From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Sun, 30 May 2021 17:51:09 +0200
Message-ID: <4b0141d3-f002-56ff-1dc6-53075f8feecf@ipfire.org>
In-Reply-To: <1986FF60-9E5F-4CA1-AC49-AB3E1DFC6106@ipfire.org>

Hi,

On 01.04.2021 12:22, Michael Tremer wrote:
> Hello,
>
> I did not have a look at this because I got lost in the last conversation about this.
>
> I still do not understand why this would be necessary functionality and why we did not go with adding support for REDIRECT rules to the existing UI which could then be used for all sorts of protocols and won't be hardcoded to just those two.

Any new opinions on this?

Because: My programming skills were enough for these DNS and NTP and adding the functionality you mention above is perhaps wanted (is it!?). But adding rules for REDIRECTing or RETURNing all sort of protocols seems a bit too much for me, sorry.

I'm a little too cautious to experiment to this extent with such a complicated interface as the firewall UI and the underlying rules.

I have my current solution - with a few minor changes - now running for over 60 days with no seen problems. In MY configuration, of course.

Would it make sense to push this so that "someone" else can test/tune/discuss this version or should I wait?

Best,
Matthias

>
> -Michael
>
>> On 29 Mar 2021, at 22:34, Jon Murphy wrote:
>>
>> Hello! Hope everyone is healthy!
>>
>> I am just curious if this was approved by the Developers?
>>
>> Jon
>>
>>> On Mar 5, 2021, at 1:40 PM, Matthias Fischer wrote:
>>>
>>> Originally triggered by:
>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>
>>> Current discussion:
>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>
>>> Summary and functionality:
>>> These patches are controlled through "Firewall Options". They add new
>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>>
>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>> this more transparent.
>>>
>>> Flaw/ToDo:
>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>> capabilities, perhaps "someone" else knows how to program this.
>>>
>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>> the respective interface actually exists.
>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>> or logging options for BLUE available (e.g.).
>>> Added text colors for better readability and links to DNS and NTP GUI.
>>> Separated logging options per interface.
>>>
>>> No reboot required:
>>> Rules can be switched ON/OFF without rebooting IPFire.
>>> Changes immediately take effect after clicking 'Save'.
>>>
>>> Changes to '/etc/rc.d/init.d/firewall':
>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>> chain: DNS_NTP_REDIRECT.
>>> This chain is flushed by the init file before the desired settings are applied.
>>> Corrected a 'trafic' typo.
>>>
>>> Signed-off-by: Matthias Fischer
>>> ---
>>> config/rootfiles/common/aarch64/initscripts | 1 +
>>> config/rootfiles/common/armv5tel/initscripts | 1 +
>>> config/rootfiles/common/i586/initscripts | 1 +
>>> config/rootfiles/common/misc-progs | 1 +
>>> config/rootfiles/common/x86_64/initscripts | 1 +
>>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++----
>>> langs/de/cgi-bin/de.pl | 15 +++-
>>> langs/en/cgi-bin/en.pl | 15 +++-
>>> lfs/configroot | 4 +
>>> src/initscripts/system/dnsntp | 36 ++++++++
>>> src/initscripts/system/firewall | 9 +-
>>> src/misc-progs/Makefile | 2 +-
>>> src/misc-progs/dnsntpctrl.c | 19 ++++
>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>> create mode 100644 src/initscripts/system/dnsntp
>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>>
>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfil= es/common/aarch64/initscripts >>> index 800005966..f38a3a294 100644 >>> --- a/config/rootfiles/common/aarch64/initscripts >>> +++ b/config/rootfiles/common/aarch64/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfi= les/common/armv5tel/initscripts >>> index 800005966..f38a3a294 100644 >>> --- a/config/rootfiles/common/armv5tel/initscripts >>> +++ b/config/rootfiles/common/armv5tel/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/= common/i586/initscripts >>> index 18c5a897a..a3a2b47f7 100644 >>> --- a/config/rootfiles/common/i586/initscripts >>> +++ b/config/rootfiles/common/i586/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common= /misc-progs >>> index d6594b3f8..4bcb94812 100644 >>> --- a/config/rootfiles/common/misc-progs >>> +++ b/config/rootfiles/common/misc-progs >>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl >>> usr/local/bin/collectdctrl >>> usr/local/bin/ddnsctrl >>> usr/local/bin/dhcpctrl >>> +usr/local/bin/dnsntpctrl >>> usr/local/bin/extrahdctrl >>> usr/local/bin/fireinfoctrl >>> usr/local/bin/firewallctrl >>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfile= s/common/x86_64/initscripts >>> index 18c5a897a..a3a2b47f7 100644 >>> --- a/config/rootfiles/common/x86_64/initscripts >>> +++ b/config/rootfiles/common/x86_64/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi >>> index 321642e82..3fc707e8b 100644 >>> --- a/html/cgi-bin/optionsfw.cgi >>> +++ b/html/cgi-bin/optionsfw.cgi 
>>> @@ -2,7 +2,7 @@ >>> #########################################################################= ###### >>> # = # >>> # IPFire.org - A linux based firewall = # >>> -# Copyright (C) 2014-2020 IPFire Team = # >>> +# Copyright (C) 2014-2021 IPFire Team = # >>> # = # >>> # This program is free software: you can redistribute it and/or modify = # >>> # it under the terms of the GNU General Public License as published by = # >>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >>> $errormessage .=3D $Lang::tr{'new optionsfw later'}; >>> &General::writehash($filename, \%settings); # Save good set= tings >>> system("/usr/local/bin/firewallctrl"); >>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >>> }else{ >>> if ($settings{'POLICY'} ne ''){ >>> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; >>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >>> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsett= ings); >>> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsetti= ngs); >>> system("/usr/local/bin/firewallctrl"); >>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >>> } >>> &General::readhash($filename, \%settings); # Load good setti= ngs >>> } 
>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE= _ORANGE'}} =3D 'selected=3D"sele >>> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; >>> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; >>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'selected= =3D"selected"'; >>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; >>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; >>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} =3D "che= cked=3D'checked'"; >>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; >>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; >>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D "check= ed=3D'checked'"; >>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; >>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; >>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} =3D "che= cked=3D'checked'"; >>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; >>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; >>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D "check= ed=3D'checked'"; >>>=20 >>> &Header::openbox('100%', 'center',); >>> print "
"; >>> @@ -189,13 +203,44 @@ END >>> END >>> } >>>=20 >>> - print <>> +print <>> + >>> + >>> +   >>> + >>> + >>> + <= /tr> >>> + <= /tr> >>> +END >>> + >>> + if (&Header::blue_used()) { >>> + print <>> +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on green'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
>>> + >>> +   >>> + >>> + >>> + >>> + >>> + >>> + >>> + >>> +END >>> + } >>> + >>> + print <>>
= $Lang::tr{'fw blue'}
$Lang::tr{'dns force on blue'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
>>>=20 >>> -
>>> +
>>>=20 >>> - >>> - >>> +
$L= ang::tr{'fw logging'}
>>> + >>> >>> >>> >>> -
$L= ang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / >>> @@ -206,21 +251,30 @@ END >>> $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / >>> +END >>> + >>> + if (&Header::blue_used()) { >>> + print <>> +
>>> + >>> +
>>> + >>> + >>> + >>> + >>> + >>> -= >>> -
$L= ang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}<= /td>$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / >>> +
$Lang::tr{'drop wirelessforward'= }$Lang::tr{'on'} / >>> $Lang::tr{'off'}
>>> -
>>> + >>> +END >>> + } >>> + >>> + print <>> + >>> + >>> +
>>>=20 >>> - >>> - >>> - >>> - >>> -
$L= ang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >>> - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >>> - $Lang::tr{'off'}
>>> -
>>> >>> >>> <= td align=3D'left'>$Lang::tr{'on'} / >>> @@ -252,7 +306,7 @@ END >>>=20 >>>
>>>
$La= ng::tr{'fw settings'}
$Lang::tr{'fw settings color'}
>>> - >>>
>>> +
>>> >>>
>>> @@ -278,7 +332,7 @@ print <>> >>> END >>> print ""; >>> - print"

"; >>> + print"

"; >>> print <>>
>>> >>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >>> index 6a8133807..d6bb234fa 100644 >>> --- a/langs/de/cgi-bin/de.pl >>> +++ b/langs/de/cgi-bin/de.pl >>> @@ -836,6 +836,8 @@ >>> 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren DNS= Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!Die eingegebene sekund=C3=A4ren DNS Server Adresse ist j= edoch g=C3=BCltig.
', >>> 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim=C3=A4ren= wie auch des sekund=C3=A4ren DNS-Servers sind nich= t g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', >>> 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren D= NS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!=
Die eingegebene prim=C3=A4re DNS Server Adresse ist je= doch g=C3=BCltig.', >>> +'dns force on blue' =3D> 'Erzwinge lokale= DNS-Server auf BLAU', >>> +'dns force on green' =3D> 'Erzwinge lokal= e DNS-Server auf GR=C3=9CN', >>> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empfohlen)', >>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)', >>> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an red0', >>> @@ -1102,9 +1104,12 @@ >>> 'from email server' =3D> 'Von E-Mail-Server', >>> 'from email user' =3D> 'Von E-Mail-Benutzer', >>> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BCltig', >>> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', >>> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das = BLAUE Interface', >>> 'fw default drop' =3D> 'Firewallrichtlinie', >>> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das GR=C3=9CNE Interface', >>> 'fw logging' =3D> 'Firewallprotokollierung', >>> +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', >>> +'fw logging red' =3D> 'Firewallprotokollierung (ROT)', >>> 'fw settings' =3D> 'Firewalleinstellungen', >>> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', >>> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsseite anz= eigen', >>> @@ -1644,9 +1649,9 @@ >>> 'map to guest' =3D> 'Map to Guest', >>> 'march' =3D> 'M=C3=A4rz', >>> 'marked' =3D> 'Markiert', >>> -'masquerade blue' =3D> 'NAT auf BLAU', >>> -'masquerade green' =3D> 'NAT auf GR=C3=9CN', >>> -'masquerade orange' =3D> 'NAT auf ORANGE', >>> +'masquerade blue' =3D> 'NAT auf BLAU= ', >>> +'masquerade green' =3D> 'NAT auf GR=C3=9CN<= /font>', >>> +'masquerade orange' =3D> 'NAT auf ORANGE', >>> 'masquerading' =3D> 'Masquerading/NAT', >>> 'masquerading disabled' =3D> 'NAT ausgeschaltet', >>> 'masquerading enabled' =3D> 'NAT eingeschaltet', 
>>> @@ -1814,6 +1819,8 @@ >>> 'november' =3D> 'November', >>> 'ntp common settings' =3D> 'Allgemeine Einstellungen', >>> 'ntp configuration' =3D> 'Zeitserverkonfiguration', >>> +'ntp force on blue' =3D> 'Erzwinge lokal= e NTP-Server auf BLAU', >>> +'ntp force on green' =3D> 'Erzwinge loka= le NTP-Server auf GR=C3=9CN', >>> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu k=C3= =B6nnen, muss NTP vorher aktiviert sein.', >>> 'ntp server' =3D> 'NTP-Server', >>> 'ntp sync' =3D> 'Synchronisation', >>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >>> index 8f7e0c2cf..474612025 100644 >>> --- a/langs/en/cgi-bin/en.pl >>> +++ b/langs/en/cgi-bin/en.pl >>> @@ -859,6 +859,8 @@ >>> 'dns error 0' =3D> 'The IP address of the primary DNS se= rver is not valid, please check your entries!
The entered second= ary DNS server address is valid.', >>> 'dns error 01' =3D> 'The entered IP address of the primary and secondary DNS server are not valid, please check your= entries!', >>> 'dns error 1' =3D> 'The IP address of the secondary DNS = server is not valid, please check your entries!
The entered prim= ary DNS server address is valid.', >>> +'dns force on blue' =3D> 'Force DNS to use local DNS servers on BLUE', >>> +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', >>> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', >>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', >>> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on red0', >>> @@ -1128,9 +1130,12 @@ >>> 'from email server' =3D> 'From Email server', >>> 'from email user' =3D> 'From e-mail user', >>> 'from warn email bad' =3D> 'From e-mail address is not valid', >>> -'fw blue' =3D> 'Firewall options for BLUE interface', >>> +'fw blue' =3D> 'Firewall options for BLUE Interface', >>> 'fw default drop' =3D> 'Firewall policy', >>> +'fw green' =3D> 'Firewall options for GREEN Interface', >>> 'fw logging' =3D> 'Firewall logging', >>> +'fw logging blue' =3D> 'Firewall logging (BLUE= )', >>> +'fw logging red' =3D> 'Firewall logging (RED)', >>> 'fw settings' =3D> 'Firewall settings', >>> 'fw settings color' =3D> 'Show colors in ruletable', >>> 'fw settings dropdown' =3D> 'Show all networks on rulecreation site', >>> @@ -1672,9 +1677,9 @@ >>> 'map to guest' =3D> 'Map to Guest', >>> 'march' =3D> 'March', >>> 'marked' =3D> 'Marked', >>> -'masquerade blue' =3D> 'Masquerade BLUE', >>> -'masquerade green' =3D> 'Masquerade GREEN', >>> -'masquerade orange' =3D> 'Masquerade ORANGE', >>> +'masquerade blue' =3D> 'Masquerade BLUE', >>> +'masquerade green' =3D> 'Masquerade GREEN', >>> +'masquerade orange' =3D> 'Masquerade ORANGE= ', >>> 'masquerading' =3D> 'Masquerading', >>> 'masquerading disabled' =3D> 'Masquerading disabled', >>> 'masquerading enabled' =3D> 'Masquerading enabled', 
>>> @@ -1844,6 +1849,8 @@ >>> 'november' =3D> 'November', >>> 'ntp common settings' =3D> 'Common settings', >>> 'ntp configuration' =3D> 'NTP Configuration', >>> +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', >>> +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', >>> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to have c= lients.', >>> 'ntp server' =3D> 'NTP Server', >>> 'ntp sync' =3D> 'Synchronization', >>> diff --git a/lfs/configroot b/lfs/configroot >>> index a3e474d70..622793b35 100644 >>> --- a/lfs/configroot >>> +++ b/lfs/configroot >>> @@ -129,6 +129,10 @@ $(TARGET) : >>> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >>> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >>> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings >>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp >>> new file mode 100644 >>> index 000000000..2eafa9d20 >>> --- /dev/null >>> +++ b/src/initscripts/system/dnsntp 
>>> @@ -0,0 +1,36 @@ >>> +#!/bin/sh >>> +######################################################################## >>> +# Begin $rc_base/init.d/dnsntp >>> +# >>> +# Description : dnsntp init script for DNS/NTP rules only >>> +# >>> +######################################################################## >>> + >>> +# flush chain >>> +iptables -t nat -F DNS_NTP_REDIRECT >>> + >>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >>> + >>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) >>> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 = -j REDIRECT >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 = -j REDIRECT >>> +fi >>> + >>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) >>> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -= j REDIRECT >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -= j REDIRECT >>> +fi >>> + >>> +# Force NTP REDIRECTs on GREEN (udp, 123) >>> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123= -j REDIRECT >>> +fi >>> + >>> +# Force DNS REDIRECTs on BLUE (udp, 123) >>> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 = -j REDIRECT >>> +fi >>> + >>> +# End $rc_base/init.d/dnsntp >>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/fir= ewall >>> index 65f1c979b..43ae74113 100644 >>> --- a/src/initscripts/system/firewall >>> +++ b/src/initscripts/system/firewall 
>>> @@ -169,6 +169,10 @@ iptables_init() { >>> # Fix for braindead ISPs >>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss= -to-pmtu >>>=20 >>> + # DNS / NTP REDIRECT >>> + iptables -t nat -N DNS_NTP_REDIRECT >>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT >>> + >>> # CUSTOM chains, can be used by the users themselves >>> iptables -N CUSTOMINPUT >>> iptables -A INPUT -j CUSTOMINPUT >>> @@ -281,7 +285,7 @@ iptables_init() { >>> iptables -A INPUT -j LOCATIONBLOCK >>> iptables -A FORWARD -j LOCATIONBLOCK >>>=20 >>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept e= verything >>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept = everything >>> iptables -N IPSECINPUT >>> iptables -N IPSECFORWARD >>> iptables -N IPSECOUTPUT >>> @@ -389,6 +393,9 @@ iptables_init() { >>> # run captivectrl >>> /usr/local/bin/captivectrl >>>=20 >>> + # run dnsntpctrl >>> + /usr/local/bin/dnsntpctrl >>> + >>> # POLICY CHAIN >>> iptables -N POLICYIN >>> iptables -A INPUT -j POLICYIN >>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile >>> index 7c3ef7529..6f2733ef0 100644 >>> --- a/src/misc-progs/Makefile >>> +++ b/src/misc-progs/Makefile >>> @@ -26,7 +26,7 @@ PROGS =3D iowrap >>> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ >>> ipsecctrl timectrl dhcpctrl suricatactrl \ >>> rebuildhosts backupctrl collectdctrl \ >>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ >>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ >>> wirelessctrl getipstat qosctrl \ >>> redctrl syslogdctrl extrahdctrl sambactrl \ >>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ >>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c >>> new file mode 100644 >>> index 000000000..f2a3b89e3 >>> --- /dev/null >>> +++ b/src/misc-progs/dnsntpctrl.c 
>>> @@ -0,0 +1,19 @@ >>> +/* This file is part of the IPFire Firewall. >>> + * >>> + * This program is distributed under the terms of the GNU General Public >>> + * Licence. See the file COPYING for details. >>> + * >>> + */ >>> + >>> +#include >>> +#include "setuid.h" >>> + >>> +int main(void) >>> +{ >>> + if (!(initsetuid())) >>> + exit(1); >>> + >>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); >>> + >>> + return 0; >>> +} >>> --=20 >>> 2.18.0 >>>=20 >>=20 >=20 --===============1346878542305545561==--
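Review bot: in the two html/cgi-bin/optionsfw.cgi hunks (@@ -50 and @@ -65) the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` runs directly after `system("/usr/local/bin/firewallctrl");`. If firewallctrl re-runs the firewall init script, that script now calls /usr/local/bin/dnsntpctrl itself (see the `# run dnsntpctrl` hunk), so the chain is rebuilt twice on every save; if it does not, the call is needed, but discarding stderr means a failing iptables invocation leaves the chain half-populated with nothing in the CGI or the logs to show it. Either drop the redundant call, or keep it and push a non-zero return value of system() into $errormessage so the user sees that the redirect was not applied.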
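Review bot: in the @@ -169 hunk of src/initscripts/system/firewall the jump `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the `# CUSTOM chains` block that follows it. The commit message names collision avoidance with CUSTOM rules as the reason for the separate chain, but if the CUSTOM block also installs a nat PREROUTING chain (not visible in this hunk), user rules there are evaluated only after the redirect has already matched, so a user cannot exempt a single host (for example an internal resolver that must reach its upstream directly) from the forced redirect. If that exemption should remain possible, move the jump after the custom chains; otherwise state in the commit message that the redirect takes precedence over custom rules.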
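Review bot: the `# run dnsntpctrl` hunk (@@ -389) calls the setuid wrapper from iptables_init(), which already runs as root; calling /etc/rc.d/init.d/dnsntp directly there would avoid the setuid round trip and leave the wrapper for the CGI only, which is the one caller that needs it. More important, the first command of the new init script, `iptables -t nat -F DNS_NTP_REDIRECT`, assumes the chain exists. That holds in this order because the @@ -169 hunk creates it earlier in iptables_init(), but when dnsntpctrl is run on its own before the firewall has been initialised, or after a manual flush with -X, the -F fails, every following -A fails too, and because the CGI redirects output to /dev/null the rules are lost without a trace. Creating the chain in dnsntp with `iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null` before the flush makes the script safe to run in either order.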
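Review bot: src/initscripts/system/dnsntp is declared `#!/bin/sh` but tests with `[ "$DNS_FORCE_ON_GREEN" == "on" ]`; `==` is a bash extension, POSIX test only defines `=`, so the script breaks on a strict /bin/sh. The interface names green0 and blue0 are hardcoded while the surrounding firewall script works with GREEN_DEV; taking the device names from the ethernet settings keeps the rules right on a system where a zone sits on a bridge or VLAN device. The settings are loaded with `eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)`, which executes whatever the file contains; only four on/off values are needed, so extracting those keys directly avoids treating a configuration file as code. The comment `# Force DNS REDIRECTs on BLUE (udp, 123)` should read NTP. Two functional caveats belong in the commit message or the GUI help: the rules catch only plain DNS on port 53 and NTP on UDP 123, so a client using DNS over TLS or HTTPS, or another port, is not redirected; and the NTP redirect sends every client to the firewall's own time service, so it only works when IPFire's NTP server is enabled (en.pl already carries 'ntp must be enabled to have clients'). Upstream queries from the firewall itself leave through OUTPUT, not PREROUTING, so they are unaffected.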
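Review bot: in src/misc-progs/dnsntpctrl.c the return value of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1")` is discarded and the script's output is swallowed, so a failing iptables call is invisible to optionsfw.cgi, which invoked the wrapper. Returning the script's exit status instead of a constant 0 lets the CGI report the failure. The first `#include` line survives extraction without a header name; exit() needs <stdlib.h>, so confirm that is what is named there. Since the program is added to SUID_PROGS in the Makefile it runs as root on behalf of the web UI; the fixed command line with no arguments is the right shape for a setuid helper, and `if (!(initsetuid())) exit(1);` before anything else runs keeps it that way.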
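Review bot: in the lfs/configroot hunk the keys are DNS_FORCE_ON_GREEN/BLUE and NTP_FORCE_ON_GREEN/BLUE, matching optionsfw.cgi and the dnsntp script, while the commit message describes them as [DNS/NTP]_FORCED_ON_[INTERFACE]; align the description with the real names so anyone reading /var/ipfire/optionsfw/settings by hand finds them. Defaulting all four to off is the right choice: switching the redirect on changes where every client's DNS and NTP traffic terminates, so it must stay an explicit opt-in.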
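Review bot: in the de.pl and en.pl hunks the 'masquerade ...', 'fw logging ...' and 'dns/ntp force on ...' strings appear to carry presentation markup (the colouring the commit message mentions under "Added text colors"), so every translation has to repeat the same markup and a later styling change touches all language files. Keeping the translation strings plain and applying the colour in optionsfw.cgi, where the table is printed, keeps the language files data only.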
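The redirect logic the patch describes (per-zone on/off switches, DNS on TCP/UDP 53, NTP on UDP 123, one dedicated nat chain), rewritten as an added example that is neither Matthias's patch nor IPFire code. It assumes KEY=value settings files as lfs/configroot writes them, an ethernet settings file with GREEN_DEV and BLUE_DEV keys (the GREEN_DEV name is taken from the firewall script; the file layout is an assumption), and file paths supplied by the caller; the sample input it builds is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the patch or of IPFire: build the
# DNS_NTP_REDIRECT rules from an optionsfw-style settings file without
# eval, and take the zone device names from an ethernet-style settings
# file instead of hardcoding green0/blue0.
# Assumptions: settings files are KEY=value lines (as lfs/configroot
# writes them); the ethernet file carries GREEN_DEV and BLUE_DEV; the
# paths are whatever the caller passes in.

# Print the value of one KEY from a settings file, or nothing if the key
# is absent. Only that key is read; the file is never executed as shell.
setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print one iptables argument list per line for every rule the settings
# call for. Zones without a device are skipped, so a BLUE switch left
# "on" on a box without BLUE produces no broken rule.
build_rules() {
    optionsfw="$1"
    ethernet="$2"
    for zone in GREEN BLUE; do
        dev=$(setting "$ethernet" "${zone}_DEV")
        [ -n "$dev" ] || continue
        if [ "$(setting "$optionsfw" "DNS_FORCE_ON_${zone}")" = "on" ]; then
            echo "-t nat -A DNS_NTP_REDIRECT -i $dev -p udp -m udp --dport 53 -j REDIRECT"
            echo "-t nat -A DNS_NTP_REDIRECT -i $dev -p tcp -m tcp --dport 53 -j REDIRECT"
        fi
        if [ "$(setting "$optionsfw" "NTP_FORCE_ON_${zone}")" = "on" ]; then
            echo "-t nat -A DNS_NTP_REDIRECT -i $dev -p udp -m udp --dport 123 -j REDIRECT"
        fi
    done
}

# Number of rules build_rules would install (quick sanity check).
count_rules() {
    build_rules "$1" "$2" | wc -l | tr -d ' '
}

# Install the rules: create the chain if missing, flush it, then append.
# Returns non-zero if any iptables call fails, so a caller can report
# the failure instead of silently running with a partial chain.
apply_rules() {
    iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null || true
    iptables -t nat -F DNS_NTP_REDIRECT || return 1
    build_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        iptables $rule || exit 1
    done
}

# Constructed sample input (not real IPFire files): GREEN exists and
# forces both DNS and NTP; BLUE has its NTP switch on but no device.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/optionsfw" <<'EOF'
DNS_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=off
NTP_FORCE_ON_GREEN=on
NTP_FORCE_ON_BLUE=on
EOF
    cat > "$dir/ethernet" <<'EOF'
GREEN_DEV=green0
RED_DEV=red0
EOF
    echo "$dir"
}

# Dry run on the sample: prints the three GREEN rules, touches no iptables.
demo_dir=$(make_sample_dir)
build_rules "$demo_dir/optionsfw" "$demo_dir/ethernet"
rm -rf "$demo_dir"
```

Running the file prints the rule list for the constructed sample; `apply_rules /var/ipfire/optionsfw/settings /var/ipfire/ethernet/settings` (paths assumed) would install them. Keeping rule generation separate from installation is what makes the rule set reviewable before anything is touched, and the per-zone device lookup plus the absent-zone skip covers the "BLUE does not exist" case the patch handles in the GUI.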