Hello,

> On 2 Apr 2021, at 00:18, Matthias Fischer wrote:
>
> Hi,
>
> I added my comments / questions below:
>
> On 01.04.2021 12:29, Michael Tremer wrote:
>> Hello,
>>
>> Please see my other email about *why* we need this.
>>
>> I will reply to some technical things on here...
>>
>>> On 5 Mar 2021, at 19:40, Matthias Fischer wrote:
>>>
>>> Originally triggered by:
>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>
>>> Current discussion:
>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>
>>> Summary and functionality:
>>> These patches are controlled through "Firewall Options". They add new
>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>>
>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>> this more transparent.
>>>
>>> Flaw/ToDo:
>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>> capabilities, perhaps "someone" else knows how to program this.
>
> The idea of using a *single* C file came up because I wasn't able to
> load and delete the needed iptable rules by calling
> '/etc/init.d/rc.d/dnsntp' directly from 'optionsfw.cgi'. It just doesn't
> work. Actually Stefan gave me some hints for the current version:
> => https://lists.ipfire.org/pipermail/development/2021-January/009087.html

You will be able to call a script, just as a non-privileged user, which obviously cannot alter the iptables ruleset.
>> Why is this not part of the regular firewall scripts and being reloaded with them? That would avoid the extra SUID binary.
>
> I'd really like to do so, but couldn't get it to work.
>
>> “ipsec-policy” is for example something that is an extra script.
>
> Yes. But.
> Tried. Failed. Nothing happens. Rules won't be added or deleted.
>
> As a test, I moved '/etc/init.d/rc.d/dnsntp' to '/usr/lib/firewall/dnsntp'.
> - Changed 'optionsfw.cgi' to call '/usr/lib/firewall/dnsntp'.
> - Checked rights.
>
> No luck.

You would change the firewall scripts to call your scripts and the CGI script would call firewallctrl. That is the way to go.

> Results:
> To change the iptable rules according to the chosen DNS/NTP settings, I
> still need an administrative console or a reboot. It is not possible to
> add or delete specific iptable rules by calling an init script through
> 'optionsfw.cgi' without an extra SUID binary.

Exactly.

> If someone has another idea or a hint, I would be thankful.
>
>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>> the respective interface actually exists.
>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>> or logging options for BLUE available (e.g.).
>>> Added text colors for better readability and links to DNS and NTP GUI.
>>> Separated logging options per interface.
>>>
>>> No reboot required:
>>> Rules can be switched ON/OFF without rebooting IPFire.
>>> Changes immediately take effect after clicking 'Save'.
>>>
>>> Changes to '/etc/rc.d/init.d/firewall':
>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>> chain: DNS_NTP_REDIRECT.
>>> This chain is flushed by the init file before the desired settings are applied.
>>> Corrected a 'trafic' typo.
>>> >>> Signed-off-by: Matthias Fischer >>> --- >>> config/rootfiles/common/aarch64/initscripts | 1 + >>> config/rootfiles/common/armv5tel/initscripts | 1 + >>> config/rootfiles/common/i586/initscripts | 1 + >>> config/rootfiles/common/misc-progs | 1 + >>> config/rootfiles/common/x86_64/initscripts | 1 + >>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++---- >>> langs/de/cgi-bin/de.pl | 15 +++- >>> langs/en/cgi-bin/en.pl | 15 +++- >>> lfs/configroot | 4 + >>> src/initscripts/system/dnsntp | 36 ++++++++ >>> src/initscripts/system/firewall | 9 +- >>> src/misc-progs/Makefile | 2 +- >>> src/misc-progs/dnsntpctrl.c | 19 ++++ >>> 13 files changed, 168 insertions(+), 29 deletions(-) >>> create mode 100644 src/initscripts/system/dnsntp >>> create mode 100644 src/misc-progs/dnsntpctrl.c >>> >>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts >>> index 800005966..f38a3a294 100644 >>> --- a/config/rootfiles/common/aarch64/initscripts >>> +++ b/config/rootfiles/common/aarch64/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts >>> index 800005966..f38a3a294 100644 >>> --- a/config/rootfiles/common/armv5tel/initscripts >>> +++ b/config/rootfiles/common/armv5tel/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts >>> index 18c5a897a..a3a2b47f7 100644 >>> --- a/config/rootfiles/common/i586/initscripts 
>>> +++ b/config/rootfiles/common/i586/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs >>> index d6594b3f8..4bcb94812 100644 >>> --- a/config/rootfiles/common/misc-progs >>> +++ b/config/rootfiles/common/misc-progs >>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl >>> usr/local/bin/collectdctrl >>> usr/local/bin/ddnsctrl >>> usr/local/bin/dhcpctrl >>> +usr/local/bin/dnsntpctrl >>> usr/local/bin/extrahdctrl >>> usr/local/bin/fireinfoctrl >>> usr/local/bin/firewallctrl >>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts >>> index 18c5a897a..a3a2b47f7 100644 >>> --- a/config/rootfiles/common/x86_64/initscripts >>> +++ b/config/rootfiles/common/x86_64/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi >>> index 321642e82..3fc707e8b 100644 >>> --- a/html/cgi-bin/optionsfw.cgi >>> +++ b/html/cgi-bin/optionsfw.cgi >>> @@ -2,7 +2,7 @@ >>> ############################################################################### >>> # # >>> # IPFire.org - A linux based firewall # >>> -# Copyright (C) 2014-2020 IPFire Team # >>> +# Copyright (C) 2014-2021 IPFire Team # >>> # # >>> # This program is free software: you can redistribute it and/or modify # >>> # it under the terms of the GNU General Public License as published by # 
>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >>> $errormessage .= $Lang::tr{'new optionsfw later'}; >>> &General::writehash($filename, \%settings); # Save good settings >>> system("/usr/local/bin/firewallctrl"); >>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >>> }else{ >>> if ($settings{'POLICY'} ne ''){ >>> $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; >>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >>> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings); >>> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); >>> system("/usr/local/bin/firewallctrl"); >>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >>> } >>> &General::readhash($filename, \%settings); # Load good settings >>> } >>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele >>> $selected{'MASQUERADE_BLUE'}{'off'} = ''; >>> $selected{'MASQUERADE_BLUE'}{'on'} = ''; >>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; >>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = ''; >>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = ''; >>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"; >>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = ''; >>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = ''; >>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'"; >>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = ''; >>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = ''; >>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'"; >>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = ''; >>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = ''; >>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'"; >>> >>> &Header::openbox('100%', 'center',); >>> print "
"; >>> @@ -189,13 +203,44 @@ END >>> END >>> } >>> >>> - print <>> +print <>> + >>> + >>> +   >>> + >>> + >>> + >>> + >>> +END >>> + >>> + if (&Header::blue_used()) { >>> + print <>> +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on green'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
>>> + >>> +   >>> + >>> + >>> + >>> + >>> + >>> + >>> + >>> +END >>> + } >>> + >>> + print <>>
$Lang::tr{'fw blue'}
$Lang::tr{'dns force on blue'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
>>> >>> -
>>> +
>>> >>> - >>> - >>> +
$Lang::tr{'fw logging'}
>>> + >>> >>> >>> >>> -
$Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / >>> @@ -206,21 +251,30 @@ END >>> $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / >>> +END >>> + >>> + if (&Header::blue_used()) { >>> + print <>> +
>>> + >>> +
>>> + >>> + >>> + >>> + >>> + >>> - >>> -
$Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / >>> +
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / >>> $Lang::tr{'off'}
>>> -
>>> + >>> +END >>> + } >>> + >>> + print <>> + >>> + >>> +
>>> >>> - >>> - >>> - >>> - >>> -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >>> - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >>> - $Lang::tr{'off'}
>>> -
>>> >>> >>> >>> END >>> print "
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / >>> @@ -252,7 +306,7 @@ END >>> >>>
>>> >>> - >>>
>>> +
>>> >>>
>>> @@ -278,7 +332,7 @@ print <>>
"; >>> - print"

"; >>> + print"

"; >>> print <>>
>>> >>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >>> index 6a8133807..d6bb234fa 100644 >>> --- a/langs/de/cgi-bin/de.pl >>> +++ b/langs/de/cgi-bin/de.pl >>> @@ -836,6 +836,8 @@ >>> 'dns error 0' => 'Die IP Adresse vom primären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene sekundären DNS Server Adresse ist jedoch gültig.
', >>> 'dns error 01' => 'Die eingegebene IP Adresse des primären wie auch des sekundären DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', >>> 'dns error 1' => 'Die IP Adresse vom sekundären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene primäre DNS Server Adresse ist jedoch gültig.', >>> +'dns force on blue' => 'Erzwinge lokale DNS-Server auf BLAU', >>> +'dns force on green' => 'Erzwinge lokale DNS-Server auf GRÜN', >>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', >>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', >>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', >>> @@ -1102,9 +1104,12 @@ >>> 'from email server' => 'Von E-Mail-Server', >>> 'from email user' => 'Von E-Mail-Benutzer', >>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig', >>> -'fw blue' => 'Firewalloptionen für das Blaue Interface', >>> +'fw blue' => 'Firewalloptionen für das BLAUE Interface', >>> 'fw default drop' => 'Firewallrichtlinie', >>> +'fw green' => 'Firewalloptionen für das GRÜNE Interface', >>> 'fw logging' => 'Firewallprotokollierung', >>> +'fw logging blue' => 'Firewallprotokollierung (BLAU)', >>> +'fw logging red' => 'Firewallprotokollierung (ROT)', >>> 'fw settings' => 'Firewalleinstellungen', >>> 'fw settings color' => 'Farben in Regeltabelle anzeigen', >>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', >>> @@ -1644,9 +1649,9 @@ >>> 'map to guest' => 'Map to Guest', >>> 'march' => 'März', >>> 'marked' => 'Markiert', >>> -'masquerade blue' => 'NAT auf BLAU', >>> -'masquerade green' => 'NAT auf GRÜN', >>> -'masquerade orange' => 'NAT auf ORANGE', >>> +'masquerade blue' => 'NAT auf BLAU', >>> +'masquerade green' => 'NAT auf GRÜN', >>> +'masquerade orange' => 'NAT auf ORANGE', >>> 'masquerading' => 'Masquerading/NAT', >>> 'masquerading disabled' => 'NAT ausgeschaltet', >>> 'masquerading enabled' => 'NAT eingeschaltet', 
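Review bot: the three 'masquerade blue/green/orange' lines in the @@ -1644,9 +1649,9 @@ hunk are removed and re-added with identical visible text, i.e. a whitespace-only change that has nothing to do with the DNS/NTP option; drop it from this patch or send it as a separate cleanup commit so the feature diff stays reviewable.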
>>> @@ -1814,6 +1819,8 @@ >>> 'november' => 'November', >>> 'ntp common settings' => 'Allgemeine Einstellungen', >>> 'ntp configuration' => 'Zeitserverkonfiguration', >>> +'ntp force on blue' => 'Erzwinge lokale NTP-Server auf BLAU', >>> +'ntp force on green' => 'Erzwinge lokale NTP-Server auf GRÜN', >>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.', >>> 'ntp server' => 'NTP-Server', >>> 'ntp sync' => 'Synchronisation', >>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >>> index 8f7e0c2cf..474612025 100644 >>> --- a/langs/en/cgi-bin/en.pl >>> +++ b/langs/en/cgi-bin/en.pl >>> @@ -859,6 +859,8 @@ >>> 'dns error 0' => 'The IP address of the primary DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid.', >>> 'dns error 01' => 'The entered IP address of the primary and secondary DNS server are not valid, please check your entries!', >>> 'dns error 1' => 'The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary DNS server address is valid.', >>> +'dns force on blue' => 'Force DNS to use local DNS servers on BLUE', >>> +'dns force on green' => 'Force DNS to use local DNS servers on GREEN', >>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', >>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', >>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0', >>> @@ -1128,9 +1130,12 @@ >>> 'from email server' => 'From Email server', >>> 'from email user' => 'From e-mail user', >>> 'from warn email bad' => 'From e-mail address is not valid', >>> -'fw blue' => 'Firewall options for BLUE interface', >>> +'fw blue' => 'Firewall options for BLUE Interface', >>> 'fw default drop' => 'Firewall policy', >>> +'fw green' => 'Firewall options for GREEN Interface', >>> 'fw logging' => 'Firewall logging', >>> +'fw logging blue' => 'Firewall logging (BLUE)', >>> +'fw logging red' => 'Firewall logging (RED)', >>> 'fw settings' => 'Firewall settings', >>> 'fw settings color' => 'Show colors in ruletable', >>> 'fw settings dropdown' => 'Show all networks on rulecreation site', >>> @@ -1672,9 +1677,9 @@ >>> 'map to guest' => 'Map to Guest', >>> 'march' => 'March', >>> 'marked' => 'Marked', >>> -'masquerade blue' => 'Masquerade BLUE', >>> -'masquerade green' => 'Masquerade GREEN', >>> -'masquerade orange' => 'Masquerade ORANGE', >>> +'masquerade blue' => 'Masquerade BLUE', >>> +'masquerade green' => 'Masquerade GREEN', >>> +'masquerade orange' => 'Masquerade ORANGE', >>> 'masquerading' => 'Masquerading', >>> 'masquerading disabled' => 'Masquerading disabled', >>> 'masquerading enabled' => 'Masquerading enabled', 
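Review bot: the same whitespace-only churn is in the @@ -1672,9 +1677,9 @@ hunk here ('masquerade blue/green/orange' deleted and re-added unchanged); drop those lines. In the @@ -1128,9 +1130,12 @@ hunk 'fw blue' is changed from 'Firewall options for BLUE interface' to '... BLUE Interface' and the new 'fw green' copies that capitalisation; 'interface' is a common noun in English and should stay lowercase in both strings.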
>>> @@ -1844,6 +1849,8 @@ >>> 'november' => 'November', >>> 'ntp common settings' => 'Common settings', >>> 'ntp configuration' => 'NTP Configuration', >>> +'ntp force on blue' => 'Force NTP to use local NTP servers on BLUE', >>> +'ntp force on green' => 'Force NTP to use local NTP servers on GREEN', >>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.', >>> 'ntp server' => 'NTP Server', >>> 'ntp sync' => 'Synchronization', >>> diff --git a/lfs/configroot b/lfs/configroot >>> index a3e474d70..622793b35 100644 >>> --- a/lfs/configroot >>> +++ b/lfs/configroot >>> @@ -129,6 +129,10 @@ $(TARGET) : >>> echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings >>> echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings >>> echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings >>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp >>> new file mode 100644 >>> index 000000000..2eafa9d20 >>> --- /dev/null >>> +++ b/src/initscripts/system/dnsntp 
>>> @@ -0,0 +1,36 @@ >>> +#!/bin/sh >>> +######################################################################## >>> +# Begin $rc_base/init.d/dnsntp >>> +# >>> +# Description : dnsntp init script for DNS/NTP rules only >>> +# >>> +######################################################################## >>> + >>> +# flush chain >>> +iptables -t nat -F DNS_NTP_REDIRECT >>> + >>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >>> + >>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) >>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >>> +fi >>> + >>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) >>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >>> +fi >>> + >>> +# Force NTP REDIRECTs on GREEN (udp, 123) >>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT >>> +fi >>> + >>> +# Force DNS REDIRECTs on BLUE (udp, 123) >>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT >>> +fi >>> + >>> +# End $rc_base/init.d/dnsntp 
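Review bot: the four tests of the form `[ "$DNS_FORCE_ON_GREEN" == "on" ]` use the bash-only `==` although the script starts with `#!/bin/sh`; write `=` so it does not depend on sh being bash. The interface names green0 and blue0 are hardcoded; read GREEN_DEV and BLUE_DEV from /var/ipfire/ethernet/settings and skip the block when the variable is empty. `iptables -t nat -F DNS_NTP_REDIRECT` fails if the chain does not exist yet, which is the case whenever this script runs before /etc/rc.d/init.d/firewall has created it; nothing in the diff adds dnsntp to a runlevel, so in practice it is only ever executed through dnsntpctrl from the firewall script, and then it does not need to be an init script at all and could live next to the other firewall helpers. The comment before the last block says 'Force DNS REDIRECTs on BLUE (udp, 123)' but that rule is the NTP one.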
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >> >> This script hardcodes the interface names which should be read from /var/ipfire/ethernet/settings instead. >> >> They are in GREEN_DEV and BLUE_DEV. Normally, those should not change, but you can never be too sure. > > I thought of this, but had something on my eyes. Added ${GREEN/BLUE_DEV} > variables. Thanks. ;-) > >> This script is also hardcoding the port numbers. I am not sure what users might expect here when you say “DNS”. Does that include DoT and DoH? Those can obviously not be redirected, but shouldn’t they be blocked instead? > > Hm. At the moment I don't know how to do this. Doing what? >>> index 65f1c979b..43ae74113 100644 >>> --- a/src/initscripts/system/firewall >>> +++ b/src/initscripts/system/firewall 
>>> @@ -169,6 +169,10 @@ iptables_init() { >>> # Fix for braindead ISPs >>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu >>> >>> + # DNS / NTP REDIRECT >>> + iptables -t nat -N DNS_NTP_REDIRECT >>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT >>> + >> >> The CUSTOM* chains are always the first ones. >> >> The DNS_NTP_REDIRECT chains should come way after CONNTRACK so that we do not have to send every single packet through them. This would have a massive performance impact on really fast networks. >> >> Those rules should also come after suricata so that the IPS can scan NTP and DNS traffic. >> >> How about before/after WIRELESSFORWARD? > > Sorry, if this sounds naive, but I'm a bit puzzled and not 100% familiar > with the different chains and the sequences in the firewall init. No problems. That is why we have this list, so that we can all combine our brains :) > If I get you right, then this means that you would prefer to move the > following code block in '/etc/init.d/rc.d/firewall'? > > Move: > ... > # DNS / NTP REDIRECT > iptables -t nat -N DNS_NTP_REDIRECT > iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT > ... > > *Behind* this block: > > ... > # WIRELESS chains > iptables -N WIRELESSINPUT > iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT > iptables -N WIRELESSFORWARD > iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD > > ... > > Is this what you meant!? Yes. >>> # CUSTOM chains, can be used by the users themselves >>> iptables -N CUSTOMINPUT >>> iptables -A INPUT -j CUSTOMINPUT >>> @@ -281,7 +285,7 @@ iptables_init() { >>> iptables -A INPUT -j LOCATIONBLOCK >>> iptables -A FORWARD -j LOCATIONBLOCK >>> >>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything >>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything >>> iptables -N IPSECINPUT >>> iptables -N IPSECFORWARD >>> iptables -N IPSECOUTPUT 
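Review bot: in the @@ -169,6 +169,10 @@ hunk the new chain is created and jumped to from nat PREROUTING ahead of the CUSTOM* chains, which the discussion above says must always come first; as a result a user's custom rules can no longer take precedence over the forced redirect, although the chain was introduced precisely to avoid collisions with them. Move the block after the WIRELESS chains as agreed above. Two smaller points: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` has no `-i`, so it is traversed for connections arriving on every interface including RED and only the per-interface matches inside the chain keep RED traffic out, which deserves a comment; and the 'trafic' spelling fix in the @@ -281,7 +285,7 @@ hunk is unrelated to the feature and would be better as a separate commit.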
>>> @@ -389,6 +393,9 @@ iptables_init() { >>> # run captivectrl >>> /usr/local/bin/captivectrl >>> >>> + # run dnsntpctrl >>> + /usr/local/bin/dnsntpctrl >>> + >>> # POLICY CHAIN >>> iptables -N POLICYIN >>> iptables -A INPUT -j POLICYIN >>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile >>> index 7c3ef7529..6f2733ef0 100644 >>> --- a/src/misc-progs/Makefile >>> +++ b/src/misc-progs/Makefile >>> @@ -26,7 +26,7 @@ PROGS = iowrap >>> SUID_PROGS = squidctrl sshctrl ipfirereboot \ >>> ipsecctrl timectrl dhcpctrl suricatactrl \ >>> rebuildhosts backupctrl collectdctrl \ >>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ >>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ >>> wirelessctrl getipstat qosctrl \ >>> redctrl syslogdctrl extrahdctrl sambactrl \ >>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ >>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c >>> new file mode 100644 >>> index 000000000..f2a3b89e3 >>> --- /dev/null >>> +++ b/src/misc-progs/dnsntpctrl.c >>> @@ -0,0 +1,19 @@ >>> +/* This file is part of the IPFire Firewall. >>> + * >>> + * This program is distributed under the terms of the GNU General Public >>> + * Licence. See the file COPYING for details. >>> + * >>> + */ >>> + >>> +#include >>> +#include "setuid.h" >>> + >>> +int main(void) >>> +{ >>> + if (!(initsetuid())) >>> + exit(1); >>> + >>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); >>> + >>> + return 0; >>> +} >>> -- >>> 2.18.0 >>> >> >> -Michael
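Review bot: in html/cgi-bin/optionsfw.cgi the @@ -50,6 +50,7 @@ and @@ -65,6 +66,7 @@ hunks save the new DNS_FORCE_ON_*/NTP_FORCE_ON_* keys through &General::writehash and then run dnsntpctrl, but no check that each value is exactly 'on' or 'off' is visible in the diff; since /etc/rc.d/init.d/dnsntp turns the settings file into shell variables with `eval $(readhash ...)`, restrict the new keys to those two values before writing them. In the @@ -140,6 +142,18 @@ hunk, `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}}` indexes with an undefined value on installations upgraded from a release that does not have the key (only lfs/configroot sets the defaults), so neither radio button is preselected; default missing keys to 'off' when reading. The added `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` lines right after `system("/usr/local/bin/firewallctrl")` become unnecessary once the firewall script applies the rules itself, which the @@ -389,6 +393,9 @@ hunk already makes it do.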
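Review bot: src/misc-progs/dnsntpctrl.c adds a second SUID-root helper whose whole job is to run /etc/rc.d/init.d/dnsntp, and the Makefile hunk lists it in SUID_PROGS; that is the extra privileged binary the thread is trying to avoid. Since the @@ -389,6 +393,9 @@ hunk already runs the DNS/NTP rules from iptables_init, the CGI can rely on firewallctrl, which it already calls, and dnsntpctrl can be dropped together with its rootfiles entry. If the helper is kept: the init script invokes `iptables` without a path, so the helper depends on initsetuid() resetting PATH and the rest of the environment before safe_system() runs, and that should be stated in the file; and the first `#include` line has lost its header name in this rendering of the patch (exit() needs <stdlib.h>), so check the submitted file.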
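As an added illustration of the points raised in this review, and not code from the patch or from IPFire, here is one shape the dnsntp script could take once they are applied: the interface names come from GREEN_DEV/BLUE_DEV in /var/ipfire/ethernet/settings instead of being hardcoded, the settings file is parsed into shell variables without eval'ing it, `=` replaces the bash-only `==`, and DNS-over-TLS on tcp/853 is rejected because REDIRECT can only catch plain port-53 DNS (DoH on tcp/443 cannot be singled out by port). The filter-table chain DNS_NTP_BLOCK and the IPTABLES/ETHERNET_SETTINGS/OPTIONSFW_SETTINGS overrides are assumptions made for this example; the nat chain DNS_NTP_REDIRECT and the settings keys are the patch's own. The whitelist-based parser goes beyond what the thread discusses.

```shell
#!/bin/sh
# Added example for this review thread; it is not the patch's code and not
# part of IPFire. It sketches the dnsntp script with the review points
# applied. Assumptions that are NOT in the patch:
#  - DNS_NTP_BLOCK is a hypothetical filter-table chain which the firewall
#    init script creates and hooks into FORWARD (for NEW connections), next
#    to the nat chain DNS_NTP_REDIRECT that the patch creates.
#  - IPTABLES, ETHERNET_SETTINGS and OPTIONSFW_SETTINGS can be overridden
#    so the script can be dry-run without root (IPTABLES=echo).

IPTABLES="${IPTABLES:-iptables}"
ETHERNET_SETTINGS="${ETHERNET_SETTINGS:-/var/ipfire/ethernet/settings}"
OPTIONSFW_SETTINGS="${OPTIONSFW_SETTINGS:-/var/ipfire/optionsfw/settings}"

# Import KEY=VALUE lines from a settings file as shell variables. Keys must
# be identifiers and values are limited to a safe character set; anything
# else is skipped. The patch's `eval $(readhash ...)` trusts the file; this
# parser does not, which matters for a script that runs as root.
load_settings() {
    while IFS='=' read -r key value; do
        case "$key" in
            ''|\#*|*[!A-Za-z0-9_]*) continue ;;
        esac
        case "$value" in
            *[!A-Za-z0-9_.:-]*) continue ;;
        esac
        eval "$key=\$value"   # key is a validated identifier; value is not re-parsed
    done < "$1"
}

# Append the rules for one interface: $1 device, $2 DNS on/off, $3 NTP on/off.
# The number of rules added is accumulated in DNSNTP_RULES.
rules_for_interface() {
    dev="$1"; dns="$2"; ntp="$3"
    if [ -n "$dev" ] && [ "$dns" = "on" ]; then
        $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$dev" -p udp --dport 53 -j REDIRECT
        $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$dev" -p tcp --dport 53 -j REDIRECT
        # REDIRECT cannot rewrite DNS-over-TLS. Rejecting tcp/853 with a RST
        # makes opportunistic-DoT clients fall back to port 53 and strict-DoT
        # clients fail closed instead of bypassing the local resolver. DoH
        # shares tcp/443 and cannot be singled out by port, so a port-based
        # rule set does not handle it.
        $IPTABLES -A DNS_NTP_BLOCK -i "$dev" -p tcp --dport 853 -j REJECT --reject-with tcp-reset
        DNSNTP_RULES=$((DNSNTP_RULES + 3))
    fi
    if [ -n "$dev" ] && [ "$ntp" = "on" ]; then
        $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$dev" -p udp --dport 123 -j REDIRECT
        DNSNTP_RULES=$((DNSNTP_RULES + 1))
    fi
}

# Rebuild both chains from the current settings. The chains are assumed to
# exist already (created by the firewall init script), so they are only
# flushed here; missing keys (e.g. on an upgraded installation) mean "off".
dnsntp_reload() {
    DNSNTP_RULES=0
    load_settings "$ETHERNET_SETTINGS"
    load_settings "$OPTIONSFW_SETTINGS"
    $IPTABLES -t nat -F DNS_NTP_REDIRECT
    $IPTABLES -F DNS_NTP_BLOCK
    rules_for_interface "${GREEN_DEV:-}" "${DNS_FORCE_ON_GREEN:-off}" "${NTP_FORCE_ON_GREEN:-off}"
    rules_for_interface "${BLUE_DEV:-}"  "${DNS_FORCE_ON_BLUE:-off}"  "${NTP_FORCE_ON_BLUE:-off}"
}

# Only act when invoked as `dnsntp reload`; sourcing the file has no side effects.
case "${1:-}" in
    reload) dnsntp_reload ;;
esac
```

Run `IPTABLES=echo ./dnsntp reload` against copies of the two settings files to print the rules it would install without touching the live ruleset. In IPFire the chain creation and the PREROUTING/FORWARD jumps belong in /etc/rc.d/init.d/firewall at the position agreed above; this script only flushes and refills the chains, so it can be run from iptables_init and, through firewallctrl, from the CGI without a separate SUID helper.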