public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Wed, 07 Apr 2021 21:47:07 +0100	[thread overview]
Message-ID: <BFED9698-2EAC-43A1-BC34-2AC7C3C5A97D@ipfire.org> (raw)
In-Reply-To: <a6274651-ce03-7e12-ff9d-e6fcecdeb179@ipfire.org>


Hello,

> On 2 Apr 2021, at 00:18, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> Hi,
> 
> I added my comments / questions below:
> 
> On 01.04.2021 12:29, Michael Tremer wrote:
>> Hello,
>> 
>> Please see my other email about *why* we need this.
>> 
>> I will reply to some technical things on here...
>> 
>>> On 5 Mar 2021, at 19:40, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>> 
>>> Originally triggered by:
>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>> 
>>> Current discussion:
>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>> 
>>> Summary and functionality:
>>> These patches are controlled through "Firewall Options". They add new
>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>> 
>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>> this more transparent.
>>> 
>>> Flaw/ToDo:
>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>> capabilities, perhaps "someone" else knows how to program this.
> 
> The idea of using a *single* C file came up because I wasn't able to
> load and delete the needed iptable rules by calling
> '/etc/init.d/rc.d/dnsntp' directly from 'optionsfw.cgi'. It just doesn't
> work. Actually Stefan gave me some hints for the current version:
> => https://lists.ipfire.org/pipermail/development/2021-January/009087.html

You will be able to call a script, just as a non-privileged user which obviously cannot alter the iptables ruleset.

>> Why is this not part of the regular firewall scripts and being reloading with them? That would avoid the extra SUID binary.
> 
> I'd really like to do so, but couldn't get it to work.
> 
>> “ipsec-policy” is for example something that is an extra script.
> 
> Yes. But.
> Tried. Failed. Nothing happens. Rules won't be added or deleted.
> 
> As a test, I moved '/etc/init.d/rc.d/dnsntp' to '/usr/lib/firewall/dnsntp'.
> - Changed 'optionsfw.cgi' to call '/usr/lib/firewall/dnsntp'.
> - Checked rights.
> 
> No luck.

You would change the firewall scripts to call your scripts and the CGI script would call firewallctrl.

That is the way to go.

> Results:
> To change the iptable rules according to the chosen DNS/NTP settings, I
> still need an administrative console or a reboot. It is not possible to
> add or delete specific iptable rules by calling an init script through
> 'optionsfw.cgi' without an extra SUID binary.

Exactly.

> If someone has another idea or a hint, I would be thankful.
> 
>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>> the respective interface actually exists.
>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>> or logging options for BLUE available (e.g.).
>>> Added text colors for better readability and links to DNS and NTP GUI.
>>> Separated logging options per interface.
>>> 
>>> No reboot required:
>>> Rules can be switched ON/OFF without rebooting IPFire.
>>> Changes immediately take effect after clicking 'Save'.
>>> 
>>> Changes to '/etc/rc.d/init.d/firewall':
>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>> chain: DNS_NTP_REDIRECT.
>>> This chain is flushed by the init file before the desired settings are applied.
>>> Corrected a 'trafic' typo.
>>> 
>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>> ---
>>> config/rootfiles/common/aarch64/initscripts  |  1 +
>>> config/rootfiles/common/armv5tel/initscripts |  1 +
>>> config/rootfiles/common/i586/initscripts     |  1 +
>>> config/rootfiles/common/misc-progs           |  1 +
>>> config/rootfiles/common/x86_64/initscripts   |  1 +
>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>>> langs/de/cgi-bin/de.pl                       | 15 +++-
>>> langs/en/cgi-bin/en.pl                       | 15 +++-
>>> lfs/configroot                               |  4 +
>>> src/initscripts/system/dnsntp                | 36 ++++++++
>>> src/initscripts/system/firewall              |  9 +-
>>> src/misc-progs/Makefile                      |  2 +-
>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>> create mode 100644 src/initscripts/system/dnsntp
>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>> 
>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>>> index 800005966..f38a3a294 100644
>>> --- a/config/rootfiles/common/aarch64/initscripts
>>> +++ b/config/rootfiles/common/aarch64/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>>> index 800005966..f38a3a294 100644
>>> --- a/config/rootfiles/common/armv5tel/initscripts
>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>>> index 18c5a897a..a3a2b47f7 100644
>>> --- a/config/rootfiles/common/i586/initscripts
>>> +++ b/config/rootfiles/common/i586/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>>> index d6594b3f8..4bcb94812 100644
>>> --- a/config/rootfiles/common/misc-progs
>>> +++ b/config/rootfiles/common/misc-progs
>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>> usr/local/bin/collectdctrl
>>> usr/local/bin/ddnsctrl
>>> usr/local/bin/dhcpctrl
>>> +usr/local/bin/dnsntpctrl
>>> usr/local/bin/extrahdctrl
>>> usr/local/bin/fireinfoctrl
>>> usr/local/bin/firewallctrl
>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>>> index 18c5a897a..a3a2b47f7 100644
>>> --- a/config/rootfiles/common/x86_64/initscripts
>>> +++ b/config/rootfiles/common/x86_64/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>>> index 321642e82..3fc707e8b 100644
>>> --- a/html/cgi-bin/optionsfw.cgi
>>> +++ b/html/cgi-bin/optionsfw.cgi
>>> @@ -2,7 +2,7 @@
>>> ###############################################################################
>>> #                                                                             #
>>> # IPFire.org - A linux based firewall                                         #
>>> -# Copyright (C) 2014-2020  IPFire Team  <info(a)ipfire.org>                     #
>>> +# Copyright (C) 2014-2021  IPFire Team  <info(a)ipfire.org>                     #
>>> #                                                                             #
>>> # This program is free software: you can redistribute it and/or modify        #
>>> # it under the terms of the GNU General Public License as published by        #
>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>>> 		&General::writehash($filename, \%settings);             # Save good settings
>>> 		system("/usr/local/bin/firewallctrl");
>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> 	}else{
>>> 		if ($settings{'POLICY'} ne ''){
>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
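Review bot: the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` line discards the helper's output and never checks the return value of system(), so a failure to load the REDIRECT rules is invisible to the user who just clicked Save; the `firewallctrl` call directly above it is not silenced, so at least keep the two consistent and put a non-zero exit status into `$errormessage`.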
>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> 		system("/usr/local/bin/firewallctrl");
>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> 	}
>>> 	&General::readhash($filename, \%settings);             # Load good settings
>>> }
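Review bot: this is the second identical `dnsntpctrl` call; both branches of the if/else end with `firewallctrl` and then fall through to `&General::readhash($filename, \%settings)` after the block, so one `dnsntpctrl` call placed there would cover both paths instead of keeping two copies in sync.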
>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>> 
>>> &Header::openbox('100%', 'center',);
>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
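Review bot: the `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}}` assignment (and the three like it) accepts whatever string is in the settings hash; nothing in the save path shown earlier validates these four new keys to 'on' or 'off' before `&General::writehash`, so an unexpected value is written to the settings file and leaves neither radio button checked. Rejecting anything other than 'on'/'off' in the save path closes that gap.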
>>> @@ -189,13 +203,44 @@ END
>>> END
>>> 	}
>>> 
>>> -	print <<END
>>> +print <<END;
>>> +	<table width='95%' cellspacing='0'>
>>> +		<tr bgcolor='$color{'color20'}'></tr>
>>> +		<tr>&nbsp;</tr>
>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>>> +		</tr>
>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +END
>>> +
>>> +	if (&Header::blue_used()) {
>>> +		print <<END;
>>> +		<table width='95%' cellspacing='0'>
>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> +		<tr>&nbsp;</tr>
>>> +			<tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			</td>
>>> +			</tr>
>>> +END
>>> +	}
>>> +
>>> +	print <<END;
>>> 	</table>
>>> 
>>> -	<br>
>>> +	<br />
>>> 
>>> -<table width='95%' cellspacing='0'>
>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>>> +		<table width='95%' cellspacing='0'>
>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
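Review bot: the GREEN header rows are malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` puts text directly inside a `<tr>`, and the `<td colspan='2'>` carrying `$Lang::tr{'fw green'}` is closed by a `</tr>` that was never opened; compare the BLUE block just below, which correctly puts the `<td>` inside the coloured `<tr>`. The BLUE heredoc in turn opens a second `<table width='95%'>` without the GREEN one having been closed (the only `</table>` is in the final heredoc), has a bare `<tr>` before the DNS row and a stray `</td></tr>` at the end, so with BLUE configured one table is left unclosed.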
>>> @@ -206,21 +251,30 @@ END
>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> +END
>>> +
>>> +	if (&Header::blue_used()) {
>>> +		print <<END;
>>> +	</table>
>>> +
>>> +	<br />
>>> +
>>> +		<table width='95%' cellspacing='0'>
>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>>> +			<tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -</table>
>>> -<br/>
>>> +			</tr>
>>> +END
>>> +	}
>>> +
>>> +	print <<END;
>>> +	</table>
>>> +
>>> +	<br />
>>> 
>>> -<table width='95%' cellspacing='0'>
>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -</table>
>>> -<br>
>>> <table width='95%' cellspacing='0'>
>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
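Review bot: the BLUE logging heredoc has an unclosed `<tr>` immediately before the `drop wirelessinput` row and a matching stray `</tr>` after the `drop wirelessforward` row; both should go. Retitling the first table `fw logging red` is also misleading, since `drop newnotsyn`, `drop input`, `drop outgoing` and `drop portscan` are not RED-specific switches, and the old `fw logging` key is left in the language files but no longer referenced from this page.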
>>> @@ -252,7 +306,7 @@ END
>>> 
>>> <br />
>>> <table width='100%' cellspacing='0'>
>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>> </form></td></tr>
>>> </table>
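Review bot: `align='right'` to `align='center'` on the Save button is an unrelated cosmetic change (as are the `<br>` to `<br />` edits and the `trafic` typo fix elsewhere in this series); splitting those into their own commit keeps the functional DNS/NTP change reviewable and revertable on its own.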
>>> @@ -278,7 +332,7 @@ print <<END;
>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>> END
>>> 	print "</tr></table></form>";
>>> -	print"<br><br>";
>>> +	print"<br /><br />";
>>> 	print <<END;
>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> 	<table width='100%' border='0'>
>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>> index 6a8133807..d6bb234fa 100644
>>> --- a/langs/de/cgi-bin/de.pl
>>> +++ b/langs/de/cgi-bin/de.pl
>>> @@ -836,6 +836,8 @@
>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>>> @@ -1102,9 +1104,12 @@
>>> 'from email server' => 'Von E-Mail-Server',
>>> 'from email user' => 'Von E-Mail-Benutzer',
>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>> 'fw default drop' => 'Firewallrichtlinie',
>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>> 'fw logging' => 'Firewallprotokollierung',
>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>> 'fw settings' => 'Firewalleinstellungen',
>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
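Review bot: the new `fw green`, `fw logging blue` and `fw logging red` strings hardcode `<font color=...>` hex values inside the translation file, duplicated per language; that ties every translator to presentation and the copies drift as soon as one file is edited. Prefer plain text here and apply the interface colour in optionsfw.cgi, where `$color{'color20'}` already comes from, rather than in each language file.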
>>> @@ -1644,9 +1649,9 @@
>>> 'map to guest' => 'Map to Guest',
>>> 'march' => 'März',
>>> 'marked' => 'Markiert',
>>> -'masquerade blue' => 'NAT auf BLAU',
>>> -'masquerade green' => 'NAT auf GRÜN',
>>> -'masquerade orange' => 'NAT auf ORANGE',
>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>> 'masquerading' => 'Masquerading/NAT',
>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>>> 'masquerading enabled' => 'NAT eingeschaltet',
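Review bot: `<font color =\'#FF9933\'>` in the `masquerade orange` string has a space before `=` that the BLUE and GREEN strings and the en.pl version do not; harmless to browsers but inconsistent, and one more reason not to carry markup in translation strings.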
>>> @@ -1814,6 +1819,8 @@
>>> 'november' => 'November',
>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>> 'ntp server' => 'NTP-Server',
>>> 'ntp sync' => 'Synchronisation',
>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>> index 8f7e0c2cf..474612025 100644
>>> --- a/langs/en/cgi-bin/en.pl
>>> +++ b/langs/en/cgi-bin/en.pl
>>> @@ -859,6 +859,8 @@
>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
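Review bot: the diffstat lists only de.pl and en.pl, so `dns force on blue`/`dns force on green` (and the ntp, fw green and fw logging keys) are absent from the other language files under langs/; check what optionsfw.cgi renders for a missing key in those locales before merging, or add the English strings there as placeholders.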
>>> @@ -1128,9 +1130,12 @@
>>> 'from email server' => 'From Email server',
>>> 'from email user' => 'From e-mail user',
>>> 'from warn email bad' => 'From e-mail address is not valid',
>>> -'fw blue' => 'Firewall options for BLUE interface',
>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>> 'fw default drop' => 'Firewall policy',
>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>> 'fw logging' => 'Firewall logging',
>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>> 'fw settings' => 'Firewall settings',
>>> 'fw settings color' => 'Show colors in ruletable',
>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
>>> @@ -1672,9 +1677,9 @@
>>> 'map to guest' => 'Map to Guest',
>>> 'march' => 'March',
>>> 'marked' => 'Marked',
>>> -'masquerade blue' => 'Masquerade BLUE',
>>> -'masquerade green' => 'Masquerade GREEN',
>>> -'masquerade orange' => 'Masquerade ORANGE',
>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>> 'masquerading' => 'Masquerading',
>>> 'masquerading disabled' => 'Masquerading disabled',
>>> 'masquerading enabled' => 'Masquerading enabled',
>>> @@ -1844,6 +1849,8 @@
>>> 'november' => 'November',
>>> 'ntp common settings' => 'Common settings',
>>> 'ntp configuration' => 'NTP Configuration',
>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>> 'ntp server' => 'NTP Server',
>>> 'ntp sync' => 'Synchronization',
>>> diff --git a/lfs/configroot b/lfs/configroot
>>> index a3e474d70..622793b35 100644
>>> --- a/lfs/configroot
>>> +++ b/lfs/configroot
>>> @@ -129,6 +129,10 @@ $(TARGET) :
>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
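Review bot: these four defaults only land in /var/ipfire/optionsfw/settings on a fresh install; an existing system upgrading to this release will have no `DNS_FORCE_ON_*`/`NTP_FORCE_ON_*` keys at all. The init script treats anything but `on` as off, so the rules stay disabled, but optionsfw.cgi then renders neither radio button checked; an update script (or a default in the cgi when the key is missing) should add the keys.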
>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>> new file mode 100644
>>> index 000000000..2eafa9d20
>>> --- /dev/null
>>> +++ b/src/initscripts/system/dnsntp
>>> @@ -0,0 +1,36 @@
>>> +#!/bin/sh
>>> +########################################################################
>>> +# Begin $rc_base/init.d/dnsntp
>>> +#
>>> +# Description : dnsntp init script for DNS/NTP rules only
>>> +#
>>> +########################################################################
>>> +
>>> +# flush chain
>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>> +
>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>> +
>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> +fi
>>> +
>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> +fi
>>> +
>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>>> +fi
>>> +
>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>>> +fi
>>> +
>>> +# End $rc_base/init.d/dnsntp
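Review bot: beyond the hardcoded interface names and ports, `[ "$DNS_FORCE_ON_GREEN" == "on" ]` uses the bash-only `==` under `#!/bin/sh`, which works only where /bin/sh is bash; `=` is the portable spelling. The `iptables -t nat -F DNS_NTP_REDIRECT` at the top assumes the chain already exists (it is created in the firewall init script), so running this script before the firewall is up prints an error and carries on, and the comment `# Force DNS REDIRECTs on BLUE (udp, 123)` should read NTP. Because REDIRECT is used without `--to-ports`, the packets land on the firewall's own port 53/123, which requires the resolver and time daemon to be listening on that interface; that dependency belongs in the commit message.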
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> 
>> This script hardcodes the interface names which should be read from /var/ipfire/ethernet/settings instead.
>> 
>> They are in GREEN_DEV and BLUE_DEV. Normally, those should not change, but you can never be too sure.
> 
> I thought of this, but had something on my eyes. Added ${GREEN/BLUE_DEV}
> variables. Thanks. ;-)
> 
>> This script is also hardcoding the port numbers. I am not sure what users might expect here when you say “DNS”. Does that include DoT and DoH? Those can obviously not be redirected, but shouldn’t they be blocked instead?
> 
> Hm. At the moment I don't know how to do this.

Doing what?

>>> index 65f1c979b..43ae74113 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -169,6 +169,10 @@ iptables_init() {
>>> 	# Fix for braindead ISPs
>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> 
>>> +	# DNS / NTP REDIRECT
>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>> +
>> 
>> The CUSTOM* chains are always the first ones.
>> 
>> The DNS_NTP_REDIRECT chains should come way after CONNTRACK so that we do not have to send every single packet through them. This would have a massive performance impact on really fast networks.
>> 
>> Those rules should also come after suricata so that the IPS can scan NTP and DNS traffic.
>> 
>> How about before/after WIRELESSFORWARD?
> 
> Sorry, if this sounds naive, but I'm a bit puzzled and not 100% familiar
> with the different chains and the sequences in the firewall init.

No problems. That is why we have this list, so that we can all combine our brains :)

> If I get you right, then this means that you would prefer to move the
> following code block in '/etc/init.d/rc.d/firewall'?
> 
> Move:
> ...
> # DNS / NTP REDIRECT
> iptables -t nat -N DNS_NTP_REDIRECT
> iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> ...
> 
> *Behind* this block:
> 
> ...
> # WIRELESS chains
> iptables -N WIRELESSINPUT
> iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
> iptables -N WIRELESSFORWARD
> iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
> 
> ...
> 
> Is this what you meant!?

Yes.

>>> 	# CUSTOM chains, can be used by the users themselves
>>> 	iptables -N CUSTOMINPUT
>>> 	iptables -A INPUT -j CUSTOMINPUT
>>> @@ -281,7 +285,7 @@ iptables_init() {
>>> 	iptables -A INPUT -j LOCATIONBLOCK
>>> 	iptables -A FORWARD -j LOCATIONBLOCK
>>> 
>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> 	iptables -N IPSECINPUT
>>> 	iptables -N IPSECFORWARD
>>> 	iptables -N IPSECOUTPUT
>>> @@ -389,6 +393,9 @@ iptables_init() {
>>> 	# run captivectrl
>>> 	/usr/local/bin/captivectrl
>>> 
>>> +	# run dnsntpctrl
>>> +	/usr/local/bin/dnsntpctrl
>>> +
>>> 	# POLICY CHAIN
>>> 	iptables -N POLICYIN
>>> 	iptables -A INPUT -j POLICYIN
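Review bot: `iptables_init()` already runs as root, so going through the setuid `/usr/local/bin/dnsntpctrl` wrapper here, which in turn runs `/etc/rc.d/init.d/dnsntp`, is a needless double hop; call the script directly, or, as discussed above, fold the rules into the firewall scripts so the wrapper is not needed at all.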
>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>> index 7c3ef7529..6f2733ef0 100644
>>> --- a/src/misc-progs/Makefile
>>> +++ b/src/misc-progs/Makefile
>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>>> 	rebuildhosts backupctrl collectdctrl \
>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>> 	wirelessctrl getipstat qosctrl \
>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
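Review bot: adding `dnsntpctrl` to `SUID_PROGS` installs another setuid-root binary that the web server user can invoke; each such binary is part of the CGI's privilege boundary, so if the rules move into the regular firewall scripts and are triggered through the existing `firewallctrl` (as suggested earlier in this thread), this entry and the new binary should be dropped rather than added.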
>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>> new file mode 100644
>>> index 000000000..f2a3b89e3
>>> --- /dev/null
>>> +++ b/src/misc-progs/dnsntpctrl.c
>>> @@ -0,0 +1,19 @@
>>> +/* This file is part of the IPFire Firewall.
>>> + *
>>> + * This program is distributed under the terms of the GNU General Public
>>> + * Licence.  See the file COPYING for details.
>>> + *
>>> + */
>>> +
>>> +#include <stdlib.h>
>>> +#include "setuid.h"
>>> +
>>> +int main(void)
>>> +{
>>> +	if (!(initsetuid()))
>>> +		exit(1);
>>> +
>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>> +
>>> +	return 0;
>>> +}
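Review bot: the result of `safe_system(...)` is discarded and `main` always returns 0, so the caller in optionsfw.cgi can never learn that loading the rules failed; propagate the exit status instead so the cgi can report it. Redirecting to /dev/null inside the helper also hides iptables errors from the boot log when the same binary is called from `iptables_init()`, where the output would actually be useful.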
>>> -- 
>>> 2.18.0
>>> 
>> 
>> -Michael

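As an added example (not code from the patch or from IPFire), the rule generation from `dnsntp` rewritten along the lines the review asks for: interface names come from GREEN_DEV/BLUE_DEV in /var/ipfire/ethernet/settings instead of being hardcoded, an interface that is not configured gets no rules, and generating the rules is separated from loading them so they can be inspected before the ruleset is touched. It assumes the unquoted KEY=VALUE settings format seen in the configroot hunk, and the `read_setting`, `rules_for`, `build_rules` and `apply_rules` names are mine.

```shell
#!/bin/sh
# Added example (not IPFire code): generate the DNS_NTP_REDIRECT rules with
# interface names taken from the ethernet settings, as the review asks.
# Both paths can be overridden so the script can be dry-run against
# constructed files, and IPTABLES=echo prints rules instead of loading them.
OPTIONSFW="${OPTIONSFW:-/var/ipfire/optionsfw/settings}"
ETHERNET="${ETHERNET:-/var/ipfire/ethernet/settings}"
IPTABLES="${IPTABLES:-iptables}"

# read_setting FILE KEY: print the value of the first KEY=VALUE line in FILE,
# or nothing if the file or key is absent. Assumes the unquoted KEY=VALUE
# format that lfs/configroot writes.
read_setting() {
    [ -r "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# rules_for DEV DNS NTP: print one "-A DNS_NTP_REDIRECT ..." rule per line
# for a single interface. DNS and NTP are the on/off values of the matching
# *_FORCE_ON_* options. An empty DEV means the interface is not configured
# (no BLUE, say), so no rules are produced for it whatever the options say.
rules_for() {
    dev="$1"; dns="$2"; ntp="$3"
    [ -n "$dev" ] || return 0
    if [ "$dns" = "on" ]; then
        # DNS uses both UDP and TCP 53; REDIRECT without --to-ports keeps the
        # port and rewrites the destination to the firewall's own address.
        echo "-A DNS_NTP_REDIRECT -i $dev -p udp -m udp --dport 53 -j REDIRECT"
        echo "-A DNS_NTP_REDIRECT -i $dev -p tcp -m tcp --dport 53 -j REDIRECT"
    fi
    if [ "$ntp" = "on" ]; then
        echo "-A DNS_NTP_REDIRECT -i $dev -p udp -m udp --dport 123 -j REDIRECT"
    fi
}

# build_rules: rules for GREEN and BLUE, read from both settings files.
build_rules() {
    rules_for "$(read_setting "$ETHERNET" GREEN_DEV)" \
              "$(read_setting "$OPTIONSFW" DNS_FORCE_ON_GREEN)" \
              "$(read_setting "$OPTIONSFW" NTP_FORCE_ON_GREEN)"
    rules_for "$(read_setting "$ETHERNET" BLUE_DEV)" \
              "$(read_setting "$OPTIONSFW" DNS_FORCE_ON_BLUE)" \
              "$(read_setting "$OPTIONSFW" NTP_FORCE_ON_BLUE)"
}

# apply_rules: flush the chain (created by the firewall init script) and
# load whatever build_rules produced. Stops at the first iptables failure
# and returns non-zero so a caller can report it instead of going on silently.
apply_rules() {
    "$IPTABLES" -t nat -F DNS_NTP_REDIRECT || return 1
    build_rules | while read -r rule; do
        # $rule is intentionally unquoted: it must split into arguments.
        "$IPTABLES" -t nat $rule || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `IPTABLES=echo sh dnsntp-rules.sh apply` to see exactly which rules would be loaded for the current settings without changing anything.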
