From: Bernhard Bitsch
To: development@lists.ipfire.org
Subject: Aw: Re: Re: [PATCH] (V3) Forcing DNS/NTP
Date: Sun, 07 Mar 2021 11:20:11 +0100

Hi Matthias,

yes. You got it.
I use these rules now for some time, based on the scripts and discussions in the community.
The RETURN rules do not weaken the aim of REDIRECT rules.
Because I do not know a measurement tool, I can't say something about performance.
But I'll try to record the behaviour of those 'bad devices' through logging rules, both for REDIRECT and RETURN.

Best,
Bernhard

> Sent: Sunday, 07 March 2021 at 09:06
> From: "Matthias Fischer"
> To: "Bernhard Bitsch", "Jon Murphy"
> Cc: "IPFire Development"
> Subject: Re: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
>
> Hi Bernhard,
>
> Lol. Funny misunderstanding - I'll try to figure it out:
>
> On 06.03.2021 22:15, Bernhard Bitsch wrote:
> > For forcing DNS we generate (for example)
> > iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>
> That's for *forcing* AKA *bad* requests that don't go the way we want.
>
> > To filter allowed DNS requests there is a rule
> > iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
>
> That's for *well-behaving* requests.
>
> AH! I see. I think I know what you meant.
>
> > To get ${GREEN_ADDRESS} dnsntp needs an additional
> > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>
> Funny. I suddenly thought of doing something with
> '.../ethernet/settings' while writing the v3-commit. But I didn't think
> of RETURN.
>
> > Concerning performance, we want to minimize the rule set to the amount really necessary.
> > On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct to IPFire) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
> >
> > Hope this makes it clear enough.
>
> I - really - hope I got it right. ;-)
>
> To handle the well-behaving requests, I added RETURN rules prior to the
> REDIRECT rules like this:
>
> ...
> # Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>     iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
>
>     iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>
>     iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p tcp -m tcp --dport 53 -j RETURN
>
>     iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> fi
> ...
>
> Intention (explanation was translated from
> https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html):
> If the first - well-behaving - rule matches:
> => RETURN => "Leave this chain and continue with the caller or execute
> the chain's policy".
>
> Otherwise:
> => REDIRECT the packet. "This goal ensures that the package is delivered
> to the local computer. This allows packets to "fantasy targets" to be
> intercepted and dealt with locally."
>
> I'm still not 100 percent sure - but does this correspond to your intention?
>
> Best,
> Matthias
>
> > Best,
> > Bernhard
> >
> >> Sent: Saturday, 06 March 2021 at 21:51
> >> From: "Jon Murphy"
> >> To: "Bernhard Bitsch"
> >> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
> >>
> >> > I mean the extra rules for requests client-->IPFire:53.
> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
> >>
> >> How do we determine if a 'well-behaving' client is being redirected? Or how do we measure performance?
> >>
> >> When I tried to measure DNS "speed" in the past, the cache gets in there and makes everything look like 38 to 44 ms.
> >>
> >> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch wrote:
> >> >
> >> > Hi,
> >> >
> >> >> Sent: Friday, 05 March 2021 at 23:49
> >> >> From: "Matthias Fischer"
> >> >> To: "Bernhard Bitsch"
> >> >> Cc: development(a)lists.ipfire.org
> >> >> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
> >> >>
> >> >> Hi,
> >> >>
> >> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
> >> >>> Hi,
> >> >>>
> >> >>> at first glance I think the code implements the ideas of the community discussions.
> >> >>
> >> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
> >> >> because I didn't manage to merge the init and the ctrl-file in *one* C
> >> >> program. The whole is running as I want but... ;-)
> >> >>
> >> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests (to IPFire) by a RETURN.
> >> >>
> >> >> -v please. I don't know if I get this (the translation english =>
> >> >> german) right.
> >> >> If you mean that I asked for some tips and got some, then of course:
> >> >> many thanks to everybody!
> >> >>
> >> > Sorry if I wasn't specific enough.
> >> > I mean the extra rules for requests client-->IPFire:53.
> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
> >> >
> >> > Best,
> >> > Bernhard
> >> >> Best,
> >> >> Matthias
> >> >>
> >> >>> Regards,
> >> >>> Bernhard
> >> >>>
> >> >>>> Gesendet: Freitag, 05. 
M=C3=A4rz 2021 um 20:40 Uhr > >> >>>> Von: "Matthias Fischer" > >> >>>> An: development(a)lists.ipfire.org > >> >>>> Betreff: [PATCH] (V3) Forcing DNS/NTP > >> >>>>=20 > >> >>>> Originally triggered by: > >> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan= -to-the-firewall/3512 > >> >>>>=20 > >> >>>> Current discussion: > >> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/38= 88 > >> >>>>=20 > >> >>>> Summary and functionality: > >> >>>> These patches are controlled through "Firewall Options". They add = new > >> >>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/o= ptionsfw/settings'. > >> >>>> They activate/deactivate appropriate REDIRECT rules through a new = ctrl file > >> >>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init= .d/dnsntp'). > >> >>>>=20 > >> >>>> Default of all new rules is OFF (set in 'lfs/configroot'). > >> >>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to = the DNS and NTP > >> >>>> servers specified in IPFire. GUI links to DNS and NTP options were= added to make > >> >>>> this more transparent. > >> >>>>=20 > >> >>>> Flaw/ToDo: > >> >>>> To make things work as I wanted I had to add a 'dnsntpctrl' file w= hich calls the actual > >> >>>> init file, 'dnsntp'. This is actually an unnecessary detour. > >> >>>> In fact I wanted to merge these two files in *one* C file, but thi= s was beyond my > >> >>>> capabilities, perhaps "someone" else knows how to program this. > >> >>>>=20 > >> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics: > >> >>>> The corresponding interface options - including 'Masquerade ...' -= are only visible if > >> >>>> the respective interface actually exists. > >> >>>> If BLUE interface doesn't exist, there are no ON/OFF switches for = 'DNS/NTP on BLUE' > >> >>>> or logging options for BLUE available (e.g.). > >> >>>> Added text colors for better readability and links to DNS and NTP = GUI. 
> >> >>>> Separated logging options per interface. > >> >>>>=20 > >> >>>> No reboot required: > >> >>>> Rules can be switched ON/OFF without rebooting IPFire. > >> >>>> Changes immedediatly take effect after clicking 'Save'. > >> >>>>=20 > >> >>>> Changes to '/etc/rc.d/init.d/firewall': > >> >>>> To avoid collisions with possibly existing CUSTOM rules, I added a= new PREROUTING > >> >>>> chain: DNS_NTP_REDIRECT. > >> >>>> This chain is flushed by the init file before before the desired s= ettings are applied. > >> >>>> Corrected a 'trafic' typo. > >> >>>>=20 > >> >>>> Signed-off-by: Matthias Fischer > >> >>>> --- > >> >>>> config/rootfiles/common/aarch64/initscripts | 1 + > >> >>>> config/rootfiles/common/armv5tel/initscripts | 1 + > >> >>>> config/rootfiles/common/i586/initscripts | 1 + > >> >>>> config/rootfiles/common/misc-progs | 1 + > >> >>>> config/rootfiles/common/x86_64/initscripts | 1 + > >> >>>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++-= --- > >> >>>> langs/de/cgi-bin/de.pl | 15 +++- > >> >>>> langs/en/cgi-bin/en.pl | 15 +++- > >> >>>> lfs/configroot | 4 + > >> >>>> src/initscripts/system/dnsntp | 36 ++++++++ > >> >>>> src/initscripts/system/firewall | 9 +- > >> >>>> src/misc-progs/Makefile | 2 +- > >> >>>> src/misc-progs/dnsntpctrl.c | 19 ++++ > >> >>>> 13 files changed, 168 insertions(+), 29 deletions(-) > >> >>>> create mode 100644 src/initscripts/system/dnsntp > >> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c > >> >>>>=20 > >> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/r= ootfiles/common/aarch64/initscripts > >> >>>> index 800005966..f38a3a294 100644 > >> >>>> --- a/config/rootfiles/common/aarch64/initscripts > >> >>>> +++ b/config/rootfiles/common/aarch64/initscripts 
> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >> >>>> etc/rc.d/init.d/console > >> >>>> etc/rc.d/init.d/dhcp > >> >>>> etc/rc.d/init.d/dhcrelay > >> >>>> +etc/rc.d/init.d/dnsntp > >> >>>> etc/rc.d/init.d/fcron > >> >>>> etc/rc.d/init.d/fireinfo > >> >>>> etc/rc.d/init.d/firewall > >> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/= rootfiles/common/armv5tel/initscripts > >> >>>> index 800005966..f38a3a294 100644 > >> >>>> --- a/config/rootfiles/common/armv5tel/initscripts > >> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts > >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >> >>>> etc/rc.d/init.d/console > >> >>>> etc/rc.d/init.d/dhcp > >> >>>> etc/rc.d/init.d/dhcrelay > >> >>>> +etc/rc.d/init.d/dnsntp > >> >>>> etc/rc.d/init.d/fcron > >> >>>> etc/rc.d/init.d/fireinfo > >> >>>> etc/rc.d/init.d/firewall > >> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/root= files/common/i586/initscripts > >> >>>> index 18c5a897a..a3a2b47f7 100644 > >> >>>> --- a/config/rootfiles/common/i586/initscripts > >> >>>> +++ b/config/rootfiles/common/i586/initscripts > >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >> >>>> etc/rc.d/init.d/console > >> >>>> etc/rc.d/init.d/dhcp > >> >>>> etc/rc.d/init.d/dhcrelay > >> >>>> +etc/rc.d/init.d/dnsntp > >> >>>> etc/rc.d/init.d/fcron > >> >>>> etc/rc.d/init.d/fireinfo > >> >>>> etc/rc.d/init.d/firewall > >> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/= common/misc-progs > >> >>>> index d6594b3f8..4bcb94812 100644 > >> >>>> --- a/config/rootfiles/common/misc-progs > >> >>>> +++ b/config/rootfiles/common/misc-progs > >> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl > >> >>>> usr/local/bin/collectdctrl > >> >>>> usr/local/bin/ddnsctrl > >> >>>> usr/local/bin/dhcpctrl > >> >>>> +usr/local/bin/dnsntpctrl > >> >>>> usr/local/bin/extrahdctrl > >> >>>> usr/local/bin/fireinfoctrl > >> >>>> usr/local/bin/firewallctrl 
> >> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/ro= otfiles/common/x86_64/initscripts > >> >>>> index 18c5a897a..a3a2b47f7 100644 > >> >>>> --- a/config/rootfiles/common/x86_64/initscripts > >> >>>> +++ b/config/rootfiles/common/x86_64/initscripts > >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd > >> >>>> etc/rc.d/init.d/console > >> >>>> etc/rc.d/init.d/dhcp > >> >>>> etc/rc.d/init.d/dhcrelay > >> >>>> +etc/rc.d/init.d/dnsntp > >> >>>> etc/rc.d/init.d/fcron > >> >>>> etc/rc.d/init.d/fireinfo > >> >>>> etc/rc.d/init.d/firewall > >> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi > >> >>>> index 321642e82..3fc707e8b 100644 > >> >>>> --- a/html/cgi-bin/optionsfw.cgi > >> >>>> +++ b/html/cgi-bin/optionsfw.cgi > >> >>>> @@ -2,7 +2,7 @@ > >> >>>> ###################################################################= ############ > >> >>>> # = # > >> >>>> # IPFire.org - A linux based firewall = # > >> >>>> -# Copyright (C) 2014-2020 IPFire Team = # > >> >>>> +# Copyright (C) 2014-2021 IPFire Team = # > >> >>>> # = # > >> >>>> # This program is free software: you can redistribute it and/or mod= ify # > >> >>>> # it under the terms of the GNU General Public License as published= by # > >> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { > >> >>>> $errormessage .=3D $Lang::tr{'new optionsfw later'}; > >> >>>> &General::writehash($filename, \%settings); # Save go= od settings > >> >>>> system("/usr/local/bin/firewallctrl"); > >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); > >> >>>> }else{ > >> >>>> if ($settings{'POLICY'} ne ''){ > >> >>>> $fwdfwsettings{'POLICY'} =3D $settings{'POLICY'}; 
> >> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { > >> >>>> &General::writehash("${General::swroot}/firewall/settings", \%fwd= fwsettings); > >> >>>> &General::readhash("${General::swroot}/firewall/settings", \%fwdf= wsettings); > >> >>>> system("/usr/local/bin/firewallctrl"); > >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); > >> >>>> } > >> >>>> &General::readhash($filename, \%settings); # Load good= settings > >> >>>> } > >> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQ= UERADE_ORANGE'}} =3D 'selected=3D"sele > >> >>>> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; > >> >>>> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; > >> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'sel= ected=3D"selected"'; > >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} =3D ''; > >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} =3D ''; > >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = =3D "checked=3D'checked'"; > >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} =3D ''; > >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} =3D ''; > >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} =3D = "checked=3D'checked'"; > >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} =3D ''; > >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} =3D ''; > >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = =3D "checked=3D'checked'"; > >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} =3D ''; > >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} =3D ''; > >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} =3D = "checked=3D'checked'"; > >> >>>>=20 > >> >>>> &Header::openbox('100%', 'center',); > >> >>>> print "
"; > >> >>>> @@ -189,13 +203,44 @@ END > >> >>>> END > >> >>>> } > >> >>>>=20 > >> >>>> - print < >> >>>> +print < >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> +END > >> >>>> + > >> >>>> + if (&Header::blue_used()) { > >> >>>> + print < >> >>>> +
$Lang::tr{'fw green'} > >> >>>> +
$Lang::tr{'dns force on gre= en'}$Lang::tr{'on'} / > >> >>>> + $Lang::tr{'off'}=
$Lang::tr{'ntp force on gre= en'}$Lang::tr{'on'} / > >> >>>> + $Lang::tr{'off'}=
> >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> +END > >> >>>> + } > >> >>>> + > >> >>>> + print < >> >>>>
$Lang::tr{'fw blue'}
$Lang::tr{'dns force on bl= ue'}$Lang::tr{'on'} / > >> >>>> + $Lang::tr{'off'}
$Lang::tr{'ntp force on bl= ue'}$Lang::tr{'on'} / > >> >>>> + $Lang::tr{'off'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / > >> >>>> + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / > >> >>>> + $Lang::tr{'off'}
> >> >>>>=20 > >> >>>> -
> >> >>>> +
> >> >>>>=20 > >> >>>> - > >> >>>> - > >> >>>> +
$Lang::tr{'fw logging'}
> >> >>>> + > >> >>>> > >> >>>> $Lang::tr{'on'} / > >> >>>> @@ -206,21 +251,30 @@ END > >> >>>> $Lang::tr{'off'} > >> >>>> > >> >>>> -
$Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / > >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop input'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / > >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput= '}$Lang::tr{'on'} / > >> >>>> +END > >> >>>> + > >> >>>> + if (&Header::blue_used()) { > >> >>>> + print < >> >>>> +
> >> >>>> + > >> >>>> +
> >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> + > >> >>>> - > >> >>>> -
$Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessin= put'}$Lang::tr{'on'} / > >> >>>> $Lang::tr{'off'}
$Lang::tr{'drop wirelessforwa= rd'}$Lang::tr{'on'} / > >> >>>> +
$Lang::tr{'drop wirelessfo= rward'}$Lang::tr{'on'} / > >> >>>> $Lang::tr{'off'= }
> >> >>>> -
> >> >>>> + > >> >>>> +END > >> >>>> + } > >> >>>> + > >> >>>> + print < >> >>>> + > >> >>>> + > >> >>>> +
> >> >>>>=20 > >> >>>> - > >> >>>> - > >> >>>> -<= td align=3D'left'>$Lang::tr{'on'} / > >> >>>> - $Lang::tr{'off'} > >> >>>> -<= td align=3D'left'>$Lang::tr{'on'} / > >> >>>> - $Lang::tr{'off'} > >> >>>> -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}
$Lang::tr{'drop samba'}
> >> >>>> -
> >> >>>> > >> >>>> > >> >>>> > >> >>>> END > >> >>>> print "
= $Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}= $Lang::tr{'on'} / > >> >>>> @@ -252,7 +306,7 @@ END > >> >>>>=20 > >> >>>>
> >> >>>> > >> >>>> - > >> >>>>
> >> >>>> +
> >> >>>> > >> >>>>
> >> >>>> @@ -278,7 +332,7 @@ print < >> >>>>
"; > >> >>>> - print"

"; > >> >>>> + print"

"; > >> >>>> print < >> >>>>
> >> >>>> > >> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > >> >>>> index 6a8133807..d6bb234fa 100644 > >> >>>> --- a/langs/de/cgi-bin/de.pl > >> >>>> +++ b/langs/de/cgi-bin/de.pl > >> >>>> @@ -836,6 +836,8 @@ > >> >>>> 'dns error 0' =3D> 'Die IP Adresse vom prim=C3=A4ren DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eing= abe!
Die eingegebene sekund=C3=A4ren DNS Server Adresse= ist jedoch g=C3=BCltig.
', > >> >>>> 'dns error 01' =3D> 'Die eingegebene IP Adresse des prim=C3= =A4ren wie auch des sekund=C3=A4ren DNS-Servers sin= d nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Eingaben!', > >> >>>> 'dns error 1' =3D> 'Die IP Adresse vom sekund=C3=A4ren DNS Server ist nicht g=C3=BCltig, bitte =C3=BCberpr=C3=BCfen Sie Ihre Ei= ngabe!
Die eingegebene prim=C3=A4re DNS Server Adresse = ist jedoch g=C3=BCltig.', > >> >>>> +'dns force on blue' =3D> 'Erzwinge = lokale DNS-Server auf BLAU', > >> >>>> +'dns force on green' =3D> 'Erzwinge lokale DNS-Server auf GR=C3=9CN', > >> >>>> 'dns forward disable dnssec' =3D> 'DNSSEC deaktivieren (nicht empfo= hlen)', > >> >>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC deaktiviert)', > >> >>>> 'dns header' =3D> 'DNS Server Adressen zuweisen nur mit DHCP an red= 0', > >> >>>> @@ -1102,9 +1104,12 @@ > >> >>>> 'from email server' =3D> 'Von E-Mail-Server', > >> >>>> 'from email user' =3D> 'Von E-Mail-Benutzer', > >> >>>> 'from warn email bad' =3D> 'Von E-Mail-Adresse ist nicht g=C3=BClti= g', > >> >>>> -'fw blue' =3D> 'Firewalloptionen f=C3=BCr das Blaue Interface', > >> >>>> +'fw blue' =3D> 'Firewalloptionen f=C3=BCr das BLAUE Interface', > >> >>>> 'fw default drop' =3D> 'Firewallrichtlinie', > >> >>>> +'fw green' =3D> 'Firewalloptionen f=C3=BCr das GR=C3=9CNE Interface', > >> >>>> 'fw logging' =3D> 'Firewallprotokollierung', > >> >>>> +'fw logging blue' =3D> 'Firewallprotokollierung (BLAU)', > >> >>>> +'fw logging red' =3D> 'Firewallprotokollierung (ROT)', > >> >>>> 'fw settings' =3D> 'Firewalleinstellungen', > >> >>>> 'fw settings color' =3D> 'Farben in Regeltabelle anzeigen', > >> >>>> 'fw settings dropdown' =3D> 'Alle Netzwerke auf Regelerstellungssei= te anzeigen', 
> >> >>>> @@ -1644,9 +1649,9 @@ > >> >>>> 'map to guest' =3D> 'Map to Guest', > >> >>>> 'march' =3D> 'M=C3=A4rz', > >> >>>> 'marked' =3D> 'Markiert', > >> >>>> -'masquerade blue' =3D> 'NAT auf BLAU', > >> >>>> -'masquerade green' =3D> 'NAT auf GR=C3=9CN', > >> >>>> -'masquerade orange' =3D> 'NAT auf ORANGE', > >> >>>> +'masquerade blue' =3D> 'NAT auf BLAU<= /font>', > >> >>>> +'masquerade green' =3D> 'NAT auf GR= =C3=9CN', > >> >>>> +'masquerade orange' =3D> 'NAT auf OR= ANGE', > >> >>>> 'masquerading' =3D> 'Masquerading/NAT', > >> >>>> 'masquerading disabled' =3D> 'NAT ausgeschaltet', > >> >>>> 'masquerading enabled' =3D> 'NAT eingeschaltet', > >> >>>> @@ -1814,6 +1819,8 @@ > >> >>>> 'november' =3D> 'November', > >> >>>> 'ntp common settings' =3D> 'Allgemeine Einstellungen', > >> >>>> 'ntp configuration' =3D> 'Zeitserverkonfiguration', > >> >>>> +'ntp force on blue' =3D> 'Erzwinge lokale NTP-Server auf BLAU', > >> >>>> +'ntp force on green' =3D> 'Erzwinge lokale NTP-Server auf GR=C3=9CN', > >> >>>> 'ntp must be enabled to have clients' =3D> 'Um Clients annehmen zu = k=C3=B6nnen, muss NTP vorher aktiviert sein.', > >> >>>> 'ntp server' =3D> 'NTP-Server', > >> >>>> 'ntp sync' =3D> 'Synchronisation', > >> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > >> >>>> index 8f7e0c2cf..474612025 100644 > >> >>>> --- a/langs/en/cgi-bin/en.pl > >> >>>> +++ b/langs/en/cgi-bin/en.pl > >> >>>> @@ -859,6 +859,8 @@ > >> >>>> 'dns error 0' =3D> 'The IP address of the primary = DNS server is not valid, please check your entries!
The entered = secondary DNS server address is valid.', > >> >>>> 'dns error 01' =3D> 'The entered IP address of the primary<= /strong> and secondary DNS server are not valid, please chec= k your entries!', > >> >>>> 'dns error 1' =3D> 'The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary
DNS server address is valid.', > >> >>>> +'dns force on blue' =3D> 'Force DNS to use local DNS servers on BLUE', > >> >>>> +'dns force on green' =3D> 'Force DNS to use local DNS servers on GREEN', > >> >>>> 'dns forward disable dnssec' =3D> 'Disable DNSSEC (dangerous)', > >> >>>> 'dns forwarding dnssec disabled notice' =3D> '(DNSSEC disabled)', > >> >>>> 'dns header' =3D> 'Assign DNS server addresses only for DHCP on red= 0', > >> >>>> @@ -1128,9 +1130,12 @@ > >> >>>> 'from email server' =3D> 'From Email server', > >> >>>> 'from email user' =3D> 'From e-mail user', > >> >>>> 'from warn email bad' =3D> 'From e-mail address is not valid', > >> >>>> -'fw blue' =3D> 'Firewall options for BLUE interface', > >> >>>> +'fw blue' =3D> 'Firewall options for BLU= E Interface', > >> >>>> 'fw default drop' =3D> 'Firewall policy', > >> >>>> +'fw green' =3D> 'Firewall options for GR= EEN Interface', > >> >>>> 'fw logging' =3D> 'Firewall logging', > >> >>>> +'fw logging blue' =3D> 'Firewall logging (BLUE)', > >> >>>> +'fw logging red' =3D> 'Firewall logging (RED)', > >> >>>> 'fw settings' =3D> 'Firewall settings', > >> >>>> 'fw settings color' =3D> 'Show colors in ruletable', > >> >>>> 'fw settings dropdown' =3D> 'Show all networks on rulecreation site= ', > >> >>>> @@ -1672,9 +1677,9 @@ > >> >>>> 'map to guest' =3D> 'Map to Guest', > >> >>>> 'march' =3D> 'March', > >> >>>> 'marked' =3D> 'Marked', > >> >>>> -'masquerade blue' =3D> 'Masquerade BLUE', > >> >>>> -'masquerade green' =3D> 'Masquerade GREEN', > >> >>>> -'masquerade orange' =3D> 'Masquerade ORANGE', > >> >>>> +'masquerade blue' =3D> 'Masquerade BL= UE', > >> >>>> +'masquerade green' =3D> 'Masquerade G= REEN', > >> >>>> +'masquerade orange' =3D> 'Masquerade = ORANGE', > >> >>>> 'masquerading' =3D> 'Masquerading', > >> >>>> 'masquerading disabled' =3D> 'Masquerading disabled', > >> >>>> 'masquerading enabled' =3D> 'Masquerading enabled', 
> >> >>>> @@ -1844,6 +1849,8 @@ > >> >>>> 'november' =3D> 'November', > >> >>>> 'ntp common settings' =3D> 'Common settings', > >> >>>> 'ntp configuration' =3D> 'NTP Configuration', > >> >>>> +'ntp force on blue' =3D> 'Force NTP to use local NTP servers on BLUE', > >> >>>> +'ntp force on green' =3D> 'Force NTP to use local NTP servers on GREEN', > >> >>>> 'ntp must be enabled to have clients' =3D> 'NTP must be enabled to = have clients.', > >> >>>> 'ntp server' =3D> 'NTP Server', > >> >>>> 'ntp sync' =3D> 'Synchronization', > >> >>>> diff --git a/lfs/configroot b/lfs/configroot > >> >>>> index a3e474d70..622793b35 100644 > >> >>>> --- a/lfs/configroot > >> >>>> +++ b/lfs/configroot > >> >>>> @@ -129,6 +129,10 @@ $(TARGET) : > >> >>>> echo "SHOWDROPDOWN=3Doff" >> $(CONFIG_ROOT)/optionsfw/settings > >> >>>> echo "DROPWIRELESSINPUT=3Don" >> $(CONFIG_ROOT)/optionsfw/settings > >> >>>> echo "DROPWIRELESSFORWARD=3Don" >> $(CONFIG_ROOT)/optionsfw/setti= ngs > >> >>>> + echo "DNS_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/sett= ings > >> >>>> + echo "DNS_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/setti= ngs > >> >>>> + echo "NTP_FORCE_ON_GREEN=3Doff" >> $(CONFIG_ROOT)/optionsfw/sett= ings > >> >>>> + echo "NTP_FORCE_ON_BLUE=3Doff" >> $(CONFIG_ROOT)/optionsfw/setti= ngs > >> >>>> echo "POLICY=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings > >> >>>> echo "POLICY1=3DMODE2" >> $(CONFIG_ROOT)/firewall/settings > >> >>>> echo "USE_ISP_NAMESERVERS=3Don" >> $(CONFIG_ROOT)/dns/settings > >> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system= /dnsntp > >> >>>> new file mode 100644 > >> >>>> index 000000000..2eafa9d20 > >> >>>> --- /dev/null > >> >>>> +++ b/src/initscripts/system/dnsntp 
> >> >>>> @@ -0,0 +1,36 @@ > >> >>>> +#!/bin/sh > >> >>>> +##################################################################= ###### > >> >>>> +# Begin $rc_base/init.d/dnsntp > >> >>>> +# > >> >>>> +# Description : dnsntp init script for DNS/NTP rules only > >> >>>> +# > >> >>>> +##################################################################= ###### > >> >>>> + > >> >>>> +# flush chain > >> >>>> +iptables -t nat -F DNS_NTP_REDIRECT > >> >>>> + > >> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > >> >>>> + > >> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) > >> >>>> +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then > >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dpo= rt 53 -j REDIRECT > >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dpo= rt 53 -j REDIRECT > >> >>>> +fi > >> >>>> + > >> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) > >> >>>> +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then > >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dpor= t 53 -j REDIRECT > >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dpor= t 53 -j REDIRECT > >> >>>> +fi > >> >>>> + > >> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123) > >> >>>> +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then > >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dpo= rt 123 -j REDIRECT > >> >>>> +fi > >> >>>> + > >> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123) > >> >>>> +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then > >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dpor= t 123 -j REDIRECT > >> >>>> +fi > >> >>>> + > >> >>>> +# End $rc_base/init.d/dnsntp > >> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/syst= em/firewall > >> >>>> index 65f1c979b..43ae74113 100644 > >> >>>> --- a/src/initscripts/system/firewall > >> >>>> +++ b/src/initscripts/system/firewall 
> >> >>>> @@ -169,6 +169,10 @@ iptables_init() { > >> >>>> # Fix for braindead ISPs > >> >>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --cla= mp-mss-to-pmtu > >> >>>>=20 > >> >>>> + # DNS / NTP REDIRECT > >> >>>> + iptables -t nat -N DNS_NTP_REDIRECT > >> >>>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT > >> >>>> + > >> >>>> # CUSTOM chains, can be used by the users themselves > >> >>>> iptables -N CUSTOMINPUT > >> >>>> iptables -A INPUT -j CUSTOMINPUT > >> >>>> @@ -281,7 +285,7 @@ iptables_init() { > >> >>>> iptables -A INPUT -j LOCATIONBLOCK > >> >>>> iptables -A FORWARD -j LOCATIONBLOCK > >> >>>>=20 > >> >>>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" ac= cept everything > >> >>>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" a= ccept everything > >> >>>> iptables -N IPSECINPUT > >> >>>> iptables -N IPSECFORWARD > >> >>>> iptables -N IPSECOUTPUT > >> >>>> @@ -389,6 +393,9 @@ iptables_init() { > >> >>>> # run captivectrl > >> >>>> /usr/local/bin/captivectrl > >> >>>>=20 > >> >>>> + # run dnsntpctrl > >> >>>> + /usr/local/bin/dnsntpctrl > >> >>>> + > >> >>>> # POLICY CHAIN > >> >>>> iptables -N POLICYIN > >> >>>> iptables -A INPUT -j POLICYIN > >> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile > >> >>>> index 7c3ef7529..6f2733ef0 100644 > >> >>>> --- a/src/misc-progs/Makefile > >> >>>> +++ b/src/misc-progs/Makefile > >> >>>> @@ -26,7 +26,7 @@ PROGS =3D iowrap > >> >>>> SUID_PROGS =3D squidctrl sshctrl ipfirereboot \ > >> >>>> ipsecctrl timectrl dhcpctrl suricatactrl \ > >> >>>> rebuildhosts backupctrl collectdctrl \ > >> >>>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \ > >> >>>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ > >> >>>> wirelessctrl getipstat qosctrl \ > >> >>>> redctrl syslogdctrl extrahdctrl sambactrl \ > >> >>>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ 
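Review bot: in the iptables_init() hunk the jump `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the "CUSTOM chains, can be used by the users themselves" block that follows it, so the redirect is evaluated ahead of any user chain hooked into nat/PREROUTING later in iptables_init(); the commit message says the separate chain exists "to avoid collisions with possibly existing CUSTOM rules", which reads as if custom rules were meant to keep working. Either state in the commit message and a comment that forcing deliberately takes precedence over custom PREROUTING rules, or move the two lines below the CUSTOM block so a user exemption can still win. The later hunk that runs `/usr/local/bin/dnsntpctrl` depends on the chain having been created a few lines earlier; a short comment there ("chain created above") would save the next reader from checking that the flush in the init script cannot hit a missing chain.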
> >> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctr= l.c > >> >>>> new file mode 100644 > >> >>>> index 000000000..f2a3b89e3 > >> >>>> --- /dev/null > >> >>>> +++ b/src/misc-progs/dnsntpctrl.c > >> >>>> @@ -0,0 +1,19 @@ > >> >>>> +/* This file is part of the IPFire Firewall. > >> >>>> + * > >> >>>> + * This program is distributed under the terms of the GNU General = Public > >> >>>> + * Licence. See the file COPYING for details. > >> >>>> + * > >> >>>> + */ > >> >>>> + > >> >>>> +#include > >> >>>> +#include "setuid.h" > >> >>>> + > >> >>>> +int main(void) > >> >>>> +{ > >> >>>> + if (!(initsetuid())) > >> >>>> + exit(1); > >> >>>> + > >> >>>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); > >> >>>> + > >> >>>> + return 0; > >> >>>> +} > >> >>>> --=20 > >> >>>> 2.18.0 > >> >>>>=20 > >> >>>>=20 > >> >>>=20 > >> >>=20 > >> >>=20 > >>=20 > >> > >=20 >=20 > --===============5885879503088772475==--
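Review bot: in the new src/initscripts/system/dnsntp the tests `[ "$DNS_FORCE_ON_GREEN" == "on" ]` (and the three like it) use `==` under `#!/bin/sh`; POSIX test only defines `=`, so use `= "on"` unless the script is switched to bash. The interface names `green0` and `blue0` are hardcoded although the surrounding firewall init refers to them as `GREEN_DEV`; reading `/var/ipfire/ethernet/settings` with the same `eval $(/usr/local/bin/readhash ...)` pattern already used for optionsfw/settings would supply the device names and the addresses needed for the RETURN rules discussed in this thread, such as `iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN` placed before each REDIRECT; as posted, requests already addressed to IPFire are REDIRECTed too. Two smaller points: the comment above the BLUE port 123 block reads "Force DNS REDIRECTs on BLUE (udp, 123)" and should say NTP, and redirecting port 123 only helps if IPFire's own NTP server accepts clients (the GUI string 'ntp must be enabled to have clients' is in the same patch), so consider documenting or checking that precondition, otherwise client time sync fails silently once the option is on.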
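Review bot: in dnsntpctrl.c the status of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1")` is discarded and main() always returns 0, so a failing iptables call inside the init script (for instance a typo in an interface name or the chain not existing yet) leaves no trace anywhere, and the optionsfw.cgi hunks add a second `>/dev/null 2>&1` around the call. Suggest returning a non-zero status when safe_system() reports one and dropping the redirect inside the C wrapper, so the caller decides what to do with stderr.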
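The RETURN-before-REDIRECT ordering discussed throughout the thread, and Jon's question of how to tell whether a well-behaving client is being redirected, as an added example that is not part of the thread or of IPFire's code. It models how iptables walks a user chain in nat/PREROUTING: RETURN hands the packet back to the caller unchanged, REDIRECT rewrites the destination to the address of the incoming interface, LOG counts and falls through, and falling off the end of the chain acts like RETURN. Per-rule packet counters stand in for what `iptables -t nat -L DNS_NTP_REDIRECT -v -n` shows on a real box. The interface name green0, the address 192.168.1.1 and the sample packets are constructed assumptions.

```python
"""Offline model of the DNS_NTP_REDIRECT chain from the thread.

Added example for illustration only; it is not IPFire code. It walks a
list of rules the way iptables walks nat/PREROUTING, so the effect of a
RETURN rule placed before a REDIRECT rule can be checked without a
firewall. Interface names, addresses and packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GREEN_DEV = "green0"            # assumed interface name
GREEN_ADDRESS = "192.168.1.1"   # assumed; on IPFire this comes from ethernet/settings


@dataclass
class Packet:
    in_dev: str
    proto: str     # "udp" or "tcp"
    dst: str
    dport: int


@dataclass
class Rule:
    target: str                   # "RETURN", "REDIRECT" or "LOG"
    in_dev: Optional[str] = None  # -i
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    dst: Optional[str] = None     # -d
    packets: int = 0              # the counter `iptables -t nat -L ... -v -n` shows

    def matches(self, p: Packet) -> bool:
        checks = ((self.in_dev, p.in_dev), (self.proto, p.proto),
                  (self.dport, p.dport), (self.dst, p.dst))
        return all(want is None or want == got for want, got in checks)


def build_chain(dev: str, dev_address: str, dns: bool = True,
                ntp: bool = True, log: bool = False) -> List[Rule]:
    """Rules for one interface in the order Matthias posted: requests addressed
    to IPFire itself RETURN first, anything else on the port is REDIRECTed.
    With log=True a LOG rule with the same match precedes each terminating
    rule, which is the logging Bernhard plans for both REDIRECT and RETURN."""
    chain: List[Rule] = []

    def add(target: str, proto: str, port: int, dst: Optional[str] = None) -> None:
        if log:
            chain.append(Rule("LOG", dev, proto, port, dst=dst))
        chain.append(Rule(target, dev, proto, port, dst=dst))

    if dns:
        for proto in ("udp", "tcp"):
            add("RETURN", proto, 53, dst=dev_address)
            add("REDIRECT", proto, 53)
    if ntp:
        add("RETURN", "udp", 123, dst=dev_address)
        add("REDIRECT", "udp", 123)
    return chain


def walk_chain(chain: List[Rule], p: Packet,
               addresses: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, destination after the chain).

    RETURN hands the packet back to PREROUTING unchanged. REDIRECT rewrites
    the destination to the primary address of the incoming interface, which
    is what the target does for forwarded traffic. LOG matches and counts but
    does not terminate. Falling off the end of a user chain behaves like RETURN.
    """
    for rule in chain:
        if not rule.matches(p):
            continue
        rule.packets += 1
        if rule.target == "LOG":
            continue
        if rule.target == "RETURN":
            return "RETURN", p.dst
        if rule.target == "REDIRECT":
            return "REDIRECT", addresses[p.in_dev]
    return "RETURN", p.dst


def counters(chain: List[Rule]) -> List[Tuple[str, int, int]]:
    """(target, dport, packets) per rule. A REDIRECT counter that stays at zero
    while the RETURN counters grow means no well-behaving client is redirected;
    a moving REDIRECT counter identifies the 'bad devices'."""
    return [(r.target, r.dport, r.packets) for r in chain]


if __name__ == "__main__":
    chain = build_chain(GREEN_DEV, GREEN_ADDRESS)
    addrs = {GREEN_DEV: GREEN_ADDRESS}
    samples = [  # constructed traffic
        Packet(GREEN_DEV, "udp", GREEN_ADDRESS, 53),     # well-behaving: asks IPFire
        Packet(GREEN_DEV, "udp", "8.8.8.8", 53),         # bad device: outside resolver
        Packet(GREEN_DEV, "udp", "162.159.200.1", 123),  # bad device: outside NTP
        Packet(GREEN_DEV, "tcp", "8.8.8.8", 443),        # unrelated, passes untouched
    ]
    for p in samples:
        print(p.proto, p.dst, p.dport, "->", walk_chain(chain, p, addrs))
    for line in counters(chain):
        print(line)
```

Walking the same chain in reverse order (REDIRECT before RETURN) sends the well-behaving packet to REDIRECT and the RETURN rule never fires, which is why the RETURN rules must come first. On a real IPFire box the equivalent check is to read the counters in `iptables -t nat -L DNS_NTP_REDIRECT -v -n` after clients have sent a few queries; the LOG variant adds the source address of each hit to the kernel log.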