From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Wed, 07 Apr 2021 21:47:07 +0100

Hello,

> On 2 Apr 2021, at 00:18, Matthias Fischer wrote:
>
> Hi,
>
> I added my comments / questions below:
>
> On 01.04.2021 12:29, Michael Tremer wrote:
>> Hello,
>>
>> Please see my other email about *why* we need this.
>>
>> I will reply to some technical things on here...
>>
>>> On 5 Mar 2021, at 19:40, Matthias Fischer wrote:
>>>
>>> Originally triggered by:
>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>
>>> Current discussion:
>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>
>>> Summary and functionality:
>>> These patches are controlled through "Firewall Options". They add new
>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>>
>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>> this more transparent.
>>>
>>> Flaw/ToDo:
>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>> capabilities, perhaps "someone" else knows how to program this.
>
> The idea of using a *single* C file came up because I wasn't able to
> load and delete the needed iptable rules by calling
> '/etc/init.d/rc.d/dnsntp' directly from 'optionsfw.cgi'. It just doesn't
> work. Actually Stefan gave me some hints for the current version:
> => https://lists.ipfire.org/pipermail/development/2021-January/009087.html

You will be able to call a script, just as a non-privileged user which obviously cannot alter the iptables ruleset.

>> Why is this not part of the regular firewall scripts and being reloaded with them? That would avoid the extra SUID binary.
>
> I'd really like to do so, but couldn't get it to work.
>
>> “ipsec-policy” is for example something that is an extra script.
>
> Yes. But.
> Tried. Failed. Nothing happens. Rules won't be added or deleted.
>
> As a test, I moved '/etc/init.d/rc.d/dnsntp' to '/usr/lib/firewall/dnsntp'.
> - Changed 'optionsfw.cgi' to call '/usr/lib/firewall/dnsntp'.
> - Checked rights.
>
> No luck.

You would change the firewall scripts to call your scripts and the CGI script would call firewallctrl. That is the way to go.

> Results:
> To change the iptable rules according to the chosen DNS/NTP settings, I
> still need an administrative console or a reboot. It is not possible to
> add or delete specific iptable rules by calling an init script through
> 'optionsfw.cgi' without an extra SUID binary.

Exactly.

> If someone has another idea or a hint, I would be thankful.
>
>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>> the respective interface actually exists.
>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>> or logging options for BLUE available (e.g.).
>>> Added text colors for better readability and links to DNS and NTP GUI.
>>> Separated logging options per interface.
>>>
>>> No reboot required:
>>> Rules can be switched ON/OFF without rebooting IPFire.
>>> Changes immediately take effect after clicking 'Save'.
>>>
>>> Changes to '/etc/rc.d/init.d/firewall':
>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>> chain: DNS_NTP_REDIRECT.
>>> This chain is flushed by the init file before the desired settings are applied.
>>> Corrected a 'trafic' typo.
>>>
>>> Signed-off-by: Matthias Fischer
>>> ---
>>> config/rootfiles/common/aarch64/initscripts | 1 +
>>> config/rootfiles/common/armv5tel/initscripts | 1 +
>>> config/rootfiles/common/i586/initscripts | 1 +
>>> config/rootfiles/common/misc-progs | 1 +
>>> config/rootfiles/common/x86_64/initscripts | 1 +
>>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++----
>>> langs/de/cgi-bin/de.pl | 15 +++-
>>> langs/en/cgi-bin/en.pl | 15 +++-
>>> lfs/configroot | 4 +
>>> src/initscripts/system/dnsntp | 36 ++++++++
>>> src/initscripts/system/firewall | 9 +-
>>> src/misc-progs/Makefile | 2 +-
>>> src/misc-progs/dnsntpctrl.c | 19 ++++
>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>> create mode 100644 src/initscripts/system/dnsntp
>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>>
>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfil= es/common/aarch64/initscripts >>> index 800005966..f38a3a294 100644 >>> --- a/config/rootfiles/common/aarch64/initscripts >>> +++ b/config/rootfiles/common/aarch64/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfi= les/common/armv5tel/initscripts >>> index 800005966..f38a3a294 100644 >>> --- a/config/rootfiles/common/armv5tel/initscripts >>> +++ b/config/rootfiles/common/armv5tel/initscripts 
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/= common/i586/initscripts >>> index 18c5a897a..a3a2b47f7 100644 >>> --- a/config/rootfiles/common/i586/initscripts >>> +++ b/config/rootfiles/common/i586/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common= /misc-progs >>> index d6594b3f8..4bcb94812 100644 >>> --- a/config/rootfiles/common/misc-progs >>> +++ b/config/rootfiles/common/misc-progs >>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl >>> usr/local/bin/collectdctrl >>> usr/local/bin/ddnsctrl >>> usr/local/bin/dhcpctrl >>> +usr/local/bin/dnsntpctrl >>> usr/local/bin/extrahdctrl >>> usr/local/bin/fireinfoctrl >>> usr/local/bin/firewallctrl >>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfile= s/common/x86_64/initscripts >>> index 18c5a897a..a3a2b47f7 100644 >>> --- a/config/rootfiles/common/x86_64/initscripts >>> +++ b/config/rootfiles/common/x86_64/initscripts >>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >>> etc/rc.d/init.d/console >>> etc/rc.d/init.d/dhcp >>> etc/rc.d/init.d/dhcrelay >>> +etc/rc.d/init.d/dnsntp >>> etc/rc.d/init.d/fcron >>> etc/rc.d/init.d/fireinfo >>> etc/rc.d/init.d/firewall >>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi >>> index 321642e82..3fc707e8b 100644 >>> --- a/html/cgi-bin/optionsfw.cgi >>> +++ b/html/cgi-bin/optionsfw.cgi 
>>> @@ -2,7 +2,7 @@ >>> #########################################################################= ###### >>> # = # >>> # IPFire.org - A linux based firewall = # >>> -# Copyright (C) 2014-2020 IPFire Team = # >>> +# Copyright (C) 2014-2021 IPFire Team = # >>> # = # >>> # This program is free software: you can redistribute it and/or modify = # >>> # it under the terms of the GNU General Public License as published by = # >>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >>> $errormessage .=3D $Lang::tr{'new optionsfw later'}; >>> &General::writehash($filename, \%settings); # Save good set= tings >>> system("/usr/local/bin/firewallctrl"); >>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >>> }else{ >>> if ($settings{'POLICY'} ne ''){ >>> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; >>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >>> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsett= ings); >>> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsetti= ngs); >>> system("/usr/local/bin/firewallctrl"); >>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >>> } >>> &General::readhash($filename, \%settings); # Load good setti= ngs >>> } 
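Review bot: the `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` added in both the @@ -50 and @@ -65 branches directly follows a `system("/usr/local/bin/firewallctrl");`, and the `src/initscripts/system/firewall` hunk later in this patch already runs `/usr/local/bin/dnsntpctrl` from `iptables_init()`; if firewallctrl's reload re-runs iptables_init, these two calls and the extra SUID binary are redundant, which is the "make it part of the regular firewall scripts" point raised above. The `>/dev/null 2>&1` here is also duplicated inside dnsntpctrl.c's `safe_system(...)`, so an iptables failure in the init script is discarded twice; check the return value and report it through `$errormessage` instead of silencing it.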
>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE= _ORANGE'}} =3D 'selected=3D"sele >>> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; >>> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; >>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'selected= =3D"selected"'; >>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; >>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; >>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} =3D "che= cked=3D'checked'"; >>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; >>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; >>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D "check= ed=3D'checked'"; >>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; >>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; >>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} =3D "che= cked=3D'checked'"; >>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; >>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; >>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D "check= ed=3D'checked'"; >>>=20 >>> &Header::openbox('100%', 'center',); >>> print "
"; >>> @@ -189,13 +203,44 @@ END >>> END >>> } >>>=20 >>> - print <>> +print <>> + >>> + >>> +   >>> + >>> + >>> + <= /tr> >>> + <= /tr> >>> +END >>> + >>> + if (&Header::blue_used()) { >>> + print <>> +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on green'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
>>> + >>> +   >>> + >>> + >>> + >>> + >>> + >>> + >>> + >>> +END >>> + } >>> + >>> + print <>>
= $Lang::tr{'fw blue'}
$Lang::tr{'dns force on blue'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >>> + $Lang::tr{'off'}
>>>=20 >>> -
>>> +
>>>=20 >>> - >>> - >>> +
$L= ang::tr{'fw logging'}
>>> + >>> >>> >>> >>> -
$L= ang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / >>> @@ -206,21 +251,30 @@ END >>> $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / >>> +END >>> + >>> + if (&Header::blue_used()) { >>> + print <>> +
>>> + >>> +
>>> + >>> + >>> + >>> + >>> + >>> -= >>> -
$L= ang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}<= /td>$Lang::tr{'on'} / >>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / >>> +
$Lang::tr{'drop wirelessforward'= }$Lang::tr{'on'} / >>> $Lang::tr{'off'}
>>> -
>>> + >>> +END >>> + } >>> + >>> + print <>> + >>> + >>> +
>>>=20 >>> - >>> - >>> - >>> - >>> -
$L= ang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >>> - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >>> - $Lang::tr{'off'}
>>> -
>>> >>> >>> <= td align=3D'left'>$Lang::tr{'on'} / >>> @@ -252,7 +306,7 @@ END >>>=20 >>>
>>>
$La= ng::tr{'fw settings'}
$Lang::tr{'fw settings color'}
>>> - >>>
>>> +
>>> >>>
>>> @@ -278,7 +332,7 @@ print <>> >>> END >>> print ""; >>> - print"

"; >>> + print"

"; >>> print <>>
>>> >>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >>> index 6a8133807..d6bb234fa 100644 >>> --- a/langs/de/cgi-bin/de.pl >>> +++ b/langs/de/cgi-bin/de.pl >>> @@ -836,6 +836,8 @@ >>> 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren DNS= Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!Die eingegebene sekund=C3=A4ren DNS Server Adresse ist j= edoch g=C3=BCltig.
', >>> 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim=C3=A4ren= wie auch des sekund=C3=A4ren DNS-Servers sind nich= t g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', >>> 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren D= NS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!=
Die eingegebene prim=C3=A4re DNS Server Adresse ist je= doch g=C3=BCltig.', >>> +'dns force on blue' =3D> 'Erzwinge lokale= DNS-Server auf BLAU', >>> +'dns force on green' =3D> 'Erzwinge lokal= e DNS-Server auf GR=C3=9CN', >>> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empfohlen)', >>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)', >>> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an red0', >>> @@ -1102,9 +1104,12 @@ >>> 'from email server' =3D> 'Von E-Mail-Server', >>> 'from email user' =3D> 'Von E-Mail-Benutzer', >>> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BCltig', >>> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', >>> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das = BLAUE Interface', >>> 'fw default drop' =3D> 'Firewallrichtlinie', >>> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das GR=C3=9CNE Interface', >>> 'fw logging' =3D> 'Firewallprotokollierung', >>> +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', >>> +'fw logging red' =3D> 'Firewallprotokollierung (ROT)', >>> 'fw settings' =3D> 'Firewalleinstellungen', >>> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', >>> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsseite anz= eigen', >>> @@ -1644,9 +1649,9 @@ >>> 'map to guest' =3D> 'Map to Guest', >>> 'march' =3D> 'M=C3=A4rz', >>> 'marked' =3D> 'Markiert', >>> -'masquerade blue' =3D> 'NAT auf BLAU', >>> -'masquerade green' =3D> 'NAT auf GR=C3=9CN', >>> -'masquerade orange' =3D> 'NAT auf ORANGE', >>> +'masquerade blue' =3D> 'NAT auf BLAU= ', >>> +'masquerade green' =3D> 'NAT auf GR=C3=9CN<= /font>', >>> +'masquerade orange' =3D> 'NAT auf ORANGE', >>> 'masquerading' =3D> 'Masquerading/NAT', >>> 'masquerading disabled' =3D> 'NAT ausgeschaltet', >>> 'masquerading enabled' =3D> 'NAT eingeschaltet', 
>>> @@ -1814,6 +1819,8 @@ >>> 'november' =3D> 'November', >>> 'ntp common settings' =3D> 'Allgemeine Einstellungen', >>> 'ntp configuration' =3D> 'Zeitserverkonfiguration', >>> +'ntp force on blue' =3D> 'Erzwinge lokal= e NTP-Server auf BLAU', >>> +'ntp force on green' =3D> 'Erzwinge loka= le NTP-Server auf GR=C3=9CN', >>> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu k=C3= =B6nnen, muss NTP vorher aktiviert sein.', >>> 'ntp server' =3D> 'NTP-Server', >>> 'ntp sync' =3D> 'Synchronisation', >>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >>> index 8f7e0c2cf..474612025 100644 >>> --- a/langs/en/cgi-bin/en.pl >>> +++ b/langs/en/cgi-bin/en.pl >>> @@ -859,6 +859,8 @@ >>> 'dns error 0' =3D> 'The IP address of the primary DNS se= rver is not valid, please check your entries!
The entered second= ary DNS server address is valid.', >>> 'dns error 01' =3D> 'The entered IP address of the primary and secondary DNS server are not valid, please check your= entries!', >>> 'dns error 1' =3D> 'The IP address of the secondary DNS = server is not valid, please check your entries!
The entered prim= ary DNS server address is valid.', >>> +'dns force on blue' =3D> 'Force DNS to use local DNS servers on BLUE', >>> +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', >>> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', >>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', >>> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on red0', >>> @@ -1128,9 +1130,12 @@ >>> 'from email server' =3D> 'From Email server', >>> 'from email user' =3D> 'From e-mail user', >>> 'from warn email bad' =3D> 'From e-mail address is not valid', >>> -'fw blue' =3D> 'Firewall options for BLUE interface', >>> +'fw blue' =3D> 'Firewall options for BLUE Interface', >>> 'fw default drop' =3D> 'Firewall policy', >>> +'fw green' =3D> 'Firewall options for GREEN Interface', >>> 'fw logging' =3D> 'Firewall logging', >>> +'fw logging blue' =3D> 'Firewall logging (BLUE= )', >>> +'fw logging red' =3D> 'Firewall logging (RED)', >>> 'fw settings' =3D> 'Firewall settings', >>> 'fw settings color' =3D> 'Show colors in ruletable', >>> 'fw settings dropdown' =3D> 'Show all networks on rulecreation site', >>> @@ -1672,9 +1677,9 @@ >>> 'map to guest' =3D> 'Map to Guest', >>> 'march' =3D> 'March', >>> 'marked' =3D> 'Marked', >>> -'masquerade blue' =3D> 'Masquerade BLUE', >>> -'masquerade green' =3D> 'Masquerade GREEN', >>> -'masquerade orange' =3D> 'Masquerade ORANGE', >>> +'masquerade blue' =3D> 'Masquerade BLUE', >>> +'masquerade green' =3D> 'Masquerade GREEN', >>> +'masquerade orange' =3D> 'Masquerade ORANGE= ', >>> 'masquerading' =3D> 'Masquerading', >>> 'masquerading disabled' =3D> 'Masquerading disabled', >>> 'masquerading enabled' =3D> 'Masquerading enabled', 
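Review bot: the replaced 'masquerade blue/green/orange' and the new 'fw logging blue/red' strings embed colour markup in the translation files (a `</font>` closing tag is still visible in the 'masquerade green' line of the de.pl hunk above), so every language has to carry the same tags and a later restyle touches all langs files; colour the zone name in optionsfw.cgi, which already knows which zone it is printing, and keep the langs entries plain text. Minor: 'fw blue' changes 'BLUE interface' to 'BLUE Interface' and the new 'fw green' follows suit, while 'interface' was lower-case before.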
>>> @@ -1844,6 +1849,8 @@ >>> 'november' =3D> 'November', >>> 'ntp common settings' =3D> 'Common settings', >>> 'ntp configuration' =3D> 'NTP Configuration', >>> +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', >>> +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', >>> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to have c= lients.', >>> 'ntp server' =3D> 'NTP Server', >>> 'ntp sync' =3D> 'Synchronization', >>> diff --git a/lfs/configroot b/lfs/configroot >>> index a3e474d70..622793b35 100644 >>> --- a/lfs/configroot >>> +++ b/lfs/configroot >>> @@ -129,6 +129,10 @@ $(TARGET) : >>> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >>> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >>> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >>> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings >>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp >>> new file mode 100644 >>> index 000000000..2eafa9d20 >>> --- /dev/null >>> +++ b/src/initscripts/system/dnsntp 
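Review bot: the four `DNS_FORCE_ON_*` / `NTP_FORCE_ON_*` defaults in lfs/configroot only reach a freshly built configroot; an installation that receives this through a core update keeps its existing optionsfw/settings without these keys unless the update script also appends them. In that case `$settings{'DNS_FORCE_ON_GREEN'}` is undefined in the `$checked{...}` lookups of the optionsfw.cgi hunk and neither radio button is pre-selected, and the init script compares against an empty string (harmless, since it only acts on 'on', but the page then shows no state). Add the same four `echo ... >> optionsfw/settings` lines to the update script.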
>>> @@ -0,0 +1,36 @@ >>> +#!/bin/sh >>> +######################################################################## >>> +# Begin $rc_base/init.d/dnsntp >>> +# >>> +# Description : dnsntp init script for DNS/NTP rules only >>> +# >>> +######################################################################## >>> + >>> +# flush chain >>> +iptables -t nat -F DNS_NTP_REDIRECT >>> + >>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >>> + >>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) >>> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 = -j REDIRECT >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 = -j REDIRECT >>> +fi >>> + >>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) >>> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -= j REDIRECT >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -= j REDIRECT >>> +fi >>> + >>> +# Force NTP REDIRECTs on GREEN (udp, 123) >>> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123= -j REDIRECT >>> +fi >>> + >>> +# Force DNS REDIRECTs on BLUE (udp, 123) >>> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then >>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 = -j REDIRECT >>> +fi >>> + >>> +# End $rc_base/init.d/dnsntp 
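Review bot: in src/initscripts/system/dnsntp the comparisons use `==` under `#!/bin/sh`; `==` is a bash extension to `test`, so write `[ "$DNS_FORCE_ON_GREEN" = "on" ]` to stay portable. The interface names `green0`/`blue0` and the ports are hardcoded (take GREEN_DEV/BLUE_DEV from /var/ipfire/ethernet/settings, as discussed below), the comment above the last block reads 'Force DNS REDIRECTs on BLUE (udp, 123)' but the rule is the NTP one, and `iptables -t nat -F DNS_NTP_REDIRECT` errors if dnsntpctrl runs before the firewall init has created the chain (create it with `-N` here and ignore the error, or `-F` only after `iptables -t nat -L DNS_NTP_REDIRECT -n` succeeds). The file also has no `start`/`stop`/`reload` dispatch and nothing in rc.d symlinks to it, so it is a firewall helper rather than an init script; /usr/lib/firewall/ would be the more honest home.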
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/fir= ewall
>>
>> This script hardcodes the interface names which should be read from /var/ipfire/ethernet/settings instead.
>>
>> They are in GREEN_DEV and BLUE_DEV. Normally, those should not change, but you can never be too sure.
>
> I thought of this, but had something on my eyes. Added ${GREEN/BLUE_DEV}
> variables. Thanks. ;-)
>
>> This script is also hardcoding the port numbers. I am not sure what users might expect here when you say “DNS”. Does that include DoT and DoH? Those can obviously not be redirected, but shouldn’t they be blocked instead?
>
> Hm. At the moment I don't know how to do this.

Doing what?

>>> index 65f1c979b..43ae74113 100644 >>> --- a/src/initscripts/system/firewall >>> +++ b/src/initscripts/system/firewall 
>>> @@ -169,6 +169,10 @@ iptables_init() { >>> # Fix for braindead ISPs >>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss= -to-pmtu >>>=20 >>> + # DNS / NTP REDIRECT >>> + iptables -t nat -N DNS_NTP_REDIRECT >>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT >>> + 
>>
>> The CUSTOM* chains are always the first ones.
>>
>> The DNS_NTP_REDIRECT chains should come way after CONNTRACK so that we do not have to send every single packet through them. This would have a massive performance impact on really fast networks.
>>
>> Those rules should also come after suricata so that the IPS can scan NTP and DNS traffic.
>>
>> How about before/after WIRELESSFORWARD?
>
> Sorry, if this sounds naive, but I'm a bit puzzled and not 100% familiar
> with the different chains and the sequences in the firewall init.

No problems. That is why we have this list, so that we can all combine our brains :)

> If I get you right, then this means that you would prefer to move the
> following code block in '/etc/init.d/rc.d/firewall'?
>
> Move:
> ...
> # DNS / NTP REDIRECT
> iptables -t nat -N DNS_NTP_REDIRECT
> iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> ...
>
> *Behind* this block:
>
> ...
> # WIRELESS chains
> iptables -N WIRELESSINPUT
> iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
> iptables -N WIRELESSFORWARD
> iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
>
> ...
>
> Is this what you meant!?

Yes.

>>> # CUSTOM chains, can be used by the users themselves >>> iptables -N CUSTOMINPUT >>> iptables -A INPUT -j CUSTOMINPUT 
>>> @@ -281,7 +285,7 @@ iptables_init() { >>> iptables -A INPUT -j LOCATIONBLOCK >>> iptables -A FORWARD -j LOCATIONBLOCK >>>=20 >>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept e= verything >>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept = everything >>> iptables -N IPSECINPUT >>> iptables -N IPSECFORWARD >>> iptables -N IPSECOUTPUT >>> @@ -389,6 +393,9 @@ iptables_init() { >>> # run captivectrl >>> /usr/local/bin/captivectrl >>>=20 >>> + # run dnsntpctrl >>> + /usr/local/bin/dnsntpctrl >>> + >>> # POLICY CHAIN >>> iptables -N POLICYIN >>> iptables -A INPUT -j POLICYIN >>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile >>> index 7c3ef7529..6f2733ef0 100644 >>> --- a/src/misc-progs/Makefile >>> +++ b/src/misc-progs/Makefile >>> @@ -26,7 +26,7 @@ PROGS =3D iowrap >>> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ >>> ipsecctrl timectrl dhcpctrl suricatactrl \ >>> rebuildhosts backupctrl collectdctrl \ >>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ >>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ >>> wirelessctrl getipstat qosctrl \ >>> redctrl syslogdctrl extrahdctrl sambactrl \ >>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ >>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c >>> new file mode 100644 >>> index 000000000..f2a3b89e3 >>> --- /dev/null >>> +++ b/src/misc-progs/dnsntpctrl.c >>> @@ -0,0 +1,19 @@ >>> +/* This file is part of the IPFire Firewall. >>> + * >>> + * This program is distributed under the terms of the GNU General Public >>> + * Licence. See the file COPYING for details. >>> + * >>> + */ >>> + >>> +#include >>> +#include "setuid.h" >>> + >>> +int main(void) >>> +{ >>> + if (!(initsetuid())) >>> + exit(1); >>> + >>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); >>> + >>> + return 0; >>> +} 
>>> --
>>> 2.18.0
>>>
>>
>> -Michael
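The forced-DNS/NTP rules discussed in this thread, rewritten as an added example (this is not IPFire code and not part of the patch): interface names are taken from GREEN_DEV/BLUE_DEV in the ethernet settings as suggested above, a zone without a device is skipped even if its switch is 'on', and where DNS is forced, DNS-over-TLS on 853/tcp is rejected because TLS cannot be transparently redirected to the local resolver (DoH on 443/tcp cannot be told apart from other HTTPS by port alone and is not handled here). The DNS_NTP_BLOCK filter chain, the read_setting helper and the IPTABLES variable (defaulting to `echo iptables` so the script can be dry-run without root) are assumptions of this example, and the two settings files written by demo are constructed.

```shell
#!/bin/sh
# Added example, not IPFire code: build the forced-DNS/NTP rules from
# the settings files instead of hardcoding green0/blue0 and the ports.
# IPTABLES defaults to "echo iptables" so this can be dry-run as a
# normal user; set IPTABLES=iptables to apply for real (as root).
IPTABLES="${IPTABLES:-echo iptables}"

# read_setting FILE KEY: print the value of KEY from a KEY=value file
# (empty output if the key is absent, e.g. on an upgraded system).
read_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# zone_rules DEV DNS NTP: emit the rules for one zone.
# DEV is the interface name (GREEN_DEV/BLUE_DEV); DNS/NTP are on/off.
zone_rules() {
    dev="$1" dns="$2" ntp="$3"
    # zone not configured on this box (no BLUE_DEV): nothing to do
    [ -n "$dev" ] || return 0
    if [ "$dns" = "on" ]; then
        for proto in udp tcp; do
            $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$dev" -p "$proto" \
                --dport 53 -j REDIRECT
        done
        # DoT cannot be redirected to the local resolver: reject it so
        # clients fall back to plain DNS instead of hanging on a timeout.
        # DNS_NTP_BLOCK is an assumed filter-table chain created elsewhere.
        $IPTABLES -A DNS_NTP_BLOCK -i "$dev" -p tcp --dport 853 \
            -j REJECT --reject-with tcp-reset
    fi
    if [ "$ntp" = "on" ]; then
        $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$dev" -p udp \
            --dport 123 -j REDIRECT
    fi
}

# apply_rules OPTIONSFW_SETTINGS ETHERNET_SETTINGS: flush and rebuild.
apply_rules() {
    $IPTABLES -t nat -F DNS_NTP_REDIRECT
    $IPTABLES -F DNS_NTP_BLOCK
    zone_rules "$(read_setting "$2" GREEN_DEV)" \
        "$(read_setting "$1" DNS_FORCE_ON_GREEN)" \
        "$(read_setting "$1" NTP_FORCE_ON_GREEN)"
    zone_rules "$(read_setting "$2" BLUE_DEV)" \
        "$(read_setting "$1" DNS_FORCE_ON_BLUE)" \
        "$(read_setting "$1" NTP_FORCE_ON_BLUE)"
}

# demo: constructed settings for a box with GREEN only; DNS and NTP are
# forced on GREEN, DNS is switched on for BLUE but no BLUE_DEV exists.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/optionsfw" <<'EOF'
DNS_FORCE_ON_GREEN=on
NTP_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=on
NTP_FORCE_ON_BLUE=off
EOF
    cat > "$tmp/ethernet" <<'EOF'
GREEN_DEV=green0
RED_DEV=red0
EOF
    apply_rules "$tmp/optionsfw" "$tmp/ethernet"
    rm -rf "$tmp"
}

demo
```

Running the block prints the six iptables commands it would issue: the two flushes, two DNS REDIRECTs and one NTP REDIRECT on green0, and the 853/tcp REJECT; nothing is emitted for BLUE because the constructed ethernet settings have no BLUE_DEV, which is the case the `[ -n "$dev" ]` guard exists for.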