Best,
Matthias
On 07.03.2021 14:02, Matthias Fischer wrote:
> Hi Bernhard,
>
> On 07.03.2021 11:20, Bernhard Bitsch wrote:
>> Hi Matthias,
>>
>> yes. You got it.
>
> Very good. ;-)
>
>> I use these rules now for some time, based on the scripts and discussions in the community.
>> The RETURN rules do not weaken the aim of REDIRECT rules.
>
> Running here for ~12 hours. Absolutely no problems. Just for fun, I
> even told Firefox to use DoH.
> And: I told my client PC to use 1.2.3.4 as DNS-server. He had no chance.
> DNS was still working as before.
> Furthermore I can see the redirections from our blue clients (nasty
> programmed apps).
>
> Settings:
> DNS-Server with nine DNSSEC-entries, status on 'dhcp.cgi' is "Working",
> DNS-Protocol: TLS, QNAME-Minimisation: Strict. Running 'unbound 1.13.1'.
>
>> Because I do not know a measurement tool, I can't say anything about performance.
>
> What about something like this?
>
> => https://github.com/DNS-OARC/dnsperf/blob/master/README.md
>
>> But I'll try to record the behaviour of those 'bad devices' through logging rules, both for REDIRECT and RETURN.
>
> From time to time I take a look at the IPTables-GUI - right now it's...:
>
> Chain DNS_NTP_REDIRECT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>    82  5532 RETURN     udp  --  green0 *       0.0.0.0/0            192.168.100.254      udp dpt:53
>    24  1734 REDIRECT   udp  --  green0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>     0     0 RETURN     tcp  --  green0 *       0.0.0.0/0            192.168.100.254      tcp dpt:53
>     0     0 REDIRECT   tcp  --  green0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>   459 31772 RETURN     udp  --  blue0  *       0.0.0.0/0            192.168.101.254      udp dpt:53
>    40  2861 REDIRECT   udp  --  blue0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>     0     0 RETURN     tcp  --  blue0  *       0.0.0.0/0            192.168.101.254      tcp dpt:53
>     0     0 REDIRECT   tcp  --  blue0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>   983 74708 RETURN     udp  --  green0 *       0.0.0.0/0            192.168.100.254      udp dpt:123
>     0     0 REDIRECT   udp  --  green0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
>     0     0 RETURN     udp  --  blue0  *       0.0.0.0/0            192.168.101.254      udp dpt:123
>    18  1368 REDIRECT   udp  --  blue0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
>
> Opinions?
>
> Best,
> Matthias
>
> P.S.:
> One (last?) thing to do would be to merge 'dnsntp' (init) and
> 'dnsntpctrl'.(c) into one C file to get rid of the still remaining
> init-file. But sorry, that's for someone else, please...
>
>>
>> Best,
>> Bernhard
>>
>>> Sent: Sunday, 07 March 2021 at 09:06
>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>>> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>, "Jon Murphy" <jcmurphy26@gmail.com>
>>> Cc: "IPFire Development" <development@lists.ipfire.org>
>>> Subject: Re: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
>>>
>>> Hi Bernhard,
>>>
>>> Lol. Funny misunderstanding - I'll try to figure it out:
>>>
>>> On 06.03.2021 22:15, Bernhard Bitsch wrote:
>>> > For forcing DNS we generate ( for example )
>>> > iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>>
>>> That's for *forcing* AKA *bad* requests that don't go the way we want.
>>>
>>> > To filter allowed DNS requests there is a rule
>>> > iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
>>>
>>> That's for *well-behaving* requests.
>>>
>>> AH! I see. I think I know what you meant.
>>>
>>> > To get ${GREEN_ADDRESS} dnsntp needs an additional
>>> > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>>>
>>> Funny. I suddenly thought of doing something with
>>> '.../ethernet/settings' while writing the v3-commit. But I didn't think
>>> of RETURN.
>>>
>>> > Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
>>> >
>>> > Hope this makes it clear enough.
>>>
>>> I - really - hope I got it right. ;-)
>>>
>>> To handle the well-behaving requests, I added RETURN rules prior to the
>>> REDIRECT rules like this:
>>>
>>> ...
>>> # Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>> if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>>     iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
>>>
>>>     iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>>
>>>     iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p tcp -m tcp --dport 53 -j RETURN
>>>
>>>     iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> fi
>>> ...
>>>
>>> Intention (explanation was translated from
>>> https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html):
>>> If the first - well-behaving - rule matches:
>>> => RETURN => "Leave this chain and continue with the caller or execute
>>> the chain's policy".
>>>
>>> Otherwise:
>>> => REDIRECT the packet. "This goal ensures that the package is delivered
>>> to the local computer. This allows packets to "fantasy targets" to be
>>> intercepted and dealt with locally."
>>>
>>> I'm still not 100 percent sure - but does this correspond to your intention?
>>>
>>> Best,
>>> Matthias
>>>
>>> > Best,
>>> > Bernhard
>>> >
>>> >> Sent: Saturday, 06 March 2021 at 21:51
>>> >> From: "Jon Murphy" <jcmurphy26@gmail.com>
>>> >> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>>> >> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
>>> >>
>>> >> > I mean the extra rules for requests client-->IPFire:53.
>>> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>>> >>
>>> >> How do we determine if a 'well-behaving' client is being redirected? Or how do we measure performance?
>>> >>
>>> >> When I tried to measure DNS "speed" in the past, the cache gets in there and makes every look like 38 to 44 ms.
>>> >>
>>> >> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch <Bernhard.Bitsch@gmx.de> wrote:
>>> >> >
>>> >> > Hi,
>>> >> >
>>> >> >> Sent: Friday, 05 March 2021 at 23:49
>>> >> >> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>>> >> >> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>>> >> >> Cc: development@lists.ipfire.org
>>> >> >> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>>> >> >>
>>> >> >> Hi,
>>> >> >>
>>> >> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
>>> >> >>> Hi,
>>> >> >>>
>>> >> >>> at a first glance I think, the code implements the ideas of the community discussions.
>>> >> >>
>>> >> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
>>> >> >> because I didn't manage to merge the init and the ctrl-file in *one* C
>>> >> >> program. The whole is running as I want but... ;-)
>>> >> >>
>>> >> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
>>> >> >>
>>> >> >> -v please. I don't know if I get this (the translation english =>
>>> >> >> german) right.
>>> >> >> If you mean that I asked for some tips and got some, then of course:
>>> >> >> many thanks to everybody!
>>> >> >>
>>> >> > Sorry if I wasn't specific enough.
>>> >> > I mean the extra rules for requests client-->IPFire:53.
>>> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>>> >> >
>>> >> > Best,
>>> >> > Bernhard
>>> >> >> Best,
>>> >> >> Matthias
>>> >> >>
>>> >> >>> Regards,
>>> >> >>> Bernhard
>>> >> >>>
>>> >> >>>> Sent: Friday, 05 March 2021 at 20:40
>>> >> >>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>>> >> >>>> To: development@lists.ipfire.org
>>> >> >>>> Subject: [PATCH] (V3) Forcing DNS/NTP
>>> >> >>>>
>>> >> >>>> Originally triggered by:
>>> >> >>>>
>>> >> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>> >> >>>>
>>> >> >>>> Current discussion:
>>> >> >>>>
>>> >> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>> >> >>>>
>>> >> >>>> Summary and functionality:
>>> >> >>>> These patches are controlled through "Firewall Options". They add new
>>> >> >>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>> >> >>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>> >> >>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>> >> >>>>
>>> >> >>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>> >> >>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>> >> >>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>> >> >>>> this more transparent.
>>> >> >>>>
>>> >> >>>> Flaw/ToDo:
>>> >> >>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>> >> >>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>> >> >>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>> >> >>>> capabilities, perhaps "someone" else knows how to program this.
>>> >> >>>>
>>> >> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>> >> >>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>> >> >>>> the respective interface actually exists.
>>> >> >>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>> >> >>>> or logging options for BLUE available (e.g.).
>>> >> >>>> Added text colors for better readability and links to DNS and NTP GUI.
>>> >> >>>> Separated logging options per interface.
>>> >> >>>>
>>> >> >>>> No reboot required:
>>> >> >>>> Rules can be switched ON/OFF without rebooting IPFire.
>>> >> >>>> Changes immediately take effect after clicking 'Save'.
>>> >> >>>>
>>> >> >>>> Changes to '/etc/rc.d/init.d/firewall':
>>> >> >>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>> >> >>>> chain: DNS_NTP_REDIRECT.
>>> >> >>>> This chain is flushed by the init file before the desired settings are applied.
>>> >> >>>> Corrected a 'trafic' typo.
>>> >> >>>>
>>> >> >>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>>> >> >>>> ---
>>> >> >>>> config/rootfiles/common/aarch64/initscripts | 1 +
>>> >> >>>> config/rootfiles/common/armv5tel/initscripts | 1 +
>>> >> >>>> config/rootfiles/common/i586/initscripts | 1 +
>>> >> >>>> config/rootfiles/common/misc-progs | 1 +
>>> >> >>>> config/rootfiles/common/x86_64/initscripts | 1 +
>>> >> >>>> html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++----
>>> >> >>>> langs/de/cgi-bin/de.pl | 15 +++-
>>> >> >>>> langs/en/cgi-bin/en.pl | 15 +++-
>>> >> >>>> lfs/configroot | 4 +
>>> >> >>>> src/initscripts/system/dnsntp | 36 ++++++++
>>> >> >>>> src/initscripts/system/firewall | 9 +-
>>> >> >>>> src/misc-progs/Makefile | 2 +-
>>> >> >>>> src/misc-progs/dnsntpctrl.c | 19 ++++
>>> >> >>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>> >> >>>> create mode 100644 src/initscripts/system/dnsntp
>>> >> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>> >> >>>>
>>> >> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>>> >> >>>> index 800005966..f38a3a294 100644
>>> >> >>>> --- a/config/rootfiles/common/aarch64/initscripts
>>> >> >>>> +++ b/config/rootfiles/common/aarch64/initscripts
>>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> >> >>>> etc/rc.d/init.d/console
>>> >> >>>> etc/rc.d/init.d/dhcp
>>> >> >>>> etc/rc.d/init.d/dhcrelay
>>> >> >>>> +etc/rc.d/init.d/dnsntp
>>> >> >>>> etc/rc.d/init.d/fcron
>>> >> >>>> etc/rc.d/init.d/fireinfo
>>> >> >>>> etc/rc.d/init.d/firewall
>>> >> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>>> >> >>>> index 800005966..f38a3a294 100644
>>> >> >>>> --- a/config/rootfiles/common/armv5tel/initscripts
>>> >> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> >> >>>> etc/rc.d/init.d/console
>>> >> >>>> etc/rc.d/init.d/dhcp
>>> >> >>>> etc/rc.d/init.d/dhcrelay
>>> >> >>>> +etc/rc.d/init.d/dnsntp
>>> >> >>>> etc/rc.d/init.d/fcron
>>> >> >>>> etc/rc.d/init.d/fireinfo
>>> >> >>>> etc/rc.d/init.d/firewall
>>> >> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>>> >> >>>> index 18c5a897a..a3a2b47f7 100644
>>> >> >>>> --- a/config/rootfiles/common/i586/initscripts
>>> >> >>>> +++ b/config/rootfiles/common/i586/initscripts
>>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> >> >>>> etc/rc.d/init.d/console
>>> >> >>>> etc/rc.d/init.d/dhcp
>>> >> >>>> etc/rc.d/init.d/dhcrelay
>>> >> >>>> +etc/rc.d/init.d/dnsntp
>>> >> >>>> etc/rc.d/init.d/fcron
>>> >> >>>> etc/rc.d/init.d/fireinfo
>>> >> >>>> etc/rc.d/init.d/firewall
>>> >> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>>> >> >>>> index d6594b3f8..4bcb94812 100644
>>> >> >>>> --- a/config/rootfiles/common/misc-progs
>>> >> >>>> +++ b/config/rootfiles/common/misc-progs
>>> >> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>> >> >>>> usr/local/bin/collectdctrl
>>> >> >>>> usr/local/bin/ddnsctrl
>>> >> >>>> usr/local/bin/dhcpctrl
>>> >> >>>> +usr/local/bin/dnsntpctrl
>>> >> >>>> usr/local/bin/extrahdctrl
>>> >> >>>> usr/local/bin/fireinfoctrl
>>> >> >>>> usr/local/bin/firewallctrl
>>> >> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>>> >> >>>> index 18c5a897a..a3a2b47f7 100644
>>> >> >>>> --- a/config/rootfiles/common/x86_64/initscripts
>>> >> >>>> +++ b/config/rootfiles/common/x86_64/initscripts
>>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> >> >>>> etc/rc.d/init.d/console
>>> >> >>>> etc/rc.d/init.d/dhcp
>>> >> >>>> etc/rc.d/init.d/dhcrelay
>>> >> >>>> +etc/rc.d/init.d/dnsntp
>>> >> >>>> etc/rc.d/init.d/fcron
>>> >> >>>> etc/rc.d/init.d/fireinfo
>>> >> >>>> etc/rc.d/init.d/firewall
>>> >> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>>> >> >>>> index 321642e82..3fc707e8b 100644
>>> >> >>>> --- a/html/cgi-bin/optionsfw.cgi
>>> >> >>>> +++ b/html/cgi-bin/optionsfw.cgi
>>> >> >>>> @@ -2,7 +2,7 @@
>>> >> >>>> ###############################################################################
>>> >> >>>> # #
>>> >> >>>> # IPFire.org - A linux based firewall #
>>> >> >>>> -# Copyright (C) 2014-2020 IPFire Team <info@ipfire.org> #
>>> >> >>>> +# Copyright (C) 2014-2021 IPFire Team <info@ipfire.org> #
>>> >> >>>> # #
>>> >> >>>> # This program is free software: you can redistribute it and/or modify #
>>> >> >>>> # it under the terms of the GNU General Public License as published by #
>>> >> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> >> >>>> $errormessage .= $Lang::tr{'new optionsfw later'};
>>> >> >>>> &General::writehash($filename, \%settings); # Save good settings
>>> >> >>>> system("/usr/local/bin/firewallctrl");
>>> >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> >> >>>> }else{
>>> >> >>>> if ($settings{'POLICY'} ne ''){
>>> >> >>>> $fwdfwsettings{'POLICY'} = $settings{'POLICY'};
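Review bot: the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` discards the helper's output and ignores its exit status, so if dnsntpctrl fails the page still reports the settings as saved while the active rules no longer match them; capture the return value of system() and append a line to $errormessage when it is non-zero.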
>>> >> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> >> >>>> &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> >> >>>> &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> >> >>>> system("/usr/local/bin/firewallctrl");
>>> >> >>>> + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> >> >>>> }
>>> >> >>>> &General::readhash($filename, \%settings); # Load good settings
>>> >> >>>> }
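Review bot: the `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` call is now duplicated in both the error branch and the normal branch of the save handler, each time right after the identical firewallctrl call; moving the firewallctrl/dnsntpctrl pair after the if/else gives one place to maintain.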
>>> >> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>> >> >>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>> >> >>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>> >> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>> >> >>>>
>>> >> >>>> &Header::openbox('100%', 'center',);
>>> >> >>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
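Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";` (and its three siblings) uses the saved value as a hash key, so on an installation whose optionsfw/settings file predates this patch and has no such key the lookup fills `$checked{...}{''}` and neither the 'on' nor the 'off' radio button is pre-selected; default the four settings to 'off' before this block (for example `$settings{'DNS_FORCE_ON_GREEN'} ||= 'off';`) or make sure the update appends the keys. The twelve near-identical lines could also be a loop over the four option names.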
>>> >> >>>> @@ -189,13 +203,44 @@ END
>>> >> >>>> END
>>> >> >>>> }
>>> >> >>>>
>>> >> >>>> - print <<END
>>> >> >>>> +print <<END;
>>> >> >>>> + <table width='95%' cellspacing='0'>
>>> >> >>>> + <tr bgcolor='$color{'color20'}'></tr>
>>> >> >>>> + <tr> </tr>
>>> >> >>>> + <td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>>> >> >>>> + </tr>
>>> >> >>>> + <tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>>> >> >>>> + <input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> + <tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>>> >> >>>> + <input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> +END
>>> >> >>>> +
>>> >> >>>> + if (&Header::blue_used()) {
>>> >> >>>> + print <<END;
>>> >> >>>> + <table width='95%' cellspacing='0'>
>>> >> >>>> + <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> >> >>>> + <tr> </tr>
>>> >> >>>> + <tr>
>>> >> >>>> + <tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>>> >> >>>> + <input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> + <tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>>> >> >>>> + <input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> + <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> >> >>>> + <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> + <tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> >> >>>> + <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> + </td>
>>> >> >>>> + </tr>
>>> >> >>>> +END
>>> >> >>>> + }
>>> >> >>>> +
>>> >> >>>> + print <<END;
>>> >> >>>> </table>
>>> >> >>>>
>>> >> >>>> - <br>
>>> >> >>>> + <br />
>>> >> >>>>
>>> >> >>>> -<table width='95%' cellspacing='0'>
>>> >> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>>> >> >>>> + <table width='95%' cellspacing='0'>
>>> >> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>> >> >>>> <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
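Review bot: the GREEN header in this hunk is malformed HTML: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr> </tr>` a second one, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` that carries the heading then sits outside any `<tr>` before a stray `</tr>`. In the BLUE branch a second `<table width='95%' cellspacing='0'>` is opened while the GREEN table is still open, the bare `<tr>` after `<tr> </tr>` is never closed, and the trailing `</td>` and `</tr>` close nothing. Suggest using the one-line header already used for BLUE (`<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`), dropping the empty rows and stray tags, and closing the GREEN table with a `<br />` before opening the BLUE one, the way the logging section further down does.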
>>> >> >>>> @@ -206,21 +251,30 @@ END
>>> >> >>>> <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>> >> >>>> <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> >> >>>> +END
>>> >> >>>> +
>>> >> >>>> + if (&Header::blue_used()) {
>>> >> >>>> + print <<END;
>>> >> >>>> + </table>
>>> >> >>>> +
>>> >> >>>> + <br />
>>> >> >>>> +
>>> >> >>>> + <table width='95%' cellspacing='0'>
>>> >> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>>> >> >>>> + <tr>
>>> >> >>>> + <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> >> >>>> <input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> >> >>>> + <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> >> >>>> <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -</table>
>>> >> >>>> -<br/>
>>> >> >>>> + </tr>
>>> >> >>>> +END
>>> >> >>>> + }
>>> >> >>>> +
>>> >> >>>> + print <<END;
>>> >> >>>> + </table>
>>> >> >>>> +
>>> >> >>>> + <br />
>>> >> >>>>
>>> >> >>>> -<table width='95%' cellspacing='0'>
>>> >> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> >> >>>> - <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> >> >>>> - <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -</table>
>>> >> >>>> -<br>
>>> >> >>>> <table width='95%' cellspacing='0'>
>>> >> >>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
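Review bot: the BLUE logging block adds a bare `<tr>` directly under the 'fw logging blue' heading row and a matching `</tr>` after the DROPWIRELESSFORWARD row, so the two real rows end up nested inside an unclosed row; both should go. Otherwise the close-table/open-table dance inside `if (&Header::blue_used())` works because the unconditional `</table>` that follows closes whichever table is open, but a short comment saying so would save the next reader a moment.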
>>> >> >>>> @@ -252,7 +306,7 @@ END
>>> >> >>>>
>>> >> >>>> <br />
>>> >> >>>> <table width='100%' cellspacing='0'>
>>> >> >>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> >> >>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> >> >>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>> >> >>>> </form></td></tr>
>>> >> >>>> </table>
>>> >> >>>> @@ -278,7 +332,7 @@ print <<END;
>>> >> >>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>> >> >>>> END
>>> >> >>>> print "</tr></table></form>";
>>> >> >>>> - print"<br><br>";
>>> >> >>>> + print"<br /><br />";
>>> >> >>>> print <<END;
>>> >> >>>> <form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> >> >>>> <table width='100%' border='0'>
>>> >> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>> >> >>>> index 6a8133807..d6bb234fa 100644
>>> >> >>>> --- a/langs/de/cgi-bin/de.pl
>>> >> >>>> +++ b/langs/de/cgi-bin/de.pl
>>> >> >>>> @@ -836,6 +836,8 @@
>>> >> >>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>> >> >>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>> >> >>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>>> >> >>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>>> >> >>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>> >> >>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>> >> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>> >> >>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>>> >> >>>> @@ -1102,9 +1104,12 @@
>>> >> >>>> 'from email server' => 'Von E-Mail-Server',
>>> >> >>>> 'from email user' => 'Von E-Mail-Benutzer',
>>> >> >>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>>> >> >>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>>> >> >>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>> >> >>>> 'fw default drop' => 'Firewallrichtlinie',
>>> >> >>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>> >> >>>> 'fw logging' => 'Firewallprotokollierung',
>>> >> >>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>>> >> >>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>> >> >>>> 'fw settings' => 'Firewalleinstellungen',
>>> >> >>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>> >> >>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
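Review bot: the new 'fw green', 'fw logging blue' and 'fw logging red' strings and the recoloured 'fw blue' embed `<font color=...>` markup in the translation file, so the colour scheme now has to be kept in sync by hand across every language file; keep the strings plain and apply the colour in optionsfw.cgi (or via a CSS class) instead. The 'fw logging' key is also left in place although optionsfw.cgi no longer prints it after this patch; check whether another page still uses it before deciding to keep or drop it.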
>>> >> >>>> @@ -1644,9 +1649,9 @@
>>> >> >>>> 'map to guest' => 'Map to Guest',
>>> >> >>>> 'march' => 'März',
>>> >> >>>> 'marked' => 'Markiert',
>>> >> >>>> -'masquerade blue' => 'NAT auf BLAU',
>>> >> >>>> -'masquerade green' => 'NAT auf GRÜN',
>>> >> >>>> -'masquerade orange' => 'NAT auf ORANGE',
>>> >> >>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>>> >> >>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>>> >> >>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>> >> >>>> 'masquerading' => 'Masquerading/NAT',
>>> >> >>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>>> >> >>>> 'masquerading enabled' => 'NAT eingeschaltet',
>>> >> >>>> @@ -1814,6 +1819,8 @@
>>> >> >>>> 'november' => 'November',
>>> >> >>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>>> >> >>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>>> >> >>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>>> >> >>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>> >> >>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>> >> >>>> 'ntp server' => 'NTP-Server',
>>> >> >>>> 'ntp sync' => 'Synchronisation',
>>> >> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>> >> >>>> index 8f7e0c2cf..474612025 100644
>>> >> >>>> --- a/langs/en/cgi-bin/en.pl
>>> >> >>>> +++ b/langs/en/cgi-bin/en.pl
>>> >> >>>> @@ -859,6 +859,8 @@
>>> >> >>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>> >> >>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>> >> >>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>>> >> >>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>>> >> >>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>> >> >>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>> >> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>> >> >>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>>> >> >>>> @@ -1128,9 +1130,12 @@
>>> >> >>>> 'from email server' => 'From Email server',
>>> >> >>>> 'from email user' => 'From e-mail user',
>>> >> >>>> 'from warn email bad' => 'From e-mail address is not valid',
>>> >> >>>> -'fw blue' => 'Firewall options for BLUE interface',
>>> >> >>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>> >> >>>> 'fw default drop' => 'Firewall policy',
>>> >> >>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>> >> >>>> 'fw logging' => 'Firewall logging',
>>> >> >>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>>> >> >>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>> >> >>>> 'fw settings' => 'Firewall settings',
>>> >> >>>> 'fw settings color' => 'Show colors in ruletable',
>>> >> >>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
>>> >> >>>> @@ -1672,9 +1677,9 @@
>>> >> >>>> 'map to guest' => 'Map to Guest',
>>> >> >>>> 'march' => 'March',
>>> >> >>>> 'marked' => 'Marked',
>>> >> >>>> -'masquerade blue' => 'Masquerade BLUE',
>>> >> >>>> -'masquerade green' => 'Masquerade GREEN',
>>> >> >>>> -'masquerade orange' => 'Masquerade ORANGE',
>>> >> >>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>>> >> >>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>>> >> >>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>> >> >>>> 'masquerading' => 'Masquerading',
>>> >> >>>> 'masquerading disabled' => 'Masquerading disabled',
>>> >> >>>> 'masquerading enabled' => 'Masquerading enabled',
>>> >> >>>> @@ -1844,6 +1849,8 @@
>>> >> >>>> 'november' => 'November',
>>> >> >>>> 'ntp common settings' => 'Common settings',
>>> >> >>>> 'ntp configuration' => 'NTP Configuration',
>>> >> >>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>>> >> >>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>> >> >>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>> >> >>>> 'ntp server' => 'NTP Server',
>>> >> >>>> 'ntp sync' => 'Synchronization',
>>> >> >>>> diff --git a/lfs/configroot b/lfs/configroot
>>> >> >>>> index a3e474d70..622793b35 100644
>>> >> >>>> --- a/lfs/configroot
>>> >> >>>> +++ b/lfs/configroot
>>> >> >>>> @@ -129,6 +129,10 @@ $(TARGET) :
>>> >> >>>> echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> + echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> + echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> + echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> + echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
>>> >> >>>> echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
>>> >> >>>> echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
>>> >> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>> >> >>>> new file mode 100644
>>> >> >>>> index 000000000..2eafa9d20
>>> >> >>>> --- /dev/null
>>> >> >>>> +++ b/src/initscripts/system/dnsntp
>>> >> >>>> @@ -0,0 +1,36 @@
>>> >> >>>> +#!/bin/sh
>>> >> >>>> +########################################################################
>>> >> >>>> +# Begin $rc_base/init.d/dnsntp
>>> >> >>>> +#
>>> >> >>>> +# Description : dnsntp init script for DNS/NTP rules only
>>> >> >>>> +#
>>> >> >>>> +########################################################################
>>> >> >>>> +
>>> >> >>>> +# flush chain
>>> >> >>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>> >> >>>> +
>>> >> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>> >> >>>> +
>>> >> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>> >> >>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> >> >>>> +fi
>>> >> >>>> +
>>> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>> >> >>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> >> >>>> +fi
>>> >> >>>> +
>>> >> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>> >> >>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>>> >> >>>> +fi
>>> >> >>>> +
>>> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>> >> >>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>> >> >>>> + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>>> >> >>>> +fi
>>> >> >>>> +
>>> >> >>>> +# End $rc_base/init.d/dnsntp
>>> >> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>> >> >>>> index 65f1c979b..43ae74113 100644
>>> >> >>>> --- a/src/initscripts/system/firewall
>>> >> >>>> +++ b/src/initscripts/system/firewall
>>> >> >>>> @@ -169,6 +169,10 @@ iptables_init() {
>>> >> >>>> # Fix for braindead ISPs
>>> >> >>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> >> >>>>
>>> >> >>>> + # DNS / NTP REDIRECT
>>> >> >>>> + iptables -t nat -N DNS_NTP_REDIRECT
>>> >> >>>> + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>> >> >>>> +
>>> >> >>>> # CUSTOM chains, can be used by the users themselves
>>> >> >>>> iptables -N CUSTOMINPUT
>>> >> >>>> iptables -A INPUT -j CUSTOMINPUT
>>> >> >>>> @@ -281,7 +285,7 @@ iptables_init() {
>>> >> >>>> iptables -A INPUT -j LOCATIONBLOCK
>>> >> >>>> iptables -A FORWARD -j LOCATIONBLOCK
>>> >> >>>>
>>> >> >>>> - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> >> >>>> + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> >> >>>> iptables -N IPSECINPUT
>>> >> >>>> iptables -N IPSECFORWARD
>>> >> >>>> iptables -N IPSECOUTPUT
>>> >> >>>> @@ -389,6 +393,9 @@ iptables_init() {
>>> >> >>>> # run captivectrl
>>> >> >>>> /usr/local/bin/captivectrl
>>> >> >>>>
>>> >> >>>> + # run dnsntpctrl
>>> >> >>>> + /usr/local/bin/dnsntpctrl
>>> >> >>>> +
>>> >> >>>> # POLICY CHAIN
>>> >> >>>> iptables -N POLICYIN
>>> >> >>>> iptables -A INPUT -j POLICYIN
>>> >> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>> >> >>>> index 7c3ef7529..6f2733ef0 100644
>>> >> >>>> --- a/src/misc-progs/Makefile
>>> >> >>>> +++ b/src/misc-progs/Makefile
>>> >> >>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>> >> >>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>> >> >>>> ipsecctrl timectrl dhcpctrl suricatactrl \
>>> >> >>>> rebuildhosts backupctrl collectdctrl \
>>> >> >>>> - logwatch wioscan wiohelper openvpnctrl firewallctrl \
>>> >> >>>> + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>> >> >>>> wirelessctrl getipstat qosctrl \
>>> >> >>>> redctrl syslogdctrl extrahdctrl sambactrl \
>>> >> >>>> smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>> >> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>> >> >>>> new file mode 100644
>>> >> >>>> index 000000000..f2a3b89e3
>>> >> >>>> --- /dev/null
>>> >> >>>> +++ b/src/misc-progs/dnsntpctrl.c
>>> >> >>>> @@ -0,0 +1,19 @@
>>> >> >>>> +/* This file is part of the IPFire Firewall.
>>> >> >>>> + *
>>> >> >>>> + * This program is distributed under the terms of the GNU General Public
>>> >> >>>> + * Licence. See the file COPYING for details.
>>> >> >>>> + *
>>> >> >>>> + */
>>> >> >>>> +
>>> >> >>>> +#include <stdlib.h>
>>> >> >>>> +#include "setuid.h"
>>> >> >>>> +
>>> >> >>>> +int main(void)
>>> >> >>>> +{
>>> >> >>>> + if (!(initsetuid()))
>>> >> >>>> + exit(1);
>>> >> >>>> +
>>> >> >>>> + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>> >> >>>> +
>>> >> >>>> + return 0;
>>> >> >>>> +}
>>> >> >>>> --
>>> >> >>>> 2.18.0