From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] (V3) Forcing DNS/NTP
Date: Fri, 05 Mar 2021 20:40:17 +0100 [thread overview]
Message-ID: <20210305194017.7114-1-matthias.fischer@ipfire.org> (raw)
Originally triggered by:
https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
Current discussion:
https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
Summary and functionality:
These patches are controlled through "Firewall Options". They add new
firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
They activate/deactivate appropriate REDIRECT rules through a new ctrl file
('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
Default of all new rules is OFF (set in 'lfs/configroot').
If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
servers specified in IPFire. GUI links to DNS and NTP options were added to make
this more transparent.
Flaw/ToDo:
To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
init file, 'dnsntp'. This is actually an unnecessary detour.
In fact I wanted to merge these two files in *one* C file, but this was beyond my
capabilities, perhaps "someone" else knows how to program this.
Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
The corresponding interface options - including 'Masquerade ...' - are only visible if
the respective interface actually exists.
If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
or logging options for BLUE available (e.g.).
Added text colors for better readability and links to DNS and NTP GUI.
Separated logging options per interface.
No reboot required:
Rules can be switched ON/OFF without rebooting IPFire.
Changes immediately take effect after clicking 'Save'.
Changes to '/etc/rc.d/init.d/firewall':
To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
chain: DNS_NTP_REDIRECT.
This chain is flushed by the init file before the desired settings are applied.
Corrected a 'trafic' typo.
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
config/rootfiles/common/aarch64/initscripts | 1 +
config/rootfiles/common/armv5tel/initscripts | 1 +
config/rootfiles/common/i586/initscripts | 1 +
config/rootfiles/common/misc-progs | 1 +
config/rootfiles/common/x86_64/initscripts | 1 +
html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++----
langs/de/cgi-bin/de.pl | 15 +++-
langs/en/cgi-bin/en.pl | 15 +++-
lfs/configroot | 4 +
src/initscripts/system/dnsntp | 36 ++++++++
src/initscripts/system/firewall | 9 +-
src/misc-progs/Makefile | 2 +-
src/misc-progs/dnsntpctrl.c | 19 ++++
13 files changed, 168 insertions(+), 29 deletions(-)
create mode 100644 src/initscripts/system/dnsntp
create mode 100644 src/misc-progs/dnsntpctrl.c
diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 800005966..f38a3a294 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
etc/rc.d/init.d/console
etc/rc.d/init.d/dhcp
etc/rc.d/init.d/dhcrelay
+etc/rc.d/init.d/dnsntp
etc/rc.d/init.d/fcron
etc/rc.d/init.d/fireinfo
etc/rc.d/init.d/firewall
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 800005966..f38a3a294 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
etc/rc.d/init.d/console
etc/rc.d/init.d/dhcp
etc/rc.d/init.d/dhcrelay
+etc/rc.d/init.d/dnsntp
etc/rc.d/init.d/fcron
etc/rc.d/init.d/fireinfo
etc/rc.d/init.d/firewall
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 18c5a897a..a3a2b47f7 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
etc/rc.d/init.d/console
etc/rc.d/init.d/dhcp
etc/rc.d/init.d/dhcrelay
+etc/rc.d/init.d/dnsntp
etc/rc.d/init.d/fcron
etc/rc.d/init.d/fireinfo
etc/rc.d/init.d/firewall
diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
index d6594b3f8..4bcb94812 100644
--- a/config/rootfiles/common/misc-progs
+++ b/config/rootfiles/common/misc-progs
@@ -5,6 +5,7 @@ usr/local/bin/captivectrl
usr/local/bin/collectdctrl
usr/local/bin/ddnsctrl
usr/local/bin/dhcpctrl
+usr/local/bin/dnsntpctrl
usr/local/bin/extrahdctrl
usr/local/bin/fireinfoctrl
usr/local/bin/firewallctrl
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index 18c5a897a..a3a2b47f7 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
etc/rc.d/init.d/console
etc/rc.d/init.d/dhcp
etc/rc.d/init.d/dhcrelay
+etc/rc.d/init.d/dnsntp
etc/rc.d/init.d/fcron
etc/rc.d/init.d/fireinfo
etc/rc.d/init.d/firewall
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 321642e82..3fc707e8b 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2014-2020 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2014-2021 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
$errormessage .= $Lang::tr{'new optionsfw later'};
&General::writehash($filename, \%settings); # Save good settings
system("/usr/local/bin/firewallctrl");
+ system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
}else{
if ($settings{'POLICY'} ne ''){
$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
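Review bot: the exit status of `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` is discarded here and again in the identical call in the next hunk, so a failing iptables invocation in the init script still leaves the page reporting the settings as saved. Capture the return value (system() returns the wait status, so only 0 is success) and append to $errormessage when it is non-zero, the way the validation errors just above are reported. Both branches run the same two commands; one call after the if/else would do.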
@@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
system("/usr/local/bin/firewallctrl");
+ system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
}
&General::readhash($filename, \%settings); # Load good settings
}
@@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
$selected{'MASQUERADE_BLUE'}{'off'} = '';
$selected{'MASQUERADE_BLUE'}{'on'} = '';
$selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
+$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
&Header::openbox('100%', 'center',);
print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
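Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}}` assumes the key exists. lfs/configroot only seeds fresh installations, so on an updated system $settings{'DNS_FORCE_ON_GREEN'} is undef, the lookup creates an entry under the empty string and neither radio button is pre-selected (the same holds for the other three keys). Default the four keys to 'off' before this block (e.g. `$settings{'DNS_FORCE_ON_GREEN'} ||= 'off';`) or have the core update write them, and validate that the submitted value is exactly 'on' or 'off' before &General::writehash stores whatever the form sent.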
@@ -189,13 +203,44 @@ END
END
}
- print <<END
+print <<END;
+ <table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'></tr>
+ <tr> </tr>
+ <td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
+ </tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
+ <input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
+ <input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+END
+
+ if (&Header::blue_used()) {
+ print <<END;
+ <table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+ <tr> </tr>
+ <tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
+ <input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
+ <input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+ <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+ <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ </td>
+ </tr>
+END
+ }
+
+ print <<END;
</table>
- <br>
+ <br />
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
+ <table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
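Review bot: the table markup of the GREEN block is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr> </tr>` another, the heading cell `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` then sits outside any `<tr>` and is followed by a stray `</tr>`; the BLUE block below shows the intended form with the heading inside the row. The BLUE block in turn opens a second `<table width='95%'>` while the GREEN table is still open, leaves the `<tr>` after `<tr> </tr>` unclosed, and ends with a `</td>` that has no `<td>`. Browsers will mostly repair this, but the generated HTML should be valid. Separately, the logging table is now headed 'fw logging red' although DROPNEWNOTSYN, DROPINPUT, DROPFORWARD, DROPOUTGOING and DROPPORTSCAN are not limited to RED; the existing 'fw logging' label (still defined in both language files) was the accurate one.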
@@ -206,21 +251,30 @@ END
<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
+END
+
+ if (&Header::blue_used()) {
+ print <<END;
+ </table>
+
+ <br />
+
+ <table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
+ <tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
+ <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br/>
+ </tr>
+END
+ }
+
+ print <<END;
+ </table>
+
+ <br />
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
- <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
- <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
<table width='95%' cellspacing='0'>
<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
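Review bot: the bare `<tr>` inserted before the 'drop wirelessinput' row is never closed before the two complete rows that follow it, and the `</tr>` after the 'drop wirelessforward' row then closes a row that already contains rows; drop both stray tags. The split into three heredocs also makes it hard to see that the RED logging table is closed by the `</table>` of the final heredoc in both the BLUE and the non-BLUE case; building the BLUE rows into a string and printing one heredoc keeps the open/close pairs in one place.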
@@ -252,7 +306,7 @@ END
<br />
<table width='100%' cellspacing='0'>
-<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
<input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
</form></td></tr>
</table>
@@ -278,7 +332,7 @@ print <<END;
<input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
END
print "</tr></table></form>";
- print"<br><br>";
+ print"<br /><br />";
print <<END;
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%' border='0'>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 6a8133807..d6bb234fa 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -836,6 +836,8 @@
'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
+'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
+'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
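Review bot: 'Erzwinge lokale DNS-Server auf GRÜN' reads as if the clients' configured servers were being changed; the REDIRECT target actually rewrites the destination to the firewall's own address on the interface, so every request ends up at the firewall's resolver. A label such as 'Alle DNS-Anfragen auf GRÜN zur Firewall umleiten' describes the effect precisely; see the note on the English strings for the shared points about the embedded link and the NTP wording.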
@@ -1102,9 +1104,12 @@
'from email server' => 'Von E-Mail-Server',
'from email user' => 'Von E-Mail-Benutzer',
'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
-'fw blue' => 'Firewalloptionen für das Blaue Interface',
+'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
'fw default drop' => 'Firewallrichtlinie',
+'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
'fw logging' => 'Firewallprotokollierung',
+'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
+'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
'fw settings' => 'Firewalleinstellungen',
'fw settings color' => 'Farben in Regeltabelle anzeigen',
'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
@@ -1644,9 +1649,9 @@
'map to guest' => 'Map to Guest',
'march' => 'März',
'marked' => 'Markiert',
-'masquerade blue' => 'NAT auf BLAU',
-'masquerade green' => 'NAT auf GRÜN',
-'masquerade orange' => 'NAT auf ORANGE',
+'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
+'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
+'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
'masquerading' => 'Masquerading/NAT',
'masquerading disabled' => 'NAT ausgeschaltet',
'masquerading enabled' => 'NAT eingeschaltet',
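Review bot: `<font color =\'#FF9933\'>` in the German ORANGE string has a space before '=' that the other strings and the English file do not; harmless to browsers but inconsistent, and one more sign that the colour markup should not live in the translation strings at all.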
@@ -1814,6 +1819,8 @@
'november' => 'November',
'ntp common settings' => 'Allgemeine Einstellungen',
'ntp configuration' => 'Zeitserverkonfiguration',
+'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
+'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
'ntp server' => 'NTP-Server',
'ntp sync' => 'Synchronisation',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 8f7e0c2cf..474612025 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -859,6 +859,8 @@
'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
+'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
+'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
'dns header' => 'Assign DNS server addresses only for DHCP on red0',
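Review bot: 'Force DNS to use local DNS servers on GREEN' describes the effect loosely. The REDIRECT target rewrites the destination to the firewall's own address on that interface, so clients are forced to the firewall's resolver, which then uses whatever is configured on dns.cgi; 'Redirect all DNS requests on GREEN to the firewall' tells the admin what actually changes. The NTP strings should likewise say that the firewall has to be set up to accept NTP clients (compare 'ntp must be enabled to have clients' just below), otherwise redirected requests go unanswered. Embedding `<a href=\'/cgi-bin/dns.cgi\'>` in a translation string means every language file has to carry the link; wrapping the label in the CGI keeps one copy.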
@@ -1128,9 +1130,12 @@
'from email server' => 'From Email server',
'from email user' => 'From e-mail user',
'from warn email bad' => 'From e-mail address is not valid',
-'fw blue' => 'Firewall options for BLUE interface',
+'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
'fw default drop' => 'Firewall policy',
+'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
'fw logging' => 'Firewall logging',
+'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
+'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
'fw settings' => 'Firewall settings',
'fw settings color' => 'Show colors in ruletable',
'fw settings dropdown' => 'Show all networks on rulecreation site',
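Review bot: hard-coding `<font color=\'#0000FF\'>` and friends inside the translation strings duplicates the colour values across de.pl, en.pl and every other language file, and `<font>` is an element HTML5 has dropped. Keep the colours in the CGI (or a stylesheet) and translate only the words; note also that BLUE here is #0000FF while RED, GREEN and ORANGE use #993333, #339933 and #FF9933, so the four values should at least be defined once, next to each other.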
@@ -1672,9 +1677,9 @@
'map to guest' => 'Map to Guest',
'march' => 'March',
'marked' => 'Marked',
-'masquerade blue' => 'Masquerade BLUE',
-'masquerade green' => 'Masquerade GREEN',
-'masquerade orange' => 'Masquerade ORANGE',
+'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
+'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
+'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
'masquerading' => 'Masquerading',
'masquerading disabled' => 'Masquerading disabled',
'masquerading enabled' => 'Masquerading enabled',
@@ -1844,6 +1849,8 @@
'november' => 'November',
'ntp common settings' => 'Common settings',
'ntp configuration' => 'NTP Configuration',
+'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
+'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
'ntp server' => 'NTP Server',
'ntp sync' => 'Synchronization',
diff --git a/lfs/configroot b/lfs/configroot
index a3e474d70..622793b35 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -129,6 +129,10 @@ $(TARGET) :
echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
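Review bot: these four defaults only reach new installations, because lfs/configroot builds the initial /var/ipfire tree; updated systems need the same keys appended by the core update, otherwise the CGI and the init script see an empty value (the init script's string comparison treats that as off, so it at least fails closed). The commit message names the options `[DNS/NTP]_FORCED_ON_[INTERFACE]` while the keys written here are `DNS_FORCE_ON_GREEN` etc.; align the wording.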
diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
new file mode 100644
index 000000000..2eafa9d20
--- /dev/null
+++ b/src/initscripts/system/dnsntp
@@ -0,0 +1,36 @@
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/dnsntp
+#
+# Description : dnsntp init script for DNS/NTP rules only
+#
+########################################################################
+
+# flush chain
+iptables -t nat -F DNS_NTP_REDIRECT
+
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
+ iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
+ iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
+fi
+
+# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
+ iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
+ iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
+fi
+
+# Force NTP REDIRECTs on GREEN (udp, 123)
+if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
+ iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
+fi
+
+# Force DNS REDIRECTs on BLUE (udp, 123)
+if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
+ iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
+fi
+
+# End $rc_base/init.d/dnsntp
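Review bot: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` in a `#!/bin/sh` script relies on bash's `==`; the POSIX test operator is `=`, so write `[ "$DNS_FORCE_ON_GREEN" = "on" ]` in all four places. The interface names are hard-coded as green0 and blue0, while the firewall init script works with GREEN_DEV (see the "-i GREEN_DEV" comment in the next hunk); read them from the ethernet settings and skip the BLUE rules when BLUE_DEV is empty instead of adding rules for a device that does not exist. The comment before the last block says 'DNS REDIRECTs on BLUE' but the block handles NTP (UDP/123). `iptables -t nat -F DNS_NTP_REDIRECT` fails if the chain has not been created yet, so the script only works after iptables_init has run; a guard such as `iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null` before the flush would make it safe to call on its own. Two caveats the description should state: only plain DNS on port 53 and NTP on UDP/123 are matched, so clients using DNS over TLS (853) or DNS over HTTPS (443) are not forced to the firewall, and there is no way to exempt a host (e.g. an internal resolver on GREEN that must forward upstream); a `-j RETURN` rule for such hosts ahead of the REDIRECTs would cover that. Finally, the file lives in init.d but has no start/stop/status handling and is not linked into a runlevel, so it is a helper script rather than an init script.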
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 65f1c979b..43ae74113 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -169,6 +169,10 @@ iptables_init() {
# Fix for braindead ISPs
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ # DNS / NTP REDIRECT
+ iptables -t nat -N DNS_NTP_REDIRECT
+ iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
+
# CUSTOM chains, can be used by the users themselves
iptables -N CUSTOMINPUT
iptables -A INPUT -j CUSTOMINPUT
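Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM chains are created just below, so it precedes anything a user adds to a custom PREROUTING chain. That avoids collisions with custom rules, as the commit message intends, but it also means a user cannot exempt a host from the redirect with a custom rule, because the REDIRECT has already matched by then. Either document that or jump to DNS_NTP_REDIRECT after the custom chain so that local exceptions still work.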
@@ -281,7 +285,7 @@ iptables_init() {
iptables -A INPUT -j LOCATIONBLOCK
iptables -A FORWARD -j LOCATIONBLOCK
- # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
+ # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
iptables -N IPSECINPUT
iptables -N IPSECFORWARD
iptables -N IPSECOUTPUT
@@ -389,6 +393,9 @@ iptables_init() {
# run captivectrl
/usr/local/bin/captivectrl
+ # run dnsntpctrl
+ /usr/local/bin/dnsntpctrl
+
# POLICY CHAIN
iptables -N POLICYIN
iptables -A INPUT -j POLICYIN
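Review bot: iptables_init already runs as root, so calling the setuid wrapper /usr/local/bin/dnsntpctrl here only adds a process hop and, through the wrapper's redirect, hides the script's output; invoking /etc/rc.d/init.d/dnsntp directly (or putting the few rules into this function) avoids depending on a SUID binary from inside the firewall start-up, which the commit message itself calls an unnecessary detour. Since this runs on every iptables_init, if firewallctrl re-runs this function the CGI's own call to dnsntpctrl is redundant and the rules are applied twice (harmless only because the chain is flushed first).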
diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
index 7c3ef7529..6f2733ef0 100644
--- a/src/misc-progs/Makefile
+++ b/src/misc-progs/Makefile
@@ -26,7 +26,7 @@ PROGS = iowrap
SUID_PROGS = squidctrl sshctrl ipfirereboot \
ipsecctrl timectrl dhcpctrl suricatactrl \
rebuildhosts backupctrl collectdctrl \
- logwatch wioscan wiohelper openvpnctrl firewallctrl \
+ logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
wirelessctrl getipstat qosctrl \
redctrl syslogdctrl extrahdctrl sambactrl \
smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
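Review bot: every entry in SUID_PROGS is a root-setuid binary reachable by the web server user. dnsntpctrl takes no arguments and runs a fixed path, so the added exposure is small, but it exists only to let optionsfw.cgi reach the init script; firewallctrl is already in this list and is already invoked by the same CGI, so having the firewall reload run dnsntp would avoid a new SUID binary altogether.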
diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
new file mode 100644
index 000000000..f2a3b89e3
--- /dev/null
+++ b/src/misc-progs/dnsntpctrl.c
@@ -0,0 +1,19 @@
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence. See the file COPYING for details.
+ *
+ */
+
+#include <stdlib.h>
+#include "setuid.h"
+
+int main(void)
+{
+ if (!(initsetuid()))
+ exit(1);
+
+ safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
+
+ return 0;
+}
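Review bot: main() always returns 0, so a failing iptables command inside the init script is invisible to the caller; return what safe_system() reports instead of a constant, so optionsfw.cgi can check the exit status. The `>/dev/null 2>&1` here duplicates the redirect the CGI already applies; keep it in one place, preferably here, since the script is also called from iptables_init.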
--
2.18.0
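As an added example (editor's code, not part of Matthias Fischer's patch or of IPFire): the rule set described above, generated by a small POSIX sh function that reads an optionsfw-style settings file, takes the interface names from an ethernet-style settings file instead of hard-coding green0/blue0, treats a missing or non-'on' value as off, and lets a hypothetical DNS_NTP_EXEMPT list keep selected hosts on their own resolvers. The DNS_NTP_EXEMPT key, the load_settings helper and the two sample files are assumptions made for the demonstration; the function only prints the iptables commands so the result can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not IPFire code: print the DNS_NTP_REDIRECT rules for a
# given settings pair instead of applying them. Assumptions: a settings file
# in KEY=VALUE form like /var/ipfire/optionsfw/settings, an ethernet-style
# file carrying GREEN_DEV/BLUE_DEV, and a made-up DNS_NTP_EXEMPT key listing
# hosts (space separated) that must keep reaching their own DNS/NTP servers.

# Read KEY=VALUE lines into shell variables. Keys are restricted to
# [A-Za-z0-9_] before the eval, comments and blank lines are skipped.
# (Stand-in for IPFire's readhash helper; not the project's code.)
load_settings() {
    while IFS='=' read -r key value; do
        case "$key" in
            ''|'#'*) continue ;;
            *[!A-Za-z0-9_]*) continue ;;
        esac
        eval "$key=\"\$value\""
    done < "$1"
}

# Emit the rules for one interface.
# $1 = device name (empty means the zone does not exist: emit nothing)
# $2 = DNS flag, $3 = NTP flag (anything but "on" is off, so a missing key
#      on an updated system fails closed), $4 = exempt hosts
emit_rules() {
    dev=$1; dns=$2; ntp=$3; exempt=$4
    [ -n "$dev" ] || return 0
    # Exemptions go first: a RETURN before the REDIRECTs leaves the packet
    # untouched, e.g. for an internal resolver that forwards upstream.
    for host in $exempt; do
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -s $host -j RETURN"
    done
    if [ "$dns" = "on" ]; then
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p udp --dport 53 -j REDIRECT"
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p tcp --dport 53 -j REDIRECT"
    fi
    if [ "$ntp" = "on" ]; then
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p udp --dport 123 -j REDIRECT"
    fi
}

# $1 = optionsfw-style settings file, $2 = ethernet-style settings file.
# Prints the flush followed by the rules, in the order they would be applied.
gen_rules() {
    DNS_FORCE_ON_GREEN=; DNS_FORCE_ON_BLUE=; NTP_FORCE_ON_GREEN=; NTP_FORCE_ON_BLUE=
    GREEN_DEV=; BLUE_DEV=; DNS_NTP_EXEMPT=
    load_settings "$1"
    load_settings "$2"
    echo "iptables -t nat -F DNS_NTP_REDIRECT"
    emit_rules "$GREEN_DEV" "$DNS_FORCE_ON_GREEN" "$NTP_FORCE_ON_GREEN" "$DNS_NTP_EXEMPT"
    emit_rules "$BLUE_DEV"  "$DNS_FORCE_ON_BLUE"  "$NTP_FORCE_ON_BLUE"  "$DNS_NTP_EXEMPT"
}

# Constructed sample input (not a real configuration): DNS and NTP forced on
# GREEN, DNS "forced" on a BLUE zone that is not configured (BLUE_DEV empty),
# NTP_FORCE_ON_BLUE absent, one exempt host.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/optionsfw" <<'EOF'
DNS_FORCE_ON_GREEN=on
NTP_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=on
DNS_NTP_EXEMPT=192.168.1.10
EOF
    cat > "$tmp/ethernet" <<'EOF'
GREEN_DEV=green0
BLUE_DEV=
EOF
    gen_rules "$tmp/optionsfw" "$tmp/ethernet"
    rm -rf "$tmp"
}

case "${1:-}" in --demo) demo ;; esac
```

Run with `sh gen-dnsntp.sh --demo` (any file name; the name is not part of the patch) to see the five commands the sample produces: the flush, one RETURN for 192.168.1.10, two DNS REDIRECTs and one NTP REDIRECT, all on green0 and none for BLUE. Piping the output into `sh` applies it; the point of printing first is that the rule order, and in particular the exemptions ahead of the REDIRECTs, can be checked before touching the nat table.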
Thread overview: 11+ messages
2021-03-05 19:40 Matthias Fischer [this message]
2021-03-05 20:45 ` Aw: " Bernhard Bitsch
2021-03-05 22:49 ` Matthias Fischer
2021-03-06 19:47 ` Aw: " Bernhard Bitsch
2021-03-29 21:34 ` Jon Murphy
2021-04-01 10:22 ` Michael Tremer
2021-05-30 15:51 ` Matthias Fischer
2021-04-01 10:29 ` Michael Tremer
2021-04-01 23:18 ` Matthias Fischer
2021-04-07 20:47 ` Michael Tremer
2021-03-06 21:15 Aw: " Bernhard Bitsch
2021-03-06 21:29 ` Jon Murphy