From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Fri, 02 Apr 2021 01:18:39 +0200

Hi,

I added my comments / questions below:

On 01.04.2021 12:29, Michael Tremer wrote:
> Hello,
>
> Please see my other email about *why* we need this.
>
> I will reply to some technical things on here...
>
>> On 5 Mar 2021, at 19:40, Matthias Fischer wrote:
>>
>> Originally triggered by:
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>
>> Current discussion:
>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>
>> Summary and functionality:
>> These patches are controlled through "Firewall Options". They add new
>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>
>> Default of all new rules is OFF (set in 'lfs/configroot').
>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>> this more transparent.
>>
>> Flaw/ToDo:
>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>> init file, 'dnsntp'. This is actually an unnecessary detour.
>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>> capabilities, perhaps "someone" else knows how to program this.
The idea of using a *single* C file came up because I wasn't able to load and delete the needed iptable rules by calling '/etc/init.d/rc.d/dnsntp' directly from 'optionsfw.cgi'. It just doesn't work. Actually Stefan gave me some hints for the current version:
=> https://lists.ipfire.org/pipermail/development/2021-January/009087.html

> Why is this not part of the regular firewall scripts and being reloaded with them? That would avoid the extra SUID binary.

I'd really like to do so, but couldn't get it to work.

> “ipsec-policy” is for example something that is an extra script.

Yes. But. Tried. Failed. Nothing happens. Rules won't be added or deleted.

As a test, I moved '/etc/init.d/rc.d/dnsntp' to '/usr/lib/firewall/dnsntp'.
- Changed 'optionsfw.cgi' to call '/usr/lib/firewall/dnsntp'.
- Checked rights.

No luck.

Results:
To change the iptable rules according to the chosen DNS/NTP settings, I still need an administrative console or a reboot. It is not possible to add or delete specific iptable rules by calling an init script through 'optionsfw.cgi' without an extra SUID binary.

If someone has another idea or a hint, I would be thankful.

>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>> the respective interface actually exists.
>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>> or logging options for BLUE available (e.g.).
>> Added text colors for better readability and links to DNS and NTP GUI.
>> Separated logging options per interface.
>>
>> No reboot required:
>> Rules can be switched ON/OFF without rebooting IPFire.
>> Changes immediately take effect after clicking 'Save'.
>>
>> Changes to '/etc/rc.d/init.d/firewall':
>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>> chain: DNS_NTP_REDIRECT.
>> This chain is flushed by the init file before before the desired settings= are applied. >> Corrected a 'trafic' typo. >>=20 >> Signed-off-by: Matthias Fischer >> --- >> config/rootfiles/common/aarch64/initscripts | 1 + >> config/rootfiles/common/armv5tel/initscripts | 1 + >> config/rootfiles/common/i586/initscripts | 1 + >> config/rootfiles/common/misc-progs | 1 + >> config/rootfiles/common/x86_64/initscripts | 1 + >> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++---- >> langs/de/cgi-bin/de.pl | 15 +++- >> langs/en/cgi-bin/en.pl | 15 +++- >> lfs/configroot | 4 + >> src/initscripts/system/dnsntp | 36 ++++++++ >> src/initscripts/system/firewall | 9 +- >> src/misc-progs/Makefile | 2 +- >> src/misc-progs/dnsntpctrl.c | 19 ++++ >> 13 files changed, 168 insertions(+), 29 deletions(-) >> create mode 100644 src/initscripts/system/dnsntp >> create mode 100644 src/misc-progs/dnsntpctrl.c >>=20 >> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfile= s/common/aarch64/initscripts >> index 800005966..f38a3a294 100644 >> --- a/config/rootfiles/common/aarch64/initscripts >> +++ b/config/rootfiles/common/aarch64/initscripts >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> etc/rc.d/init.d/console >> etc/rc.d/init.d/dhcp >> etc/rc.d/init.d/dhcrelay >> +etc/rc.d/init.d/dnsntp >> etc/rc.d/init.d/fcron >> etc/rc.d/init.d/fireinfo >> etc/rc.d/init.d/firewall >> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfil= es/common/armv5tel/initscripts >> index 800005966..f38a3a294 100644 >> --- a/config/rootfiles/common/armv5tel/initscripts >> +++ b/config/rootfiles/common/armv5tel/initscripts >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> etc/rc.d/init.d/console >> etc/rc.d/init.d/dhcp >> etc/rc.d/init.d/dhcrelay >> +etc/rc.d/init.d/dnsntp >> etc/rc.d/init.d/fcron >> etc/rc.d/init.d/fireinfo >> etc/rc.d/init.d/firewall 
>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/c= ommon/i586/initscripts >> index 18c5a897a..a3a2b47f7 100644 >> --- a/config/rootfiles/common/i586/initscripts >> +++ b/config/rootfiles/common/i586/initscripts >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> etc/rc.d/init.d/console >> etc/rc.d/init.d/dhcp >> etc/rc.d/init.d/dhcrelay >> +etc/rc.d/init.d/dnsntp >> etc/rc.d/init.d/fcron >> etc/rc.d/init.d/fireinfo >> etc/rc.d/init.d/firewall >> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/= misc-progs >> index d6594b3f8..4bcb94812 100644 >> --- a/config/rootfiles/common/misc-progs >> +++ b/config/rootfiles/common/misc-progs >> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl >> usr/local/bin/collectdctrl >> usr/local/bin/ddnsctrl >> usr/local/bin/dhcpctrl >> +usr/local/bin/dnsntpctrl >> usr/local/bin/extrahdctrl >> usr/local/bin/fireinfoctrl >> usr/local/bin/firewallctrl >> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles= /common/x86_64/initscripts >> index 18c5a897a..a3a2b47f7 100644 >> --- a/config/rootfiles/common/x86_64/initscripts >> +++ b/config/rootfiles/common/x86_64/initscripts >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> etc/rc.d/init.d/console >> etc/rc.d/init.d/dhcp >> etc/rc.d/init.d/dhcrelay >> +etc/rc.d/init.d/dnsntp >> etc/rc.d/init.d/fcron >> etc/rc.d/init.d/fireinfo >> etc/rc.d/init.d/firewall >> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi >> index 321642e82..3fc707e8b 100644 >> --- a/html/cgi-bin/optionsfw.cgi >> +++ b/html/cgi-bin/optionsfw.cgi 
>> @@ -2,7 +2,7 @@ >> ##########################################################################= ##### >> # = # >> # IPFire.org - A linux based firewall = # >> -# Copyright (C) 2014-2020 IPFire Team = # >> +# Copyright (C) 2014-2021 IPFire Team = # >> # = # >> # This program is free software: you can redistribute it and/or modify = # >> # it under the terms of the GNU General Public License as published by = # >> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >> $errormessage .=3D $Lang::tr{'new optionsfw later'}; >> &General::writehash($filename, \%settings); # Save good sett= ings >> system("/usr/local/bin/firewallctrl"); >> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >> }else{ >> if ($settings{'POLICY'} ne ''){ >> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; >> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsetti= ngs); >> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettin= gs); >> system("/usr/local/bin/firewallctrl"); >> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >> } >> &General::readhash($filename, \%settings); # Load good settin= gs >> } 
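Review bot: both new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` calls in the `@@ -50` and `@@ -65` hunks discard the exit status together with the output, so a failed rule reload is never reported to the admin who just clicked 'Save' (the existing `firewallctrl` call has the same weakness, but the new path is where a missing chain or a bad iptables rule would show up). Checking the return value of `system()` and appending a message to `$errormessage` on failure, the way the hunk already does with `$Lang::tr{'new optionsfw later'}`, would make a failed redirect setup visible in the GUI.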
>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_= ORANGE'}} =3D 'selected=3D"sele >> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; >> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; >> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'selected= =3D"selected"'; >> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; >> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; >> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} =3D "chec= ked=3D'checked'"; >> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; >> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; >> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D "checke= d=3D'checked'"; >> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; >> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; >> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} =3D "chec= ked=3D'checked'"; >> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; >> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; >> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D "checke= d=3D'checked'"; >>=20 >> &Header::openbox('100%', 'center',); >> print "
"; >> @@ -189,13 +203,44 @@ END >> END >> } >>=20 >> - print <> +print <> + >> + >> +   >> + >> + >> + >> + >> +END >> + >> + if (&Header::blue_used()) { >> + print <> +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green'}$Lang::tr{'on'} / >> + $Lang::tr{'off'}
$Lang::tr{'ntp force on green'}$Lang::tr{'on'} / >> + $Lang::tr{'off'}
>> + >> +   >> + >> + >> + >> + >> + >> + >> + >> +END >> + } >> + >> + print <>
$= Lang::tr{'fw blue'}
$Lang::tr{'dns force on blue'}$Lang::tr{'on'} / >> + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / >> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >> + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >> + $Lang::tr{'off'}
>>=20 >> -
>> +
>>=20 >> - >> - >> +
$La= ng::tr{'fw logging'}
>> + >> >> >> >> -=
$La= ng::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / >> $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / >> @@ -206,21 +251,30 @@ END >> $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / >> $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / >> +END >> + >> + if (&Header::blue_used()) { >> + print <> +
>> + >> +
>> + >> + >> + >> + >> + >> -<= /tr> >> -
$La= ng::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / >> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / >> +
$Lang::tr{'drop wirelessforward'}= $Lang::tr{'on'} / >> $Lang::tr{'off'}
>> -
>> + >> +END >> + } >> + >> + print <> + >> + >> +
>>=20 >> - >> - >> - >> - >> -
$La= ng::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >> - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >> - $Lang::tr{'off'}
>> -
>> >> >> $Lang::tr{'on'} / >> @@ -252,7 +306,7 @@ END >>=20 >>
>>
$Lan= g::tr{'fw settings'}
$Lang::tr{'fw settings color'}
>> - >>
>> +
>> >>
>> @@ -278,7 +332,7 @@ print <> = >> END >> print ""; >> - print"

"; >> + print"

"; >> print <>
>> >> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >> index 6a8133807..d6bb234fa 100644 >> --- a/langs/de/cgi-bin/de.pl >> +++ b/langs/de/cgi-bin/de.pl >> @@ -836,6 +836,8 @@ >> 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren DNS = Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!Die eingegebene sekund=C3=A4ren DNS Server Adresse ist je= doch g=C3=BCltig.
', >> 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim=C3=A4ren<= /strong> wie auch des sekund=C3=A4ren DNS-Servers sind nicht= g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', >> 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren DN= S Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!<= br />Die eingegebene prim=C3=A4re DNS Server Adresse ist jed= och g=C3=BCltig.', >> +'dns force on blue' =3D> 'Erzwinge lokale = DNS-Server auf BLAU', >> +'dns force on green' =3D> 'Erzwinge lokale= DNS-Server auf GR=C3=9CN', >> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empfohlen)', >> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)', >> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an red0', >> @@ -1102,9 +1104,12 @@ >> 'from email server' =3D> 'Von E-Mail-Server', >> 'from email user' =3D> 'Von E-Mail-Benutzer', >> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BCltig', >> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', >> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das B= LAUE Interface', >> 'fw default drop' =3D> 'Firewallrichtlinie', >> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das = GR=C3=9CNE Interface', >> 'fw logging' =3D> 'Firewallprotokollierung', >> +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', >> +'fw logging red' =3D> 'Firewallprotokollierung (ROT)', >> 'fw settings' =3D> 'Firewalleinstellungen', >> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', >> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsseite anze= igen', 
>> @@ -1644,9 +1649,9 @@ >> 'map to guest' =3D> 'Map to Guest', >> 'march' =3D> 'M=C3=A4rz', >> 'marked' =3D> 'Markiert', >> -'masquerade blue' =3D> 'NAT auf BLAU', >> -'masquerade green' =3D> 'NAT auf GR=C3=9CN', >> -'masquerade orange' =3D> 'NAT auf ORANGE', >> +'masquerade blue' =3D> 'NAT auf BLAU<= /b>', >> +'masquerade green' =3D> 'NAT auf GR=C3=9CN', >> +'masquerade orange' =3D> 'NAT auf ORANGE', >> 'masquerading' =3D> 'Masquerading/NAT', >> 'masquerading disabled' =3D> 'NAT ausgeschaltet', >> 'masquerading enabled' =3D> 'NAT eingeschaltet', >> @@ -1814,6 +1819,8 @@ >> 'november' =3D> 'November', >> 'ntp common settings' =3D> 'Allgemeine Einstellungen', >> 'ntp configuration' =3D> 'Zeitserverkonfiguration', >> +'ntp force on blue' =3D> 'Erzwinge lokale= NTP-Server auf BLAU', >> +'ntp force on green' =3D> 'Erzwinge lokal= e NTP-Server auf GR=C3=9CN', >> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu k=C3=B6= nnen, muss NTP vorher aktiviert sein.', >> 'ntp server' =3D> 'NTP-Server', >> 'ntp sync' =3D> 'Synchronisation', >> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >> index 8f7e0c2cf..474612025 100644 >> --- a/langs/en/cgi-bin/en.pl >> +++ b/langs/en/cgi-bin/en.pl >> @@ -859,6 +859,8 @@ >> 'dns error 0' =3D> 'The IP address of the primary DNS ser= ver is not valid, please check your entries!
The entered seconda= ry DNS server address is valid.', >> 'dns error 01' =3D> 'The entered IP address of the primary and secondary DNS server are not valid, please check your = entries!', >> 'dns error 1' =3D> 'The IP address of the secondary DNS s= erver is not valid, please check your entries!
The entered prima= ry DNS server address is valid.', >> +'dns force on blue' =3D> 'Force DNS to use local DNS servers on BLUE', >> +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', >> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', >> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', >> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on red0', >> @@ -1128,9 +1130,12 @@ >> 'from email server' =3D> 'From Email server', >> 'from email user' =3D> 'From e-mail user', >> 'from warn email bad' =3D> 'From e-mail address is not valid', >> -'fw blue' =3D> 'Firewall options for BLUE interface', >> +'fw blue' =3D> 'Firewall options for BLUE Interface', >> 'fw default drop' =3D> 'Firewall policy', >> +'fw green' =3D> 'Firewall options for GREEN Interface', >> 'fw logging' =3D> 'Firewall logging', >> +'fw logging blue' =3D> 'Firewall logging (BLUE<= /font>)', >> +'fw logging red' =3D> 'Firewall logging (RED)', >> 'fw settings' =3D> 'Firewall settings', >> 'fw settings color' =3D> 'Show colors in ruletable', >> 'fw settings dropdown' =3D> 'Show all networks on rulecreation site', >> @@ -1672,9 +1677,9 @@ >> 'map to guest' =3D> 'Map to Guest', >> 'march' =3D> 'March', >> 'marked' =3D> 'Marked', >> -'masquerade blue' =3D> 'Masquerade BLUE', >> -'masquerade green' =3D> 'Masquerade GREEN', >> -'masquerade orange' =3D> 'Masquerade ORANGE', >> +'masquerade blue' =3D> 'Masquerade BLUE', >> +'masquerade green' =3D> 'Masquerade GREEN', >> +'masquerade orange' =3D> 'Masquerade ORANGE<= /font>', >> 'masquerading' =3D> 'Masquerading', >> 'masquerading disabled' =3D> 'Masquerading disabled', >> 'masquerading enabled' =3D> 'Masquerading enabled', 
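Review bot: the new and changed strings in de.pl and en.pl ('fw green', 'fw logging blue', 'fw logging red', 'masquerade blue/green/orange', 'dns force on blue/green', 'ntp force on blue/green') embed HTML inside the translation files, as the `</b>` and `</font>` closing tags still visible in e.g. 'masquerade blue' and 'fw logging blue' show. Every language then has to carry identical markup, a translator can break the page by mistyping a tag, and `<font>` is a deprecated element; keep the strings plain text and add the colour around `$Lang::tr{...}` in optionsfw.cgi, which already prints the surrounding table markup.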
>> @@ -1844,6 +1849,8 @@ >> 'november' =3D> 'November', >> 'ntp common settings' =3D> 'Common settings', >> 'ntp configuration' =3D> 'NTP Configuration', >> +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', >> +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', >> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to have cl= ients.', >> 'ntp server' =3D> 'NTP Server', >> 'ntp sync' =3D> 'Synchronization', >> diff --git a/lfs/configroot b/lfs/configroot >> index a3e474d70..622793b35 100644 >> --- a/lfs/configroot >> +++ b/lfs/configroot >> @@ -129,6 +129,10 @@ $(TARGET) : >> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings >> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp >> new file mode 100644 >> index 000000000..2eafa9d20 >> --- /dev/null >> +++ b/src/initscripts/system/dnsntp 
>> @@ -0,0 +1,36 @@ >> +#!/bin/sh >> +######################################################################## >> +# Begin $rc_base/init.d/dnsntp >> +# >> +# Description : dnsntp init script for DNS/NTP rules only >> +# >> +######################################################################## >> + >> +# flush chain >> +iptables -t nat -F DNS_NTP_REDIRECT >> + >> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >> + >> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) >> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -= j REDIRECT >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -= j REDIRECT >> +fi >> + >> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) >> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j= REDIRECT >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j= REDIRECT >> +fi >> + >> +# Force NTP REDIRECTs on GREEN (udp, 123) >> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 = -j REDIRECT >> +fi >> + >> +# Force DNS REDIRECTs on BLUE (udp, 123) >> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -= j REDIRECT >> +fi >> + >> +# End $rc_base/init.d/dnsntp 
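Review bot: the four `if [ "$X" == "on" ]` tests use `==`, which is not a POSIX `test` operator; under the `#!/bin/sh` shebang that only works when sh happens to be bash, so a single `=` is needed. Two smaller points in the same hunk: the comment above the last block reads 'Force DNS REDIRECTs on BLUE (udp, 123)' although the rules are for NTP, and `iptables -t nat -F DNS_NTP_REDIRECT` is not guarded, so if the script runs before the firewall init has created the chain the flush fails and every following `-A` into the missing chain fails as well; checking that the chain exists (or creating it here when absent) would make the script safe to call on its own.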
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/fire= wall
>
> This script hardcodes the interface names which should be read from /var/ipfire/ethernet/settings instead.
>
> They are in GREEN_DEV and BLUE_DEV. Normally, those should not change, but you can never be too sure.

I thought of this, but had something on my eyes. Added ${GREEN/BLUE_DEV} variables. Thanks. ;-)

> This script is also hardcoding the port numbers. I am not sure what users might expect here when you say “DNS”. Does that include DoT and DoH? Those can obviously not be redirected, but shouldn’t they be blocked instead?

Hm. At the moment I don't know how to do this.

>> index 65f1c979b..43ae74113 100644 >> --- a/src/initscripts/system/firewall >> +++ b/src/initscripts/system/firewall
>> @@ -169,6 +169,10 @@ iptables_init() { >> # Fix for braindead ISPs >> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-= to-pmtu >>=20 >> + # DNS / NTP REDIRECT >> + iptables -t nat -N DNS_NTP_REDIRECT >> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT >> +
>
> The CUSTOM* chains are always the first ones.
>
> The DNS_NTP_REDIRECT chains should come way after CONNTRACK so that we do not have to send every single packet through them. This would have a massive performance impact on really fast networks.
>
> Those rules should also come after suricata so that the IPS can scan NTP and DNS traffic.
>
> How about before/after WIRELESSFORWARD?

Sorry, if this sounds naive, but I'm a bit puzzled and not 100% familiar with the different chains and the sequences in the firewall init.

If I get you right, then this means that you would prefer to move the following code block in '/etc/init.d/rc.d/firewall'?

Move:

...
	# DNS / NTP REDIRECT
	iptables -t nat -N DNS_NTP_REDIRECT
	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
...

*Behind* this block:

...
	# WIRELESS chains
	iptables -N WIRELESSINPUT
	iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
	iptables -N WIRELESSFORWARD
	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
...

Is this what you meant!?

>> # CUSTOM chains, can be used by the users themselves >> iptables -N CUSTOMINPUT >> iptables -A INPUT -j CUSTOMINPUT >> @@ -281,7 +285,7 @@ iptables_init() { >> iptables -A INPUT -j LOCATIONBLOCK >> iptables -A FORWARD -j LOCATIONBLOCK >>=20 >> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept ev= erything >> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept e= verything >> iptables -N IPSECINPUT >> iptables -N IPSECFORWARD >> iptables -N IPSECOUTPUT
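Review bot: in the `@@ -169` hunk the jump `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM* block that follows it, so the redirect is evaluated ahead of any user-defined rule and the 'collisions with possibly existing CUSTOM rules' the commit message wants to avoid cannot be resolved by a custom exemption at all; moving the two new `-t nat` lines below the CUSTOM chains (the thread discusses placing them near WIRELESSFORWARD) gives user rules the first say. One caveat for the placement discussion: the position of these lines in the script only orders them relative to other rules in nat PREROUTING, since that chain is traversed before the filter-table chains whatever the script order, and only for the first packet of each connection.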
>> @@ -389,6 +393,9 @@ iptables_init() { >> # run captivectrl >> /usr/local/bin/captivectrl >>=20 >> + # run dnsntpctrl >> + /usr/local/bin/dnsntpctrl >> + >> # POLICY CHAIN >> iptables -N POLICYIN >> iptables -A INPUT -j POLICYIN >> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile >> index 7c3ef7529..6f2733ef0 100644 >> --- a/src/misc-progs/Makefile >> +++ b/src/misc-progs/Makefile >> @@ -26,7 +26,7 @@ PROGS =3D iowrap >> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ >> ipsecctrl timectrl dhcpctrl suricatactrl \ >> rebuildhosts backupctrl collectdctrl \ >> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ >> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ >> wirelessctrl getipstat qosctrl \ >> redctrl syslogdctrl extrahdctrl sambactrl \ >> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ >> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c >> new file mode 100644 >> index 000000000..f2a3b89e3 >> --- /dev/null >> +++ b/src/misc-progs/dnsntpctrl.c >> @@ -0,0 +1,19 @@ >> +/* This file is part of the IPFire Firewall. >> + * >> + * This program is distributed under the terms of the GNU General Public >> + * Licence. See the file COPYING for details. >> + * >> + */ >> + >> +#include >> +#include "setuid.h" >> + >> +int main(void) >> +{ >> + if (!(initsetuid())) >> + exit(1); >> + >> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); >> + >> + return 0; >> +} >> --=20 >> 2.18.0 >>=20
>
> -Michael
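Review bot: the `@@ -389` hunk calls `/usr/local/bin/dnsntpctrl` from iptables_init(), which already runs as root, so the SUID wrapper adds nothing on this path apart from a second process; it follows the `captivectrl` precedent two lines above, but running `/etc/rc.d/init.d/dnsntp` directly here would keep the SUID binary's use limited to the CGI and would also surface the script's exit status in the firewall init.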
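Review bot: in dnsntpctrl.c, `main()` ignores the return value of `safe_system()` and always returns 0, so neither optionsfw.cgi nor the firewall init can tell that the `dnsntp` script failed; return the child's status instead. Also, `exit(1)` needs `<stdlib.h>`, and the first `#include` line in this hunk has lost its header name in the mail, so please confirm it names the right header; the `@@ -26` Makefile hunk then adds another root-SUID program to SUID_PROGS, which is the part of the design the thread is already questioning.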