From: Bernhard Bitsch
To: development@lists.ipfire.org
Subject: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Sat, 06 Mar 2021 20:47:30 +0100
In-Reply-To: <564b11a9-ac91-363b-3270-78305aeb2669@ipfire.org>

Hi,

> Sent: Friday, 05 March 2021 at 23:49
> From: "Matthias Fischer"
> To: "Bernhard Bitsch"
> Cc: development(a)lists.ipfire.org
> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>
> Hi,
>
> On 05.03.2021 21:45, Bernhard Bitsch wrote:
> > Hi,
> >
> > at a first glance I think, the code implements the ideas of the community discussions.
>
> Thanks - but unfortunately I'm not quite satisfied with my results yet
> because I didn't manage to merge the init and the ctrl-file in *one* C
> program. The whole is running as I want but... ;-)
>
> > Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
>
> -v please. I don't know if I get this (the translation english => german) right.
> If you mean that I asked for some tips and got some, then of course:
> many thanks to everybody!
>

Sorry if I wasn't specific enough.
I mean the extra rules for requests client-->IPFire:53. These are 'well-behaving' and must/should not be redirected.
Didn't measure if the performance is equal with or without these extra rules.

Best,
Bernhard

> Best,
> Matthias
>
> > Regards,
> > Bernhard
> >
> >> Sent: Friday, 05 March 2021 at 20:40
> >> From: "Matthias Fischer"
> >> To: development(a)lists.ipfire.org
> >> Subject: [PATCH] (V3) Forcing DNS/NTP
> >>
> >> Originally triggered by:
> >> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> >>
> >> Current discussion:
> >> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> >>
> >> Summary and functionality:
> >> These patches are controlled through "Firewall Options". They add new
> >> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
> >> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
> >> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> >>
> >> Default of all new rules is OFF (set in 'lfs/configroot').
> >> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
> >> servers specified in IPFire. GUI links to DNS and NTP options were added to make
> >> this more transparent.
> >>
> >> Flaw/ToDo:
> >> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
> >> init file, 'dnsntp'. This is actually an unnecessary detour.
> >> In fact I wanted to merge these two files in *one* C file, but this was beyond my
> >> capabilities, perhaps "someone" else knows how to program this.
> >>
> >> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
> >> The corresponding interface options - including 'Masquerade ...' - are only visible if
> >> the respective interface actually exists.
> >> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
> >> or logging options for BLUE available (e.g.).
> >> Added text colors for better readability and links to DNS and NTP GUI.
> >> Separated logging options per interface.
> >>
> >> No reboot required:
> >> Rules can be switched ON/OFF without rebooting IPFire.
> >> Changes immediately take effect after clicking 'Save'.
> >>
> >> Changes to '/etc/rc.d/init.d/firewall':
> >> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
> >> chain: DNS_NTP_REDIRECT.
> >> This chain is flushed by the init file before the desired settings are applied.
> >> Corrected a 'trafic' typo.
> >>
> >> Signed-off-by: Matthias Fischer
> >> ---
> >> config/rootfiles/common/aarch64/initscripts | 1 +
> >> config/rootfiles/common/armv5tel/initscripts | 1 +
> >> config/rootfiles/common/i586/initscripts | 1 +
> >> config/rootfiles/common/misc-progs | 1 +
> >> config/rootfiles/common/x86_64/initscripts | 1 +
> >> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++----
> >> langs/de/cgi-bin/de.pl | 15 +++-
> >> langs/en/cgi-bin/en.pl | 15 +++-
> >> lfs/configroot | 4 +
> >> src/initscripts/system/dnsntp | 36 ++++++++
> >> src/initscripts/system/firewall | 9 +-
> >> src/misc-progs/Makefile | 2 +-
> >> src/misc-progs/dnsntpctrl.c | 19 ++++
> >> 13 files changed, 168 insertions(+), 29 deletions(-)
> >> create mode 100644 src/initscripts/system/dnsntp
> >> create mode 100644 src/misc-progs/dnsntpctrl.c
> >>=20 > >> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfi= les/common/aarch64/initscripts > >> index 800005966..f38a3a294 100644 > >> --- a/config/rootfiles/common/aarch64/initscripts > >> +++ b/config/rootfiles/common/aarch64/initscripts > >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >> etc/rc.d/init.d/console > >> etc/rc.d/init.d/dhcp > >> etc/rc.d/init.d/dhcrelay > >> +etc/rc.d/init.d/dnsntp > >> etc/rc.d/init.d/fcron > >> etc/rc.d/init.d/fireinfo > >> etc/rc.d/init.d/firewall > >> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootf= iles/common/armv5tel/initscripts > >> index 800005966..f38a3a294 100644 > >> --- a/config/rootfiles/common/armv5tel/initscripts > >> +++ b/config/rootfiles/common/armv5tel/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >> etc/rc.d/init.d/console > >> etc/rc.d/init.d/dhcp > >> etc/rc.d/init.d/dhcrelay > >> +etc/rc.d/init.d/dnsntp > >> etc/rc.d/init.d/fcron > >> etc/rc.d/init.d/fireinfo > >> etc/rc.d/init.d/firewall > >> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles= /common/i586/initscripts > >> index 18c5a897a..a3a2b47f7 100644 > >> --- a/config/rootfiles/common/i586/initscripts > >> +++ b/config/rootfiles/common/i586/initscripts > >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >> etc/rc.d/init.d/console > >> etc/rc.d/init.d/dhcp > >> etc/rc.d/init.d/dhcrelay > >> +etc/rc.d/init.d/dnsntp > >> etc/rc.d/init.d/fcron > >> etc/rc.d/init.d/fireinfo > >> etc/rc.d/init.d/firewall > >> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/commo= n/misc-progs > >> index d6594b3f8..4bcb94812 100644 > >> --- a/config/rootfiles/common/misc-progs > >> +++ b/config/rootfiles/common/misc-progs > >> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl > >> usr/local/bin/collectdctrl > >> usr/local/bin/ddnsctrl > >> usr/local/bin/dhcpctrl > >> +usr/local/bin/dnsntpctrl > >> usr/local/bin/extrahdctrl > >> usr/local/bin/fireinfoctrl > >> usr/local/bin/firewallctrl > >> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfil= es/common/x86_64/initscripts > >> index 18c5a897a..a3a2b47f7 100644 > >> --- a/config/rootfiles/common/x86_64/initscripts > >> +++ b/config/rootfiles/common/x86_64/initscripts > >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >> etc/rc.d/init.d/console > >> etc/rc.d/init.d/dhcp > >> etc/rc.d/init.d/dhcrelay > >> +etc/rc.d/init.d/dnsntp > >> etc/rc.d/init.d/fcron > >> etc/rc.d/init.d/fireinfo > >> etc/rc.d/init.d/firewall > >> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi > >> index 321642e82..3fc707e8b 100644 > >> --- a/html/cgi-bin/optionsfw.cgi > >> +++ b/html/cgi-bin/optionsfw.cgi 
> >> @@ -2,7 +2,7 @@ > >> #######################################################################= ######## > >> # = # > >> # IPFire.org - A linux based firewall = # > >> -# Copyright (C) 2014-2020 IPFire Team = # > >> +# Copyright (C) 2014-2021 IPFire Team = # > >> # = # > >> # This program is free software: you can redistribute it and/or modify = # > >> # it under the terms of the GNU General Public License as published by = # > >> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { > >> $errormessage .=3D $Lang::tr{'new optionsfw later'}; > >> &General::writehash($filename, \%settings); # Save good s= ettings > >> system("/usr/local/bin/firewallctrl"); > >> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); > >> }else{ > >> if ($settings{'POLICY'} ne ''){ > >> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; > >> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { > >> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwse= ttings); > >> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwset= tings); > >> system("/usr/local/bin/firewallctrl"); > >> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); > >> } > >> &General::readhash($filename, \%settings); # Load good set= tings > >> } 
> >> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERAD= E_ORANGE'}} =3D 'selected=3D"sele > >> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; > >> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; > >> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'selecte= d=3D"selected"'; > >> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; > >> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; > >> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} =3D "ch= ecked=3D'checked'"; > >> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; > >> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; > >> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D "chec= ked=3D'checked'"; > >> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; > >> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; > >> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} =3D "ch= ecked=3D'checked'"; > >> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; > >> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; > >> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D "chec= ked=3D'checked'"; > >> =20 > >> &Header::openbox('100%', 'center',); > >> print "
"; > >> @@ -189,13 +203,44 @@ END > >> END > >> } > >> =20 > >> - print < >> +print < >> + > >> + > >> + =C2=A0 > >> + > >> + > >> + = > >> + = > >> +END > >> + > >> + if (&Header::blue_used()) { > >> + print < >> +
$Lang::tr{'fw green'}
$Lang::tr{'dns force on green'}<= /td>$Lang::tr{'on'} / > >> + $Lang::tr{'off'}
$Lang::tr{'ntp force on green'}<= /td>$Lang::tr{'on'} / > >> + $Lang::tr{'off'}
> >> + > >> + =C2=A0 > >> + > >> + > >> + > >> + $Lang::tr{'on'} / > >> + $Lang::tr{'off'} > >> + $Lang::tr{'on'} / > >> + $Lang::tr{'off'} > >> + > >> + > >> +END > >> + } > >> + > >> + print < >>
$Lang::tr{'fw blue'}
$Lang::tr{'dns force on blue'}<= /td>$Lang::tr{'on'} / > >> + $Lang::tr{'off'}
$Lang::tr{'ntp force on blue'}<= /td>$Lang::tr{'on'} / > >> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}
$Lang::tr{'drop samba'}
> >> =20 > >> -
> >> +
> >> =20 > >> - > >> - > >> +
$= Lang::tr{'fw logging'}
> >> + > >> $Lang::tr{'on'} / > >> $Lang::tr{'off'} > >> > >> $Lang::tr{'on'} / > >> $Lang::tr{'off'} > >> -
$= Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / > >> @@ -206,21 +251,30 @@ END > >> $Lang::tr{'off'}
$Lang::tr{'drop portscan'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / > >> +END > >> + > >> + if (&Header::blue_used()) { > >> + print < >> +
> >> + > >> +
> >> + > >> + > >> + > >> + > >> + > >> - > >> -
$= Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}= $Lang::tr{'on'} / > >> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}<= /td>$Lang::tr{'on'} / > >> +
$Lang::tr{'drop wirelessforward= '}$Lang::tr{'on'} / > >> $Lang::tr{'off'}
> >> -
> >> + > >> +END > >> + } > >> + > >> + print < >> + > >> + > >> +
> >> =20 > >> - > >> - > >> - > >> - > >> -
$= Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / > >> - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / > >> - $Lang::tr{'off'}
> >> -
> >> > >> > >> > >> END > >> print "
$= Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / > >> @@ -252,7 +306,7 @@ END > >> =20 > >>
> >> > >> - > >>
> >> +
> >> > >>
> >> @@ -278,7 +332,7 @@ print < >>
"; > >> - print"

"; > >> + print"

"; > >> print < >>
> >> > >> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > >> index 6a8133807..d6bb234fa 100644 > >> --- a/langs/de/cgi-bin/de.pl > >> +++ b/langs/de/cgi-bin/de.pl > >> @@ -836,6 +836,8 @@ > >> 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren D= NS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingabe!=
Die eingegebene sekund=C3=A4ren DNS Server Adresse ist= jedoch g=C3=BCltig.
', > >> 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim=C3=A4r= en wie auch des sekund=C3=A4ren DNS-Servers sind ni= cht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', > >> 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren= DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingab= e!
Die eingegebene prim=C3=A4re DNS Server Adresse ist = jedoch g=C3=BCltig.', > >> +'dns force on blue' =3D> 'Erzwinge lokal= e DNS-Server auf BLAU', > >> +'dns force on green' =3D> 'Erzwinge loka= le DNS-Server auf GR=C3=9CN', > >> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empfohlen= )', > >> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)', > >> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an red0', > >> @@ -1102,9 +1104,12 @@ > >> 'from email server' =3D> 'Von E-Mail-Server', > >> 'from email user' =3D> 'Von E-Mail-Benutzer', > >> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BCltig', > >> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', > >> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das BLAUE Interface', > >> 'fw default drop' =3D> 'Firewallrichtlinie', > >> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das GR=C3=9CNE Interface', > >> 'fw logging' =3D> 'Firewallprotokollierung', > >> +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', > >> +'fw logging red' =3D> 'Firewallprotokollierung (ROT)', > >> 'fw settings' =3D> 'Firewalleinstellungen', > >> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', > >> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungsseite a= nzeigen', > >> @@ -1644,9 +1649,9 @@ > >> 'map to guest' =3D> 'Map to Guest', > >> 'march' =3D> 'M=C3=A4rz', > >> 'marked' =3D> 'Markiert', > >> -'masquerade blue' =3D> 'NAT auf BLAU', > >> -'masquerade green' =3D> 'NAT auf GR=C3=9CN', > >> -'masquerade orange' =3D> 'NAT auf ORANGE', > >> +'masquerade blue' =3D> 'NAT auf BLAU', > >> +'masquerade green' =3D> 'NAT auf GR=C3=9CN= ', > >> +'masquerade orange' =3D> 'NAT auf ORANGE<= /font>', > >> 'masquerading' =3D> 'Masquerading/NAT', > >> 'masquerading disabled' =3D> 'NAT ausgeschaltet', > >> 'masquerading enabled' =3D> 'NAT eingeschaltet', 
> >> @@ -1814,6 +1819,8 @@ > >> 'november' =3D> 'November', > >> 'ntp common settings' =3D> 'Allgemeine Einstellungen', > >> 'ntp configuration' =3D> 'Zeitserverkonfiguration', > >> +'ntp force on blue' =3D> 'Erzwinge loka= le NTP-Server auf BLAU', > >> +'ntp force on green' =3D> 'Erzwinge lok= ale NTP-Server auf GR=C3=9CN', > >> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu k=C3= =B6nnen, muss NTP vorher aktiviert sein.', > >> 'ntp server' =3D> 'NTP-Server', > >> 'ntp sync' =3D> 'Synchronisation', > >> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > >> index 8f7e0c2cf..474612025 100644 > >> --- a/langs/en/cgi-bin/en.pl > >> +++ b/langs/en/cgi-bin/en.pl > >> @@ -859,6 +859,8 @@ > >> 'dns error 0' =3D> 'The IP address of the primary DNS = server is not valid, please check your entries!
The entered seco= ndary DNS server address is valid.', > >> 'dns error 01' =3D> 'The entered IP address of the primary and secondary DNS server are not valid, please check yo= ur entries!', > >> 'dns error 1' =3D> 'The IP address of the secondary DN= S server is not valid, please check your entries!
The entered pr= imary DNS server address is valid.', > >> +'dns force on blue' =3D> 'Force DNS to use local DNS servers on BLUE', > >> +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', > >> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', > >> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', > >> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on red0', > >> @@ -1128,9 +1130,12 @@ > >> 'from email server' =3D> 'From Email server', > >> 'from email user' =3D> 'From e-mail user', > >> 'from warn email bad' =3D> 'From e-mail address is not valid', > >> -'fw blue' =3D> 'Firewall options for BLUE interface', > >> +'fw blue' =3D> 'Firewall options for BLUE Interface', > >> 'fw default drop' =3D> 'Firewall policy', > >> +'fw green' =3D> 'Firewall options for GREEN Interface', > >> 'fw logging' =3D> 'Firewall logging', > >> +'fw logging blue' =3D> 'Firewall logging (BLU= E)', > >> +'fw logging red' =3D> 'Firewall logging (RED<= /font>)', > >> 'fw settings' =3D> 'Firewall settings', > >> 'fw settings color' =3D> 'Show colors in ruletable', > >> 'fw settings dropdown' =3D> 'Show all networks on rulecreation site', > >> @@ -1672,9 +1677,9 @@ > >> 'map to guest' =3D> 'Map to Guest', > >> 'march' =3D> 'March', > >> 'marked' =3D> 'Marked', > >> -'masquerade blue' =3D> 'Masquerade BLUE', > >> -'masquerade green' =3D> 'Masquerade GREEN', > >> -'masquerade orange' =3D> 'Masquerade ORANGE', > >> +'masquerade blue' =3D> 'Masquerade BLUE', > >> +'masquerade green' =3D> 'Masquerade GREEN<= /font>', > >> +'masquerade orange' =3D> 'Masquerade ORANG= E', > >> 'masquerading' =3D> 'Masquerading', > >> 'masquerading disabled' =3D> 'Masquerading disabled', > >> 'masquerading enabled' =3D> 'Masquerading enabled', 
> >> @@ -1844,6 +1849,8 @@ > >> 'november' =3D> 'November', > >> 'ntp common settings' =3D> 'Common settings', > >> 'ntp configuration' =3D> 'NTP Configuration', > >> +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', > >> +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', > >> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to have= clients.', > >> 'ntp server' =3D> 'NTP Server', > >> 'ntp sync' =3D> 'Synchronization', > >> diff --git a/lfs/configroot b/lfs/configroot > >> index a3e474d70..622793b35 100644 > >> --- a/lfs/configroot > >> +++ b/lfs/configroot > >> @@ -129,6 +129,10 @@ $(TARGET) : > >> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > >> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settings > >> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/settings > >> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > >> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > >> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > >> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > >> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings > >> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings > >> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings > >> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsn= tp > >> new file mode 100644 > >> index 000000000..2eafa9d20 > >> --- /dev/null > >> +++ b/src/initscripts/system/dnsntp 
> >> @@ -0,0 +1,36 @@ > >> +#!/bin/sh > >> +######################################################################## > >> +# Begin $rc_base/init.d/dnsntp > >> +# > >> +# Description : dnsntp init script for DNS/NTP rules only > >> +# > >> +######################################################################## > >> + > >> +# flush chain > >> +iptables -t nat -F DNS_NTP_REDIRECT > >> + > >> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > >> + > >> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) > >> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then > >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53= -j REDIRECT > >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53= -j REDIRECT > >> +fi > >> + > >> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) > >> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then > >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 = -j REDIRECT > >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 = -j REDIRECT > >> +fi > >> + > >> +# Force NTP REDIRECTs on GREEN (udp, 123) > >> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then > >> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 12= 3 -j REDIRECT > >> +fi > >> + > >> +# Force DNS REDIRECTs on BLUE (udp, 123) > >> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then > >> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123= -j REDIRECT > >> +fi > >> + > >> +# End $rc_base/init.d/dnsntp > >> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/fi= rewall > >> index 65f1c979b..43ae74113 100644 > >> --- a/src/initscripts/system/firewall > >> +++ b/src/initscripts/system/firewall 
> >> @@ -169,6 +169,10 @@ iptables_init() { > >> # Fix for braindead ISPs > >> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-m= ss-to-pmtu > >> =20 > >> + # DNS / NTP REDIRECT > >> + iptables -t nat -N DNS_NTP_REDIRECT > >> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT > >> + > >> # CUSTOM chains, can be used by the users themselves > >> iptables -N CUSTOMINPUT > >> iptables -A INPUT -j CUSTOMINPUT > >> @@ -281,7 +285,7 @@ iptables_init() { > >> iptables -A INPUT -j LOCATIONBLOCK > >> iptables -A FORWARD -j LOCATIONBLOCK > >> =20 > >> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept = everything > >> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept= everything > >> iptables -N IPSECINPUT > >> iptables -N IPSECFORWARD > >> iptables -N IPSECOUTPUT > >> @@ -389,6 +393,9 @@ iptables_init() { > >> # run captivectrl > >> /usr/local/bin/captivectrl > >> =20 > >> + # run dnsntpctrl > >> + /usr/local/bin/dnsntpctrl > >> + > >> # POLICY CHAIN > >> iptables -N POLICYIN > >> iptables -A INPUT -j POLICYIN > >> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile > >> index 7c3ef7529..6f2733ef0 100644 > >> --- a/src/misc-progs/Makefile > >> +++ b/src/misc-progs/Makefile > >> @@ -26,7 +26,7 @@ PROGS =3D iowrap > >> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ > >> ipsecctrl timectrl dhcpctrl suricatactrl \ > >> rebuildhosts backupctrl collectdctrl \ > >> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ > >> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ > >> wirelessctrl getipstat qosctrl \ > >> redctrl syslogdctrl extrahdctrl sambactrl \ > >> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ > >> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c > >> new file mode 100644 > >> index 000000000..f2a3b89e3 > >> --- /dev/null > >> +++ b/src/misc-progs/dnsntpctrl.c 
> >> @@ -0,0 +1,19 @@ > >> +/* This file is part of the IPFire Firewall. > >> + * > >> + * This program is distributed under the terms of the GNU General Public > >> + * Licence. See the file COPYING for details. > >> + * > >> + */ > >> + > >> +#include > >> +#include "setuid.h" > >> + > >> +int main(void) > >> +{ > >> + if (!(initsetuid())) > >> + exit(1); > >> + > >> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); > >> + > >> + return 0; > >> +} > >> --=20 > >> 2.18.0 > >>=20 > >> > >=20 >=20 > --===============0296060826139899348==--
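Review bot: in both optionsfw.cgi hunks (@@ -50,6 and @@ -65,6) the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` throws away the exit status and any iptables error output, so if the REDIRECT rules cannot be installed the GUI still reports a successful save while DNS/NTP traffic is not forced at all. Check the return value of system() and feed a failure into $errormessage the way the surrounding save code already does, or at least let stderr reach the log; the same `>/dev/null 2>&1` is repeated inside dnsntpctrl.c, so one of the two redirections is redundant anyway.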
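Review bot: in the firewall hunk @@ -169,6 the jump `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the block that creates the CUSTOM chains, so the redirect is evaluated ahead of anything a user adds to a nat-table CUSTOM chain in that block; an administrator can therefore not exempt a single host from the redirect with a custom rule, which reads as the opposite of the commit message's aim of avoiding collisions with CUSTOM rules. If exemptions are meant to be possible, append the jump after the CUSTOM chains are set up, and add a comment next to the chain creation saying that /etc/rc.d/init.d/dnsntp flushes and refills it, since the two files now depend on each other.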
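Review bot: the new src/initscripts/system/dnsntp hunk hardcodes `-i green0` and `-i blue0`, while the firewall init script the patch also touches refers to the interface as GREEN_DEV (see the `"-i GREEN_DEV"` comment in that hunk); read the device names from the same source so the rules survive a non-default interface layout. Three smaller points in the same hunk: the script is `#!/bin/sh` but uses `[ "$DNS_FORCE_ON_GREEN" == "on" ]`, where POSIX sh only guarantees a single `=`; the comment above the last block says "Force DNS REDIRECTs on BLUE (udp, 123)" but the rules are the NTP ones; and `iptables -t nat -F DNS_NTP_REDIRECT` fails if the script is started before the firewall init has created the chain. Finally, as raised in the reply above, a `-d <firewall address> -j RETURN` rule per protocol in front of the REDIRECT rules keeps requests that already go to IPFire out of NAT, and since the script is run as root through a setuid wrapper and evals the readhash output of a file written by the CGI, the CGI side should make sure the four new keys can only ever hold on or off.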
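Review bot: in the src/misc-progs/dnsntpctrl.c hunk the first `#include` line carries no header name in this copy of the mail, so the hunk as shown does not compile; please check that the header needed for exit() survived in the posted patch. The wrapper itself only forwards to the init script and discards its output, so the "Flaw/ToDo" from the commit message stands: a setuid binary whose whole job is to spawn a shell script adds a second place where a failure is silently swallowed, and the exit status of safe_system() should at least be returned instead of a constant 0.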
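Review bot: in the de.pl and en.pl hunks (@@ -1102,9 / @@ -1128,9 and @@ -1644,9 / @@ -1672,9) presentational colour markup is embedded in the translation strings for 'fw logging blue', 'fw logging red' and the three 'masquerade ...' keys, and the same markup is duplicated in both language files; keeping the strings plain and applying the colour once in optionsfw.cgi avoids having to touch every language file when the styling changes. Also, the en.pl change from 'BLUE interface' to 'BLUE Interface' introduces a capitalised "Interface" that does not match the rest of the English strings.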
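Review bot: the lfs/configroot hunk only writes the four DNS_FORCE_ON_*/NTP_FORCE_ON_* defaults into optionsfw/settings on fresh installs; on an updated system the keys are absent until the first save from optionsfw.cgi. The init script treats an unset variable as off, so the behaviour is safe, but the release's update hook should append the keys so that settings file and GUI agree from the start.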
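An added example (not part of the patch or of IPFire) of the rule ordering Bernhard asks for: RETURN rules for requests already addressed to the firewall sit in front of the REDIRECT rules, and a small first-match walker shows which verdict a packet would get. The interface name, the firewall's address on that interface and the on/off switches are assumed inputs; nothing here calls iptables, the commands are only printed.

```shell
#!/bin/sh
# Added example, not part of the patch or of IPFire: a dry-run model of the
# DNS_NTP_REDIRECT chain with RETURN rules for 'well-behaving' requests
# (client -> IPFire:53/123) placed in front of the REDIRECT rules, and a
# first-match walker that shows which verdict a packet would get.
# Assumed inputs: interface name, the firewall's own address on that
# interface, and the on/off switches for DNS and NTP.

# build_rules <iface> <fw-addr> <dns on|off> <ntp on|off>
# Emits one rule per line, "<iface> <dst|any> <proto> <dport> <target>",
# in the order the rules would be appended to the chain.
build_rules() {
    iface="$1"; fwaddr="$2"; dns="$3"; ntp="$4"
    if [ "$dns" = "on" ]; then
        # Requests already addressed to the firewall leave the chain untouched.
        printf '%s %s udp 53 RETURN\n' "$iface" "$fwaddr"
        printf '%s %s tcp 53 RETURN\n' "$iface" "$fwaddr"
        # Everything else on port 53 is sent to the local resolver.
        printf '%s any udp 53 REDIRECT\n' "$iface"
        printf '%s any tcp 53 REDIRECT\n' "$iface"
    fi
    if [ "$ntp" = "on" ]; then
        printf '%s %s udp 123 RETURN\n' "$iface" "$fwaddr"
        printf '%s any udp 123 REDIRECT\n' "$iface"
    fi
}

# to_iptables: turn rule lines on stdin into iptables commands (printed, not run).
to_iptables() {
    while read -r i d p dp t; do
        if [ "$d" = "any" ]; then dst=""; else dst="-d $d "; fi
        printf 'iptables -t nat -A DNS_NTP_REDIRECT -i %s %s-p %s --dport %s -j %s\n' \
            "$i" "$dst" "$p" "$dp" "$t"
    done
}

# verdict <iface> <dst> <proto> <dport>: walk the rule lines on stdin and print
# the target of the first match, or PASS when no rule matches (the packet then
# continues down PREROUTING unchanged).
verdict() {
    pi="$1"; pd="$2"; pp="$3"; pdp="$4"; result="PASS"
    while read -r i d p dp t; do
        [ "$i" = "$pi" ] || continue
        [ "$d" = "any" ] || [ "$d" = "$pd" ] || continue
        [ "$p" = "$pp" ] || continue
        [ "$dp" = "$pdp" ] || continue
        result="$t"
        break
    done
    echo "$result"
}

# Demo: a client on GREEN asking 8.8.8.8 is redirected, one asking the
# firewall itself is left alone.
build_rules green0 192.168.1.1 on on | to_iptables
build_rules green0 192.168.1.1 on on | verdict green0 8.8.8.8 udp 53
build_rules green0 192.168.1.1 on on | verdict green0 192.168.1.1 udp 53
```

With the RETURN lines removed, the walker returns REDIRECT for the second packet as well, which is exactly the extra NAT pass the reply above wants to avoid.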