For forcing DNS we generate (for example)

iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT

To filter allowed DNS requests there is a rule

iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN

To get ${GREEN_ADDRESS} dnsntp needs an additional

eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct to IPFire) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.

Hope this makes it clear enough.

Best,
Bernhard

> Sent: Saturday, 06 March 2021 at 21:51
> From: "Jon Murphy"
> To: "Bernhard Bitsch"
> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
>
> > I mean the extra rules for requests client-->IPFire:53.
> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>
> How do we determine if a 'well-behaving' client is being redirected? Or how do we measure performance?
>
> When I tried to measure DNS "speed" in the past, the cache gets in there and makes everything look like 38 to 44 ms.
>
> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch wrote:
> >
> > Hi,
> >
> >> Sent: Friday, 05 March 2021 at 23:49
> >> From: "Matthias Fischer"
> >> To: "Bernhard Bitsch"
> >> Cc: development(a)lists.ipfire.org
> >> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
> >>
> >> Hi,
> >>
> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
> >>> Hi,
> >>>
> >>> at a first glance I think the code implements the ideas of the community discussions.
> >>
> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
> >> because I didn't manage to merge the init and the ctrl-file in *one* C
> >> program. The whole is running as I want but... ;-)
> >>
> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests (to IPFire) by a RETURN.
> >>
> >> -v please. I don't know if I get this (the translation english =>
> >> german) right.
> >> If you mean that I asked for some tips and got some, then of course:
> >> many thanks to everybody!
> >>
> > Sorry if I wasn't specific enough.
> > I mean the extra rules for requests client-->IPFire:53.
> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
> >
> > Best,
> > Bernhard
> >> Best,
> >> Matthias
> >>
> >>> Regards,
> >>> Bernhard
> >>>
> >>>> Sent: Friday, 05 March 2021 at 20:40
> >>>> From: "Matthias Fischer"
> >>>> To: development(a)lists.ipfire.org
> >>>> Subject: [PATCH] (V3) Forcing DNS/NTP
> >>>>
> >>>> Originally triggered by:
> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> >>>>
> >>>> Current discussion:
> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> >>>>
> >>>> Summary and functionality:
> >>>> These patches are controlled through "Firewall Options". They add new
> >>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
> >>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
> >>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> >>>>
> >>>> Default of all new rules is OFF (set in 'lfs/configroot').
> >>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
> >>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
> >>>> this more transparent.
> >>>>
> >>>> Flaw/ToDo:
> >>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
> >>>> init file, 'dnsntp'. This is actually an unnecessary detour.
> >>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
> >>>> capabilities, perhaps "someone" else knows how to program this.
> >>>>
> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
> >>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
> >>>> the respective interface actually exists.
> >>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
> >>>> or logging options for BLUE available (e.g.).
> >>>> Added text colors for better readability and links to DNS and NTP GUI.
> >>>> Separated logging options per interface.
> >>>>
> >>>> No reboot required:
> >>>> Rules can be switched ON/OFF without rebooting IPFire.
> >>>> Changes immediately take effect after clicking 'Save'.
> >>>>
> >>>> Changes to '/etc/rc.d/init.d/firewall':
> >>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
> >>>> chain: DNS_NTP_REDIRECT.
> >>>> This chain is flushed by the init file before the desired settings are applied.
> >>>> Corrected a 'trafic' typo.
> >>>>
> >>>> Signed-off-by: Matthias Fischer
> >>>> ---
> >>>>  config/rootfiles/common/aarch64/initscripts  |  1 +
> >>>>  config/rootfiles/common/armv5tel/initscripts |  1 +
> >>>>  config/rootfiles/common/i586/initscripts     |  1 +
> >>>>  config/rootfiles/common/misc-progs           |  1 +
> >>>>  config/rootfiles/common/x86_64/initscripts   |  1 +
> >>>>  html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
> >>>>  langs/de/cgi-bin/de.pl                       | 15 +++-
> >>>>  langs/en/cgi-bin/en.pl                       | 15 +++-
> >>>>  lfs/configroot                               |  4 +
> >>>>  src/initscripts/system/dnsntp                | 36 ++++++++
> >>>>  src/initscripts/system/firewall              |  9 +-
> >>>>  src/misc-progs/Makefile                      |  2 +-
> >>>>  src/misc-progs/dnsntpctrl.c                  | 19 ++++
> >>>>  13 files changed, 168 insertions(+), 29 deletions(-)
> >>>>  create mode 100644 src/initscripts/system/dnsntp
> >>>>  create mode 100644 src/misc-progs/dnsntpctrl.c
> >>>> > >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts > >>>> index 800005966..f38a3a294 100644 > >>>> --- a/config/rootfiles/common/aarch64/initscripts > >>>> +++ b/config/rootfiles/common/aarch64/initscripts > >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >>>> etc/rc.d/init.d/console > >>>> etc/rc.d/init.d/dhcp > >>>> etc/rc.d/init.d/dhcrelay > >>>> +etc/rc.d/init.d/dnsntp > >>>> etc/rc.d/init.d/fcron > >>>> etc/rc.d/init.d/fireinfo > >>>> etc/rc.d/init.d/firewall > >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts > >>>> index 800005966..f38a3a294 100644 > >>>> --- a/config/rootfiles/common/armv5tel/initscripts > >>>> +++ b/config/rootfiles/common/armv5tel/initscripts > >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >>>> etc/rc.d/init.d/console > >>>> etc/rc.d/init.d/dhcp > >>>> etc/rc.d/init.d/dhcrelay > >>>> +etc/rc.d/init.d/dnsntp > >>>> etc/rc.d/init.d/fcron > >>>> etc/rc.d/init.d/fireinfo > >>>> etc/rc.d/init.d/firewall > >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts > >>>> index 18c5a897a..a3a2b47f7 100644 > >>>> --- a/config/rootfiles/common/i586/initscripts > >>>> +++ b/config/rootfiles/common/i586/initscripts > >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >>>> etc/rc.d/init.d/console > >>>> etc/rc.d/init.d/dhcp > >>>> etc/rc.d/init.d/dhcrelay > >>>> +etc/rc.d/init.d/dnsntp > >>>> etc/rc.d/init.d/fcron > >>>> etc/rc.d/init.d/fireinfo > >>>> etc/rc.d/init.d/firewall > >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs > >>>> index d6594b3f8..4bcb94812 100644 > >>>> --- a/config/rootfiles/common/misc-progs > >>>> +++ b/config/rootfiles/common/misc-progs 
> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl > >>>> usr/local/bin/collectdctrl > >>>> usr/local/bin/ddnsctrl > >>>> usr/local/bin/dhcpctrl > >>>> +usr/local/bin/dnsntpctrl > >>>> usr/local/bin/extrahdctrl > >>>> usr/local/bin/fireinfoctrl > >>>> usr/local/bin/firewallctrl > >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts > >>>> index 18c5a897a..a3a2b47f7 100644 > >>>> --- a/config/rootfiles/common/x86_64/initscripts > >>>> +++ b/config/rootfiles/common/x86_64/initscripts > >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >>>> etc/rc.d/init.d/console > >>>> etc/rc.d/init.d/dhcp > >>>> etc/rc.d/init.d/dhcrelay > >>>> +etc/rc.d/init.d/dnsntp > >>>> etc/rc.d/init.d/fcron > >>>> etc/rc.d/init.d/fireinfo > >>>> etc/rc.d/init.d/firewall > >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi > >>>> index 321642e82..3fc707e8b 100644 > >>>> --- a/html/cgi-bin/optionsfw.cgi > >>>> +++ b/html/cgi-bin/optionsfw.cgi > >>>> @@ -2,7 +2,7 @@ > >>>> ############################################################################### > >>>> # # > >>>> # IPFire.org - A linux based firewall # > >>>> -# Copyright (C) 2014-2020 IPFire Team # > >>>> +# Copyright (C) 2014-2021 IPFire Team # > >>>> # # > >>>> # This program is free software: you can redistribute it and/or modify # > >>>> # it under the terms of the GNU General Public License as published by # > >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { > >>>> $errormessage .= $Lang::tr{'new optionsfw later'}; > >>>> &General::writehash($filename, \%settings); # Save good settings > >>>> system("/usr/local/bin/firewallctrl"); > >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); > >>>> }else{ > >>>> if ($settings{'POLICY'} ne ''){ > >>>> $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; 
> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { > >>>> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings); > >>>> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); > >>>> system("/usr/local/bin/firewallctrl"); > >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); > >>>> } > >>>> &General::readhash($filename, \%settings); # Load good settings > >>>> } > >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele > >>>> $selected{'MASQUERADE_BLUE'}{'off'} = ''; > >>>> $selected{'MASQUERADE_BLUE'}{'on'} = ''; > >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; > >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = ''; > >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = ''; > >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"; > >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = ''; > >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = ''; > >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'"; > >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = ''; > >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = ''; > >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'"; > >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = ''; > >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = ''; > >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'"; > >>>> > >>>> &Header::openbox('100%', 'center',); > >>>> print "
"; > >>>> @@ -189,13 +203,44 @@ END > >>>> END > >>>> } > >>>> > >>>> - print < >>>> +print < >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> +END > >>>> + > >>>> + if (&Header::blue_used()) { > >>>> + print < >>>> +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green'}$Lang::tr{'on'} / > >>>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on green'}$Lang::tr{'on'} / > >>>> + $Lang::tr{'off'}
> >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> +END > >>>> + } > >>>> + > >>>> + print < >>>>
$Lang::tr{'fw blue'}
$Lang::tr{'dns force on blue'}$Lang::tr{'on'} / > >>>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / > >>>> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / > >>>> + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / > >>>> + $Lang::tr{'off'}
> >>>> > >>>> -
> >>>> +
> >>>> > >>>> - > >>>> - > >>>> +
$Lang::tr{'fw logging'}
> >>>> + > >>>> > >>>> > >>>> > >>>> -
$Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / > >>>> $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / > >>>> @@ -206,21 +251,30 @@ END > >>>> $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / > >>>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / > >>>> +END > >>>> + > >>>> + if (&Header::blue_used()) { > >>>> + print < >>>> +
> >>>> + > >>>> +
> >>>> + > >>>> + > >>>> + > >>>> + > >>>> + > >>>> - > >>>> -
$Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / > >>>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / > >>>> +
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / > >>>> $Lang::tr{'off'}
> >>>> -
> >>>> + > >>>> +END > >>>> + } > >>>> + > >>>> + print < >>>> + > >>>> + > >>>> +
> >>>> > >>>> - > >>>> - > >>>> - > >>>> - > >>>> -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / > >>>> - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / > >>>> - $Lang::tr{'off'}
> >>>> -
> >>>> > >>>> > >>>> > >>>> END > >>>> print "
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / > >>>> @@ -252,7 +306,7 @@ END > >>>> > >>>>
> >>>> > >>>> - > >>>>
> >>>> +
> >>>> > >>>>
> >>>> @@ -278,7 +332,7 @@ print < >>>>
"; > >>>> - print"

"; > >>>> + print"

"; > >>>> print < >>>>
> >>>> > >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > >>>> index 6a8133807..d6bb234fa 100644 > >>>> --- a/langs/de/cgi-bin/de.pl > >>>> +++ b/langs/de/cgi-bin/de.pl > >>>> @@ -836,6 +836,8 @@ > >>>> 'dns error 0' => 'Die IP Adresse vom primären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene sekundären DNS Server Adresse ist jedoch gültig.
', > >>>> 'dns error 01' => 'Die eingegebene IP Adresse des primären wie auch des sekundären DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', > >>>> 'dns error 1' => 'Die IP Adresse vom sekundären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene primäre DNS Server Adresse ist jedoch gültig.', > >>>> +'dns force on blue' => 'Erzwinge lokale DNS-Server auf BLAU', > >>>> +'dns force on green' => 'Erzwinge lokale DNS-Server auf GRÜN', > >>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', > >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', > >>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', > >>>> @@ -1102,9 +1104,12 @@ > >>>> 'from email server' => 'Von E-Mail-Server', > >>>> 'from email user' => 'Von E-Mail-Benutzer', > >>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig', > >>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface', > >>>> +'fw blue' => 'Firewalloptionen für das BLAUE Interface', > >>>> 'fw default drop' => 'Firewallrichtlinie', > >>>> +'fw green' => 'Firewalloptionen für das GRÜNE Interface', > >>>> 'fw logging' => 'Firewallprotokollierung', > >>>> +'fw logging blue' => 'Firewallprotokollierung (BLAU)', > >>>> +'fw logging red' => 'Firewallprotokollierung (ROT)', > >>>> 'fw settings' => 'Firewalleinstellungen', > >>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen', > >>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', > >>>> @@ -1644,9 +1649,9 @@ > >>>> 'map to guest' => 'Map to Guest', > >>>> 'march' => 'März', > >>>> 'marked' => 'Markiert', > >>>> -'masquerade blue' => 'NAT auf BLAU', > >>>> -'masquerade green' => 'NAT auf GRÜN', > >>>> -'masquerade orange' => 'NAT auf ORANGE', > >>>> +'masquerade blue' => 'NAT auf BLAU', > >>>> +'masquerade green' => 'NAT auf GRÜN', > >>>> +'masquerade orange' => 'NAT auf ORANGE', > >>>> 'masquerading' => 'Masquerading/NAT', > >>>> 'masquerading disabled' => 'NAT ausgeschaltet', > >>>> 'masquerading enabled' => 'NAT eingeschaltet', 
> >>>> @@ -1814,6 +1819,8 @@ > >>>> 'november' => 'November', > >>>> 'ntp common settings' => 'Allgemeine Einstellungen', > >>>> 'ntp configuration' => 'Zeitserverkonfiguration', > >>>> +'ntp force on blue' => 'Erzwinge lokale NTP-Server auf BLAU', > >>>> +'ntp force on green' => 'Erzwinge lokale NTP-Server auf GRÜN', > >>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.', > >>>> 'ntp server' => 'NTP-Server', > >>>> 'ntp sync' => 'Synchronisation', > >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > >>>> index 8f7e0c2cf..474612025 100644 > >>>> --- a/langs/en/cgi-bin/en.pl > >>>> +++ b/langs/en/cgi-bin/en.pl > >>>> @@ -859,6 +859,8 @@ > >>>> 'dns error 0' => 'The IP address of the primary DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid.', > >>>> 'dns error 01' => 'The entered IP address of the primary and secondary DNS server are not valid, please check your entries!', > >>>> 'dns error 1' => 'The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary DNS server address is valid.', > >>>> +'dns force on blue' => 'Force DNS to use local DNS servers on BLUE', > >>>> +'dns force on green' => 'Force DNS to use local DNS servers on GREEN', > >>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', > >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', > >>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0', > >>>> @@ -1128,9 +1130,12 @@ > >>>> 'from email server' => 'From Email server', > >>>> 'from email user' => 'From e-mail user', > >>>> 'from warn email bad' => 'From e-mail address is not valid', > >>>> -'fw blue' => 'Firewall options for BLUE interface', > >>>> +'fw blue' => 'Firewall options for BLUE Interface', > >>>> 'fw default drop' => 'Firewall policy', > >>>> +'fw green' => 'Firewall options for GREEN Interface', > >>>> 'fw logging' => 'Firewall logging', > >>>> +'fw logging blue' => 'Firewall logging (BLUE)', > >>>> +'fw logging red' => 'Firewall logging (RED)', > >>>> 'fw settings' => 'Firewall settings', > >>>> 'fw settings color' => 'Show colors in ruletable', > >>>> 'fw settings dropdown' => 'Show all networks on rulecreation site', > >>>> @@ -1672,9 +1677,9 @@ > >>>> 'map to guest' => 'Map to Guest', > >>>> 'march' => 'March', > >>>> 'marked' => 'Marked', > >>>> -'masquerade blue' => 'Masquerade BLUE', > >>>> -'masquerade green' => 'Masquerade GREEN', > >>>> -'masquerade orange' => 'Masquerade ORANGE', > >>>> +'masquerade blue' => 'Masquerade BLUE', > >>>> +'masquerade green' => 'Masquerade GREEN', > >>>> +'masquerade orange' => 'Masquerade ORANGE', > >>>> 'masquerading' => 'Masquerading', > >>>> 'masquerading disabled' => 'Masquerading disabled', > >>>> 'masquerading enabled' => 'Masquerading enabled', 
> >>>> @@ -1844,6 +1849,8 @@ > >>>> 'november' => 'November', > >>>> 'ntp common settings' => 'Common settings', > >>>> 'ntp configuration' => 'NTP Configuration', > >>>> +'ntp force on blue' => 'Force NTP to use local NTP servers on BLUE', > >>>> +'ntp force on green' => 'Force NTP to use local NTP servers on GREEN', > >>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.', > >>>> 'ntp server' => 'NTP Server', > >>>> 'ntp sync' => 'Synchronization', > >>>> diff --git a/lfs/configroot b/lfs/configroot > >>>> index a3e474d70..622793b35 100644 > >>>> --- a/lfs/configroot > >>>> +++ b/lfs/configroot > >>>> @@ -129,6 +129,10 @@ $(TARGET) : > >>>> echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings > >>>> echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings > >>>> echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings > >>>> + echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings > >>>> + echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings > >>>> + echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings > >>>> + echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings > >>>> echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings > >>>> echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings > >>>> echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings > >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp > >>>> new file mode 100644 > >>>> index 000000000..2eafa9d20 > >>>> --- /dev/null > >>>> +++ b/src/initscripts/system/dnsntp 
> >>>> @@ -0,0 +1,36 @@ > >>>> +#!/bin/sh > >>>> +######################################################################## > >>>> +# Begin $rc_base/init.d/dnsntp > >>>> +# > >>>> +# Description : dnsntp init script for DNS/NTP rules only > >>>> +# > >>>> +######################################################################## > >>>> + > >>>> +# flush chain > >>>> +iptables -t nat -F DNS_NTP_REDIRECT > >>>> + > >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > >>>> + > >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) > >>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then > >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT > >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT > >>>> +fi > >>>> + > >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) > >>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then > >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT > >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT > >>>> +fi > >>>> + > >>>> +# Force NTP REDIRECTs on GREEN (udp, 123) > >>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then > >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT > >>>> +fi > >>>> + > >>>> +# Force DNS REDIRECTs on BLUE (udp, 123) > >>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then > >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT > >>>> +fi > >>>> + > >>>> +# End $rc_base/init.d/dnsntp > >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall > >>>> index 65f1c979b..43ae74113 100644 > >>>> --- a/src/initscripts/system/firewall > >>>> +++ b/src/initscripts/system/firewall 
> >>>> @@ -169,6 +169,10 @@ iptables_init() { > >>>> # Fix for braindead ISPs > >>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu > >>>> > >>>> + # DNS / NTP REDIRECT > >>>> + iptables -t nat -N DNS_NTP_REDIRECT > >>>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT > >>>> + > >>>> # CUSTOM chains, can be used by the users themselves > >>>> iptables -N CUSTOMINPUT > >>>> iptables -A INPUT -j CUSTOMINPUT > >>>> @@ -281,7 +285,7 @@ iptables_init() { > >>>> iptables -A INPUT -j LOCATIONBLOCK > >>>> iptables -A FORWARD -j LOCATIONBLOCK > >>>> > >>>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything > >>>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything > >>>> iptables -N IPSECINPUT > >>>> iptables -N IPSECFORWARD > >>>> iptables -N IPSECOUTPUT > >>>> @@ -389,6 +393,9 @@ iptables_init() { > >>>> # run captivectrl > >>>> /usr/local/bin/captivectrl > >>>> > >>>> + # run dnsntpctrl > >>>> + /usr/local/bin/dnsntpctrl > >>>> + > >>>> # POLICY CHAIN > >>>> iptables -N POLICYIN > >>>> iptables -A INPUT -j POLICYIN > >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile > >>>> index 7c3ef7529..6f2733ef0 100644 > >>>> --- a/src/misc-progs/Makefile > >>>> +++ b/src/misc-progs/Makefile > >>>> @@ -26,7 +26,7 @@ PROGS = iowrap > >>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \ > >>>> ipsecctrl timectrl dhcpctrl suricatactrl \ > >>>> rebuildhosts backupctrl collectdctrl \ > >>>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ > >>>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ > >>>> wirelessctrl getipstat qosctrl \ > >>>> redctrl syslogdctrl extrahdctrl sambactrl \ > >>>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ > >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c > >>>> new file mode 100644 > >>>> index 000000000..f2a3b89e3 > >>>> --- /dev/null 
> >>>> +++ b/src/misc-progs/dnsntpctrl.c > >>>> @@ -0,0 +1,19 @@ > >>>> +/* This file is part of the IPFire Firewall. > >>>> + * > >>>> + * This program is distributed under the terms of the GNU General Public > >>>> + * Licence. See the file COPYING for details. > >>>> + * > >>>> + */ > >>>> + > >>>> +#include > >>>> +#include "setuid.h" > >>>> + > >>>> +int main(void) > >>>> +{ > >>>> + if (!(initsetuid())) > >>>> + exit(1); > >>>> + > >>>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); > >>>> + > >>>> + return 0; > >>>> +} > >>>> -- > >>>> 2.18.0 > >>>> > >>>> > >>> > >> > >> > >
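Review bot: in the optionsfw.cgi hunk the BLUE switches are only rendered when `&Header::blue_used()` is true, but the new init script applies `DNS_FORCE_ON_BLUE`/`NTP_FORCE_ON_BLUE` whenever the stored value is "on", so a value saved while BLUE existed keeps adding blue0 rules after the interface is gone and the user no longer has a control to switch it off. Either reset the hidden keys to "off" in the save path or test for the interface in the init script. The posted checkbox values are also written to the settings file without being checked against on/off; only the exact string "on" enables a rule, which is safe, but a one-line validation keeps the file clean.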
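Review bot: the label 'Force DNS to use local DNS servers on GREEN' in the en.pl hunk (and the commit message's "REDIRECT all DNS and NTP requests ... to the DNS and NTP servers specified in IPFire") describes the effect loosely. REDIRECT rewrites the destination to the firewall's own address on the receiving interface; it is IPFire's resolver and NTP daemon that then use the configured upstream servers, and only plain port 53 and 123 traffic is matched. 'Force DNS requests on GREEN to IPFire' would say what the rule does, and the same applies to the German strings.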
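Review bot: the tests `if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then` in src/initscripts/system/dnsntp use `==`, a bash extension, under a `#!/bin/sh` shebang; use `=` so the script does not depend on /bin/sh being bash. In the same hunk the comment above the blue NTP block reads "Force DNS REDIRECTs on BLUE (udp, 123)" and should say NTP, and the interfaces are hardcoded as green0/blue0 while the firewall script refers to GREEN_DEV (see the "-i GREEN_DEV" comment in the firewall hunk); reading the device names from /var/ipfire/ethernet/settings keeps the two consistent. Finally, as raised in the thread, the chain has no RETURN for requests already addressed to the firewall, so a `-d ${GREEN_ADDRESS} ... -j RETURN` rule placed before each REDIRECT would keep well-behaving clients out of NAT entirely.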
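Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended to nat PREROUTING right after the MSS clamp, but the hunk does not show where this jump lands relative to the other nat PREROUTING jumps (port forwards, any user-editable chain). The commit message says the separate chain avoids collisions with CUSTOM rules; please state in the script comment whether the redirect is meant to run before or after those, since in the nat table the first matching DNAT/REDIRECT wins for a connection and a user rule for port 53 is then either never reached or silently takes precedence, depending on the order.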
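Review bot: the firewall init script already runs as root, so the added `/usr/local/bin/dnsntpctrl` call goes through the setuid wrapper only to exec another init script; calling /etc/rc.d/init.d/dnsntp directly here (or moving the rule block into iptables_init next to the chain creation) removes the double indirection the commit message itself flags as an unnecessary detour, and makes it obvious that the `-N DNS_NTP_REDIRECT` above has run before dnsntp flushes the chain.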
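Review bot: adding dnsntpctrl to SUID_PROGS in src/misc-progs/Makefile means that `eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)` in the init script is evaluated by a root shell on a file the web UI writes as an unprivileged user. This follows the pattern of the other *ctrl programs, but please confirm that readhash only emits plain KEY=VALUE pairs with quoted values, since anything else in that file would be executed as root.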
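Review bot: in dnsntpctrl.c the return value of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1")` is discarded and main() always returns 0, and optionsfw.cgi additionally sends the wrapper's output to /dev/null, so a failing iptables command in the init script is invisible to the user who just clicked Save. Return the exit status of safe_system (or at least a non-zero code on failure) so the CGI can report it.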
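The RETURN-before-REDIRECT layout Bernhard describes at the top of the thread, as an added example that is not IPFire code and not part of the submitted patch. It builds the DNS_NTP_REDIRECT chain from the same on/off switches the patch stores in /var/ipfire/optionsfw/settings, puts a RETURN for requests already addressed to the firewall in front of each catch-all REDIRECT, and adds a small check that the order is right per interface and port (a RETURN placed after the matching REDIRECT is dead code). REDIRECT rewrites the destination to the primary address of the receiving interface, so the `-d <address>` RETURN covers exactly the packets the REDIRECT would leave at the same destination anyway. The interface names, the fallback addresses and the `IPT` dry-run switch are assumptions for the demo; on a real IPFire the addresses come from /var/ipfire/ethernet/settings via readhash.

```shell
#!/bin/sh
# Added example (not IPFire code): DNS/NTP forcing with RETURN before REDIRECT.
# IPT defaults to "echo iptables" so the script runs without root or netfilter
# and just prints the rules it would load; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Rules for one interface.
#   $1 = interface, $2 = the firewall's address on it (assumed values below),
#   $3 = DNS forcing on/off, $4 = NTP forcing on/off
force_dnsntp_iface() {
    if [ "$3" = "on" ]; then
        # Well-behaving clients already talk to IPFire: leave the nat table.
        $IPT -t nat -A DNS_NTP_REDIRECT -i "$1" -d "$2" -p udp --dport 53 -j RETURN
        $IPT -t nat -A DNS_NTP_REDIRECT -i "$1" -d "$2" -p tcp --dport 53 -j RETURN
        # Everything else on port 53 is pulled to the firewall's own resolver.
        $IPT -t nat -A DNS_NTP_REDIRECT -i "$1" -p udp --dport 53 -j REDIRECT
        $IPT -t nat -A DNS_NTP_REDIRECT -i "$1" -p tcp --dport 53 -j REDIRECT
    fi
    if [ "$4" = "on" ]; then
        $IPT -t nat -A DNS_NTP_REDIRECT -i "$1" -d "$2" -p udp --dport 123 -j RETURN
        $IPT -t nat -A DNS_NTP_REDIRECT -i "$1" -p udp --dport 123 -j REDIRECT
    fi
}

# Rebuild the whole chain from the switches the patch writes to
# /var/ipfire/optionsfw/settings (read here from the environment).
# GREEN_ADDRESS/BLUE_ADDRESS fall back to assumed demo addresses.
force_dnsntp_rules() {
    $IPT -t nat -F DNS_NTP_REDIRECT
    force_dnsntp_iface green0 "${GREEN_ADDRESS:-192.168.1.1}" \
        "${DNS_FORCE_ON_GREEN:-off}" "${NTP_FORCE_ON_GREEN:-off}"
    force_dnsntp_iface blue0 "${BLUE_ADDRESS:-192.168.2.1}" \
        "${DNS_FORCE_ON_BLUE:-off}" "${NTP_FORCE_ON_BLUE:-off}"
}

# Order check on a rule list read from stdin: for every interface/proto/port
# group, no RETURN may come after a REDIRECT of the same group. Exit 0 if the
# order is sound, 1 otherwise.
check_return_before_redirect() {
    awk '
        {
            iface = proto = port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            key = iface "/" proto "/" port
            if (/-j REDIRECT/) redirected[key] = 1
            if (/-j RETURN/ && redirected[key]) bad = 1
        }
        END { exit bad }'
}

# Demo run: force DNS and NTP on GREEN only, print the rules, verify the order.
DNS_FORCE_ON_GREEN="${DNS_FORCE_ON_GREEN:-on}"
NTP_FORCE_ON_GREEN="${NTP_FORCE_ON_GREEN:-on}"
rules=$(force_dnsntp_rules)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | check_return_before_redirect \
    && echo "# rule order OK: RETURN precedes REDIRECT in every group"
```

Run it as `sh dnsntp-demo.sh` to see the seven commands it would issue for GREEN (flush, two RETURN and two REDIRECT for DNS, one RETURN and one REDIRECT for NTP); `IPT=iptables sh dnsntp-demo.sh` as root loads them, assuming the DNS_NTP_REDIRECT chain already exists as in the patch.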