public inbox for development@lists.ipfire.org
* Re: Aw: [PATCH] (V3) Forcing DNS/NTP
@ 2021-03-05 22:49 Matthias Fischer
  2021-03-06 19:47 ` Aw: " Bernhard Bitsch
  0 siblings, 1 reply; 6+ messages in thread
From: Matthias Fischer @ 2021-03-05 22:49 UTC (permalink / raw)
  To: development


Hi,

On 05.03.2021 21:45, Bernhard Bitsch wrote:
> Hi,
> 
> At first glance I think the code implements the ideas of the community discussions.

Thanks - but unfortunately I'm not quite satisfied with my results yet
because I didn't manage to merge the init and the ctrl-file in *one* C
program. The whole is running as I want but... ;-)

> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests (to IPFire) by a RETURN.

-v please. I don't know if I get this (the translation English =>
German) right.
If you mean that I asked for some tips and got some, then of course:
many thanks to everybody!

Best,
Matthias

> Regards,
> Bernhard
> 
>> Gesendet: Freitag, 05. März 2021 um 20:40 Uhr
>> Von: "Matthias Fischer" <matthias.fischer(a)ipfire.org>
>> An: development(a)lists.ipfire.org
>> Betreff: [PATCH] (V3) Forcing DNS/NTP
>>
>> Originally triggered by:
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>> 
>> Current discussion:
>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>> 
>> Summary and functionality:
>>   These patches are controlled through "Firewall Options". They add new
>>   firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>   They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>   ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>> 
>>   Default of all new rules is OFF (set in 'lfs/configroot').
>>   If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>   servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>   this more transparent.
>> 
>>   Flaw/ToDo:
>>   To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>   init file, 'dnsntp'. This is actually an unnecessary detour.
>>   In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>   capabilities, perhaps "someone" else knows how to program this.
>> 
>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>   The corresponding interface options - including 'Masquerade ...' - are only visible if
>>   the respective interface actually exists.
>>   If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>   or logging options for BLUE available (e.g.).
>>   Added text colors for better readability and links to DNS and NTP GUI.
>>   Separated logging options per interface.
>> 
>> No reboot required:
>>   Rules can be switched ON/OFF without rebooting IPFire.
>>   Changes immediately take effect after clicking 'Save'.
>> 
>> Changes to '/etc/rc.d/init.d/firewall':
>>   To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>   chain: DNS_NTP_REDIRECT.
>>   This chain is flushed by the init file before the desired settings are applied.
>>   Corrected a 'trafic' typo.
>> 
>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> ---
>>  config/rootfiles/common/aarch64/initscripts  |  1 +
>>  config/rootfiles/common/armv5tel/initscripts |  1 +
>>  config/rootfiles/common/i586/initscripts     |  1 +
>>  config/rootfiles/common/misc-progs           |  1 +
>>  config/rootfiles/common/x86_64/initscripts   |  1 +
>>  html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>>  langs/de/cgi-bin/de.pl                       | 15 +++-
>>  langs/en/cgi-bin/en.pl                       | 15 +++-
>>  lfs/configroot                               |  4 +
>>  src/initscripts/system/dnsntp                | 36 ++++++++
>>  src/initscripts/system/firewall              |  9 +-
>>  src/misc-progs/Makefile                      |  2 +-
>>  src/misc-progs/dnsntpctrl.c                  | 19 ++++
>>  13 files changed, 168 insertions(+), 29 deletions(-)
>>  create mode 100644 src/initscripts/system/dnsntp
>>  create mode 100644 src/misc-progs/dnsntpctrl.c
>> 
>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>> index 800005966..f38a3a294 100644
>> --- a/config/rootfiles/common/aarch64/initscripts
>> +++ b/config/rootfiles/common/aarch64/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>  etc/rc.d/init.d/console
>>  etc/rc.d/init.d/dhcp
>>  etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>>  etc/rc.d/init.d/fcron
>>  etc/rc.d/init.d/fireinfo
>>  etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>> index 800005966..f38a3a294 100644
>> --- a/config/rootfiles/common/armv5tel/initscripts
>> +++ b/config/rootfiles/common/armv5tel/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>  etc/rc.d/init.d/console
>>  etc/rc.d/init.d/dhcp
>>  etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>>  etc/rc.d/init.d/fcron
>>  etc/rc.d/init.d/fireinfo
>>  etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>> index 18c5a897a..a3a2b47f7 100644
>> --- a/config/rootfiles/common/i586/initscripts
>> +++ b/config/rootfiles/common/i586/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>  etc/rc.d/init.d/console
>>  etc/rc.d/init.d/dhcp
>>  etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>>  etc/rc.d/init.d/fcron
>>  etc/rc.d/init.d/fireinfo
>>  etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>> index d6594b3f8..4bcb94812 100644
>> --- a/config/rootfiles/common/misc-progs
>> +++ b/config/rootfiles/common/misc-progs
>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>  usr/local/bin/collectdctrl
>>  usr/local/bin/ddnsctrl
>>  usr/local/bin/dhcpctrl
>> +usr/local/bin/dnsntpctrl
>>  usr/local/bin/extrahdctrl
>>  usr/local/bin/fireinfoctrl
>>  usr/local/bin/firewallctrl
>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>> index 18c5a897a..a3a2b47f7 100644
>> --- a/config/rootfiles/common/x86_64/initscripts
>> +++ b/config/rootfiles/common/x86_64/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>  etc/rc.d/init.d/console
>>  etc/rc.d/init.d/dhcp
>>  etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>>  etc/rc.d/init.d/fcron
>>  etc/rc.d/init.d/fireinfo
>>  etc/rc.d/init.d/firewall
>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> index 321642e82..3fc707e8b 100644
>> --- a/html/cgi-bin/optionsfw.cgi
>> +++ b/html/cgi-bin/optionsfw.cgi
>> @@ -2,7 +2,7 @@
>>  ###############################################################################
>>  #                                                                             #
>>  # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2014-2020  IPFire Team  <info(a)ipfire.org>                     #
>> +# Copyright (C) 2014-2021  IPFire Team  <info(a)ipfire.org>                     #
>>  #                                                                             #
>>  # This program is free software: you can redistribute it and/or modify        #
>>  # it under the terms of the GNU General Public License as published by        #
>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>  		$errormessage .= $Lang::tr{'new optionsfw later'};
>>  		&General::writehash($filename, \%settings);             # Save good settings
>>  		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>  	}else{
>>  		if ($settings{'POLICY'} ne ''){
>>  			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
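Review bot: the added dnsntpctrl call discards both its output (`>/dev/null 2>&1`) and its exit status (the return value of system() is never examined), so if the REDIRECT rules cannot be installed the page still reports a successful save. The firewallctrl call one line above has the same weakness, but this option changes where every client's DNS goes, so at least check the return value and append a message to $errormessage when it is non-zero.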
>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>  		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>  		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>  		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>  	}
>>  	&General::readhash($filename, \%settings);             # Load good settings
>>  }
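Review bot: this is the second copy of the identical dnsntpctrl call, one per branch of the if/else. Both branches fall through to the &General::readhash on the line after the closing brace; placing a single call there runs it exactly once and avoids a future change updating one branch and forgetting the other.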
>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>  $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>  $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>  $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>  
>>  &Header::openbox('100%', 'center',);
>>  print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
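Review bot: the four new switches are seeded only by lfs/configroot, i.e. for fresh installations, so on an updated system $settings{'DNS_FORCE_ON_GREEN'} and its siblings are undef here; the hash is then indexed with an undefined key (a Perl warning) and neither radio button is pre-checked. Nothing in this hunk constrains the posted value to 'on'/'off' before it is written to the settings file that the init script later evaluates with eval, so a default and a whitelist together would be safer, e.g. `$settings{'DNS_FORCE_ON_GREEN'} = 'off' unless $settings{'DNS_FORCE_ON_GREEN'} =~ /^(on|off)$/;` for each of the four keys before the $checked lines.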
>> @@ -189,13 +203,44 @@ END
>>  END
>>  	}
>>  
>> -	print <<END
>> +print <<END;
>> +	<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'></tr>
>> +		<tr> </tr>
>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>> +		</tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +		<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> +		<tr> </tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			</td>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>>  	</table>
>>  
>> -	<br>
>> +	<br />
>>  
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>  <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>  																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>  <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
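Review bot: the GREEN heading is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr> </tr>` is another, and the `<td colspan='2' ...>` that carries $Lang::tr{'fw green'} sits outside any `<tr>` before a stray `</tr>`. The BLUE block further down does it correctly on one line, so use the same form for GREEN: `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`. The BLUE block itself opens a second `<table width='95%' ...>` without closing the first, and has a bare `<tr>` after its heading plus an orphaned `</td></tr>` at the end; the tables open and close unevenly, which browsers tolerate but which makes the layout depend on error recovery.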
>> @@ -206,21 +251,30 @@ END
>>  																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>  <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>  																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +	</table>
>> +
>> +	<br />
>> +
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>  																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>  																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br/>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>> +	</table>
>> +
>> +	<br />
>>  
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br>
>>  <table width='95%' cellspacing='0'>
>>  <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>  <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
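Review bot: the heading of the first logging table changes from 'fw logging' to 'fw logging red', but the options left under it (DROPNEWNOTSYN, DROPINPUT, DROPOUTGOING, DROPPORTSCAN) are not RED-specific by name, so the new label claims a scope the settings do not have. Keep the general 'fw logging' heading for that block and reserve the BLUE heading for the two wireless options moved below it. In the BLUE block the `<tr>` on the line after the heading is never closed before the next `<tr>` starts, the same pattern as in the interface-options block above.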
>> @@ -252,7 +306,7 @@ END
>>  
>>  <br />
>>  <table width='100%' cellspacing='0'>
>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>  <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>  </form></td></tr>
>>  </table>
>> @@ -278,7 +332,7 @@ print <<END;
>>  	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>  END
>>  	print "</tr></table></form>";
>> -	print"<br><br>";
>> +	print"<br /><br />";
>>  	print <<END;
>>  	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>  	<table width='100%' border='0'>
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 6a8133807..d6bb234fa 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -836,6 +836,8 @@
>>  'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>  'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>  'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>  'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>  'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>  'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>> @@ -1102,9 +1104,12 @@
>>  'from email server' => 'Von E-Mail-Server',
>>  'from email user' => 'Von E-Mail-Benutzer',
>>  'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>  'fw default drop' => 'Firewallrichtlinie',
>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>  'fw logging' => 'Firewallprotokollierung',
>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>  'fw settings' => 'Firewalleinstellungen',
>>  'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>  'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>> @@ -1644,9 +1649,9 @@
>>  'map to guest' => 'Map to Guest',
>>  'march' => 'März',
>>  'marked' => 'Markiert',
>> -'masquerade blue' => 'NAT auf BLAU',
>> -'masquerade green' => 'NAT auf GRÜN',
>> -'masquerade orange' => 'NAT auf ORANGE',
>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>  'masquerading' => 'Masquerading/NAT',
>>  'masquerading disabled' => 'NAT ausgeschaltet',
>>  'masquerading enabled' => 'NAT eingeschaltet',
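Review bot: the ORANGE line has `<font color =\'#FF9933\'>` with a space before `=`, unlike the BLUE and GREEN lines and the en.pl version; browsers accept it, but it is inconsistent. More generally, hard-coding `<font color>` into the translation strings copies presentation into every langs/*/cgi-bin file; wrapping a plain string in the markup from optionsfw.cgi keeps the translations free of HTML and the colours in one place.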
>> @@ -1814,6 +1819,8 @@
>>  'november' => 'November',
>>  'ntp common settings' => 'Allgemeine Einstellungen',
>>  'ntp configuration' => 'Zeitserverkonfiguration',
>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>  'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>  'ntp server' => 'NTP-Server',
>>  'ntp sync' => 'Synchronisation',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index 8f7e0c2cf..474612025 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -859,6 +859,8 @@
>>  'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>  'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>  'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>  'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>  'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>  'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>> @@ -1128,9 +1130,12 @@
>>  'from email server' => 'From Email server',
>>  'from email user' => 'From e-mail user',
>>  'from warn email bad' => 'From e-mail address is not valid',
>> -'fw blue' => 'Firewall options for BLUE interface',
>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>  'fw default drop' => 'Firewall policy',
>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>  'fw logging' => 'Firewall logging',
>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>  'fw settings' => 'Firewall settings',
>>  'fw settings color' => 'Show colors in ruletable',
>>  'fw settings dropdown' => 'Show all networks on rulecreation site',
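Review bot: 'fw logging' stays in the file although optionsfw.cgi now uses 'fw logging red' and 'fw logging blue' instead; if no other CGI uses the old key it should go, and if the general logging options keep their original heading (see the comment on the optionsfw.cgi logging hunk) 'fw logging red' is not needed at all. Same remark as for de.pl on embedding `<font color>` in translation strings.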
>> @@ -1672,9 +1677,9 @@
>>  'map to guest' => 'Map to Guest',
>>  'march' => 'March',
>>  'marked' => 'Marked',
>> -'masquerade blue' => 'Masquerade BLUE',
>> -'masquerade green' => 'Masquerade GREEN',
>> -'masquerade orange' => 'Masquerade ORANGE',
>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>  'masquerading' => 'Masquerading',
>>  'masquerading disabled' => 'Masquerading disabled',
>>  'masquerading enabled' => 'Masquerading enabled',
>> @@ -1844,6 +1849,8 @@
>>  'november' => 'November',
>>  'ntp common settings' => 'Common settings',
>>  'ntp configuration' => 'NTP Configuration',
>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>  'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>  'ntp server' => 'NTP Server',
>>  'ntp sync' => 'Synchronization',
>> diff --git a/lfs/configroot b/lfs/configroot
>> index a3e474d70..622793b35 100644
>> --- a/lfs/configroot
>> +++ b/lfs/configroot
>> @@ -129,6 +129,10 @@ $(TARGET) :
>>  	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>  	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>  	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>  	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>  	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>  	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
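Review bot: these four defaults are written only when the config root is built, so an existing installation that picks up this change has no DNS_FORCE_ON_*/NTP_FORCE_ON_* keys in optionsfw/settings. The init script treats a missing key as off, which is the safe direction, but the CGI shows no pre-selected radio button; the keys need to be added by the update script of the release that ships this (not part of the patch) or defaulted in optionsfw.cgi.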
>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>> new file mode 100644
>> index 000000000..2eafa9d20
>> --- /dev/null
>> +++ b/src/initscripts/system/dnsntp
>> @@ -0,0 +1,36 @@
>> +#!/bin/sh
>> +########################################################################
>> +# Begin $rc_base/init.d/dnsntp
>> +#
>> +# Description : dnsntp init script for DNS/NTP rules only
>> +#
>> +########################################################################
>> +
>> +# flush chain
>> +iptables -t nat -F DNS_NTP_REDIRECT
>> +
>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> +
>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>> +fi
>> +
>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>> +fi
>> +
>> +# End $rc_base/init.d/dnsntp
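Review bot: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` and the three tests below it use the bash-only `==` under a `#!/bin/sh` shebang; POSIX `[` defines only `=`, so either use `=` or declare bash. The interface names are hard-coded as green0/blue0 in every rule although the firewall script addresses the interface through its GREEN_DEV variable (see its comment 'before "-i GREEN_DEV"'); reading the device names from the same settings keeps the two in step. `eval $(readhash ...)` executes the settings file as shell, so whatever the CGI writes into these keys is evaluated here as root; that is the existing IPFire pattern, but it is the reason the CGI must restrict the values to on/off. If the script runs before the firewall init has created DNS_NTP_REDIRECT, the flush and every -A fail, and with the wrapper's redirection they fail silently. Two text mismatches: the comment on the last block says "DNS REDIRECTs" where it means NTP, and the commit message says NTP is redirected for TCP and UDP while the rules (correctly, NTP is UDP) only cover UDP 123. Two caveats worth a sentence in the commit message: only plain port 53 is caught, so clients using DNS over TLS (853) or DNS over HTTPS (443) are not forced to the local resolver, and requests already addressed to the firewall could be RETURNed ahead of the REDIRECT rules, as suggested earlier in the thread, so they are not rewritten needlessly.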
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 65f1c979b..43ae74113 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -169,6 +169,10 @@ iptables_init() {
>>  	# Fix for braindead ISPs
>>  	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>  
>> +	# DNS / NTP REDIRECT
>> +	iptables -t nat -N DNS_NTP_REDIRECT
>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> +
>>  	# CUSTOM chains, can be used by the users themselves
>>  	iptables -N CUSTOMINPUT
>>  	iptables -A INPUT -j CUSTOMINPUT
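Review bot: the jump to DNS_NTP_REDIRECT is appended to nat PREROUTING before the "CUSTOM chains, can be used by the users themselves" block that follows, so any custom PREROUTING hook created there is consulted only after the redirect has already taken effect; a custom rule meant to exempt one host (a local resolver that must reach its upstream directly, for instance) can never win. The commit message says the separate chain avoids collisions with custom rules, which holds for chain names but not for precedence; either add the jump after the custom chains or state in the commit message that forced redirection deliberately overrides them.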
>> @@ -281,7 +285,7 @@ iptables_init() {
>>  	iptables -A INPUT -j LOCATIONBLOCK
>>  	iptables -A FORWARD -j LOCATIONBLOCK
>>  
>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>  	iptables -N IPSECINPUT
>>  	iptables -N IPSECFORWARD
>>  	iptables -N IPSECOUTPUT
>> @@ -389,6 +393,9 @@ iptables_init() {
>>  	# run captivectrl
>>  	/usr/local/bin/captivectrl
>>  
>> +	# run dnsntpctrl
>> +	/usr/local/bin/dnsntpctrl
>> +
>>  	# POLICY CHAIN
>>  	iptables -N POLICYIN
>>  	iptables -A INPUT -j POLICYIN
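Review bot: iptables_init already runs as root, so going through the setuid wrapper here only adds an exec and hides the script's output, which the wrapper redirects to /dev/null; calling `/etc/rc.d/init.d/dnsntp` directly keeps any iptables error visible in the boot log. The captivectrl line above is the precedent, but for a script that does nothing except run iptables the direct call is simpler, and it removes the "unnecessary detour" the commit message itself describes.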
>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> index 7c3ef7529..6f2733ef0 100644
>> --- a/src/misc-progs/Makefile
>> +++ b/src/misc-progs/Makefile
>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>  SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>  	ipsecctrl timectrl dhcpctrl suricatactrl \
>>  	rebuildhosts backupctrl collectdctrl \
>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>  	wirelessctrl getipstat qosctrl \
>>  	redctrl syslogdctrl extrahdctrl sambactrl \
>>  	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>> new file mode 100644
>> index 000000000..f2a3b89e3
>> --- /dev/null
>> +++ b/src/misc-progs/dnsntpctrl.c
>> @@ -0,0 +1,19 @@
>> +/* This file is part of the IPFire Firewall.
>> + *
>> + * This program is distributed under the terms of the GNU General Public
>> + * Licence.  See the file COPYING for details.
>> + *
>> + */
>> +
>> +#include <stdlib.h>
>> +#include "setuid.h"
>> +
>> +int main(void)
>> +{
>> +	if (!(initsetuid()))
>> +		exit(1);
>> +
>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> +
>> +	return 0;
>> +}
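Review bot: main() ignores the return value of safe_system() and always returns 0, and the script's output is sent to /dev/null, so neither optionsfw.cgi nor iptables_init can tell whether the REDIRECT rules were applied; return the status of safe_system() and leave the redirection to the caller (optionsfw.cgi already adds its own `>/dev/null 2>&1`). The wrapper takes no arguments and runs a fixed path after initsetuid(), so its attack surface is small, but for the same reason it is the first thing to drop if iptables_init calls the init script directly.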
>> -- 
>> 2.18.0
>> 
>>
> 
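The rule set the patch installs can be generated and reviewed without evaluating the settings file as shell. The script below is an added example, not code from the patch or from IPFire: it reads the DNS_FORCE_ON_*/NTP_FORCE_ON_* keys the patch introduces from an optionsfw-style KEY=VALUE file, accepts only the literal value "on", and prints the same iptables commands the dnsntp init script would run, with the interface names passed in instead of hard-coded (green0/blue0 are the defaults, as in the patch). The sample settings file is constructed inline; its last line shows a value that must not turn into a rule.

```shell
#!/bin/sh
# Added example, not part of the patch: build the DNS_NTP_REDIRECT rule set
# from an optionsfw-style KEY=VALUE file without eval'ing the file as shell.
# Assumptions: keys are the DNS_FORCE_ON_*/NTP_FORCE_ON_* names from the
# patch; interface names are arguments (defaults green0/blue0 as in the patch).

# Print "on" if KEY is set to exactly "on" in FILE, otherwise "off".
# The value must match [a-z]* up to end of line, so a missing key, "on ",
# or "on; touch /tmp/pwned" all come out as "off" (the safe direction).
setting_on_off() {
    file=$1
    key=$2
    val=$(sed -n "s/^${key}=\([a-z]*\)\$/\1/p" "$file" | tail -n 1)
    case "$val" in
        on) echo on ;;
        *)  echo off ;;
    esac
}

# Print one REDIRECT rule in iptables(8) syntax: DEV PROTO PORT.
emit_redirect() {
    printf 'iptables -t nat -A DNS_NTP_REDIRECT -i %s -p %s -m %s --dport %s -j REDIRECT\n' \
        "$1" "$2" "$2" "$3"
}

# Print the complete rule list for FILE: flush, then one block per switch.
# Usage: dnsntp_rules SETTINGS_FILE [GREEN_DEV] [BLUE_DEV]
dnsntp_rules() {
    settings=$1
    green_dev=${2:-green0}
    blue_dev=${3:-blue0}

    echo 'iptables -t nat -F DNS_NTP_REDIRECT'

    if [ "$(setting_on_off "$settings" DNS_FORCE_ON_GREEN)" = on ]; then
        emit_redirect "$green_dev" udp 53
        emit_redirect "$green_dev" tcp 53
    fi
    if [ "$(setting_on_off "$settings" DNS_FORCE_ON_BLUE)" = on ]; then
        emit_redirect "$blue_dev" udp 53
        emit_redirect "$blue_dev" tcp 53
    fi
    if [ "$(setting_on_off "$settings" NTP_FORCE_ON_GREEN)" = on ]; then
        emit_redirect "$green_dev" udp 123
    fi
    if [ "$(setting_on_off "$settings" NTP_FORCE_ON_BLUE)" = on ]; then
        emit_redirect "$blue_dev" udp 123
    fi
}

# Constructed sample settings file (hypothetical content, written to a temp
# file). The last line is the kind of value a typo or a tampered file could
# carry; with eval it would run as root, here it simply counts as "off".
sample_settings() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
DNS_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=off
NTP_FORCE_ON_GREEN=on
NTP_FORCE_ON_BLUE=on; touch /tmp/pwned
EOF
    echo "$f"
}

# Dry run when executed directly: flush line plus three rules for green0.
f=$(sample_settings)
dnsntp_rules "$f" green0 blue0
rm -f "$f"
```

On the firewall the output can be piped to `sh` as root, or compared with `iptables -t nat -S DNS_NTP_REDIRECT` before applying it; the point of the whitelist in setting_on_off is that the settings file is written by a CGI, and an `eval` of its contents trusts every byte of it.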



Thread overview: 6+ messages
     [not found] <EB71159A-1513-46D6-ACC1-57BCC4F2DCC8@gmail.com>
2021-03-06 21:15 ` Aw: Re: [PATCH] (V3) Forcing DNS/NTP Bernhard Bitsch
2021-03-06 21:29   ` Jon Murphy
2021-03-07  8:06   ` Aw: " Matthias Fischer
2021-03-07 10:20     ` Aw: " Bernhard Bitsch
2021-03-07 13:02       ` Matthias Fischer
2021-03-05 22:49 Aw: " Matthias Fischer
2021-03-06 19:47 ` Aw: " Bernhard Bitsch
