Hi,

many thanks for the discussion, I see a bit clearer now... ;-) I added my comments and the last status below.

On 10.06.2021 11:16, Michael Tremer wrote:
> Hello,
>
>> On 4 Jun 2021, at 13:17, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> There was not much feedback on the list, so I send this now. This is V4 - open for
>> discussion, opinions or (perhaps ;-) ) changes:
>>
>> Originally triggered by:
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>
>> Discussion:
>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>
>> Could fix(?):
>> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
>>
>> Changelog since V3:
>>
>> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>> values are read from '/var/ipfire/ethernet/settings', thanks
>> to "someone" for the hint (sorry, I didn't find the author)! ;-)
>>
>> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
>>
>> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>> handled through RETURN rules, others through REDIRECT.
>>
>> Background (cited from BB, 06.03.2021):
>> "Concerning performance, we want to minimize the rule set to the amount
>> really necessary. On the other hand, it may be quicker to do just
>> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
>> to IPFire) should be nearly 100%. DNS and NTP servers are published
>> by DHCP or should be configured in the static case."
>>
>> I made it that way. Statistics during the last 62 days show that this
>> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
>> everyone could take a look.
>>
>> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
>>
>> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
>> '# WIRELESS chains'
>>
>> Summary and functionality:
>> These patches are controlled through "Firewall Options".
>> They add new
>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>> They activate/deactivate appropriate RETURN and REDIRECT rules through
>> a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>> ('/etc/rc.d/init.d/dnsntp').
>>
>> Default of all new rules is OFF (set in 'lfs/configroot').

Fixed in upcoming V5 [Thanks ML ;-) ]: 'lfs/configroot' is not needed anymore.
For this I added in 'optionsfw.cgi' at the right place:

...
if (!$settings{'NTP_FORCE_ON_GREEN'}) { $settings{'NTP_FORCE_ON_GREEN'}="off" };
if (!$settings{'NTP_FORCE_ON_BLUE'}) { $settings{'NTP_FORCE_ON_BLUE'}="off" };
...
and so on
...

>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>> servers specified in IPFire.
>>
>> Flaw/ToDo:
>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>> init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>> capabilities, perhaps "someone" else knows how to program this.
>>
>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:

Fixed in upcoming V5: I removed all "color=\'#..." translation strings and now use "<font color= ...>" in 'optionsfw.cgi'. Looks the same. Only two new lang strings are now necessary. [Thanks to ML - again... ;-) ]

>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>> the respective interface actually exists.
>> E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>> for 'DNS/NTP on BLUE' or logging options for BLUE available.
>> Added text colors for better readability.
>> Separated logging options per interface.
>>
>> No reboot required:
>> Rules can be switched ON/OFF without rebooting IPFire.
>> Changes immediately take effect after clicking 'Save'.

This requires the call of 'dnsntpctrl' in 'optionsfw.cgi'. Until now. See below.
>> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl': >> Fixed a 'trafic' typo. >> To avoid collisions with existing CUSTOM rules, I added a new PREROUTING >> chain: 'DNS_NTP_REDIRECT'. >> This chain is flushed by 'dnsntpctrl' prior applying the choosen settings. >> >> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> >> --- >> config/rootfiles/common/misc-progs | 1 + >> html/cgi-bin/optionsfw.cgi | 90 ++++++++++++++++++++++++------ >> langs/de/cgi-bin/de.pl | 15 +++-- >> langs/en/cgi-bin/en.pl | 15 +++-- >> lfs/configroot | 6 +- >> src/initscripts/system/dnsntp | 43 ++++++++++++++ >> src/initscripts/system/firewall | 9 ++- >> src/misc-progs/Makefile | 2 +- >> src/misc-progs/dnsntpctrl.c | 19 +++++++ >> 9 files changed, 171 insertions(+), 29 deletions(-) >> create mode 100644 src/initscripts/system/dnsntp >> create mode 100644 src/misc-progs/dnsntpctrl.c >> >> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs >> index d6594b3f8..4bcb94812 100644 >> --- a/config/rootfiles/common/misc-progs >> +++ b/config/rootfiles/common/misc-progs >> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl >> usr/local/bin/collectdctrl >> usr/local/bin/ddnsctrl >> usr/local/bin/dhcpctrl >> +usr/local/bin/dnsntpctrl >> usr/local/bin/extrahdctrl >> usr/local/bin/fireinfoctrl >> usr/local/bin/firewallctrl >> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi >> index 321642e82..2059a03b3 100644 >> --- a/html/cgi-bin/optionsfw.cgi >> +++ b/html/cgi-bin/optionsfw.cgi >> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >> $errormessage .= $Lang::tr{'new optionsfw later'}; >> &General::writehash($filename, \%settings); # Save good settings >> system("/usr/local/bin/firewallctrl"); >> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >> }else{ >> if ($settings{'POLICY'} ne ''){ >> $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; 
>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings); >> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); >> system("/usr/local/bin/firewallctrl"); >> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >> } > > Isn’t calling dnsntpctrl redundant here? It is already being called in the firewall initscript. Just tested this. I must call 'dnsntpctrl' here. Without it, the needed rule changes are not applied immediately and you need to restart '/etc/rc.d/init.d/firewall' through console. > >> &General::readhash($filename, \%settings); # Load good settings >> } >> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele >> $selected{'MASQUERADE_BLUE'}{'off'} = ''; >> $selected{'MASQUERADE_BLUE'}{'on'} = ''; >> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; >> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = ''; >> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = ''; >> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"; >> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = ''; >> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = ''; >> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'"; >> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = ''; >> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = ''; >> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'"; >> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = ''; >> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = ''; >> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'"; >> >> &Header::openbox('100%', 'center',); >> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>"; 
>> @@ -189,13 +203,44 @@ END >> END >> } >> >> - print <<END >> +print <<END; >> + <table width='95%' cellspacing='0'> >> + <tr bgcolor='$color{'color20'}'></tr> >> + <tr> </tr> >> + <td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td> >> + </tr> >> + <tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/ >> + <input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr> >> + <tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/ >> + <input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr> >> +END >> + >> + if (&Header::blue_used()) { >> + print <<END; >> + <table width='95%' cellspacing='0'> >> + <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr> >> + <tr> </tr> >> + <tr> >> + <tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/ >> + <input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr> >> + <tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/ >> + <input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr> >> + <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' 
$checked{'DROPPROXY'}{'on'} />/ >> + <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr> >> + <tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/ >> + <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr> >> + </td> >> + </tr> >> +END >> + } >> + >> + print <<END; >> </table> >> >> - <br> >> + <br /> >> >> -<table width='95%' cellspacing='0'> >> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr> >> + <table width='95%' cellspacing='0'> >> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr> >> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/ >> <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr> >> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/ 
>> @@ -206,21 +251,30 @@ END >> <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr> >> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/ >> <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/ >> +END >> + >> + if (&Header::blue_used()) { >> + print <<END; >> + </table> >> + >> + <br /> >> + >> + <table width='95%' cellspacing='0'> >> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr> >> + <tr> >> + <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/ >> <input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/ >> + <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/ >> <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr> >> -</table> >> -<br/> >> + </tr> >> +END >> + } >> + >> + print <<END; >> + </table> >> + >> + <br /> >> >> -<table width='95%' cellspacing='0'> >> -<tr bgcolor='$color{'color20'}'><td colspan='2' 
align='left'><b>$Lang::tr{'fw blue'}</b></td></tr> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/ >> - <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/ >> - <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr> >> -</table> >> -<br> >> <table width='95%' cellspacing='0'> >> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr> >> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/ >> @@ -252,7 +306,7 @@ END >> >> <br /> >> <table width='100%' cellspacing='0'> >> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'> >> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> >> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /> >> </form></td></tr> >> </table> >> @@ -278,7 +332,7 @@ print <<END; >> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td> >> END >> print "</tr></table></form>"; >> - print"<br><br>"; >> + print"<br /><br />"; >> print <<END; >> <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> <table width='100%' border='0'> >> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >> index 0bc579cd2..51e65b903 100644 >> --- a/langs/de/cgi-bin/de.pl >> +++ b/langs/de/cgi-bin/de.pl 
>> @@ -835,6 +835,8 @@ >> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />', >> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', >> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.', >> +'dns force on blue' => 'Erzwinge lokale DNS-Server', >> +'dns force on green' => 'Erzwinge lokale DNS-Server', >> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', >> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', >> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', >> @@ -1101,9 +1103,12 @@ >> 'from email server' => 'Von E-Mail-Server', >> 'from email user' => 'Von E-Mail-Benutzer', >> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig', >> -'fw blue' => 'Firewalloptionen für das Blaue Interface', Removed (here and in en.pl): >> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface', >> 'fw default drop' => 'Firewallrichtlinie', Removed: >> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface', >> 'fw logging' => 'Firewallprotokollierung', Removed: >> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)', >> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)', >> 'fw settings' => 'Firewalleinstellungen', >> 'fw settings color' => 'Farben in Regeltabelle anzeigen', >> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', 
>> @@ -1643,9 +1648,9 @@ >> 'map to guest' => 'Map to Guest', >> 'march' => 'März', >> 'marked' => 'Markiert', >> -'masquerade blue' => 'NAT auf BLAU', >> -'masquerade green' => 'NAT auf GRÜN', >> -'masquerade orange' => 'NAT auf ORANGE', Removed/changed: >> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>', >> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>', >> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>', Which is still not quite clear to me before (and after) we removed the ALGs => possible "ToDo": Which option changes require a restart? I think we should mark these. Because whatever which option you change the warning message appears, restart needed or not. Best, Matthias >> 'masquerading' => 'Masquerading/NAT', >> 'masquerading disabled' => 'NAT ausgeschaltet', >> 'masquerading enabled' => 'NAT eingeschaltet', >> @@ -1813,6 +1818,8 @@ >> 'november' => 'November', >> 'ntp common settings' => 'Allgemeine Einstellungen', >> 'ntp configuration' => 'Zeitserverkonfiguration', >> +'ntp force on blue' => 'Erzwinge lokale NTP-Server', >> +'ntp force on green' => 'Erzwinge lokale NTP-Server', >> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.', >> 'ntp server' => 'NTP-Server', >> 'ntp sync' => 'Synchronisation', >> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >> index 1c69b3798..390b2d026 100644 >> --- a/langs/en/cgi-bin/en.pl >> +++ b/langs/en/cgi-bin/en.pl 
>> @@ -858,6 +858,8 @@ >> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.', >> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!', >> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.', >> +'dns force on blue' => 'Force DNS to use local DNS servers', >> +'dns force on green' => 'Force DNS to use local DNS servers', >> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', >> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', >> 'dns header' => 'Assign DNS server addresses only for DHCP on red0', >> @@ -1128,9 +1130,12 @@ >> 'from email server' => 'From Email server', >> 'from email user' => 'From e-mail user', >> 'from warn email bad' => 'From e-mail address is not valid', >> -'fw blue' => 'Firewall options for BLUE interface', >> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface', >> 'fw default drop' => 'Firewall policy', >> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface', >> 'fw logging' => 'Firewall logging', >> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)', >> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)', >> 'fw settings' => 'Firewall settings', >> 'fw settings color' => 'Show colors in ruletable', >> 'fw settings dropdown' => 'Show all networks on rulecreation site', 
>> @@ -1675,9 +1680,9 @@ >> 'map to guest' => 'Map to Guest', >> 'march' => 'March', >> 'marked' => 'Marked', >> -'masquerade blue' => 'Masquerade BLUE', >> -'masquerade green' => 'Masquerade GREEN', >> -'masquerade orange' => 'Masquerade ORANGE', >> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>', >> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>', >> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>', >> 'masquerading' => 'Masquerading', >> 'masquerading disabled' => 'Masquerading disabled', >> 'masquerading enabled' => 'Masquerading enabled', >> @@ -1847,6 +1852,8 @@ >> 'november' => 'November', >> 'ntp common settings' => 'Common settings', >> 'ntp configuration' => 'NTP Configuration', >> +'ntp force on blue' => 'Force NTP to use local NTP servers', >> +'ntp force on green' => 'Force NTP to use local NTP servers', >> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.', >> 'ntp server' => 'NTP Server', >> 'ntp sync' => 'Synchronization', >> diff --git a/lfs/configroot b/lfs/configroot >> index c528bd6d9..6cc376ff0 100644 >> --- a/lfs/configroot >> +++ b/lfs/configroot >> @@ -1,7 +1,7 @@ >> ############################################################################### >> # # >> # IPFire.org - A linux based firewall # >> -# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> # >> +# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # >> # # >> # This program is free software: you can redistribute it and/or modify # >> # it under the terms of the GNU General Public License as published by # 
>> @@ -129,6 +129,10 @@ $(TARGET) : >> echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings >> echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings >> echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings >> + echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings >> + echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings >> + echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings >> + echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings >> echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings >> echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings >> echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings >> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp >> new file mode 100644 >> index 000000000..54fdfc685 >> --- /dev/null >> +++ b/src/initscripts/system/dnsntp 
>> @@ -0,0 +1,43 @@ >> +#!/bin/sh >> +######################################################################## >> +# Begin $rc_base/init.d/dnsntp >> +# >> +# Description : dnsntp init script for DNS/NTP rules only >> +# >> +######################################################################## >> + >> +# flush chain >> +iptables -t nat -F DNS_NTP_REDIRECT >> + >> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) >> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >> + >> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) >> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT >> +fi >> + >> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) >> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT >> +fi >> + >> +# Force NTP REDIRECTs on GREEN (udp, 123) >> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT >> +fi >> + >> +# Force DNS REDIRECTs on BLUE (udp, 123) >> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then >> + iptables -t nat -A 
DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN >> + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT >> +fi >> + >> +# End $rc_base/init.d/dnsntp >> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >> index 1e558ee86..047946a86 100644 >> --- a/src/initscripts/system/firewall >> +++ b/src/initscripts/system/firewall >> @@ -218,7 +218,7 @@ iptables_init() { >> iptables -A INPUT -j LOCATIONBLOCK >> iptables -A FORWARD -j LOCATIONBLOCK >> >> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything >> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything >> iptables -N IPSECINPUT >> iptables -N IPSECFORWARD >> iptables -N IPSECOUTPUT >> @@ -242,6 +242,10 @@ iptables_init() { >> iptables -N WIRELESSFORWARD >> iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD >> >> + # Redirecting DNS and NTP requests >> + iptables -t nat -N DNS_NTP_REDIRECT >> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT >> + >> # OpenVPN >> iptables -N OVPNINPUT >> iptables -A INPUT -j OVPNINPUT >> @@ -320,6 +324,9 @@ iptables_init() { >> # run captivectrl >> /usr/local/bin/captivectrl >> >> + # run dnsntpctrl >> + /usr/local/bin/dnsntpctrl >> + >> # POLICY CHAIN >> iptables -N POLICYIN >> iptables -A INPUT -j POLICYIN >> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile >> index 7c3ef7529..229d122d6 100644 >> --- a/src/misc-progs/Makefile >> +++ b/src/misc-progs/Makefile 
>> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \ >> wirelessctrl getipstat qosctrl \ >> redctrl syslogdctrl extrahdctrl sambactrl \ >> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ >> - setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \ >> + setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \ >> getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \ >> captivectrl >> >> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c >> new file mode 100644 >> index 000000000..f2a3b89e3 >> --- /dev/null >> +++ b/src/misc-progs/dnsntpctrl.c >> @@ -0,0 +1,19 @@ >> +/* This file is part of the IPFire Firewall. >> + * >> + * This program is distributed under the terms of the GNU General Public >> + * Licence. See the file COPYING for details. >> + * >> + */ >> + >> +#include <stdlib.h> >> +#include "setuid.h" >> + >> +int main(void) >> +{ >> + if (!(initsetuid())) >> + exit(1); >> + >> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); >> + >> + return 0; >> +} >> -- >> 2.18.0 >> >
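Review bot: in both optionsfw.cgi save paths (the hunks at @@ -50,6 +50,7 and @@ -65,6 +66,7) the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` throws away the helper's exit status and any iptables error, so a failed rule change (for instance when the DNS_NTP_REDIRECT chain does not exist yet) still shows the user a successful save. The `system("/usr/local/bin/firewallctrl");` right above does not silence stderr; check the return value of the dnsntpctrl call and append to $errormessage when it is non-zero, so the administrator sees that the redirect is not actually in place.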
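Review bot: in the @@ -140,6 +142,18 hunk, `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";` (and the three sibling lines) indexes the hash with an empty string when the key is missing from an optionsfw/settings file written before this patch, so neither radio button is preselected on an updated system. Your V5 plan to default the four keys to 'off' inside optionsfw.cgi covers this, provided those defaults are applied before this block and before the first save, so the dnsntp script never reads an unset variable.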
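Review bot: the GREEN block in the @@ -189,13 +203,44 hunk emits malformed table markup: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr> </tr>` another one, and the heading cell `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` then sits outside any `<tr>` before a stray `</tr>`. The BLUE block opens a second `<table width='95%' cellspacing='0'>` without closing the GREEN one, wraps its rows in an unclosed `<tr>`, and ends with `</td></tr>` that close nothing. Browsers repair this silently but not identically; use the pattern of the 'fw logging red' heading further down (`<tr bgcolor=...><td colspan='2' ...>...</td></tr>` as one row) and close the GREEN table before opening the BLUE one.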
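Review bot: the lfs/configroot header hunk turns `# Copyright (C) 2007-2021 IPFire Team` into `# Copyright (C) 2007-2018 IPFire Team`, which reverts the year range and looks like the patch was rebased on an older tree; drop that hunk. Since your note says the lfs/configroot defaults move into optionsfw.cgi in V5, the whole file change can go.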
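Review bot: `iptables -t nat -F DNS_NTP_REDIRECT` at the top of src/initscripts/system/dnsntp assumes the chain exists, but only iptables_init in the firewall initscript creates it, so running dnsntpctrl from the GUI before the firewall script has been restarted after the update fails on the flush and on every `-A`, with the errors discarded by the CGI; create the chain idempotently (`iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null`) before flushing. Three smaller points: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` uses a bash extension while the file declares `#!/bin/sh`, so use `=`; the guards test only the on/off flag, so a settings file with `DNS_FORCE_ON_BLUE=on` on a box without BLUE expands `-i ${BLUE_DEV}` to nothing and the rule is not what was intended (also test `[ -n "${BLUE_DEV}" ]`); and the comment `# Force DNS REDIRECTs on BLUE (udp, 123)` should read NTP. Worth stating in the help text as well: the RETURN rules accept only requests sent to the interface's own address, and only ports 53 and 123 are matched, so clients configured for DNS over TLS (853) or DNS over HTTPS are outside the redirect and keep using their configured resolver.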
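Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` in the @@ -242,6 +242,10 hunk appends the jump, so every rule already in the nat PREROUTING chain at that point of iptables_init is evaluated first; since the reason given for the separate chain is to avoid collisions with CUSTOM rules, add a comment above the chain creation stating that a custom DNAT rule matching port 53 or 123 wins over the redirect, so nobody later assumes the option overrides such rules.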
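Review bot: the setuid helper in src/misc-progs/dnsntpctrl.c is not an unnecessary detour: it is what lets optionsfw.cgi, running as the web server user, apply the rule change without being root, it calls `initsetuid()` first and passes no caller-controlled arguments to `safe_system()`, so there is nothing to sanitise; keep the shell logic in the initscript rather than merging it into C. The one simplification is in the firewall initscript's @@ -320,6 +324,9 hunk, which already runs as root and can call `/etc/rc.d/init.d/dnsntp` directly instead of going through `/usr/local/bin/dnsntpctrl`.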
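An added example, not code from the patch or from IPFire, that builds the RETURN-before-REDIRECT rule set the cover letter describes as a dry run from two settings files passed as arguments, skipping a zone whose device is not configured and creating the chain before flushing it. The chain name and setting keys are the ones used in the patch; the function names, the DNSNTP_APPLY switch and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the patch: builds the RETURN/REDIRECT rule
# set the dnsntp initscript applies, but from settings files passed as
# arguments and as a dry run (commands are printed; DNSNTP_APPLY=1 runs
# them). Chain name and setting keys are the ones used in the patch.

CHAIN="DNS_NTP_REDIRECT"

# read_setting FILE KEY: value of KEY from an IPFire-style KEY=VALUE file
read_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# rule ARGS...: print (dry run) or execute one nat-table rule
rule() {
    if [ "${DNSNTP_APPLY:-0}" = "1" ]; then
        iptables -t nat "$@"
    else
        printf 'iptables -t nat %s\n' "$*"
    fi
}

# service_rules DEV ADDR PROTO PORT
# Requests addressed to the firewall itself are the well-behaving case
# and RETURN; everything else arriving on DEV for PORT is REDIRECTed to
# the same port on the firewall. Order matters: RETURN must come first.
service_rules() {
    rule -A "$CHAIN" -i "$1" -d "$2" -p "$3" -m "$3" --dport "$4" -j RETURN
    rule -A "$CHAIN" -i "$1" -p "$3" -m "$3" --dport "$4" -j REDIRECT
}

# zone_rules DEV ADDR DNS_FLAG NTP_FLAG
# DNS needs udp and tcp (large answers fall back to tcp); NTP is udp only.
zone_rules() {
    [ -n "$1" ] || return 0    # zone not configured: skip even if flag is on
    if [ "$3" = "on" ]; then
        service_rules "$1" "$2" udp domain
        service_rules "$1" "$2" tcp domain
    fi
    if [ "$4" = "on" ]; then
        service_rules "$1" "$2" udp ntp
    fi
}

# build_ruleset ETHERNET_SETTINGS OPTIONSFW_SETTINGS
build_ruleset() {
    # create the chain if it is missing so the flush cannot fail
    if [ "${DNSNTP_APPLY:-0}" = "1" ]; then
        iptables -t nat -N "$CHAIN" 2>/dev/null || true
    fi
    rule -F "$CHAIN"
    for zone in GREEN BLUE; do
        zone_rules "$(read_setting "$1" "${zone}_DEV")" \
                   "$(read_setting "$1" "${zone}_ADDRESS")" \
                   "$(read_setting "$2" "DNS_FORCE_ON_${zone}")" \
                   "$(read_setting "$2" "NTP_FORCE_ON_${zone}")"
    done
}

# demo [1|0]: dry run on constructed sample settings (1 = BLUE configured,
# 0 = GREEN only while DNS_FORCE_ON_BLUE is still "on" in the file)
demo() {
    tmp=$(mktemp -d)
    printf 'GREEN_DEV=green0\nGREEN_ADDRESS=192.168.1.1\n' > "$tmp/ethernet"
    if [ "${1:-1}" = "1" ]; then
        printf 'BLUE_DEV=blue0\nBLUE_ADDRESS=192.168.2.1\n' >> "$tmp/ethernet"
    fi
    printf 'DNS_FORCE_ON_GREEN=on\nNTP_FORCE_ON_GREEN=on\n' > "$tmp/optionsfw"
    printf 'DNS_FORCE_ON_BLUE=on\nNTP_FORCE_ON_BLUE=off\n' >> "$tmp/optionsfw"
    build_ruleset "$tmp/ethernet" "$tmp/optionsfw"
    rm -rf "$tmp"
}
```

Running `demo` prints the flush plus ten rules (GREEN: DNS udp/tcp and NTP, BLUE: DNS only); `demo 0` prints only the GREEN rules although the BLUE flag is on.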