From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Sun, 07 Mar 2021 09:06:35 +0100

Hi Bernhard,

Lol. Funny misunderstanding - I'll try to figure it out:

On 06.03.2021 22:15, Bernhard Bitsch wrote:
> For forcing DNS we generate ( for example )
> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT

That's for *forcing* AKA *bad* requests that don't go the way we want.

> To filter allowed DNS requests there is a rule
> iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN

That's for *well-behaving* requests.

AH! I see. I think I know what you meant.

> To get ${GREEN_ADDRESS} dnsntp needs an additional
> eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

Funny. I suddenly thought of doing something with '.../ethernet/settings'
while writing the v3-commit. But I didn't think of RETURN.

> Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
>
> Hope this makes it clear enough.

I - really - hope I got it right. ;-)

To handle the well-behaving requests, I added RETURN rules prior to the
REDIRECT rules like this:

...
# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
    iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
    iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
    iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p tcp -m tcp --dport 53 -j RETURN
    iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
fi
...

Intention (explanation was translated from
https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html):

If the first - well-behaving - rule matches:
=> RETURN => "Leave this chain and continue with the caller or execute the chain's policy".

Otherwise:
=> REDIRECT the packet. "This goal ensures that the package is delivered to the local computer. This allows packets to "fantasy targets" to be intercepted and dealt with locally."

I'm still not 100 percent sure - but does this correspond to your intention?

Best,
Matthias

> Best,
> Bernhard
>
>> Sent: Saturday, 06 March 2021 at 21:51
>> From: "Jon Murphy"
>> To: "Bernhard Bitsch"
>> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
>>
>> > I mean the extra rules for requests client-->IPFire:53.
>> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>>
>> How do we determine if a 'well-behaving' client is being redirected? Or how do we measure performance?
>>
>> When I tried to measure DNS "speed" in the past, the cache gets in there and makes every look like 38 to 44 ms.
>>
>> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch wrote:
>> >
>> > Hi,
>> >
>> >> Sent: Friday, 05 March 2021 at 23:49
>> >> From: "Matthias Fischer"
>> >> To: "Bernhard Bitsch"
>> >> Cc: development(a)lists.ipfire.org
>> >> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>> >>
>> >> Hi,
>> >>
>> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
>> >>> Hi,
>> >>>
>> >>> at a first glance I think the code implements the ideas of the community discussions.
>> >>
>> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
>> >> because I didn't manage to merge the init and the ctrl-file in *one* C
>> >> program. The whole is running as I want but... ;-)
>> >>
>> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
>> >>
>> >> -v please. I don't know if I get this (the translation english =>
>> >> german) right.
>> >> If you mean that I asked for some tips and got some, then of course:
>> >> many thanks to everybody!
>> >>
>> > Sorry if I wasn't specific enough.
>> > I mean the extra rules for requests client-->IPFire:53.
>> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>> >
>> > Best,
>> > Bernhard
>> >> Best,
>> >> Matthias
>> >>
>> >>> Regards,
>> >>> Bernhard
>> >>>
>> >>>> Sent: Friday, 05 March 2021 at 20:40
>> >>>> From: "Matthias Fischer"
>> >>>> To: development(a)lists.ipfire.org
>> >>>> Subject: [PATCH] (V3) Forcing DNS/NTP
>> >>>>
>> >>>> Originally triggered by:
>> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>> >>>>
>> >>>> Current discussion:
>> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>> >>>>
>> >>>> Summary and functionality:
>> >>>> These patches are controlled through "Firewall Options". They add new
>> >>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>> >>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>> >>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>> >>>>
>> >>>> Default of all new rules is OFF (set in 'lfs/configroot').
>> >>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>> >>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>> >>>> this more transparent.
>> >>>>
>> >>>> Flaw/ToDo:
>> >>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>> >>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>> >>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>> >>>> capabilities, perhaps "someone" else knows how to program this.
>> >>>>
>> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>> >>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>> >>>> the respective interface actually exists.
>> >>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>> >>>> or logging options for BLUE available (e.g.).
>> >>>> Added text colors for better readability and links to DNS and NTP GUI.
>> >>>> Separated logging options per interface.
>> >>>>
>> >>>> No reboot required:
>> >>>> Rules can be switched ON/OFF without rebooting IPFire.
>> >>>> Changes immediately take effect after clicking 'Save'.
>> >>>>
>> >>>> Changes to '/etc/rc.d/init.d/firewall':
>> >>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>> >>>> chain: DNS_NTP_REDIRECT.
>> >>>> This chain is flushed by the init file before the desired settings are applied.
>> >>>> Corrected a 'trafic' typo.
>> >>>>
>> >>>> Signed-off-by: Matthias Fischer >> >>>> --- >> >>>> config/rootfiles/common/aarch64/initscripts | 1 + >> >>>> config/rootfiles/common/armv5tel/initscripts | 1 + >> >>>> config/rootfiles/common/i586/initscripts | 1 + >> >>>> config/rootfiles/common/misc-progs | 1 + >> >>>> config/rootfiles/common/x86_64/initscripts | 1 + >> >>>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++---- >> >>>> langs/de/cgi-bin/de.pl | 15 +++- >> >>>> langs/en/cgi-bin/en.pl | 15 +++- >> >>>> lfs/configroot | 4 + >> >>>> src/initscripts/system/dnsntp | 36 ++++++++ >> >>>> src/initscripts/system/firewall | 9 +- >> >>>> src/misc-progs/Makefile | 2 +- >> >>>> src/misc-progs/dnsntpctrl.c | 19 ++++ >> >>>> 13 files changed, 168 insertions(+), 29 deletions(-) >> >>>> create mode 100644 src/initscripts/system/dnsntp >> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c >> >>>>=20 >> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/roo= tfiles/common/aarch64/initscripts >> >>>> index 800005966..f38a3a294 100644 >> >>>> --- a/config/rootfiles/common/aarch64/initscripts >> >>>> +++ b/config/rootfiles/common/aarch64/initscripts >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> >>>> etc/rc.d/init.d/console >> >>>> etc/rc.d/init.d/dhcp >> >>>> etc/rc.d/init.d/dhcrelay >> >>>> +etc/rc.d/init.d/dnsntp >> >>>> etc/rc.d/init.d/fcron >> >>>> etc/rc.d/init.d/fireinfo >> >>>> etc/rc.d/init.d/firewall >> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/ro= otfiles/common/armv5tel/initscripts >> >>>> index 800005966..f38a3a294 100644 >> >>>> --- a/config/rootfiles/common/armv5tel/initscripts >> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> >>>> etc/rc.d/init.d/console >> >>>> etc/rc.d/init.d/dhcp >> >>>> etc/rc.d/init.d/dhcrelay >> >>>> +etc/rc.d/init.d/dnsntp >> >>>> etc/rc.d/init.d/fcron >> >>>> etc/rc.d/init.d/fireinfo >> >>>> etc/rc.d/init.d/firewall 
>> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfi= les/common/i586/initscripts >> >>>> index 18c5a897a..a3a2b47f7 100644 >> >>>> --- a/config/rootfiles/common/i586/initscripts >> >>>> +++ b/config/rootfiles/common/i586/initscripts >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> >>>> etc/rc.d/init.d/console >> >>>> etc/rc.d/init.d/dhcp >> >>>> etc/rc.d/init.d/dhcrelay >> >>>> +etc/rc.d/init.d/dnsntp >> >>>> etc/rc.d/init.d/fcron >> >>>> etc/rc.d/init.d/fireinfo >> >>>> etc/rc.d/init.d/firewall >> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/co= mmon/misc-progs >> >>>> index d6594b3f8..4bcb94812 100644 >> >>>> --- a/config/rootfiles/common/misc-progs >> >>>> +++ b/config/rootfiles/common/misc-progs >> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl >> >>>> usr/local/bin/collectdctrl >> >>>> usr/local/bin/ddnsctrl >> >>>> usr/local/bin/dhcpctrl >> >>>> +usr/local/bin/dnsntpctrl >> >>>> usr/local/bin/extrahdctrl >> >>>> usr/local/bin/fireinfoctrl >> >>>> usr/local/bin/firewallctrl >> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/root= files/common/x86_64/initscripts >> >>>> index 18c5a897a..a3a2b47f7 100644 >> >>>> --- a/config/rootfiles/common/x86_64/initscripts >> >>>> +++ b/config/rootfiles/common/x86_64/initscripts >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd >> >>>> etc/rc.d/init.d/console >> >>>> etc/rc.d/init.d/dhcp >> >>>> etc/rc.d/init.d/dhcrelay >> >>>> +etc/rc.d/init.d/dnsntp >> >>>> etc/rc.d/init.d/fcron >> >>>> etc/rc.d/init.d/fireinfo >> >>>> etc/rc.d/init.d/firewall >> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi >> >>>> index 321642e82..3fc707e8b 100644 >> >>>> --- a/html/cgi-bin/optionsfw.cgi >> >>>> +++ b/html/cgi-bin/optionsfw.cgi 
>> >>>> @@ -2,7 +2,7 @@ >> >>>> #####################################################################= ########## >> >>>> # = # >> >>>> # IPFire.org - A linux based firewall = # >> >>>> -# Copyright (C) 2014-2020 IPFire Team = # >> >>>> +# Copyright (C) 2014-2021 IPFire Team = # >> >>>> # = # >> >>>> # This program is free software: you can redistribute it and/or modif= y # >> >>>> # it under the terms of the GNU General Public License as published b= y # >> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >> >>>> $errormessage .=3D $Lang::tr{'new optionsfw later'}; >> >>>> &General::writehash($filename, \%settings); # Save good= settings >> >>>> system("/usr/local/bin/firewallctrl"); >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >> >>>> }else{ >> >>>> if ($settings{'POLICY'} ne ''){ >> >>>> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; >> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { >> >>>> &General::writehash("${General::swroot}/firewall/settings", \%fwdfw= settings); >> >>>> &General::readhash("${General::swroot}/firewall/settings", \%fwdfws= ettings); >> >>>> system("/usr/local/bin/firewallctrl"); >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); >> >>>> } >> >>>> &General::readhash($filename, \%settings); # Load good s= ettings >> >>>> } 
>> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUE= RADE_ORANGE'}} =3D 'selected=3D"sele >> >>>> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; >> >>>> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; >> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'selec= ted=3D"selected"'; >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} =3D = "checked=3D'checked'"; >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D "c= hecked=3D'checked'"; >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} =3D = "checked=3D'checked'"; >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D "c= hecked=3D'checked'"; >> >>>>=20 >> >>>> &Header::openbox('100%', 'center',); >> >>>> print "
"; >> >>>> @@ -189,13 +203,44 @@ END >> >>>> END >> >>>> } >> >>>>=20 >> >>>> - print <> >>>> +print <> >>>> + >> >>>> + >> >>>> + >> >>>> + >> >>>> + >> >>>> + >> >>>> + >> >>>> +END >> >>>> + >> >>>> + if (&Header::blue_used()) { >> >>>> + print <> >>>> +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green= '}$Lang::tr{'on'} / >> >>>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on green= '}$Lang::tr{'on'} / >> >>>> + $Lang::tr{'off'}
>> >>>> + >> >>>> + >> >>>> + >> >>>> + >> >>>> + >> >>>> + = >> >>>> + = >> >>>> + >> >>>> + >> >>>> +END >> >>>> + } >> >>>> + >> >>>> + print <> >>>>
$Lang::tr{'fw blue'}
$Lang::tr{'dns force on blue= '}$Lang::tr{'on'} / >> >>>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue= '}$Lang::tr{'on'} / >> >>>> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / >> >>>> + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / >> >>>> + $Lang::tr{'off'}
>> >>>>=20 >> >>>> -
>> >>>> +
>> >>>>=20 >> >>>> - >> >>>> - >> >>>> +
<= b>$Lang::tr{'fw logging'}
>> >>>> + >> >>>> = >> >>>> >> >>>> <= td align=3D'left'>$Lang::tr{'on'} / >> >>>> $Lang::tr{'off'} >> >>>> -
<= b>$Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / >> >>>> @@ -206,21 +251,30 @@ END >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop portscan'}
$Lang::tr{'drop wirelessinput'}= $Lang::tr{'on'} / >> >>>> +END >> >>>> + >> >>>> + if (&Header::blue_used()) { >> >>>> + print <> >>>> +
>> >>>> + >> >>>> +
>> >>>> + >> >>>> + >> >>>> + >> >>>> + >> >>>> + = >> >>>> - >> >>>> -
<= b>$Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinpu= t'}$Lang::tr{'on'} / >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward= '}$Lang::tr{'on'} / >> >>>> +
$Lang::tr{'drop wirelessforw= ard'}$Lang::tr{'on'} / >> >>>> $Lang::tr{'off'}<= /td>
>> >>>> -
>> >>>> + >> >>>> +END >> >>>> + } >> >>>> + >> >>>> + print <> >>>> + >> >>>> + >> >>>> +
>> >>>>=20 >> >>>> - >> >>>> - >> >>>> -$Lang::tr{'on'} / >> >>>> - $Lang::tr{'off'} >> >>>> -$Lang::tr{'on'} / >> >>>> - $Lang::tr{'off'} >> >>>> -
<= b>$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}
$Lang::tr{'drop samba'}
>> >>>> -
>> >>>> >> >>>> >> >>>> >> >>>> END >> >>>> print "
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / >> >>>> @@ -252,7 +306,7 @@ END >> >>>>=20 >> >>>>
>> >>>> >> >>>> - >> >>>>
>> >>>> +
>> >>>> >> >>>>
>> >>>> @@ -278,7 +332,7 @@ print <> >>>>
"; >> >>>> - print"

"; >> >>>> + print"

"; >> >>>> print <> >>>>
>> >>>> >> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >> >>>> index 6a8133807..d6bb234fa 100644 >> >>>> --- a/langs/de/cgi-bin/de.pl >> >>>> +++ b/langs/de/cgi-bin/de.pl >> >>>> @@ -836,6 +836,8 @@ >> >>>> 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren= DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingab= e!
Die eingegebene sekund=C3=A4ren DNS Server Adresse i= st jedoch g=C3=BCltig.
', >> >>>> 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim=C3= =A4ren wie auch des sekund=C3=A4ren DNS-Servers sin= d nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', >> >>>> 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eing= abe!
Die eingegebene prim=C3=A4re DNS Server Adresse is= t jedoch g=C3=BCltig.', >> >>>> +'dns force on blue' =3D> 'Erzwinge lo= kale DNS-Server auf BLAU', >> >>>> +'dns force on green' =3D> 'Erzwinge l= okale DNS-Server auf GR=C3=9CN', >> >>>> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empfohl= en)', >> >>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)', >> >>>> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an red0', >> >>>> @@ -1102,9 +1104,12 @@ >> >>>> 'from email server' =3D> 'Von E-Mail-Server', >> >>>> 'from email user' =3D> 'Von E-Mail-Benutzer', >> >>>> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BCltig', >> >>>> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', >> >>>> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das BLAUE Interface', >> >>>> 'fw default drop' =3D> 'Firewallrichtlinie', >> >>>> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das GR=C3=9CNE Interface', >> >>>> 'fw logging' =3D> 'Firewallprotokollierung', >> >>>> +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', >> >>>> +'fw logging red' =3D> 'Firewallprotokollierung (ROT)', >> >>>> 'fw settings' =3D> 'Firewalleinstellungen', >> >>>> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', >> >>>> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsseite= anzeigen', >> >>>> @@ -1644,9 +1649,9 @@ >> >>>> 'map to guest' =3D> 'Map to Guest', >> >>>> 'march' =3D> 'M=C3=A4rz', >> >>>> 'marked' =3D> 'Markiert', >> >>>> -'masquerade blue' =3D> 'NAT auf BLAU', >> >>>> -'masquerade green' =3D> 'NAT auf GR=C3=9CN', >> >>>> -'masquerade orange' =3D> 'NAT auf ORANGE', >> >>>> +'masquerade blue' =3D> 'NAT auf BLAU', >> >>>> +'masquerade green' =3D> 'NAT auf GR=C3= =9CN', >> >>>> +'masquerade orange' =3D> 'NAT auf ORAN= GE', >> >>>> 'masquerading' =3D> 'Masquerading/NAT', >> >>>> 'masquerading disabled' =3D> 'NAT ausgeschaltet', >> >>>> 'masquerading enabled' =3D> 'NAT eingeschaltet', 
>> >>>> @@ -1814,6 +1819,8 @@ >> >>>> 'november' =3D> 'November', >> >>>> 'ntp common settings' =3D> 'Allgemeine Einstellungen', >> >>>> 'ntp configuration' =3D> 'Zeitserverkonfiguration', >> >>>> +'ntp force on blue' =3D> 'Erzwinge l= okale NTP-Server auf BLAU', >> >>>> +'ntp force on green' =3D> 'Erzwinge = lokale NTP-Server auf GR=C3=9CN', >> >>>> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu k= =C3=B6nnen, muss NTP vorher aktiviert sein.', >> >>>> 'ntp server' =3D> 'NTP-Server', >> >>>> 'ntp sync' =3D> 'Synchronisation', >> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >> >>>> index 8f7e0c2cf..474612025 100644 >> >>>> --- a/langs/en/cgi-bin/en.pl >> >>>> +++ b/langs/en/cgi-bin/en.pl >> >>>> @@ -859,6 +859,8 @@ >> >>>> 'dns error 0' =3D> 'The IP address of the primary DN= S server is not valid, please check your entries!
The entered se= condary DNS server address is valid.', >> >>>> 'dns error 01' =3D> 'The entered IP address of the primary and secondary DNS server are not valid, please check = your entries!', >> >>>> 'dns error 1' =3D> 'The IP address of the secondary = DNS server is not valid, please check your entries!
The entered = primary DNS server address is valid.', >> >>>> +'dns force on blue' =3D> 'Force DNS to use local DNS servers on BLUE', >> >>>> +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', >> >>>> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', >> >>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', >> >>>> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on red0', >> >>>> @@ -1128,9 +1130,12 @@ >> >>>> 'from email server' =3D> 'From Email server', >> >>>> 'from email user' =3D> 'From e-mail user', >> >>>> 'from warn email bad' =3D> 'From e-mail address is not valid', >> >>>> -'fw blue' =3D> 'Firewall options for BLUE interface', >> >>>> +'fw blue' =3D> 'Firewall options for BLUE<= /font> Interface', >> >>>> 'fw default drop' =3D> 'Firewall policy', >> >>>> +'fw green' =3D> 'Firewall options for GREE= N Interface', >> >>>> 'fw logging' =3D> 'Firewall logging', >> >>>> +'fw logging blue' =3D> 'Firewall logging (= BLUE)', >> >>>> +'fw logging red' =3D> 'Firewall logging (R= ED)', >> >>>> 'fw settings' =3D> 'Firewall settings', >> >>>> 'fw settings color' =3D> 'Show colors in ruletable', >> >>>> 'fw settings dropdown' =3D> 'Show all networks on rulecreation site', >> >>>> @@ -1672,9 +1677,9 @@ >> >>>> 'map to guest' =3D> 'Map to Guest', >> >>>> 'march' =3D> 'March', >> >>>> 'marked' =3D> 'Marked', >> >>>> -'masquerade blue' =3D> 'Masquerade BLUE', >> >>>> -'masquerade green' =3D> 'Masquerade GREEN', >> >>>> -'masquerade orange' =3D> 'Masquerade ORANGE', >> >>>> +'masquerade blue' =3D> 'Masquerade BLUE= ', >> >>>> +'masquerade green' =3D> 'Masquerade GRE= EN', >> >>>> +'masquerade orange' =3D> 'Masquerade OR= ANGE', >> >>>> 'masquerading' =3D> 'Masquerading', >> >>>> 'masquerading disabled' =3D> 'Masquerading disabled', >> >>>> 'masquerading enabled' =3D> 'Masquerading enabled', 
>> >>>> @@ -1844,6 +1849,8 @@ >> >>>> 'november' =3D> 'November', >> >>>> 'ntp common settings' =3D> 'Common settings', >> >>>> 'ntp configuration' =3D> 'NTP Configuration', >> >>>> +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', >> >>>> +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', >> >>>> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to ha= ve clients.', >> >>>> 'ntp server' =3D> 'NTP Server', >> >>>> 'ntp sync' =3D> 'Synchronization', >> >>>> diff --git a/lfs/configroot b/lfs/configroot >> >>>> index a3e474d70..622793b35 100644 >> >>>> --- a/lfs/configroot >> >>>> +++ b/lfs/configroot >> >>>> @@ -129,6 +129,10 @@ $(TARGET) : >> >>>> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> >>>> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >> >>>> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/settings >> >>>> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settin= gs >> >>>> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> >>>> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settin= gs >> >>>> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings >> >>>> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >> >>>> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings >> >>>> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings >> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/d= nsntp >> >>>> new file mode 100644 >> >>>> index 000000000..2eafa9d20 >> >>>> --- /dev/null >> >>>> +++ b/src/initscripts/system/dnsntp 
>> >>>> @@ -0,0 +1,36 @@ >> >>>> +#!/bin/sh >> >>>> +####################################################################= #### >> >>>> +# Begin $rc_base/init.d/dnsntp >> >>>> +# >> >>>> +# Description : dnsntp init script for DNS/NTP rules only >> >>>> +# >> >>>> +####################################################################= #### >> >>>> + >> >>>> +# flush chain >> >>>> +iptables -t nat -F DNS_NTP_REDIRECT >> >>>> + >> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >> >>>> + >> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) >> >>>> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport= 53 -j REDIRECT >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport= 53 -j REDIRECT >> >>>> +fi >> >>>> + >> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) >> >>>> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport = 53 -j REDIRECT >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport = 53 -j REDIRECT >> >>>> +fi >> >>>> + >> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123) >> >>>> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport= 123 -j REDIRECT >> >>>> +fi >> >>>> + >> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123) >> >>>> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport = 123 -j REDIRECT >> >>>> +fi >> >>>> + >> >>>> +# End $rc_base/init.d/dnsntp >> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system= /firewall >> >>>> index 65f1c979b..43ae74113 100644 >> >>>> --- a/src/initscripts/system/firewall >> >>>> +++ b/src/initscripts/system/firewall 
>> >>>> @@ -169,6 +169,10 @@ iptables_init() { >> >>>> # Fix for braindead ISPs >> >>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp= -mss-to-pmtu >> >>>>=20 >> >>>> + # DNS / NTP REDIRECT >> >>>> + iptables -t nat -N DNS_NTP_REDIRECT >> >>>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT >> >>>> + >> >>>> # CUSTOM chains, can be used by the users themselves >> >>>> iptables -N CUSTOMINPUT >> >>>> iptables -A INPUT -j CUSTOMINPUT >> >>>> @@ -281,7 +285,7 @@ iptables_init() { >> >>>> iptables -A INPUT -j LOCATIONBLOCK >> >>>> iptables -A FORWARD -j LOCATIONBLOCK >> >>>>=20 >> >>>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" acce= pt everything >> >>>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" acc= ept everything >> >>>> iptables -N IPSECINPUT >> >>>> iptables -N IPSECFORWARD >> >>>> iptables -N IPSECOUTPUT >> >>>> @@ -389,6 +393,9 @@ iptables_init() { >> >>>> # run captivectrl >> >>>> /usr/local/bin/captivectrl >> >>>>=20 >> >>>> + # run dnsntpctrl >> >>>> + /usr/local/bin/dnsntpctrl >> >>>> + >> >>>> # POLICY CHAIN >> >>>> iptables -N POLICYIN >> >>>> iptables -A INPUT -j POLICYIN >> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile >> >>>> index 7c3ef7529..6f2733ef0 100644 >> >>>> --- a/src/misc-progs/Makefile >> >>>> +++ b/src/misc-progs/Makefile >> >>>> @@ -26,7 +26,7 @@ PROGS =3D iowrap >> >>>> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ >> >>>> ipsecctrl timectrl dhcpctrl suricatactrl \ >> >>>> rebuildhosts backupctrl collectdctrl \ >> >>>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ >> >>>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ >> >>>> wirelessctrl getipstat qosctrl \ >> >>>> redctrl syslogdctrl extrahdctrl sambactrl \ >> >>>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ 
>> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c >> >>>> new file mode 100644 >> >>>> index 000000000..f2a3b89e3 >> >>>> --- /dev/null >> >>>> +++ b/src/misc-progs/dnsntpctrl.c >> >>>> @@ -0,0 +1,19 @@ >> >>>> +/* This file is part of the IPFire Firewall. >> >>>> + * >> >>>> + * This program is distributed under the terms of the GNU General Pu= blic >> >>>> + * Licence. See the file COPYING for details. >> >>>> + * >> >>>> + */ >> >>>> + >> >>>> +#include >> >>>> +#include "setuid.h" >> >>>> + >> >>>> +int main(void) >> >>>> +{ >> >>>> + if (!(initsetuid())) >> >>>> + exit(1); >> >>>> + >> >>>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); >> >>>> + >> >>>> + return 0; >> >>>> +} >> >>>> --=20 >> >>>> 2.18.0 >> >>>>=20 >> >>>>=20 >> >>>=20 >> >>=20 >> >>=20 >>=20 >> >=20
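Review bot: in the new src/initscripts/system/dnsntp the comment above the last block reads `# Force DNS REDIRECTs on BLUE (udp, 123)` although the rule below it is the NTP one; make it `# Force NTP REDIRECTs on BLUE (udp, 123)`. The script also ignores its argument, so unlike the other init.d scripts `dnsntp stop` re-applies the rules instead of leaving the chain flushed; a `case "$1"` with a stop branch that only runs `iptables -t nat -F DNS_NTP_REDIRECT` would fix that. Its tests use the bash-only `==` under `#!/bin/sh`; POSIX `=` is safer. Finally, as Bernhard notes above, every DNS/NTP request hits a REDIRECT rule, including those already addressed to IPFire; a `-d ${GREEN_ADDRESS} ... -j RETURN` (and the `-d ${BLUE_ADDRESS}` counterpart) in front of each REDIRECT, with `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` to obtain the addresses, lets the well-behaving majority leave the chain early.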
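Review bot: the two `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` lines added in html/cgi-bin/optionsfw.cgi discard the helper's exit status and duplicate the redirect that dnsntpctrl.c already applies inside its own safe_system call. Since the firewall hunk makes iptables_init run `/usr/local/bin/dnsntpctrl` itself, check whether the preceding `system("/usr/local/bin/firewallctrl")` already re-applies the chain; if it does, the chain is flushed and rebuilt twice per save and the second call can go. Either way, a non-zero return from the helper should at least be logged so a failed rule load is not silent.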
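Review bot: in src/misc-progs/dnsntpctrl.c the value of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1")` is dropped and main always returns 0, so an iptables failure inside the init script is invisible to every caller; return the helper's status instead. The line `+#include` shows no header name in this copy of the patch, and exit() needs <stdlib.h>, so confirm the committed file includes it.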
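The RETURN-before-REDIRECT ordering discussed in the thread, as an added example that is not part of the mail or of IPFire: a small Python model of how netfilter walks the DNS_NTP_REDIRECT user chain from nat PREROUTING, applied to constructed packets. GREEN_ADDRESS and the client and resolver addresses are invented sample values; the model deliberately shows what happens when the RETURN rules are missing (the v3 script as posted) or placed after the REDIRECT rules.

```python
"""Model of nat PREROUTING -> DNS_NTP_REDIRECT traversal (added example,
not IPFire code). The first matching rule in a user chain decides: RETURN
hands the packet back to the caller, REDIRECT is a terminating target in
the nat table. PREROUTING's policy is ACCEPT, so an unmatched packet or a
RETURN leaves the original destination untouched."""
from dataclasses import dataclass
from typing import List, Optional

GREEN_ADDRESS = "192.168.1.1"   # constructed: IPFire's own address on green0


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    dst: str        # destination address before NAT
    proto: str      # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every match that is set must hold for the target to fire."""
    target: str                     # "RETURN" or "REDIRECT"
    iface: Optional[str] = None     # -i
    dst: Optional[str] = None       # -d
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport

    def matches(self, p: Packet) -> bool:
        checks = ((self.iface, p.iface), (self.dst, p.dst),
                  (self.proto, p.proto), (self.dport, p.dport))
        return all(want is None or want == have for want, have in checks)


def walk_chain(rules: List[Rule], p: Packet) -> Optional[str]:
    """Target of the first matching rule, or None if the chain ends without a match."""
    for r in rules:
        if r.matches(p):
            return r.target
    return None


def prerouting_verdict(chain: List[Rule], p: Packet) -> str:
    """REDIRECT rewrites the destination to IPFire itself; RETURN and
    falling off the end both continue in PREROUTING, whose policy is ACCEPT."""
    return "REDIRECT" if walk_chain(chain, p) == "REDIRECT" else "ACCEPT"


def dns_rules(iface: str, green_addr: str, mode: str = "return-first") -> List[Rule]:
    """Rules for one interface in one of three orderings:
    return-first   Matthias' snippet: RETURN for IPFire-bound requests, then REDIRECT
    redirect-first same rules, wrong order: the RETURN can never be reached
    no-return      the v3 init script as posted: REDIRECT only"""
    rules: List[Rule] = []
    for proto in ("udp", "tcp"):
        ret = Rule("RETURN", iface=iface, dst=green_addr, proto=proto, dport=53)
        red = Rule("REDIRECT", iface=iface, proto=proto, dport=53)
        if mode == "return-first":
            rules += [ret, red]
        elif mode == "redirect-first":
            rules += [red, ret]
        elif mode == "no-return":
            rules.append(red)
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return rules


if __name__ == "__main__":
    chain = dns_rules("green0", GREEN_ADDRESS)
    samples = [  # constructed packets as seen by nat PREROUTING
        Packet("green0", GREEN_ADDRESS, "udp", 53),  # well-behaving: asks IPFire directly
        Packet("green0", "8.8.8.8", "udp", 53),      # bypass attempt: forced back to IPFire
        Packet("green0", "8.8.8.8", "udp", 123),     # NTP: not covered by the DNS rules
        Packet("blue0", "8.8.8.8", "tcp", 53),       # other interface: green rules do not apply
    ]
    for pkt in samples:
        print(pkt, "->", prerouting_verdict(chain, pkt))
```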