From: Jon Murphy
To: development@lists.ipfire.org
Subject: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Sat, 06 Mar 2021 15:29:30 -0600
Message-ID: <23184670-78D4-450D-8E32-D8E9BB8C8776@gmail.com>

But is it really needed and how is that determined?

> On Mar 6, 2021, at 3:15 PM, Bernhard Bitsch wrote:
>
> For forcing DNS we generate ( for example )
> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> To filter allowed DNS requests there is a rule
> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
> To get ${GREEN_ADDRESS} dnsntp needs an additional
> eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>
> Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
>
> Hope this makes it clear enough.
>
> Best,
> Bernhard
>
>> Sent: Saturday, 06 March 2021 at 21:51
>> From: "Jon Murphy"
>> To: "Bernhard Bitsch"
>> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
>>
>>> I mean the extra rules for requests client-->IPFire:53.
>>> These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>>
>> How do we determine if a 'well-behaving' client is being redirected? Or how do we measure performance?
>>
>> When I tried to measure DNS "speed" in the past, the cache gets in there and makes every one look like 38 to 44 ms.
>>
>>> On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch wrote:
>>>
>>> Hi,
>>>
>>>> Sent: Friday, 05 March 2021 at 23:49
>>>> From: "Matthias Fischer"
>>>> To: "Bernhard Bitsch"
>>>> Cc: development(a)lists.ipfire.org
>>>> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>>>>
>>>> Hi,
>>>>
>>>> On 05.03.2021 21:45, Bernhard Bitsch wrote:
>>>>> Hi,
>>>>>
>>>>> at a first glance I think, the code implements the ideas of the community discussions.
>>>>
>>>> Thanks - but unfortunately I'm not quite satisfied with my results yet
>>>> because I didn't manage to merge the init and the ctrl-file in *one* C
>>>> program. The whole is running as I want but... ;-)
>>>>
>>>>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
>>>>
>>>> -v please. I don't know if I get this (the translation English =>
>>>> German) right.
>>>> If you mean that I asked for some tips and got some, then of course:
>>>> many thanks to everybody!
>>>>
>>> Sorry if I wasn't specific enough.
>>> I mean the extra rules for requests client-->IPFire:53.
>>> These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>>>
>>> Best,
>>> Bernhard
>>>> Best,
>>>> Matthias
>>>>
>>>>> Regards,
>>>>> Bernhard
>>>>>
>>>>>> Sent: Friday, 05 March 2021 at 20:40
>>>>>> From: "Matthias Fischer"
>>>>>> To: development(a)lists.ipfire.org
>>>>>> Subject: [PATCH] (V3) Forcing DNS/NTP
>>>>>>
>>>>>> Originally triggered by:
>>>>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>>>>
>>>>>> Current discussion:
>>>>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>>>>
>>>>>> Summary and functionality:
>>>>>> These patches are controlled through "Firewall Options".
>>>>>> They add new
>>>>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>>>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>>>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>>>>>
>>>>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>>>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>>>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>>>>> this more transparent.
>>>>>>
>>>>>> Flaw/ToDo:
>>>>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>>>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>>>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>>>>> capabilities, perhaps "someone" else knows how to program this.
>>>>>>
>>>>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>>>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>>>>> the respective interface actually exists.
>>>>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>>>>> or logging options for BLUE available (e.g.).
>>>>>> Added text colors for better readability and links to DNS and NTP GUI.
>>>>>> Separated logging options per interface.
>>>>>>
>>>>>> No reboot required:
>>>>>> Rules can be switched ON/OFF without rebooting IPFire.
>>>>>> Changes immediately take effect after clicking 'Save'.
>>>>>>
>>>>>> Changes to '/etc/rc.d/init.d/firewall':
>>>>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>>>>> chain: DNS_NTP_REDIRECT.
>>>>>> This chain is flushed by the init file before the desired settings are applied.
>>>>>> Corrected a 'trafic' typo.
>>>>>>
>>>>>> Signed-off-by: Matthias Fischer >>>>>> --- >>>>>> config/rootfiles/common/aarch64/initscripts | 1 + >>>>>> config/rootfiles/common/armv5tel/initscripts | 1 + >>>>>> config/rootfiles/common/i586/initscripts | 1 + >>>>>> config/rootfiles/common/misc-progs | 1 + >>>>>> config/rootfiles/common/x86_64/initscripts | 1 + >>>>>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++---- >>>>>> langs/de/cgi-bin/de.pl | 15 +++- >>>>>> langs/en/cgi-bin/en.pl | 15 +++- >>>>>> lfs/configroot | 4 + >>>>>> src/initscripts/system/dnsntp | 36 ++++++++ >>>>>> src/initscripts/system/firewall | 9 +- >>>>>> src/misc-progs/Makefile | 2 +- >>>>>> src/misc-progs/dnsntpctrl.c | 19 ++++ >>>>>> 13 files changed, 168 insertions(+), 29 deletions(-) >>>>>> create mode 100644 src/initscripts/system/dnsntp >>>>>> create mode 100644 src/misc-progs/dnsntpctrl.c >>>>>>=20 >>>>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/root= files/common/aarch64/initscripts >>>>>> index 800005966..f38a3a294 100644 >>>>>> --- a/config/rootfiles/common/aarch64/initscripts >>>>>> +++ b/config/rootfiles/common/aarch64/initscripts >>>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>>>>> etc/rc.d/init.d/console >>>>>> etc/rc.d/init.d/dhcp >>>>>> etc/rc.d/init.d/dhcrelay >>>>>> +etc/rc.d/init.d/dnsntp >>>>>> etc/rc.d/init.d/fcron >>>>>> etc/rc.d/init.d/fireinfo >>>>>> etc/rc.d/init.d/firewall >>>>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/roo= tfiles/common/armv5tel/initscripts >>>>>> index 800005966..f38a3a294 100644 >>>>>> --- a/config/rootfiles/common/armv5tel/initscripts >>>>>> +++ b/config/rootfiles/common/armv5tel/initscripts >>>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>>>>> etc/rc.d/init.d/console >>>>>> etc/rc.d/init.d/dhcp >>>>>> etc/rc.d/init.d/dhcrelay >>>>>> +etc/rc.d/init.d/dnsntp >>>>>> etc/rc.d/init.d/fcron >>>>>> etc/rc.d/init.d/fireinfo >>>>>> etc/rc.d/init.d/firewall 
>>>>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfil= es/common/i586/initscripts >>>>>> index 18c5a897a..a3a2b47f7 100644 >>>>>> --- a/config/rootfiles/common/i586/initscripts >>>>>> +++ b/config/rootfiles/common/i586/initscripts >>>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>>>>> etc/rc.d/init.d/console >>>>>> etc/rc.d/init.d/dhcp >>>>>> etc/rc.d/init.d/dhcrelay >>>>>> +etc/rc.d/init.d/dnsntp >>>>>> etc/rc.d/init.d/fcron >>>>>> etc/rc.d/init.d/fireinfo >>>>>> etc/rc.d/init.d/firewall >>>>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/com= mon/misc-progs >>>>>> index d6594b3f8..4bcb94812 100644 >>>>>> --- a/config/rootfiles/common/misc-progs >>>>>> +++ b/config/rootfiles/common/misc-progs >>>>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl >>>>>> usr/local/bin/collectdctrl >>>>>> usr/local/bin/ddnsctrl >>>>>> usr/local/bin/dhcpctrl >>>>>> +usr/local/bin/dnsntpctrl >>>>>> usr/local/bin/extrahdctrl >>>>>> usr/local/bin/fireinfoctrl >>>>>> usr/local/bin/firewallctrl >>>>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootf= iles/common/x86_64/initscripts >>>>>> index 18c5a897a..a3a2b47f7 100644 >>>>>> --- a/config/rootfiles/common/x86_64/initscripts >>>>>> +++ b/config/rootfiles/common/x86_64/initscripts >>>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>>>>> etc/rc.d/init.d/console >>>>>> etc/rc.d/init.d/dhcp >>>>>> etc/rc.d/init.d/dhcrelay >>>>>> +etc/rc.d/init.d/dnsntp >>>>>> etc/rc.d/init.d/fcron >>>>>> etc/rc.d/init.d/fireinfo >>>>>> etc/rc.d/init.d/firewall >>>>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi >>>>>> index 321642e82..3fc707e8b 100644 >>>>>> --- a/html/cgi-bin/optionsfw.cgi >>>>>> +++ b/html/cgi-bin/optionsfw.cgi 
>>>>>> @@ -2,7 +2,7 @@ >>>>>> ######################################################################= ######### >>>>>> # = # >>>>>> # IPFire.org - A linux based firewall = # >>>>>> -# Copyright (C) 2014-2020 IPFire Team = # >>>>>> +# Copyright (C) 2014-2021 IPFire Team = # >>>>>> # = # >>>>>> # This program is free software: you can redistribute it and/or modify= # >>>>>> # it under the terms of the GNU General Public License as published by= # >>>>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >>>>>> $errormessage .=3D $Lang::tr{'new optionsfw later'}; >>>>>> &General::writehash($filename, \%settings); # Save good = settings >>>>>> system("/usr/local/bin/firewallctrl"); >>>>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >>>>>> }else{ >>>>>> if ($settings{'POLICY'} ne ''){ >>>>>> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; >>>>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >>>>>> &General::writehash("${General::swroot}/firewall/settings", \%fwdfws= ettings); >>>>>> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwse= ttings); >>>>>> system("/usr/local/bin/firewallctrl"); >>>>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >>>>>> } >>>>>> &General::readhash($filename, \%settings); # Load good se= ttings >>>>>> } 
>>>>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUER= ADE_ORANGE'}} =3D 'selected=3D"sele >>>>>> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; >>>>>> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; >>>>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'select= ed=3D"selected"'; >>>>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; >>>>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; >>>>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} =3D "= checked=3D'checked'"; >>>>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; >>>>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; >>>>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D "ch= ecked=3D'checked'"; >>>>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; >>>>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; >>>>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} =3D "= checked=3D'checked'"; >>>>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; >>>>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; >>>>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D "ch= ecked=3D'checked'"; >>>>>>=20 >>>>>> &Header::openbox('100%', 'center',); >>>>>> print "
"; >>>>>> @@ -189,13 +203,44 @@ END >>>>>> END >>>>>> } >>>>>>=20 >>>>>> - print <>>>>> +print <>>>>> + >>>>>> + >>>>>> + >>>>>> + >>>>>> + >>>>>> + >>>>>> + >>>>>> +END >>>>>> + >>>>>> + if (&Header::blue_used()) { >>>>>> + print <>>>>> +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green'= }$Lang::tr{'on'} / >>>>>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on green'= }$Lang::tr{'on'} / >>>>>> + $Lang::tr{'off'}
>>>>>> + >>>>>> + >>>>>> + >>>>>> + = >>>>>> + = >>>>>> + <= td align=3D'left'>$Lang::tr{'on'} / >>>>>> + $Lang::tr{'off'} >>>>>> + <= td align=3D'left'>$Lang::tr{'on'} / >>>>>> + $Lang::tr{'off'} >>>>>> + >>>>>> + >>>>>> +END >>>>>> + } >>>>>> + >>>>>> + print <>>>>>
= $Lang::tr{'fw blue'}
$Lang::tr{'dns force on blue'= }$Lang::tr{'on'} / >>>>>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue'= }$Lang::tr{'on'} / >>>>>> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}
$Lang::tr{'drop samba'}
>>>>>>=20 >>>>>> -
>>>>>> +
>>>>>>=20 >>>>>> - >>>>>> - >>>>>> +
$Lang::tr{'fw logging'}
>>>>>> + >>>>>> <= td align=3D'left'>$Lang::tr{'on'} / >>>>>> $Lang::tr{'off'} >>>>>> >>>>>> $Lang::tr{'on'} / >>>>>> $Lang::tr{'off'} >>>>>> -
$Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / >>>>>> @@ -206,21 +251,30 @@ END >>>>>> $Lang::tr{'off'}
$Lang::tr{'drop portscan'}
$Lang::tr{'drop wirelessinput'}<= /td>$Lang::tr{'on'} / >>>>>> +END >>>>>> + >>>>>> + if (&Header::blue_used()) { >>>>>> + print <>>>>> +
>>>>>> + >>>>>> +
>>>>>> + >>>>>> + >>>>>> + >>>>>> + >>>>>> + <= /tr> >>>>>> - >>>>>> -
$Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput= '}$Lang::tr{'on'} / >>>>>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'= }$Lang::tr{'on'} / >>>>>> +
$Lang::tr{'drop wirelessforwa= rd'}$Lang::tr{'on'} / >>>>>> $Lang::tr{'off'}
>>>>>> -
>>>>>> + >>>>>> +END >>>>>> + } >>>>>> + >>>>>> + print <>>>>> + >>>>>> + >>>>>> +
>>>>>>=20 >>>>>> - >>>>>> - >>>>>> - >>>>>> - >>>>>> -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >>>>>> - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >>>>>> - $Lang::tr{'off'}
>>>>>> -
>>>>>> >>>>>> >>>>>> >>>>>> END >>>>>> print "
= $Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / >>>>>> @@ -252,7 +306,7 @@ END >>>>>>=20 >>>>>>
>>>>>> >>>>>> - >>>>>>
>>>>>> +
>>>>>> >>>>>>
>>>>>> @@ -278,7 +332,7 @@ print <>>>>>
"; >>>>>> - print"

"; >>>>>> + print"

"; >>>>>> print <>>>>>
>>>>>> >>>>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >>>>>> index 6a8133807..d6bb234fa 100644 >>>>>> --- a/langs/de/cgi-bin/de.pl >>>>>> +++ b/langs/de/cgi-bin/de.pl >>>>>> @@ -836,6 +836,8 @@ >>>>>> 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren = DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe= !
Die eingegebene sekund=C3=A4ren DNS Server Adresse is= t jedoch g=C3=BCltig.
', >>>>>> 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim=C3=A4= ren wie auch des sekund=C3=A4ren DNS-Servers sind n= icht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', >>>>>> 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Einga= be!
Die eingegebene prim=C3=A4re DNS Server Adresse ist= jedoch g=C3=BCltig.', >>>>>> +'dns force on blue' =3D> 'Erzwinge lok= ale DNS-Server auf BLAU', >>>>>> +'dns force on green' =3D> 'Erzwinge lo= kale DNS-Server auf GR=C3=9CN', >>>>>> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empfohle= n)', >>>>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)', >>>>>> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an red0', >>>>>> @@ -1102,9 +1104,12 @@ >>>>>> 'from email server' =3D> 'Von E-Mail-Server', >>>>>> 'from email user' =3D> 'Von E-Mail-Benutzer', >>>>>> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BCltig', >>>>>> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', >>>>>> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das BLAUE Interface', >>>>>> 'fw default drop' =3D> 'Firewallrichtlinie', >>>>>> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das GR=C3=9CNE Interface', >>>>>> 'fw logging' =3D> 'Firewallprotokollierung', >>>>>> +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', >>>>>> +'fw logging red' =3D> 'Firewallprotokollierung (ROT)', >>>>>> 'fw settings' =3D> 'Firewalleinstellungen', >>>>>> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', >>>>>> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsseite = anzeigen', >>>>>> @@ -1644,9 +1649,9 @@ >>>>>> 'map to guest' =3D> 'Map to Guest', >>>>>> 'march' =3D> 'M=C3=A4rz', >>>>>> 'marked' =3D> 'Markiert', >>>>>> -'masquerade blue' =3D> 'NAT auf BLAU', >>>>>> -'masquerade green' =3D> 'NAT auf GR=C3=9CN', >>>>>> -'masquerade orange' =3D> 'NAT auf ORANGE', >>>>>> +'masquerade blue' =3D> 'NAT auf BLAU', >>>>>> +'masquerade green' =3D> 'NAT auf GR=C3= =9CN', >>>>>> +'masquerade orange' =3D> 'NAT auf ORANG= E', >>>>>> 'masquerading' =3D> 'Masquerading/NAT', >>>>>> 'masquerading disabled' =3D> 'NAT ausgeschaltet', >>>>>> 'masquerading enabled' =3D> 'NAT eingeschaltet', 
>>>>>> @@ -1814,6 +1819,8 @@ >>>>>> 'november' =3D> 'November', >>>>>> 'ntp common settings' =3D> 'Allgemeine Einstellungen', >>>>>> 'ntp configuration' =3D> 'Zeitserverkonfiguration', >>>>>> +'ntp force on blue' =3D> 'Erzwinge lo= kale NTP-Server auf BLAU', >>>>>> +'ntp force on green' =3D> 'Erzwinge l= okale NTP-Server auf GR=C3=9CN', >>>>>> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu k= =C3=B6nnen, muss NTP vorher aktiviert sein.', >>>>>> 'ntp server' =3D> 'NTP-Server', >>>>>> 'ntp sync' =3D> 'Synchronisation', >>>>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >>>>>> index 8f7e0c2cf..474612025 100644 >>>>>> --- a/langs/en/cgi-bin/en.pl >>>>>> +++ b/langs/en/cgi-bin/en.pl >>>>>> @@ -859,6 +859,8 @@ >>>>>> 'dns error 0' =3D> 'The IP address of the primary DNS= server is not valid, please check your entries!
The entered sec= ondary DNS server address is valid.', >>>>>> 'dns error 01' =3D> 'The entered IP address of the primary and secondary DNS server are not valid, please check y= our entries!', >>>>>> 'dns error 1' =3D> 'The IP address of the secondary D= NS server is not valid, please check your entries!
The entered p= rimary DNS server address is valid.', >>>>>> +'dns force on blue' =3D> 'Force DNS to use local DNS servers on BLUE', >>>>>> +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', >>>>>> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', >>>>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', >>>>>> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on red0', >>>>>> @@ -1128,9 +1130,12 @@ >>>>>> 'from email server' =3D> 'From Email server', >>>>>> 'from email user' =3D> 'From e-mail user', >>>>>> 'from warn email bad' =3D> 'From e-mail address is not valid', >>>>>> -'fw blue' =3D> 'Firewall options for BLUE interface', >>>>>> +'fw blue' =3D> 'Firewall options for BLUE Interface', >>>>>> 'fw default drop' =3D> 'Firewall policy', >>>>>> +'fw green' =3D> 'Firewall options for GREEN= Interface', >>>>>> 'fw logging' =3D> 'Firewall logging', >>>>>> +'fw logging blue' =3D> 'Firewall logging (B= LUE)', >>>>>> +'fw logging red' =3D> 'Firewall logging (RE= D)', >>>>>> 'fw settings' =3D> 'Firewall settings', >>>>>> 'fw settings color' =3D> 'Show colors in ruletable', >>>>>> 'fw settings dropdown' =3D> 'Show all networks on rulecreation site', >>>>>> @@ -1672,9 +1677,9 @@ >>>>>> 'map to guest' =3D> 'Map to Guest', >>>>>> 'march' =3D> 'March', >>>>>> 'marked' =3D> 'Marked', >>>>>> -'masquerade blue' =3D> 'Masquerade BLUE', >>>>>> -'masquerade green' =3D> 'Masquerade GREEN', >>>>>> -'masquerade orange' =3D> 'Masquerade ORANGE', >>>>>> +'masquerade blue' =3D> 'Masquerade BLUE<= /font>', >>>>>> +'masquerade green' =3D> 'Masquerade GREE= N', >>>>>> +'masquerade orange' =3D> 'Masquerade ORA= NGE', >>>>>> 'masquerading' =3D> 'Masquerading', >>>>>> 'masquerading disabled' =3D> 'Masquerading disabled', >>>>>> 'masquerading enabled' =3D> 'Masquerading enabled', 
>>>>>> @@ -1844,6 +1849,8 @@ >>>>>> 'november' =3D> 'November', >>>>>> 'ntp common settings' =3D> 'Common settings', >>>>>> 'ntp configuration' =3D> 'NTP Configuration', >>>>>> +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', >>>>>> +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', >>>>>> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to hav= e clients.', >>>>>> 'ntp server' =3D> 'NTP Server', >>>>>> 'ntp sync' =3D> 'Synchronization', >>>>>> diff --git a/lfs/configroot b/lfs/configroot >>>>>> index a3e474d70..622793b35 100644 >>>>>> --- a/lfs/configroot >>>>>> +++ b/lfs/configroot >>>>>> @@ -129,6 +129,10 @@ $(TARGET) : >>>>>> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>>>>> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >>>>>> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >>>>>> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>>>>> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>>>>> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>>>>> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>>>>> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >>>>>> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >>>>>> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings >>>>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dn= sntp >>>>>> new file mode 100644 >>>>>> index 000000000..2eafa9d20 >>>>>> --- /dev/null >>>>>> +++ b/src/initscripts/system/dnsntp 
>>>>>> @@ -0,0 +1,36 @@ >>>>>> +#!/bin/sh >>>>>> +#####################################################################= ### >>>>>> +# Begin $rc_base/init.d/dnsntp >>>>>> +# >>>>>> +# Description : dnsntp init script for DNS/NTP rules only >>>>>> +# >>>>>> +#####################################################################= ### >>>>>> + >>>>>> +# flush chain >>>>>> +iptables -t nat -F DNS_NTP_REDIRECT >>>>>> + >>>>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >>>>>> + >>>>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) >>>>>> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then >>>>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport = 53 -j REDIRECT >>>>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport = 53 -j REDIRECT >>>>>> +fi >>>>>> + >>>>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) >>>>>> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then >>>>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 5= 3 -j REDIRECT >>>>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 5= 3 -j REDIRECT >>>>>> +fi >>>>>> + >>>>>> +# Force NTP REDIRECTs on GREEN (udp, 123) >>>>>> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then >>>>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport = 123 -j REDIRECT >>>>>> +fi >>>>>> + >>>>>> +# Force DNS REDIRECTs on BLUE (udp, 123) >>>>>> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then >>>>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 1= 23 -j REDIRECT >>>>>> +fi >>>>>> + >>>>>> +# End $rc_base/init.d/dnsntp >>>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/= firewall >>>>>> index 65f1c979b..43ae74113 100644 >>>>>> --- a/src/initscripts/system/firewall >>>>>> +++ b/src/initscripts/system/firewall 
>>>>>> @@ -169,6 +169,10 @@ iptables_init() { >>>>>> # Fix for braindead ISPs >>>>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-= mss-to-pmtu >>>>>>=20 >>>>>> + # DNS / NTP REDIRECT >>>>>> + iptables -t nat -N DNS_NTP_REDIRECT >>>>>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT >>>>>> + >>>>>> # CUSTOM chains, can be used by the users themselves >>>>>> iptables -N CUSTOMINPUT >>>>>> iptables -A INPUT -j CUSTOMINPUT >>>>>> @@ -281,7 +285,7 @@ iptables_init() { >>>>>> iptables -A INPUT -j LOCATIONBLOCK >>>>>> iptables -A FORWARD -j LOCATIONBLOCK >>>>>>=20 >>>>>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accep= t everything >>>>>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" acce= pt everything >>>>>> iptables -N IPSECINPUT >>>>>> iptables -N IPSECFORWARD >>>>>> iptables -N IPSECOUTPUT >>>>>> @@ -389,6 +393,9 @@ iptables_init() { >>>>>> # run captivectrl >>>>>> /usr/local/bin/captivectrl >>>>>>=20 >>>>>> + # run dnsntpctrl >>>>>> + /usr/local/bin/dnsntpctrl >>>>>> + >>>>>> # POLICY CHAIN >>>>>> iptables -N POLICYIN >>>>>> iptables -A INPUT -j POLICYIN >>>>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile >>>>>> index 7c3ef7529..6f2733ef0 100644 >>>>>> --- a/src/misc-progs/Makefile >>>>>> +++ b/src/misc-progs/Makefile >>>>>> @@ -26,7 +26,7 @@ PROGS =3D iowrap >>>>>> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ >>>>>> ipsecctrl timectrl dhcpctrl suricatactrl \ >>>>>> rebuildhosts backupctrl collectdctrl \ >>>>>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ >>>>>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ >>>>>> wirelessctrl getipstat qosctrl \ >>>>>> redctrl syslogdctrl extrahdctrl sambactrl \ >>>>>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ >>>>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c >>>>>> new file mode 100644 >>>>>> index 000000000..f2a3b89e3 >>>>>> --- /dev/null 
>>>>>> +++ b/src/misc-progs/dnsntpctrl.c >>>>>> @@ -0,0 +1,19 @@ >>>>>> +/* This file is part of the IPFire Firewall. >>>>>> + * >>>>>> + * This program is distributed under the terms of the GNU General Pub= lic >>>>>> + * Licence. See the file COPYING for details. >>>>>> + * >>>>>> + */ >>>>>> + >>>>>> +#include >>>>>> +#include "setuid.h" >>>>>> + >>>>>> +int main(void) >>>>>> +{ >>>>>> + if (!(initsetuid())) >>>>>> + exit(1); >>>>>> + >>>>>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); >>>>>> + >>>>>> + return 0; >>>>>> +} >>>>>> --=20 >>>>>> 2.18.0 >>>>>>=20 >>>>>>=20 >>>>>=20 >>>>=20 >>>>=20 >>=20 >>=20 --===============3415206712170726309==--
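Review bot: the `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` added to html/cgi-bin/optionsfw.cgi at @@ -50,6 +50,7 @@ (and the identical line at @@ -65,6 +66,7 @@) discards both the helper's output and its exit status, so a failing iptables call leaves the admin with a page that reports the setting as saved while no redirect is actually in place. Drop the redirection, or check the value system() returns and append to $errormessage, which this same block already uses for save problems.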
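Review bot: the four conditions in the new src/initscripts/system/dnsntp use `[ "$DNS_FORCE_ON_GREEN" == "on" ]` under `#!/bin/sh`; `==` is a bash extension, and a strictly POSIX /bin/sh (dash, for example) rejects it with "unexpected operator", so every block is skipped and no rule is installed at all. Use a single `=` in all four tests. Two smaller points in the same hunk: the comment above the last block reads "Force DNS REDIRECTs on BLUE (udp, 123)" although that block is the NTP one, and the device names green0/blue0 are hard-coded instead of being taken from /var/ipfire/ethernet/settings with the same readhash eval the script already uses for optionsfw; reading that file would also provide GREEN_ADDRESS/BLUE_ADDRESS for the RETURN rules for requests addressed to IPFire itself that the thread discusses and that this version does not yet install.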
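Review bot: in the src/initscripts/system/firewall hunk at @@ -169,6 +169,10 @@, `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the "# CUSTOM chains, can be used by the users themselves" block that follows it, so the redirect is evaluated ahead of anything the user places in the custom chains and a custom rule cannot exempt a host from it. Since the commit message motivates the new chain with avoiding collisions with existing CUSTOM rules, either state in a comment that this precedence is intended or move the jump after the custom chains are set up.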
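Review bot: main() in the new src/misc-progs/dnsntpctrl.c ignores what safe_system() returns and always exits 0, so neither the CGI nor the firewall init script can tell whether /etc/rc.d/init.d/dnsntp succeeded; propagate a non-zero exit when the call fails. The `>/dev/null 2>&1` inside the command string is also redundant with the redirection the CGI already applies to dnsntpctrl, and it hides iptables error messages when the init script runs the helper at boot. The first `#include` line arrives here without a header name; exit() needs stdlib.h, so confirm that is what it reads.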
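Review bot: in langs/en/cgi-bin/en.pl at @@ -1128,9 +1130,12 @@, 'fw blue' changes "Firewall options for BLUE interface" to "... BLUE Interface" and the new 'fw green' string follows suit; "interface" is a common noun in these English strings and should stay lowercase in both. The new 'dns force on ...' and 'ntp force on ...' keys are otherwise consistent between de.pl and en.pl.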
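The RETURN-before-REDIRECT ordering Bernhard describes above, as an added example that is not part of the patch or of IPFire's own code: a POSIX-sh generator for the DNS_NTP_REDIRECT chain that takes each zone's device and address from KEY=value settings files (the small read_setting() is a stand-in for /usr/local/bin/readhash, and the file contents used below are constructed), and whose IPTABLES variable can be set to `echo` to preview the rules without root.

```shell
#!/bin/sh
# Added example, not IPFire's code: rebuild the DNS_NTP_REDIRECT chain with a
# RETURN for 'well-behaving' requests (client -> firewall address) ahead of the
# catch-all REDIRECT on the same port.
# Assumptions: settings files hold KEY=value lines like /var/ipfire/*/settings;
# read_setting() below stands in for /usr/local/bin/readhash.
# IPTABLES may be overridden (e.g. IPTABLES=echo) to list the rules without root.

IPTABLES="${IPTABLES:-iptables}"

# read_setting FILE KEY: print the value of the first KEY=value line (empty if absent).
read_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# port_rules IFACE ADDR PROTO PORT
# 1) RETURN for traffic already addressed to the firewall on that interface,
# 2) REDIRECT everything else arriving on that port to the firewall itself.
port_rules() {
    "$IPTABLES" -t nat -A DNS_NTP_REDIRECT -i "$1" -d "$2" -p "$3" -m "$3" --dport "$4" -j RETURN
    "$IPTABLES" -t nat -A DNS_NTP_REDIRECT -i "$1" -p "$3" -m "$3" --dport "$4" -j REDIRECT
}

# zone_rules OPTIONS_FILE ETHERNET_FILE ZONE   (ZONE is GREEN or BLUE)
# Emits DNS (udp/tcp 53) and NTP (udp 123) rules when the zone's switch is 'on'.
zone_rules() {
    opts=$1; eth=$2; zone=$3
    dev=$(read_setting "$eth" "${zone}_DEV")
    addr=$(read_setting "$eth" "${zone}_ADDRESS")
    # A zone without device or address is not configured: nothing to do.
    [ -n "$dev" ] && [ -n "$addr" ] || return 0
    # POSIX sh 'test' compares strings with a single '=', not '=='.
    if [ "$(read_setting "$opts" "DNS_FORCE_ON_${zone}")" = "on" ]; then
        port_rules "$dev" "$addr" udp 53
        port_rules "$dev" "$addr" tcp 53
    fi
    if [ "$(read_setting "$opts" "NTP_FORCE_ON_${zone}")" = "on" ]; then
        port_rules "$dev" "$addr" udp 123
    fi
}

# apply_rules OPTIONS_FILE ETHERNET_FILE: flush the chain, then rebuild it.
apply_rules() {
    "$IPTABLES" -t nat -F DNS_NTP_REDIRECT
    zone_rules "$1" "$2" GREEN
    zone_rules "$1" "$2" BLUE
}

# Stand-alone use on IPFire (as root):
#   apply_rules /var/ipfire/optionsfw/settings /var/ipfire/ethernet/settings
```

With IPTABLES=echo the output is the exact rule list in evaluation order, which makes it easy to confirm that every REDIRECT is preceded by its RETURN before the rules are loaded for real.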