
>> >> >>>> etc/rc.d/init.d/firewall
>> >> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config=
/rootfiles/common/armv5tel/initscripts
>> >> >>>> index 800005966..f38a3a294 100644
>> >> >>>> --- a/config/rootfiles/common/armv5tel/initscripts
>> >> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >> >>>> etc/rc.d/init.d/console
>> >> >>>> etc/rc.d/init.d/dhcp
>> >> >>>> etc/rc.d/init.d/dhcrelay
>> >> >>>> +etc/rc.d/init.d/dnsntp
>> >> >>>> etc/rc.d/init.d/fcron
>> >> >>>> etc/rc.d/init.d/fireinfo
>> >> >>>> etc/rc.d/init.d/firewall
>> >> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/roo=
tfiles/common/i586/initscripts
>> >> >>>> index 18c5a897a..a3a2b47f7 100644
>> >> >>>> --- a/config/rootfiles/common/i586/initscripts
>> >> >>>> +++ b/config/rootfiles/common/i586/initscripts
>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >> >>>> etc/rc.d/init.d/console
>> >> >>>> etc/rc.d/init.d/dhcp
>> >> >>>> etc/rc.d/init.d/dhcrelay
>> >> >>>> +etc/rc.d/init.d/dnsntp
>> >> >>>> etc/rc.d/init.d/fcron
>> >> >>>> etc/rc.d/init.d/fireinfo
>> >> >>>> etc/rc.d/init.d/firewall
>> >> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles=
/common/misc-progs
>> >> >>>> index d6594b3f8..4bcb94812 100644
>> >> >>>> --- a/config/rootfiles/common/misc-progs
>> >> >>>> +++ b/config/rootfiles/common/misc-progs
>> >> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>> >> >>>> usr/local/bin/collectdctrl
>> >> >>>> usr/local/bin/ddnsctrl
>> >> >>>> usr/local/bin/dhcpctrl
>> >> >>>> +usr/local/bin/dnsntpctrl
>> >> >>>> usr/local/bin/extrahdctrl
>> >> >>>> usr/local/bin/fireinfoctrl
>> >> >>>> usr/local/bin/firewallctrl
>> >> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/r=
ootfiles/common/x86_64/initscripts
>> >> >>>> index 18c5a897a..a3a2b47f7 100644
>> >> >>>> --- a/config/rootfiles/common/x86_64/initscripts
>> >> >>>> +++ b/config/rootfiles/common/x86_64/initscripts
>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >> >>>> etc/rc.d/init.d/console
>> >> >>>> etc/rc.d/init.d/dhcp
>> >> >>>> etc/rc.d/init.d/dhcrelay
>> >> >>>> +etc/rc.d/init.d/dnsntp
>> >> >>>> etc/rc.d/init.d/fcron
>> >> >>>> etc/rc.d/init.d/fireinfo
>> >> >>>> etc/rc.d/init.d/firewall
>> >> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.c=
gi
>> >> >>>> index 321642e82..3fc707e8b 100644
>> >> >>>> --- a/html/cgi-bin/optionsfw.cgi
>> >> >>>> +++ b/html/cgi-bin/optionsfw.cgi
>> >> >>>> @@ -2,7 +2,7 @@
>> >> >>>> ##################################################################=
#############
>> >> >>>> # =
#
>> >> >>>> # IPFire.org - A linux based firewall =
#
>> >> >>>> -# Copyright (C) 2014-2020 IPFire Team <info(a)ipfire.org> =
#
>> >> >>>> +# Copyright (C) 2014-2021 IPFire Team <info(a)ipfire.org> =
#
>> >> >>>> # =
#
>> >> >>>> # This program is free software: you can redistribute it and/or mo=
dify #
>> >> >>>> # it under the terms of the GNU General Public License as publishe=
d by #
>> >> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> >> >>>> $errormessage .=3D $Lang::tr{'new optionsfw later'};
>> >> >>>> &General::writehash($filename, \%settings); # Save g=
ood settings
>> >> >>>> system("/usr/local/bin/firewallctrl");
>> >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> >> >>>> }else{
>> >> >>>> if ($settings{'POLICY'} ne ''){
>> >> >>>> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'};
>> >> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> >> >>>> &General::writehash("${General::swroot}/firewall/settings", \%fw=
dfwsettings);
>> >> >>>> &General::readhash("${General::swroot}/firewall/settings", \%fwd=
fwsettings);
>> >> >>>> system("/usr/local/bin/firewallctrl");
>> >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> >> >>>> }
>> >> >>>> &General::readhash($filename, \%settings); # Load goo=
d settings
>> >> >>>> }
>> >> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MAS=
QUERADE_ORANGE'}} =3D 'selected=3D"sele
>> >> >>>> $selected{'MASQUERADE_BLUE'}{'off'} =3D '';
>> >> >>>> $selected{'MASQUERADE_BLUE'}{'on'} =3D '';
>> >> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'se=
lected=3D"selected"';
>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D '';
>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D '';
>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} =
=3D "checked=3D'checked'";
>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D '';
>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D '';
>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D=
"checked=3D'checked'";
>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D '';
>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D '';
>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} =
=3D "checked=3D'checked'";
>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D '';
>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D '';
>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D=
"checked=3D'checked'";
>> >> >>>>=20
>> >> >>>> &Header::openbox('100%', 'center',);
>> >> >>>> print "<form method=3D'post' action=3D'$ENV{'SCRIPT_NAME'}'>";
>> >> >>>> @@ -189,13 +203,44 @@ END
>> >> >>>> END
>> >> >>>> }
>> >> >>>>=20
>> >> >>>> - print <<END
>> >> >>>> +print <<END;
>> >> >>>> + <table width=3D'95%' cellspacing=3D'0'>
>> >> >>>> + <tr bgcolor=3D'$color{'color20'}'></tr>
>> >> >>>> + <tr> </tr>
>> >> >>>> + <td colspan=3D'2' align=3D'left'><b>$Lang::tr{'fw green'}</b><=
/td>
>> >> >>>> + </tr>
>> >> >>>> + <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'dns force on gr=
een'}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DN=
S_FORCE_ON_GREEN' value=3D'on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> >> >>>> + <input type=3D'radio' name=3D'DNS_FORCE_ON_=
GREEN' value=3D'off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'=
}</td></tr>
>> >> >>>> + <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'ntp force on gr=
een'}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'NT=
P_FORCE_ON_GREEN' value=3D'on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> >> >>>> + <input type=3D'radio' name=3D'NTP_FORCE_ON_=
GREEN' value=3D'off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'=
}</td></tr>
>> >> >>>> +END
>> >> >>>> +
>> >> >>>> + if (&Header::blue_used()) {
>> >> >>>> + print <<END;
>> >> >>>> + <table width=3D'95%' cellspacing=3D'0'>
>> >> >>>> + <tr bgcolor=3D'$color{'color20'}'><td colspan=3D'2' align=3D'le=
ft'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> >> >>>> + <tr> </tr>
>> >> >>>> + <tr>
>> >> >>>> + <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'dns force on b=
lue'}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DN=
S_FORCE_ON_BLUE' value=3D'on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> >> >>>> + <input type=3D'radio' name=3D'DNS_FORCE_ON_=
BLUE' value=3D'off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}<=
/td></tr>
>> >> >>>> + <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'ntp force on b=
lue'}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'NT=
P_FORCE_ON_BLUE' value=3D'on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> >> >>>> + <input type=3D'radio' name=3D'NTP_FORCE_ON_=
BLUE' value=3D'off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}<=
/td></tr>
>> >> >>>> + <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop proxy'}</=
td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DROPPROXY=
' value=3D'on' $checked{'DROPPROXY'}{'on'} />/
>> >> >>>> + <input type=3D'radio' name=3D'DROPPROXY' va=
lue=3D'off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> + <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop samba'}</=
td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DROPSAMBA=
' value=3D'on' $checked{'DROPSAMBA'}{'on'} />/
>> >> >>>> + <input type=3D'radio' name=3D'DROPSAMBA' va=
lue=3D'off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> + </td>
>> >> >>>> + </tr>
>> >> >>>> +END
>> >> >>>> + }
>> >> >>>> +
>> >> >>>> + print <<END;
>> >> >>>> </table>
>> >> >>>>=20
>> >> >>>> - <br>
>> >> >>>> + <br />
>> >> >>>>=20
>> >> >>>> -<table width=3D'95%' cellspacing=3D'0'>
>> >> >>>> -<tr bgcolor=3D'$color{'color20'}'><td colspan=3D'2' align=3D'left=
'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> >> >>>> + <table width=3D'95%' cellspacing=3D'0'>
>> >> >>>> +<tr bgcolor=3D'$color{'color20'}'><td colspan=3D'2' align=3D'left=
'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>> >> >>>> <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop newnotsyn'}</=
td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DROPNEWNO=
TSYN' value=3D'on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>> >> >>>> <input type=3D'radio' name=3D'DROPNEWNOTSYN'=
value=3D'off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop input'}</td><=
td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DROPINPUT' va=
lue=3D'on' $checked{'DROPINPUT'}{'on'} />/
>> >> >>>> @@ -206,21 +251,30 @@ END
>> >> >>>> <input type=3D'radio' name=3D'DROPOUTGOING' =
value=3D'off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop portscan'}</t=
d><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DROPPORTSC=
AN' value=3D'on' $checked{'DROPPORTSCAN'}{'on'} />/
>> >> >>>> <input type=3D'radio' name=3D'DROPPORTSCAN' =
value=3D'off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> -<tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop wirelessinpu=
t'}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DROP=
WIRELESSINPUT' value=3D'on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> >> >>>> +END
>> >> >>>> +
>> >> >>>> + if (&Header::blue_used()) {
>> >> >>>> + print <<END;
>> >> >>>> + </table>
>> >> >>>> +
>> >> >>>> + <br />
>> >> >>>> +
>> >> >>>> + <table width=3D'95%' cellspacing=3D'0'>
>> >> >>>> +<tr bgcolor=3D'$color{'color20'}'><td colspan=3D'2' align=3D'left=
'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> >> >>>> + <tr>
>> >> >>>> + <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop wirelessi=
nput'}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'D=
ROPWIRELESSINPUT' value=3D'on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> >> >>>> <input type=3D'radio' name=3D'DROPWIRELESSIN=
PUT' value=3D'off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</=
td></tr>
>> >> >>>> -<tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop wirelessforw=
ard'}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DR=
OPWIRELESSFORWARD' value=3D'on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> >> >>>> + <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop wirelessf=
orward'}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D=
'DROPWIRELESSFORWARD' value=3D'on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> >> >>>> <input type=3D'radio' name=3D'DROPWIRELESSFO=
RWARD' value=3D'off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off=
'}</td></tr>
>> >> >>>> -</table>
>> >> >>>> -<br/>
>> >> >>>> + </tr>
>> >> >>>> +END
>> >> >>>> + }
>> >> >>>> +
>> >> >>>> + print <<END;
>> >> >>>> + </table>
>> >> >>>> +
>> >> >>>> + <br />
>> >> >>>>=20
>> >> >>>> -<table width=3D'95%' cellspacing=3D'0'>
>> >> >>>> -<tr bgcolor=3D'$color{'color20'}'><td colspan=3D'2' align=3D'left=
'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> >> >>>> -<tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop proxy'}</td>=
<td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DROPPROXY' v=
alue=3D'on' $checked{'DROPPROXY'}{'on'} />/
>> >> >>>> - <input type=3D'radio' name=3D'DROPPROXY' va=
lue=3D'off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> -<tr><td align=3D'left' width=3D'60%'>$Lang::tr{'drop samba'}</td>=
<td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'DROPSAMBA' v=
alue=3D'on' $checked{'DROPSAMBA'}{'on'} />/
>> >> >>>> - <input type=3D'radio' name=3D'DROPSAMBA' va=
lue=3D'off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> -</table>
>> >> >>>> -<br>
>> >> >>>> <table width=3D'95%' cellspacing=3D'0'>
>> >> >>>> <tr bgcolor=3D'$color{'color20'}'><td colspan=3D'2' align=3D'left'=
><b>$Lang::tr{'fw settings'}</b></td></tr>
>> >> >>>> <tr><td align=3D'left' width=3D'60%'>$Lang::tr{'fw settings color'=
}</td><td align=3D'left'>$Lang::tr{'on'} <input type=3D'radio' name=3D'SHOWCO=
LORS' value=3D'on' $checked{'SHOWCOLORS'}{'on'} />/
>> >> >>>> @@ -252,7 +306,7 @@ END
>> >> >>>>=20
>> >> >>>> <br />
>> >> >>>> <table width=3D'100%' cellspacing=3D'0'>
>> >> >>>> -<tr><td align=3D'right'><form method=3D'post' action=3D'$ENV{'SCR=
IPT_NAME'}'>
>> >> >>>> +<tr><td align=3D'center'><form method=3D'post' action=3D'$ENV{'SC=
RIPT_NAME'}'>
>> >> >>>> <input type=3D'submit' name=3D'ACTION' value=3D'$Lang::tr{'save'}'=
/>
>> >> >>>> </form></td></tr>
>> >> >>>> </table>
>> >> >>>> @@ -278,7 +332,7 @@ print <<END;
>> >> >>>> <input type=3D'submit' name=3D'ACTION' value=3D'$Lang::tr{'sa=
ve'}' /><input type=3D'hidden' name=3D'defpol' value=3D'1'></td>
>> >> >>>> END
>> >> >>>> print "</tr></table></form>";
>> >> >>>> - print"<br><br>";
>> >> >>>> + print"<br /><br />";
>> >> >>>> print <<END;
>> >> >>>> <form method=3D'post' action=3D'$ENV{'SCRIPT_NAME'}'>
>> >> >>>> <table width=3D'100%' border=3D'0'>
>> >> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> >> >>>> index 6a8133807..d6bb234fa 100644
>> >> >>>> --- a/langs/de/cgi-bin/de.pl
>> >> >>>> +++ b/langs/de/cgi-bin/de.pl
>> >> >>>> @@ -836,6 +836,8 @@
>> >> >>>> 'dns error 0' =3D> 'Die IP Adresse vom <strong>prim=C3=A4ren</stro=
ng> DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Ein=
gabe!<br />Die eingegebene <strong>sekund=C3=A4ren</strong> DNS Server Adress=
e ist jedoch g=C3=BCltig.<br />',
>> >> >>>> 'dns error 01' =3D> 'Die eingegebene IP Adresse des <strong>prim=
=C3=A4ren</strong> wie auch des <strong>sekund=C3=A4ren</strong> DNS-Servers =
sind nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!',
>> >> >>>> 'dns error 1' =3D> 'Die IP Adresse vom <strong>sekund=C3=A4ren</st=
rong> DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre E=
ingabe!<br />Die eingegebene <strong>prim=C3=A4re</strong> DNS Server Adresse=
ist jedoch g=C3=BCltig.',
>> >> >>>> +'dns force on blue' =3D> 'Erzwinge <a href=3D\'/cgi-bin/dns.cgi\'=
>lokale DNS-Server</a> auf BLAU',
>> >> >>>> +'dns force on green' =3D> 'Erzwinge <a href=3D\'/cgi-bin/dns.cgi\=
'>lokale DNS-Server</a> auf GR=C3=9CN',
>> >> >>>> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empf=
ohlen)',
>> >> >>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)=
',
>> >> >>>> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an re=
d0',
>> >> >>>> @@ -1102,9 +1104,12 @@
>> >> >>>> 'from email server' =3D> 'Von E-Mail-Server',
>> >> >>>> 'from email user' =3D> 'Von E-Mail-Benutzer',
>> >> >>>> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BClt=
ig',
>> >> >>>> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface',
>> >> >>>> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das <font color=3D\'#00=
00FF\'>BLAUE</font> Interface',
>> >> >>>> 'fw default drop' =3D> 'Firewallrichtlinie',
>> >> >>>> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das <font color=3D\'#3=
39933\'>GR=C3=9CNE</font> Interface',
>> >> >>>> 'fw logging' =3D> 'Firewallprotokollierung',
>> >> >>>> +'fw logging blue' =3D> 'Firewallprotokollierung (<font color=3D\'=
#0000FF\'>BLAU</font>)',
>> >> >>>> +'fw logging red' =3D> 'Firewallprotokollierung (<font color=3D\'#=
993333\'>ROT</font>)',
>> >> >>>> 'fw settings' =3D> 'Firewalleinstellungen',
>> >> >>>> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen',
>> >> >>>> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsse=
ite anzeigen',
>> >> >>>> @@ -1644,9 +1649,9 @@
>> >> >>>> 'map to guest' =3D> 'Map to Guest',
>> >> >>>> 'march' =3D> 'M=C3=A4rz',
>> >> >>>> 'marked' =3D> 'Markiert',
>> >> >>>> -'masquerade blue' =3D> 'NAT auf BLAU',
>> >> >>>> -'masquerade green' =3D> 'NAT auf GR=C3=9CN',
>> >> >>>> -'masquerade orange' =3D> 'NAT auf ORANGE',
>> >> >>>> +'masquerade blue' =3D> 'NAT auf <b><font color=3D\'#0000FF\'>BLAU=
</font></b>',
>> >> >>>> +'masquerade green' =3D> 'NAT auf <b><font color=3D\'#339933\'>GR=
=C3=9CN</font></b>',
>> >> >>>> +'masquerade orange' =3D> 'NAT auf <b><font color =3D\'#FF9933\'>O=
RANGE</font></b>',
>> >> >>>> 'masquerading' =3D> 'Masquerading/NAT',
>> >> >>>> 'masquerading disabled' =3D> 'NAT ausgeschaltet',
>> >> >>>> 'masquerading enabled' =3D> 'NAT eingeschaltet',
>> >> >>>> @@ -1814,6 +1819,8 @@
>> >> >>>> 'november' =3D> 'November',
>> >> >>>> 'ntp common settings' =3D> 'Allgemeine Einstellungen',
>> >> >>>> 'ntp configuration' =3D> 'Zeitserverkonfiguration',
>> >> >>>> +'ntp force on blue' =3D> 'Erzwinge <a href=3D\'/cgi-bin/time.cgi\=
'>lokale NTP-Server</a> auf BLAU',
>> >> >>>> +'ntp force on green' =3D> 'Erzwinge <a href=3D\'/cgi-bin/time.cgi=
\'>lokale NTP-Server</a> auf GR=C3=9CN',
>> >> >>>> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu=
k=C3=B6nnen, muss NTP vorher aktiviert sein.',
>> >> >>>> 'ntp server' =3D> 'NTP-Server',
>> >> >>>> 'ntp sync' =3D> 'Synchronisation',
>> >> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> >> >>>> index 8f7e0c2cf..474612025 100644
>> >> >>>> --- a/langs/en/cgi-bin/en.pl
>> >> >>>> +++ b/langs/en/cgi-bin/en.pl
>> >> >>>> @@ -859,6 +859,8 @@
>> >> >>>> 'dns error 0' =3D> 'The IP address of the <strong>primary</strong>=
DNS server is not valid, please check your entries!<br />The entered <strong=
>secondary</strong> DNS server address is valid.',
>> >> >>>> 'dns error 01' =3D> 'The entered IP address of the <strong>primary=
</strong> and <strong>secondary</strong> DNS server are not valid, please che=
ck your entries!',
>> >> >>>> 'dns error 1' =3D> 'The IP address of the <strong>secondary</stron=
g> DNS server is not valid, please check your entries!<br />The entered <stro=
ng>primary</strong> DNS server address is valid.',
>> >> >>>> +'dns force on blue' =3D> 'Force DNS to use <a href=3D\'/cgi-bin/d=
ns.cgi\'>local DNS servers</a> on BLUE',
>> >> >>>> +'dns force on green' =3D> 'Force DNS to use <a href=3D\'/cgi-bin/=
dns.cgi\'>local DNS servers</a> on GREEN',
>> >> >>>> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)',
>> >> >>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)',
>> >> >>>> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on re=
d0',
>> >> >>>> @@ -1128,9 +1130,12 @@
>> >> >>>> 'from email server' =3D> 'From Email server',
>> >> >>>> 'from email user' =3D> 'From e-mail user',
>> >> >>>> 'from warn email bad' =3D> 'From e-mail address is not valid',
>> >> >>>> -'fw blue' =3D> 'Firewall options for BLUE interface',
>> >> >>>> +'fw blue' =3D> 'Firewall options for <font color=3D\'#0000FF\'>BL=
UE</font> Interface',
>> >> >>>> 'fw default drop' =3D> 'Firewall policy',
>> >> >>>> +'fw green' =3D> 'Firewall options for <font color=3D\'#339933\'>G=
REEN</font> Interface',
>> >> >>>> 'fw logging' =3D> 'Firewall logging',
>> >> >>>> +'fw logging blue' =3D> 'Firewall logging (<font color=3D\'#0000FF=
\'>BLUE</font>)',
>> >> >>>> +'fw logging red' =3D> 'Firewall logging (<font color=3D\'#993333\=
'>RED</font>)',
>> >> >>>> 'fw settings' =3D> 'Firewall settings',
>> >> >>>> 'fw settings color' =3D> 'Show colors in ruletable',
>> >> >>>> 'fw settings dropdown' =3D> 'Show all networks on rulecreation sit=
e',
>> >> >>>> @@ -1672,9 +1677,9 @@
>> >> >>>> 'map to guest' =3D> 'Map to Guest',
>> >> >>>> 'march' =3D> 'March',
>> >> >>>> 'marked' =3D> 'Marked',
>> >> >>>> -'masquerade blue' =3D> 'Masquerade BLUE',
>> >> >>>> -'masquerade green' =3D> 'Masquerade GREEN',
>> >> >>>> -'masquerade orange' =3D> 'Masquerade ORANGE',
>> >> >>>> +'masquerade blue' =3D> 'Masquerade <b><font color=3D\'#0000FF\'>B=
LUE</font></b>',
>> >> >>>> +'masquerade green' =3D> 'Masquerade <b><font color=3D\'#339933\'>=
GREEN</font></b>',
>> >> >>>> +'masquerade orange' =3D> 'Masquerade <b><font color=3D\'#FF9933\'=
>ORANGE</font></b>',
>> >> >>>> 'masquerading' =3D> 'Masquerading',
>> >> >>>> 'masquerading disabled' =3D> 'Masquerading disabled',
>> >> >>>> 'masquerading enabled' =3D> 'Masquerading enabled',
>> >> >>>> @@ -1844,6 +1849,8 @@
>> >> >>>> 'november' =3D> 'November',
>> >> >>>> 'ntp common settings' =3D> 'Common settings',
>> >> >>>> 'ntp configuration' =3D> 'NTP Configuration',
>> >> >>>> +'ntp force on blue' =3D> 'Force NTP to use <a href=3D\'/cgi-bin/t=
ime.cgi\'>local NTP servers</a> on BLUE',
>> >> >>>> +'ntp force on green' =3D> 'Force NTP to use <a href=3D\'/cgi-bin/=
time.cgi\'>local NTP servers</a> on GREEN',
>> >> >>>> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to=
have clients.',
>> >> >>>> 'ntp server' =3D> 'NTP Server',
>> >> >>>> 'ntp sync' =3D> 'Synchronization',
>> >> >>>> diff --git a/lfs/configroot b/lfs/configroot
>> >> >>>> index a3e474d70..622793b35 100644
>> >> >>>> --- a/lfs/configroot
>> >> >>>> +++ b/lfs/configroot
>> >> >>>> @@ -129,6 +129,10 @@ $(TARGET) :
>> >> >>>> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings
>> >> >>>> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settin=
gs
>> >> >>>> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/sett=
ings
>> >> >>>> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/set=
tings
>> >> >>>> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/sett=
ings
>> >> >>>> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/set=
tings
>> >> >>>> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/sett=
ings
>> >> >>>> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings
>> >> >>>> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings
>> >> >>>> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings
>> >> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/syste=
m/dnsntp
>> >> >>>> new file mode 100644
>> >> >>>> index 000000000..2eafa9d20
>> >> >>>> --- /dev/null
>> >> >>>> +++ b/src/initscripts/system/dnsntp
>> >> >>>> @@ -0,0 +1,36 @@
>> >> >>>> +#!/bin/sh
>> >> >>>> +#################################################################=
#######
>> >> >>>> +# Begin $rc_base/init.d/dnsntp
>> >> >>>> +#
>> >> >>>> +# Description : dnsntp init script for DNS/NTP rules only
>> >> >>>> +#
>> >> >>>> +#################################################################=
#######
>> >> >>>> +
>> >> >>>> +# flush chain
>> >> >>>> +iptables -t nat -F DNS_NTP_REDIRECT
>> >> >>>> +
>> >> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> >> >>>> +
>> >> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> >> >>>> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then
>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dp=
ort 53 -j REDIRECT
>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dp=
ort 53 -j REDIRECT
>> >> >>>> +fi
>> >> >>>> +
>> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> >> >>>> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then
>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dpo=
rt 53 -j REDIRECT
>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dpo=
rt 53 -j REDIRECT
>> >> >>>> +fi
>> >> >>>> +
>> >> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> >> >>>> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then
>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dp=
ort 123 -j REDIRECT
>> >> >>>> +fi
>> >> >>>> +
>> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> >> >>>> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then
>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dpo=
rt 123 -j REDIRECT
>> >> >>>> +fi
>> >> >>>> +
>> >> >>>> +# End $rc_base/init.d/dnsntp
>> >> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/sys=
tem/firewall
>> >> >>>> index 65f1c979b..43ae74113 100644
>> >> >>>> --- a/src/initscripts/system/firewall
>> >> >>>> +++ b/src/initscripts/system/firewall
>> >> >>>> @@ -169,6 +169,10 @@ iptables_init() {
>> >> >>>> # Fix for braindead ISPs
>> >> >>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --cl=
amp-mss-to-pmtu
>> >> >>>>=20
>> >> >>>> + # DNS / NTP REDIRECT
>> >> >>>> + iptables -t nat -N DNS_NTP_REDIRECT
>> >> >>>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> >> >>>> +
>> >> >>>> # CUSTOM chains, can be used by the users themselves
>> >> >>>> iptables -N CUSTOMINPUT
>> >> >>>> iptables -A INPUT -j CUSTOMINPUT
>> >> >>>> @@ -281,7 +285,7 @@ iptables_init() {
>> >> >>>> iptables -A INPUT -j LOCATIONBLOCK
>> >> >>>> iptables -A FORWARD -j LOCATIONBLOCK
>> >> >>>>=20
>> >> >>>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" a=
ccept everything
>> >> >>>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" =
accept everything
>> >> >>>> iptables -N IPSECINPUT
>> >> >>>> iptables -N IPSECFORWARD
>> >> >>>> iptables -N IPSECOUTPUT
>> >> >>>> @@ -389,6 +393,9 @@ iptables_init() {
>> >> >>>> # run captivectrl
>> >> >>>> /usr/local/bin/captivectrl
>> >> >>>>=20
>> >> >>>> + # run dnsntpctrl
>> >> >>>> + /usr/local/bin/dnsntpctrl
>> >> >>>> +
>> >> >>>> # POLICY CHAIN
>> >> >>>> iptables -N POLICYIN
>> >> >>>> iptables -A INPUT -j POLICYIN
>> >> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> >> >>>> index 7c3ef7529..6f2733ef0 100644
>> >> >>>> --- a/src/misc-progs/Makefile
>> >> >>>> +++ b/src/misc-progs/Makefile
>> >> >>>> @@ -26,7 +26,7 @@ PROGS =3D iowrap
>> >> >>>> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \
>> >> >>>> ipsecctrl timectrl dhcpctrl suricatactrl \
>> >> >>>> rebuildhosts backupctrl collectdctrl \
>> >> >>>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \
>> >> >>>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>> >> >>>> wirelessctrl getipstat qosctrl \
>> >> >>>> redctrl syslogdctrl extrahdctrl sambactrl \
>> >> >>>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> >> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpct=
rl.c
>> >> >>>> new file mode 100644
>> >> >>>> index 000000000..f2a3b89e3
>> >> >>>> --- /dev/null
>> >> >>>> +++ b/src/misc-progs/dnsntpctrl.c
>> >> >>>> @@ -0,0 +1,19 @@
>> >> >>>> +/* This file is part of the IPFire Firewall.
>> >> >>>> + *
>> >> >>>> + * This program is distributed under the terms of the GNU General=
Public
>> >> >>>> + * Licence. See the file COPYING for details.
>> >> >>>> + *
>> >> >>>> + */
>> >> >>>> +
>> >> >>>> +#include <stdlib.h>
>> >> >>>> +#include "setuid.h"
>> >> >>>> +
>> >> >>>> +int main(void)
>> >> >>>> +{
>> >> >>>> + if (!(initsetuid()))
>> >> >>>> + exit(1);
>> >> >>>> +
>> >> >>>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> >> >>>> +
>> >> >>>> + return 0;
>> >> >>>> +}
>> >> >>>> --=20
>> >> >>>> 2.18.0
>> >> >>>>=20
>> >> >>>>=20
>> >> >>>=20
>> >> >>=20
>> >> >>=20
>> >>=20
>> >>
>> >=20
>>=20
>>
>=20
--===============2366156729310704391==--