From: Bernhard Bitsch <Bernhard.Bitsch@gmx.de>
To: development@lists.ipfire.org
Subject: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Sat, 06 Mar 2021 20:47:30 +0100
Message-ID: <trinity-30c65ad7-2cca-4070-903f-7f3203cff6b7-1615060050360@3c-app-gmx-bs04>
In-Reply-To: <564b11a9-ac91-363b-3270-78305aeb2669@ipfire.org>
Hi,
> Sent: Friday, 05 March 2021 at 23:49
> From: "Matthias Fischer" <matthias.fischer(a)ipfire.org>
> To: "Bernhard Bitsch" <Bernhard.Bitsch(a)gmx.de>
> Cc: development(a)lists.ipfire.org
> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>
> Hi,
>
> On 05.03.2021 21:45, Bernhard Bitsch wrote:
> > Hi,
> >
> > At first glance, I think the code implements the ideas of the community discussions.
>
> Thanks - but unfortunately I'm not quite satisfied with my results yet
> because I didn't manage to merge the init and the ctrl-file in *one* C
> program. The whole is running as I want but... ;-)
>
> > Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests (to IPFire) by a RETURN.
>
> -v please. I don't know if I get this (the translation English =>
> German) right.
> If you mean that I asked for some tips and got some, then of course:
> many thanks to everybody!
>
Sorry if I wasn't specific enough.
I mean the extra rules for requests client-->IPFire:53.
These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
Best,
Bernhard
> Best,
> Matthias
>
> > Regards,
> > Bernhard
> >
> >> Sent: Friday, 05 March 2021 at 20:40
> >> From: "Matthias Fischer" <matthias.fischer(a)ipfire.org>
> >> To: development(a)lists.ipfire.org
> >> Subject: [PATCH] (V3) Forcing DNS/NTP
> >>
> >> Originally triggered by:
> >> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> >>
> >> Current discussion:
> >> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> >>
> >> Summary and functionality:
> >> These patches are controlled through "Firewall Options". They add new
> >> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
> >> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
> >> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> >>
> >> Default of all new rules is OFF (set in 'lfs/configroot').
> >> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
> >> servers specified in IPFire. GUI links to DNS and NTP options were added to make
> >> this more transparent.
> >>
> >> Flaw/ToDo:
> >> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
> >> init file, 'dnsntp'. This is actually an unnecessary detour.
> >> In fact I wanted to merge these two files in *one* C file, but this was beyond my
> >> capabilities, perhaps "someone" else knows how to program this.
> >>
> >> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
> >> The corresponding interface options - including 'Masquerade ...' - are only visible if
> >> the respective interface actually exists.
> >> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
> >> or logging options for BLUE available (e.g.).
> >> Added text colors for better readability and links to DNS and NTP GUI.
> >> Separated logging options per interface.
> >>
> >> No reboot required:
> >> Rules can be switched ON/OFF without rebooting IPFire.
> >> Changes immediately take effect after clicking 'Save'.
> >>
> >> Changes to '/etc/rc.d/init.d/firewall':
> >> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
> >> chain: DNS_NTP_REDIRECT.
> >> This chain is flushed by the init file before the desired settings are applied.
> >> Corrected a 'trafic' typo.
> >>
> >> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> >> ---
> >> config/rootfiles/common/aarch64/initscripts | 1 +
> >> config/rootfiles/common/armv5tel/initscripts | 1 +
> >> config/rootfiles/common/i586/initscripts | 1 +
> >> config/rootfiles/common/misc-progs | 1 +
> >> config/rootfiles/common/x86_64/initscripts | 1 +
> >> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++----
> >> langs/de/cgi-bin/de.pl | 15 +++-
> >> langs/en/cgi-bin/en.pl | 15 +++-
> >> lfs/configroot | 4 +
> >> src/initscripts/system/dnsntp | 36 ++++++++
> >> src/initscripts/system/firewall | 9 +-
> >> src/misc-progs/Makefile | 2 +-
> >> src/misc-progs/dnsntpctrl.c | 19 ++++
> >> 13 files changed, 168 insertions(+), 29 deletions(-)
> >> create mode 100644 src/initscripts/system/dnsntp
> >> create mode 100644 src/misc-progs/dnsntpctrl.c
> >>
> >> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
> >> index 800005966..f38a3a294 100644
> >> --- a/config/rootfiles/common/aarch64/initscripts
> >> +++ b/config/rootfiles/common/aarch64/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >> etc/rc.d/init.d/console
> >> etc/rc.d/init.d/dhcp
> >> etc/rc.d/init.d/dhcrelay
> >> +etc/rc.d/init.d/dnsntp
> >> etc/rc.d/init.d/fcron
> >> etc/rc.d/init.d/fireinfo
> >> etc/rc.d/init.d/firewall
> >> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
> >> index 800005966..f38a3a294 100644
> >> --- a/config/rootfiles/common/armv5tel/initscripts
> >> +++ b/config/rootfiles/common/armv5tel/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >> etc/rc.d/init.d/console
> >> etc/rc.d/init.d/dhcp
> >> etc/rc.d/init.d/dhcrelay
> >> +etc/rc.d/init.d/dnsntp
> >> etc/rc.d/init.d/fcron
> >> etc/rc.d/init.d/fireinfo
> >> etc/rc.d/init.d/firewall
> >> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
> >> index 18c5a897a..a3a2b47f7 100644
> >> --- a/config/rootfiles/common/i586/initscripts
> >> +++ b/config/rootfiles/common/i586/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >> etc/rc.d/init.d/console
> >> etc/rc.d/init.d/dhcp
> >> etc/rc.d/init.d/dhcrelay
> >> +etc/rc.d/init.d/dnsntp
> >> etc/rc.d/init.d/fcron
> >> etc/rc.d/init.d/fireinfo
> >> etc/rc.d/init.d/firewall
> >> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> >> index d6594b3f8..4bcb94812 100644
> >> --- a/config/rootfiles/common/misc-progs
> >> +++ b/config/rootfiles/common/misc-progs
> >> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
> >> usr/local/bin/collectdctrl
> >> usr/local/bin/ddnsctrl
> >> usr/local/bin/dhcpctrl
> >> +usr/local/bin/dnsntpctrl
> >> usr/local/bin/extrahdctrl
> >> usr/local/bin/fireinfoctrl
> >> usr/local/bin/firewallctrl
> >> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
> >> index 18c5a897a..a3a2b47f7 100644
> >> --- a/config/rootfiles/common/x86_64/initscripts
> >> +++ b/config/rootfiles/common/x86_64/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >> etc/rc.d/init.d/console
> >> etc/rc.d/init.d/dhcp
> >> etc/rc.d/init.d/dhcrelay
> >> +etc/rc.d/init.d/dnsntp
> >> etc/rc.d/init.d/fcron
> >> etc/rc.d/init.d/fireinfo
> >> etc/rc.d/init.d/firewall
> >> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> >> index 321642e82..3fc707e8b 100644
> >> --- a/html/cgi-bin/optionsfw.cgi
> >> +++ b/html/cgi-bin/optionsfw.cgi
> >> @@ -2,7 +2,7 @@
> >> ###############################################################################
> >> # #
> >> # IPFire.org - A linux based firewall #
> >> -# Copyright (C) 2014-2020 IPFire Team <info(a)ipfire.org> #
> >> +# Copyright (C) 2014-2021 IPFire Team <info(a)ipfire.org> #
> >> # #
> >> # This program is free software: you can redistribute it and/or modify #
> >> # it under the terms of the GNU General Public License as published by #
> >> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> >> $errormessage .= $Lang::tr{'new optionsfw later'};
> >> &General::writehash($filename, \%settings); # Save good settings
> >> system("/usr/local/bin/firewallctrl");
> >> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> >> }else{
> >> if ($settings{'POLICY'} ne ''){
> >> $fwdfwsettings{'POLICY'} = $settings{'POLICY'};
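Review bot: the `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` added here (and again in the else branch in the next hunk) runs directly after `firewallctrl`; if `firewallctrl` re-runs the firewall init script, which in this series also calls `/usr/local/bin/dnsntpctrl` from `iptables_init`, the DNS/NTP chain is rebuilt twice on every save. One call after the if/else is enough, and its return value should be checked so that a failed rule update ends up in `$errormessage` rather than being discarded; the `>/dev/null 2>&1` is also redundant because `dnsntpctrl.c` already silences the init script.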
> >> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> >> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> >> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> >> system("/usr/local/bin/firewallctrl");
> >> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> >> }
> >> &General::readhash($filename, \%settings); # Load good settings
> >> }
> >> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
> >> $selected{'MASQUERADE_BLUE'}{'off'} = '';
> >> $selected{'MASQUERADE_BLUE'}{'on'} = '';
> >> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> >> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> >> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> >> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> >> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> >> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> >> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> >> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> >> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> >> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> >> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> >> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> >> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
> >>
> >> &Header::openbox('100%', 'center',);
> >> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
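Review bot: the twelve `$checked{...}` lines assume the four new keys are present in `$settings`; on a system updated from an earlier release they only exist if the update adds them (the `lfs/configroot` defaults in this series only seed fresh installs), so `$settings{'DNS_FORCE_ON_GREEN'}` is undef, Perl warns about an uninitialized hash key and neither radio button is preselected. A loop over the four names with a default, e.g. `$settings{$key} = 'off' unless defined $settings{$key};`, handles that and removes the repetition.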
> >> @@ -189,13 +203,44 @@ END
> >> END
> >> }
> >>
> >> - print <<END
> >> +print <<END;
> >> + <table width='95%' cellspacing='0'>
> >> + <tr bgcolor='$color{'color20'}'></tr>
> >> + <tr> </tr>
> >> + <td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> >> + </tr>
> >> + <tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> >> + <input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> + <tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> >> + <input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> +END
> >> +
> >> + if (&Header::blue_used()) {
> >> + print <<END;
> >> + <table width='95%' cellspacing='0'>
> >> + <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> >> + <tr> </tr>
> >> + <tr>
> >> + <tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> >> + <input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> + <tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> >> + <input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> + <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> >> + <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> + <tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> >> + <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> + </td>
> >> + </tr>
> >> +END
> >> + }
> >> +
> >> + print <<END;
> >> </table>
> >>
> >> - <br>
> >> + <br />
> >>
> >> -<table width='95%' cellspacing='0'>
> >> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> >> + <table width='95%' cellspacing='0'>
> >> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
> >> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
> >> <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
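Review bot: the GREEN block's table markup is malformed: the heading is written as an empty `<tr bgcolor='$color{'color20'}'></tr>`, followed by `<tr> </tr>`, followed by a `<td colspan='2' ...>` that is outside any open `<tr>`, whereas the BLUE block below uses the correct single row. Use the same form for GREEN, `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`. The BLUE block also opens a second `<table width='95%' cellspacing='0'>` while the GREEN table is still open, yet only one `</table>` follows after the `if`, and its lone `<tr>` before the first DNS row and the trailing `</td>` `</tr>` pair match nothing; close the GREEN table before opening the BLUE one and drop the stray tags.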
> >> @@ -206,21 +251,30 @@ END
> >> <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
> >> <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> >> +END
> >> +
> >> + if (&Header::blue_used()) {
> >> + print <<END;
> >> + </table>
> >> +
> >> + <br />
> >> +
> >> + <table width='95%' cellspacing='0'>
> >> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> >> + <tr>
> >> + <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> >> <input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> >> + <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> >> <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -</table>
> >> -<br/>
> >> + </tr>
> >> +END
> >> + }
> >> +
> >> + print <<END;
> >> + </table>
> >> +
> >> + <br />
> >>
> >> -<table width='95%' cellspacing='0'>
> >> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> >> - <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> >> - <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -</table>
> >> -<br>
> >> <table width='95%' cellspacing='0'>
> >> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
> >> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
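Review bot: the BLUE logging block wraps its two rows in an extra `<tr>` ... `</tr>` pair (the `+ <tr>` line before the wirelessinput row and the `+ </tr>` line after the wirelessforward row), which nests table rows; drop both. The new heading `fw logging red` is also placed over DROPNEWNOTSYN, DROPINPUT, DROPOUTGOING and DROPPORTSCAN, which nothing in this patch ties to the RED interface, so the former generic `fw logging` heading looks like the more accurate label for that table.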
> >> @@ -252,7 +306,7 @@ END
> >>
> >> <br />
> >> <table width='100%' cellspacing='0'>
> >> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> >> </form></td></tr>
> >> </table>
> >> @@ -278,7 +332,7 @@ print <<END;
> >> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
> >> END
> >> print "</tr></table></form>";
> >> - print"<br><br>";
> >> + print"<br /><br />";
> >> print <<END;
> >> <form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >> <table width='100%' border='0'>
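Review bot: this hunk, like the `align='right'` to `align='center'` change above, is a markup clean-up unrelated to DNS/NTP forcing; splitting such cosmetics into their own patch keeps the functional change small and bisectable.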
> >> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> >> index 6a8133807..d6bb234fa 100644
> >> --- a/langs/de/cgi-bin/de.pl
> >> +++ b/langs/de/cgi-bin/de.pl
> >> @@ -836,6 +836,8 @@
> >> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
> >> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
> >> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> >> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
> >> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
> >> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
> >> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
> >> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> >> @@ -1102,9 +1104,12 @@
> >> 'from email server' => 'Von E-Mail-Server',
> >> 'from email user' => 'Von E-Mail-Benutzer',
> >> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> >> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> >> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
> >> 'fw default drop' => 'Firewallrichtlinie',
> >> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
> >> 'fw logging' => 'Firewallprotokollierung',
> >> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> >> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
> >> 'fw settings' => 'Firewalleinstellungen',
> >> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
> >> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
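Review bot: embedding `<font color=...>` in the translation strings moves presentation into every language file and relies on a tag current HTML no longer supports; the interface colours are better applied once in `optionsfw.cgi` (which already takes its heading colour from `$color{'color20'}`) or via a CSS class, leaving the strings as plain text.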
> >> @@ -1644,9 +1649,9 @@
> >> 'map to guest' => 'Map to Guest',
> >> 'march' => 'März',
> >> 'marked' => 'Markiert',
> >> -'masquerade blue' => 'NAT auf BLAU',
> >> -'masquerade green' => 'NAT auf GRÜN',
> >> -'masquerade orange' => 'NAT auf ORANGE',
> >> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> >> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> >> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
> >> 'masquerading' => 'Masquerading/NAT',
> >> 'masquerading disabled' => 'NAT ausgeschaltet',
> >> 'masquerading enabled' => 'NAT eingeschaltet',
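Review bot: `<font color =\'#FF9933\'>` in the `masquerade orange` string has a space before `=`, unlike the two strings above it and the English counterpart; make the three consistent, or better, keep the markup out of the strings altogether.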
> >> @@ -1814,6 +1819,8 @@
> >> 'november' => 'November',
> >> 'ntp common settings' => 'Allgemeine Einstellungen',
> >> 'ntp configuration' => 'Zeitserverkonfiguration',
> >> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
> >> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
> >> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
> >> 'ntp server' => 'NTP-Server',
> >> 'ntp sync' => 'Synchronisation',
> >> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> >> index 8f7e0c2cf..474612025 100644
> >> --- a/langs/en/cgi-bin/en.pl
> >> +++ b/langs/en/cgi-bin/en.pl
> >> @@ -859,6 +859,8 @@
> >> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
> >> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
> >> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> >> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
> >> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
> >> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
> >> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
> >> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
> >> @@ -1128,9 +1130,12 @@
> >> 'from email server' => 'From Email server',
> >> 'from email user' => 'From e-mail user',
> >> 'from warn email bad' => 'From e-mail address is not valid',
> >> -'fw blue' => 'Firewall options for BLUE interface',
> >> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
> >> 'fw default drop' => 'Firewall policy',
> >> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
> >> 'fw logging' => 'Firewall logging',
> >> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> >> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
> >> 'fw settings' => 'Firewall settings',
> >> 'fw settings color' => 'Show colors in ruletable',
> >> 'fw settings dropdown' => 'Show all networks on rulecreation site',
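Review bot: the replacement strings capitalize `Interface` mid-sentence (`... <font color=...>BLUE</font> Interface`) where the original read `BLUE interface`; keep the lowercase form. The `<font>` markup has the same drawbacks here as in the German file: it ties every translation to one colour scheme instead of styling the interface name in the CGI.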
> >> @@ -1672,9 +1677,9 @@
> >> 'map to guest' => 'Map to Guest',
> >> 'march' => 'March',
> >> 'marked' => 'Marked',
> >> -'masquerade blue' => 'Masquerade BLUE',
> >> -'masquerade green' => 'Masquerade GREEN',
> >> -'masquerade orange' => 'Masquerade ORANGE',
> >> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> >> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> >> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
> >> 'masquerading' => 'Masquerading',
> >> 'masquerading disabled' => 'Masquerading disabled',
> >> 'masquerading enabled' => 'Masquerading enabled',
> >> @@ -1844,6 +1849,8 @@
> >> 'november' => 'November',
> >> 'ntp common settings' => 'Common settings',
> >> 'ntp configuration' => 'NTP Configuration',
> >> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
> >> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
> >> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
> >> 'ntp server' => 'NTP Server',
> >> 'ntp sync' => 'Synchronization',
> >> diff --git a/lfs/configroot b/lfs/configroot
> >> index a3e474d70..622793b35 100644
> >> --- a/lfs/configroot
> >> +++ b/lfs/configroot
> >> @@ -129,6 +129,10 @@ $(TARGET) :
> >> echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
> >> echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
> >> echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
> >> + echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
> >> + echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
> >> + echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
> >> + echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
> >> echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
> >> echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
> >> echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
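Review bot: these `echo` lines only seed `optionsfw/settings` during a fresh build; existing installations keep their current file, so the four keys also have to be added by the core update that ships this change, otherwise the options page and the init script see empty values. The cover letter also describes the keys as `[DNS/NTP]_FORCED_ON_[INTERFACE]` while the code uses `DNS_FORCE_ON_GREEN` and friends; the description should match the settings names.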
> >> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> >> new file mode 100644
> >> index 000000000..2eafa9d20
> >> --- /dev/null
> >> +++ b/src/initscripts/system/dnsntp
> >> @@ -0,0 +1,36 @@
> >> +#!/bin/sh
> >> +########################################################################
> >> +# Begin $rc_base/init.d/dnsntp
> >> +#
> >> +# Description : dnsntp init script for DNS/NTP rules only
> >> +#
> >> +########################################################################
> >> +
> >> +# flush chain
> >> +iptables -t nat -F DNS_NTP_REDIRECT
> >> +
> >> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> >> +
> >> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> >> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> >> +fi
> >> +
> >> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> >> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> >> +fi
> >> +
> >> +# Force NTP REDIRECTs on GREEN (udp, 123)
> >> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
> >> +fi
> >> +
> >> +# Force DNS REDIRECTs on BLUE (udp, 123)
> >> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> >> +fi
> >> +
> >> +# End $rc_base/init.d/dnsntp
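Review bot: several points in the new init script. `[ "$DNS_FORCE_ON_GREEN" == "on" ]` and the three similar tests use the bash-only `==` under `#!/bin/sh`; POSIX `test` wants a single `=`. The comment above the last block reads `Force DNS REDIRECTs on BLUE (udp, 123)` but the block handles NTP. The device names `green0` and `blue0` are hard-coded, while the firewall init script refers to `GREEN_DEV` for the same purpose (see the `-i GREEN_DEV` comment in the firewall hunk), so the names from the ethernet settings should be used here too and the BLUE rules skipped when no BLUE device is configured. Functionally, REDIRECT hands matching packets to the daemon listening on the firewall's own address, not to the upstream servers configured in IPFire, so the switches only help while the local resolver and NTP service accept clients (compare the `ntp must be enabled to have clients` string). As raised in the reply above, a `RETURN` for requests already addressed to the firewall itself would keep well-behaved clients out of the NAT path. Finally, the match covers only port 53 and UDP 123, so DNS carried over TLS or HTTPS is not redirected; that limitation belongs in the description.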
> >> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> >> index 65f1c979b..43ae74113 100644
> >> --- a/src/initscripts/system/firewall
> >> +++ b/src/initscripts/system/firewall
> >> @@ -169,6 +169,10 @@ iptables_init() {
> >> # Fix for braindead ISPs
> >> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >>
> >> + # DNS / NTP REDIRECT
> >> + iptables -t nat -N DNS_NTP_REDIRECT
> >> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> >> +
> >> # CUSTOM chains, can be used by the users themselves
> >> iptables -N CUSTOMINPUT
> >> iptables -A INPUT -j CUSTOMINPUT
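Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM chains are created (the `# CUSTOM chains, can be used by the users themselves` block follows it), so if a custom PREROUTING chain is set up there, user rules never see port 53/123 traffic once forcing is on and cannot exempt a host; placing the jump after the custom chains, or documenting the order, would better match the cover letter's aim of avoiding collisions with CUSTOM rules. The `-F DNS_NTP_REDIRECT` in the dnsntp script also depends on this `-N` having run first; an earlier invocation fails silently because `dnsntpctrl` discards the output.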
> >> @@ -281,7 +285,7 @@ iptables_init() {
> >> iptables -A INPUT -j LOCATIONBLOCK
> >> iptables -A FORWARD -j LOCATIONBLOCK
> >>
> >> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> >> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> >> iptables -N IPSECINPUT
> >> iptables -N IPSECFORWARD
> >> iptables -N IPSECOUTPUT
> >> @@ -389,6 +393,9 @@ iptables_init() {
> >> # run captivectrl
> >> /usr/local/bin/captivectrl
> >>
> >> + # run dnsntpctrl
> >> + /usr/local/bin/dnsntpctrl
> >> +
> >> # POLICY CHAIN
> >> iptables -N POLICYIN
> >> iptables -A INPUT -j POLICYIN
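Review bot: `iptables_init` already runs as root, so it can call `/etc/rc.d/init.d/dnsntp` directly instead of going through the setuid wrapper `/usr/local/bin/dnsntpctrl`; that removes the detour the cover letter mentions from the boot path and leaves the wrapper for the CGI only. Either way the call correctly sits after the chain is created in the earlier hunk.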
> >> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> >> index 7c3ef7529..6f2733ef0 100644
> >> --- a/src/misc-progs/Makefile
> >> +++ b/src/misc-progs/Makefile
> >> @@ -26,7 +26,7 @@ PROGS = iowrap
> >> SUID_PROGS = squidctrl sshctrl ipfirereboot \
> >> ipsecctrl timectrl dhcpctrl suricatactrl \
> >> rebuildhosts backupctrl collectdctrl \
> >> - logwatch wioscan wiohelper openvpnctrl firewallctrl \
> >> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
> >> wirelessctrl getipstat qosctrl \
> >> redctrl syslogdctrl extrahdctrl sambactrl \
> >> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> >> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> >> new file mode 100644
> >> index 000000000..f2a3b89e3
> >> --- /dev/null
> >> +++ b/src/misc-progs/dnsntpctrl.c
> >> @@ -0,0 +1,19 @@
> >> +/* This file is part of the IPFire Firewall.
> >> + *
> >> + * This program is distributed under the terms of the GNU General Public
> >> + * Licence. See the file COPYING for details.
> >> + *
> >> + */
> >> +
> >> +#include <stdlib.h>
> >> +#include "setuid.h"
> >> +
> >> +int main(void)
> >> +{
> >> + if (!(initsetuid()))
> >> + exit(1);
> >> +
> >> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> >> +
> >> + return 0;
> >> +}
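Review bot: `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1")` throws away both the script's output and its exit status, and `main` returns 0 unconditionally, so a failing `iptables` call (for example flushing a chain that does not exist yet) is invisible to the caller and to the log. Return the result of `safe_system()` so a non-zero status reaches `optionsfw.cgi`, and let stderr through so failures are logged; the CGI already redirects the wrapper's output itself, so the redirection here is doubled.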
> >> --
> >> 2.18.0
> >>
> >>
> >
>
>
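The extra RETURN for well-behaving requests discussed above, worked into a variant of the `dnsntp` script, as an added example that is neither part of Matthias' patch nor IPFire code: it assumes `/var/ipfire/ethernet/settings` provides `GREEN_DEV`, `GREEN_ADDRESS`, `BLUE_DEV` and `BLUE_ADDRESS` (the optionsfw keys and `readhash` are taken from the patch), and it adds a `DRY_RUN=1` mode that prints the iptables commands instead of running them so the rule order can be checked on any machine.

```shell
#!/bin/sh
# Added example, not part of the submitted patch: a variant of the dnsntp
# init script that takes the interface device names and addresses from
# /var/ipfire/ethernet/settings (GREEN_DEV, GREEN_ADDRESS, BLUE_DEV and
# BLUE_ADDRESS are assumed to be the keys there) instead of hard-coding
# green0/blue0, and that inserts the RETURN rule suggested in the thread
# so requests a client already sends to the firewall's own address are
# not passed through REDIRECT. DRY_RUN=1 prints the commands instead of
# executing them.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}

# Execute an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# add_redirect DEV ADDR PROTO PORT
# First rule: traffic already addressed to the firewall's own address on
# this interface is well-behaved and leaves the chain untouched (RETURN).
# Second rule: everything else on that port is redirected to the local
# service listening on the firewall. Without a known address (ADDR empty)
# only the REDIRECT is emitted, which is the behaviour of the patch.
add_redirect() {
    dev=$1; addr=$2; proto=$3; port=$4
    if [ -n "$addr" ]; then
        ipt -t nat -A DNS_NTP_REDIRECT -i "$dev" -d "$addr" -p "$proto" -m "$proto" --dport "$port" -j RETURN
    fi
    ipt -t nat -A DNS_NTP_REDIRECT -i "$dev" -p "$proto" -m "$proto" --dport "$port" -j REDIRECT
}

# force_on DEV ADDR DNS_SETTING NTP_SETTING
# Applies the DNS (udp+tcp 53) and NTP (udp 123) rules for one interface.
# An interface that is not configured (empty DEV) is skipped even when its
# switch is "on", which is what an installation without BLUE needs.
force_on() {
    dev=$1; addr=$2; dns=$3; ntp=$4
    [ -n "$dev" ] || return 0
    if [ "$dns" = "on" ]; then
        add_redirect "$dev" "$addr" udp 53
        add_redirect "$dev" "$addr" tcp 53
    fi
    if [ "$ntp" = "on" ]; then
        add_redirect "$dev" "$addr" udp 123
    fi
}

# apply_rules: flush the chain (created by the firewall init script) and
# rebuild it from the settings currently in the environment.
apply_rules() {
    ipt -t nat -F DNS_NTP_REDIRECT
    force_on "$GREEN_DEV" "$GREEN_ADDRESS" "$DNS_FORCE_ON_GREEN" "$NTP_FORCE_ON_GREEN"
    force_on "$BLUE_DEV"  "$BLUE_ADDRESS"  "$DNS_FORCE_ON_BLUE"  "$NTP_FORCE_ON_BLUE"
}

# On an IPFire box both settings files exist: load them and apply. Anywhere
# else (or when the file is sourced for testing) nothing runs at load time.
if [ -r /var/ipfire/optionsfw/settings ] && [ -r /var/ipfire/ethernet/settings ]; then
    eval "$(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)"
    eval "$(/usr/local/bin/readhash /var/ipfire/ethernet/settings)"
    apply_rules
fi
```

Run as `DRY_RUN=1 sh dnsntp-example` on a box with the settings files present, the output lists, for every enabled switch, the RETURN for the firewall's own address immediately before the matching REDIRECT; a BLUE switch set to on without a BLUE device yields no rules at all instead of rules for a non-existent `blue0`.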