From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] (V4) Forcing DNS/NTP
Date: Thu, 10 Jun 2021 18:57:12 +0200 [thread overview]
Message-ID: <223f1a00-f68b-ca8b-2b6d-8bc4db18a5bd@ipfire.org> (raw)
In-Reply-To: <82380693-7086-4464-B83D-717C8AB3599F@ipfire.org>
Hi,
many thanks for the discussion, I see a bit clearer now... ;-)
I added my comments and the last status below.
On 10.06.2021 11:16, Michael Tremer wrote:
> Hello,
>
>> On 4 Jun 2021, at 13:17, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> There was not much feedback on the list, so I'm sending this now. This is V4 - open for
>> discussion, opinions or (perhaps ;-) ) changes:
>>
>> Originally triggered by:
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>
>> Discussion:
>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>
>> Could fix(?):
>> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
>>
>> Changelog since V3:
>>
>> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>> values are read from '/var/ipfire/ethernet/settings', thanks
>> to "someone" for the hint (sorry, I didn't find the author)! ;-)
>>
>> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
>>
>> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>> handled through RETURN rules, others through REDIRECT.
>>
>> Background (cited from BB, 06.03.2021):
>> "Concerning performance, we want to minimize the rule set to the amount
>> really necessary. On the other hand, it may be quicker to do just
>> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
>> to IPFire) should be nearly 100%. DNS and NTP servers are published
>> by DHCP or should be configured in the static case."
>>
>> I made it that way. Statistics during the last 62 days show that this
>> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
>> everyone could take a look.
>>
>> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
>>
>> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
>> '# WIRELESS chains'
>>
>> Summary and functionality:
>> These patches are controlled through "Firewall Options". They add new
>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>> They activate/deactivate appropriate RETURN and REDIRECT rules through
>> a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>> ('/etc/rc.d/init.d/dnsntp').
>>
>> Default of all new rules is OFF (set in 'lfs/configroot').
Fixed in upcoming V5 [Thanks ML ;-) ]:
'lfs/configroot' is not needed anymore.
For this I added in 'optionsfw.cgi' at the right place:
...
if (!$settings{'NTP_FORCE_ON_GREEN'}) {
$settings{'NTP_FORCE_ON_GREEN'}="off" };
if (!$settings{'NTP_FORCE_ON_BLUE'}) {
$settings{'NTP_FORCE_ON_BLUE'}="off" };
...
and so on ...
>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>> servers specified in IPFire.
>>
>> Flaw/ToDo:
>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>> init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>> capabilities, perhaps "someone" else knows how to program this.
>>
>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
Fixed in upcoming V5:
I removed all "color=\'#..." translation strings and now use "<font
color= ...>" in 'optionsfw.cgi'. Looks the same. Only two new lang
strings are now necessary.
[Thanks to ML - again... ;-) ]
>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>> the respective interface actually exists.
>> E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>> for 'DNS/NTP on BLUE' or logging options for BLUE available.
>> Added text colors for better readability.
>> Separated logging options per interface.
>>
>> No reboot required:
>> Rules can be switched ON/OFF without rebooting IPFire.
>> Changes immediately take effect after clicking 'Save'.
This requires the call of 'dnsntpctrl' in 'optionsfw.cgi'. Until now.
See below.
>> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
>> Fixed a 'trafic' typo.
>> To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
>> chain: 'DNS_NTP_REDIRECT'.
>> This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
>>
>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> ---
>> config/rootfiles/common/misc-progs | 1 +
>> html/cgi-bin/optionsfw.cgi | 90 ++++++++++++++++++++++++------
>> langs/de/cgi-bin/de.pl | 15 +++--
>> langs/en/cgi-bin/en.pl | 15 +++--
>> lfs/configroot | 6 +-
>> src/initscripts/system/dnsntp | 43 ++++++++++++++
>> src/initscripts/system/firewall | 9 ++-
>> src/misc-progs/Makefile | 2 +-
>> src/misc-progs/dnsntpctrl.c | 19 +++++++
>> 9 files changed, 171 insertions(+), 29 deletions(-)
>> create mode 100644 src/initscripts/system/dnsntp
>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>
>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>> index d6594b3f8..4bcb94812 100644
>> --- a/config/rootfiles/common/misc-progs
>> +++ b/config/rootfiles/common/misc-progs
>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>> usr/local/bin/collectdctrl
>> usr/local/bin/ddnsctrl
>> usr/local/bin/dhcpctrl
>> +usr/local/bin/dnsntpctrl
>> usr/local/bin/extrahdctrl
>> usr/local/bin/fireinfoctrl
>> usr/local/bin/firewallctrl
>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> index 321642e82..2059a03b3 100644
>> --- a/html/cgi-bin/optionsfw.cgi
>> +++ b/html/cgi-bin/optionsfw.cgi
>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> $errormessage .= $Lang::tr{'new optionsfw later'};
>> &General::writehash($filename, \%settings); # Save good settings
>> system("/usr/local/bin/firewallctrl");
>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> }else{
>> if ($settings{'POLICY'} ne ''){
>> $fwdfwsettings{'POLICY'} = $settings{'POLICY'};
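Review bot: the exit status of the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` call is ignored and all of its output is sent to /dev/null, so a failure to apply the RETURN/REDIRECT rules is invisible to the user who just clicked Save. `system()` returns the wait status; check it and append a message to `$errormessage`, the way the line above does for 'new optionsfw later'.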
>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> system("/usr/local/bin/firewallctrl");
>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> }
>
> Isn’t calling dnsntpctrl redundant here? It is already being called in the firewall initscript.
Just tested this. I must call 'dnsntpctrl' here. Without it, the needed
rule changes are not applied immediately and you need to restart
'/etc/rc.d/init.d/firewall' through console.
>
>> &General::readhash($filename, \%settings); # Load good settings
>> }
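Review bot: the dnsntpctrl call is now duplicated in both branches of the if/else (here and in the hunk above), right after the two identical `firewallctrl` calls; hoisting one call below the if/else keeps the two from drifting apart. On the redundancy question raised above: the firewall initscript only runs dnsntpctrl inside `iptables_init`, so the CGI does need its own call to apply a changed setting without a firewall restart, which matches the test result reported in the reply.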
>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>
>> &Header::openbox('100%', 'center',);
>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
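Review bot: when one of the four new keys is missing from optionsfw/settings (an existing installation that never got the new lfs/configroot defaults), `$settings{'DNS_FORCE_ON_GREEN'}` is undef, so `$checked{'DNS_FORCE_ON_GREEN'}{''}` receives the checked marker and neither radio button is selected in the form. Default each key to 'off' before this block, e.g. `$settings{'DNS_FORCE_ON_GREEN'} = 'off' unless $settings{'DNS_FORCE_ON_GREEN'};`, which also makes the lfs/configroot change unnecessary. The twelve near-identical lines could be a loop over the four key names.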
>> @@ -189,13 +203,44 @@ END
>> END
>> }
>>
>> - print <<END
>> +print <<END;
>> + <table width='95%' cellspacing='0'>
>> + <tr bgcolor='$color{'color20'}'></tr>
>> + <tr> </tr>
>> + <td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>> + </tr>
>> + <tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> + <input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> + <tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> + <input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +END
>> +
>> + if (&Header::blue_used()) {
>> + print <<END;
>> + <table width='95%' cellspacing='0'>
>> + <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> + <tr> </tr>
>> + <tr>
>> + <tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> + <input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> + <tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> + <input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> + <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> + <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> + <tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> + <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> + </td>
>> + </tr>
>> +END
>> + }
>> +
>> + print <<END;
>> </table>
>>
>> - <br>
>> + <br />
>>
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> + <table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>> <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
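Review bot: the GREEN header rows `<tr bgcolor='$color{'color20'}'></tr>`, `<tr> </tr>` and the following `<td colspan='2' ...>` outside any `<tr>` are malformed; they should be the single row used for BLUE: `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`. The BLUE block also opens a second `<table width='95%' cellspacing='0'>` while the GREEN table is still open, and the one `</table>` printed afterwards closes only one of them, so the table nesting differs depending on blue_used(); the stray `<tr> </tr>`, `<tr>` and `</td>` in the BLUE block should go as well. Browsers recover from this, but the markup should be balanced in both cases.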
>> @@ -206,21 +251,30 @@ END
>> <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>> <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> +END
>> +
>> + if (&Header::blue_used()) {
>> + print <<END;
>> + </table>
>> +
>> + <br />
>> +
>> + <table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> + <tr>
>> + <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> <input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> + <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br/>
>> + </tr>
>> +END
>> + }
>> +
>> + print <<END;
>> + </table>
>> +
>> + <br />
>>
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> - <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> - <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br>
>> <table width='95%' cellspacing='0'>
>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
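Review bot: in the BLUE logging block the lone `<tr>` before the 'drop wirelessinput' row and the `</tr>` after the 'drop wirelessforward' row are unmatched and should be dropped; each row already opens and closes its own `<tr>`. The `</table>` placement otherwise works out: with blue_used() the RED table is closed before the BLUE one opens, without it the single trailing `</table>` closes the RED table.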
>> @@ -252,7 +306,7 @@ END
>>
>> <br />
>> <table width='100%' cellspacing='0'>
>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>> </form></td></tr>
>> </table>
>> @@ -278,7 +332,7 @@ print <<END;
>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>> END
>> print "</tr></table></form>";
>> - print"<br><br>";
>> + print"<br /><br />";
>> print <<END;
>> <form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> <table width='100%' border='0'>
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 0bc579cd2..51e65b903 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -835,6 +835,8 @@
>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>> +'dns force on blue' => 'Erzwinge lokale DNS-Server',
>> +'dns force on green' => 'Erzwinge lokale DNS-Server',
>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
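Review bot: 'dns force on blue' and 'dns force on green' carry the identical string 'Erzwinge lokale DNS-Server' (the same holds for the ntp entries below and for en.pl). Since the section heading already names the interface, one key such as 'dns force' would do and halves the strings translators have to maintain.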
>> @@ -1101,9 +1103,12 @@
>> 'from email server' => 'Von E-Mail-Server',
>> 'from email user' => 'Von E-Mail-Benutzer',
>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
Removed (here and in en.pl):
>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>> 'fw default drop' => 'Firewallrichtlinie',
Removed:
>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>> 'fw logging' => 'Firewallprotokollierung',
Removed:
>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>> 'fw settings' => 'Firewalleinstellungen',
>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
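Review bot: the `<font color=...>` markup inside translation strings puts presentation into every language file and needs the `\'` escaping in each of them; the reply above already moves the colouring back into optionsfw.cgi for V5, which is the right place for it.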
>> @@ -1643,9 +1648,9 @@
>> 'map to guest' => 'Map to Guest',
>> 'march' => 'März',
>> 'marked' => 'Markiert',
>> -'masquerade blue' => 'NAT auf BLAU',
>> -'masquerade green' => 'NAT auf GRÜN',
>> -'masquerade orange' => 'NAT auf ORANGE',
Removed/changed:
>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
This is still not quite clear to me, before (and after) we removed the
ALGs => possible "ToDo":
Which option changes require a restart? I think we should mark these,
because whichever option you change, the warning message appears,
whether a restart is needed or not.
Best,
Matthias
>> 'masquerading' => 'Masquerading/NAT',
>> 'masquerading disabled' => 'NAT ausgeschaltet',
>> 'masquerading enabled' => 'NAT eingeschaltet',
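Review bot: `color =\'#FF9933\'` in the 'masquerade orange' line has a space before `=` that the blue and green lines (and en.pl) do not have; harmless for browsers, but inconsistent. Moot for V5 if these coloured strings are dropped again as the reply says.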
>> @@ -1813,6 +1818,8 @@
>> 'november' => 'November',
>> 'ntp common settings' => 'Allgemeine Einstellungen',
>> 'ntp configuration' => 'Zeitserverkonfiguration',
>> +'ntp force on blue' => 'Erzwinge lokale NTP-Server',
>> +'ntp force on green' => 'Erzwinge lokale NTP-Server',
>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>> 'ntp server' => 'NTP-Server',
>> 'ntp sync' => 'Synchronisation',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index 1c69b3798..390b2d026 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -858,6 +858,8 @@
>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>> +'dns force on blue' => 'Force DNS to use local DNS servers',
>> +'dns force on green' => 'Force DNS to use local DNS servers',
>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>> @@ -1128,9 +1130,12 @@
>> 'from email server' => 'From Email server',
>> 'from email user' => 'From e-mail user',
>> 'from warn email bad' => 'From e-mail address is not valid',
>> -'fw blue' => 'Firewall options for BLUE interface',
>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>> 'fw default drop' => 'Firewall policy',
>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>> 'fw logging' => 'Firewall logging',
>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>> 'fw settings' => 'Firewall settings',
>> 'fw settings color' => 'Show colors in ruletable',
>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
>> @@ -1675,9 +1680,9 @@
>> 'map to guest' => 'Map to Guest',
>> 'march' => 'March',
>> 'marked' => 'Marked',
>> -'masquerade blue' => 'Masquerade BLUE',
>> -'masquerade green' => 'Masquerade GREEN',
>> -'masquerade orange' => 'Masquerade ORANGE',
>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>> 'masquerading' => 'Masquerading',
>> 'masquerading disabled' => 'Masquerading disabled',
>> 'masquerading enabled' => 'Masquerading enabled',
>> @@ -1847,6 +1852,8 @@
>> 'november' => 'November',
>> 'ntp common settings' => 'Common settings',
>> 'ntp configuration' => 'NTP Configuration',
>> +'ntp force on blue' => 'Force NTP to use local NTP servers',
>> +'ntp force on green' => 'Force NTP to use local NTP servers',
>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>> 'ntp server' => 'NTP Server',
>> 'ntp sync' => 'Synchronization',
>> diff --git a/lfs/configroot b/lfs/configroot
>> index c528bd6d9..6cc376ff0 100644
>> --- a/lfs/configroot
>> +++ b/lfs/configroot
>> @@ -1,7 +1,7 @@
>> ###############################################################################
>> # #
>> # IPFire.org - A linux based firewall #
>> -# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> #
>> +# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> #
>> # #
>> # This program is free software: you can redistribute it and/or modify #
>> # it under the terms of the GNU General Public License as published by #
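Review bot: the copyright line goes backwards from `2007-2021` to `2007-2018`, which looks like a rebase onto a stale copy of the file rather than an intended change; drop this hunk.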
>> @@ -129,6 +129,10 @@ $(TARGET) :
>> echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
>> echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
>> echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
>> + echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
>> + echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
>> + echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
>> + echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
>> echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
>> echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
>> echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
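Review bot: these four `echo ... >> $(CONFIG_ROOT)/optionsfw/settings` defaults are written when the config root is built and do not reach settings files that already exist, so on updated installations the keys will simply be absent. Whatever reads them (optionsfw.cgi and the dnsntp script) therefore has to treat a missing key as 'off' anyway; the reply above says V5 does exactly that and drops this hunk.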
>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>> new file mode 100644
>> index 000000000..54fdfc685
>> --- /dev/null
>> +++ b/src/initscripts/system/dnsntp
>> @@ -0,0 +1,43 @@
>> +#!/bin/sh
>> +########################################################################
>> +# Begin $rc_base/init.d/dnsntp
>> +#
>> +# Description : dnsntp init script for DNS/NTP rules only
>> +#
>> +########################################################################
>> +
>> +# flush chain
>> +iptables -t nat -F DNS_NTP_REDIRECT
>> +
>> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> +
>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>> +fi
>> +
>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
>> +fi
>> +
>> +# End $rc_base/init.d/dnsntp
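Review bot: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` (and the three other tests) use the bash-only `==` under a `#!/bin/sh` shebang; use `=` so the script also runs where /bin/sh is not bash. The comment above the NTP_FORCE_ON_BLUE block reads 'Force DNS REDIRECTs on BLUE (udp, 123)' but the rules are NTP. Two further points: `iptables -t nat -F DNS_NTP_REDIRECT` fails if the script runs before the firewall initscript has created the chain, so check for the chain first; and the description 'REDIRECT all DNS and NTP requests' holds only for plain port 53/123 traffic, which is all these rules match, so the commit message should say that DNS over TLS/HTTPS on other ports is not covered.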
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 1e558ee86..047946a86 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -218,7 +218,7 @@ iptables_init() {
>> iptables -A INPUT -j LOCATIONBLOCK
>> iptables -A FORWARD -j LOCATIONBLOCK
>>
>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> iptables -N IPSECINPUT
>> iptables -N IPSECFORWARD
>> iptables -N IPSECOUTPUT
>> @@ -242,6 +242,10 @@ iptables_init() {
>> iptables -N WIRELESSFORWARD
>> iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
>>
>> + # Redirecting DNS and NTP requests
>> + iptables -t nat -N DNS_NTP_REDIRECT
>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> +
>> # OpenVPN
>> iptables -N OVPNINPUT
>> iptables -A INPUT -j OVPNINPUT
>> @@ -320,6 +324,9 @@ iptables_init() {
>> # run captivectrl
>> /usr/local/bin/captivectrl
>>
>> + # run dnsntpctrl
>> + /usr/local/bin/dnsntpctrl
>> +
>> # POLICY CHAIN
>> iptables -N POLICYIN
>> iptables -A INPUT -j POLICYIN
>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> index 7c3ef7529..229d122d6 100644
>> --- a/src/misc-progs/Makefile
>> +++ b/src/misc-progs/Makefile
>> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
>> wirelessctrl getipstat qosctrl \
>> redctrl syslogdctrl extrahdctrl sambactrl \
>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> - setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
>> + setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
>> getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
>> captivectrl
>>
>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>> new file mode 100644
>> index 000000000..f2a3b89e3
>> --- /dev/null
>> +++ b/src/misc-progs/dnsntpctrl.c
>> @@ -0,0 +1,19 @@
>> +/* This file is part of the IPFire Firewall.
>> + *
>> + * This program is distributed under the terms of the GNU General Public
>> + * Licence. See the file COPYING for details.
>> + *
>> + */
>> +
>> +#include <stdlib.h>
>> +#include "setuid.h"
>> +
>> +int main(void)
>> +{
>> + if (!(initsetuid()))
>> + exit(1);
>> +
>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> +
>> + return 0;
>> +}
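Review bot: `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1")` discards the script's output and its return value, and the caller in optionsfw.cgi redirects to /dev/null a second time, so an iptables error inside dnsntp can never surface. Return the status of safe_system() from main() so that the CGI and the firewall initscript can at least report a non-zero exit.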
>> --
>> 2.18.0
>>
>
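The RETURN-before-REDIRECT scheme from the summary above, as an added shell example that is not part of the patch or of IPFire: it folds the four per-interface blocks of the dnsntp script into one function and adds a dry-run mode (IPT="echo iptables") so the generated rule set can be inspected on any host. Variable names follow the patch; the addresses in the demo are constructed.

```sh
#!/bin/sh
# Added example, not part of the patch: the per-interface RETURN/REDIRECT
# blocks of the dnsntp script written once as a function, plus a dry-run
# mode so the rule set can be checked on a host without iptables.
# GREEN_DEV, GREEN_ADDRESS, DNS_FORCE_ON_GREEN, ... are the names the patch
# loads via readhash; here they are plain shell variables.

CHAIN="DNS_NTP_REDIRECT"
IPT="${IPT:-iptables}"      # set IPT="echo iptables" for a dry run

# force_service DEV ADDR PROTO SERVICE
# Well-behaved clients that address the firewall itself (-d ADDR) hit the
# RETURN rule and leave the chain untouched; everything else on that port is
# REDIRECTed to the firewall. Order matters: iptables takes the first
# matching rule, so the RETURN is appended before the REDIRECT.
force_service() {
    dev="$1"; addr="$2"; proto="$3"; svc="$4"
    $IPT -t nat -A "$CHAIN" -i "$dev" -d "$addr" -p "$proto" -m "$proto" --dport "$svc" -j RETURN
    $IPT -t nat -A "$CHAIN" -i "$dev" -p "$proto" -m "$proto" --dport "$svc" -j REDIRECT
}

# apply_forced_rules: flush the chain, then rebuild it from the
# DNS_FORCE_ON_*/NTP_FORCE_ON_* switches. A missing key counts as "off",
# and a zone whose *_DEV is empty (no BLUE interface) is skipped.
apply_forced_rules() {
    $IPT -t nat -F "$CHAIN"
    for zone in GREEN BLUE; do
        eval "dev=\${${zone}_DEV:-}; addr=\${${zone}_ADDRESS:-}"
        eval "dns=\${DNS_FORCE_ON_${zone}:-off}; ntp=\${NTP_FORCE_ON_${zone}:-off}"
        [ -n "$dev" ] || continue
        if [ "$dns" = "on" ]; then
            force_service "$dev" "$addr" udp domain   # DNS over UDP/53
            force_service "$dev" "$addr" tcp domain   # DNS over TCP/53
        fi
        if [ "$ntp" = "on" ]; then
            force_service "$dev" "$addr" udp ntp      # NTP is UDP/123 only
        fi
    done
}

# Dry-run helpers: print the iptables commands instead of executing them.
rule_list()  { ( IPT="echo iptables"; apply_forced_rules ); }
rule_count() { rule_list | grep -c -- ' -A '; }

# Demo with constructed values: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ( GREEN_DEV=green0; GREEN_ADDRESS=192.168.0.1
      DNS_FORCE_ON_GREEN=on; NTP_FORCE_ON_GREEN=on
      rule_list )
fi
```

With only GREEN forcing enabled the dry run prints the flush plus six rules, three RETURN/REDIRECT pairs; enabling BLUE DNS adds four more.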