(V3) Forcing DNS/NTP

Message ID 20210305194017.7114-1-matthias.fischer@ipfire.org
State Dropped
Series (V3) Forcing DNS/NTP

Commit Message

Matthias Fischer March 5, 2021, 7:40 p.m. UTC
  Originally triggered by:
https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512

Current discussion:
https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888

Summary and functionality:
  These patches are controlled through "Firewall Options". They add new
  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').

  Default of all new rules is OFF (set in 'lfs/configroot').
  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
  servers specified in IPFire. GUI links to DNS and NTP options were added to make
  this more transparent.

  Flaw/ToDo:
  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
  init file, 'dnsntp'. This is actually an unnecessary detour.
  In fact I wanted to merge these two files in *one* C file, but this was beyond my
  capabilities, perhaps "someone" else knows how to program this.

Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
  The corresponding interface options - including 'Masquerade ...' - are only visible if
  the respective interface actually exists.
  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
  or logging options for BLUE available (e.g.).
  Added text colors for better readability and links to DNS and NTP GUI.
  Separated logging options per interface.

No reboot required:
  Rules can be switched ON/OFF without rebooting IPFire.
  Changes immediately take effect after clicking 'Save'.

Changes to '/etc/rc.d/init.d/firewall':
  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
  chain: DNS_NTP_REDIRECT.
  This chain is flushed by the init file before the desired settings are applied.
  Corrected a 'trafic' typo.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/aarch64/initscripts  |  1 +
 config/rootfiles/common/armv5tel/initscripts |  1 +
 config/rootfiles/common/i586/initscripts     |  1 +
 config/rootfiles/common/misc-progs           |  1 +
 config/rootfiles/common/x86_64/initscripts   |  1 +
 html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
 langs/de/cgi-bin/de.pl                       | 15 +++-
 langs/en/cgi-bin/en.pl                       | 15 +++-
 lfs/configroot                               |  4 +
 src/initscripts/system/dnsntp                | 36 ++++++++
 src/initscripts/system/firewall              |  9 +-
 src/misc-progs/Makefile                      |  2 +-
 src/misc-progs/dnsntpctrl.c                  | 19 ++++
 13 files changed, 168 insertions(+), 29 deletions(-)
 create mode 100644 src/initscripts/system/dnsntp
 create mode 100644 src/misc-progs/dnsntpctrl.c
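The rule logic the patch puts into the dnsntp init script, shown here as an added example that is neither part of the patch nor IPFire code. It differs from the patch in two ways a reviewer would ask for: the zone devices and addresses are read from a settings file instead of being hardcoded as green0/blue0 (a zone without a device gets no rules, matching the GUI that hides the switches for a missing BLUE), and requests already addressed to the firewall itself are passed with RETURN, as suggested in the thread. The commands are printed rather than executed, so the generated rule set can be inspected on any machine. The settings file layout and the key names GREEN_DEV, GREEN_ADDRESS, BLUE_DEV and BLUE_ADDRESS are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the patch or of IPFire. Generates the
# DNS_NTP_REDIRECT rules from two settings files and prints them instead
# of running iptables. Key names and file layout are assumptions.

# Print only well-formed KEY=VALUE lines from a settings file, so that the
# eval below cannot execute anything else a damaged or edited file contains.
safe_readhash() {
    grep -E '^[A-Z0-9_]+=[A-Za-z0-9_.:-]*$' "$1"
}

# Emit the rules for one zone: $1 device, $2 zone address, $3 DNS switch,
# $4 NTP switch. A zone with no device (interface not configured) or with
# both switches off produces no rules at all.
zone_rules() {
    dev=$1 addr=$2 dns=$3 ntp=$4
    [ -n "$dev" ] || return 0
    [ "$dns" = "on" ] || [ "$ntp" = "on" ] || return 0
    # Requests already addressed to the firewall need no NAT entry:
    # let them leave the chain untouched (the RETURN suggested in the thread).
    if [ -n "$addr" ]; then
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -d $addr -j RETURN"
    fi
    if [ "$dns" = "on" ]; then   # DNS: UDP and TCP port 53, as in the patch
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p udp -m udp --dport 53 -j REDIRECT"
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p tcp -m tcp --dport 53 -j REDIRECT"
    fi
    if [ "$ntp" = "on" ]; then   # NTP: UDP port 123 only, as in the patch
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p udp -m udp --dport 123 -j REDIRECT"
    fi
}

# Build the whole rule set from an optionsfw-style file ($1) and an
# ethernet-style file ($2). One iptables command per line on stdout.
generate_rules() {
    # Start from a clean slate so a key missing from the file means "off"
    # and a zone missing from the file means "not configured".
    unset GREEN_DEV GREEN_ADDRESS BLUE_DEV BLUE_ADDRESS
    unset DNS_FORCE_ON_GREEN NTP_FORCE_ON_GREEN DNS_FORCE_ON_BLUE NTP_FORCE_ON_BLUE
    eval "$(safe_readhash "$1")"
    eval "$(safe_readhash "$2")"
    echo "iptables -t nat -F DNS_NTP_REDIRECT"
    zone_rules "$GREEN_DEV" "$GREEN_ADDRESS" "$DNS_FORCE_ON_GREEN" "$NTP_FORCE_ON_GREEN"
    zone_rules "$BLUE_DEV" "$BLUE_ADDRESS" "$DNS_FORCE_ON_BLUE" "$NTP_FORCE_ON_BLUE"
}

# Write constructed sample settings into directory $1 (demo data, not real
# IPFire files). The last line of the ethernet file is deliberately malformed
# and must be dropped by safe_readhash.
write_demo_settings() {
    printf '%s\n' 'DNS_FORCE_ON_GREEN=on' 'NTP_FORCE_ON_GREEN=on' \
        'DNS_FORCE_ON_BLUE=off' 'NTP_FORCE_ON_BLUE=on' > "$1/optionsfw"
    printf '%s\n' 'GREEN_DEV=green0' 'GREEN_ADDRESS=192.168.1.1' \
        'BLUE_DEV=blue0' 'BLUE_ADDRESS=192.168.2.1' \
        'NOT_A_SETTING=$(uname)' > "$1/ethernet"
}

DEMO=$(mktemp -d)
write_demo_settings "$DEMO"
generate_rules "$DEMO/optionsfw" "$DEMO/ethernet"
rm -rf "$DEMO"
```

Piping the output into `sh` would apply it; keeping generation and execution separate makes it easy to diff the intended rule set against `iptables -t nat -S DNS_NTP_REDIRECT` on a running system.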
  

Comments

Bernhard Bitsch March 5, 2021, 8:45 p.m. UTC | #1
Hi,

At first glance, I think the code implements the ideas of the community discussions.
Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests (to IPFire) by a RETURN.

Regards,
Bernhard

> Sent: Friday, 5 March 2021 at 20:40
> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> To: development@lists.ipfire.org
> Subject: [PATCH] (V3) Forcing DNS/NTP
>
> Originally triggered by:
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> 
> Current discussion:
> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> 
> Summary and functionality:
>   These patches are controlled through "Firewall Options". They add new
>   firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>   They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>   ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> 
>   Default of all new rules is OFF (set in 'lfs/configroot').
>   If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>   servers specified in IPFire. GUI links to DNS and NTP options were added to make
>   this more transparent.
> 
>   Flaw/ToDo:
>   To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>   init file, 'dnsntp'. This is actually an unnecessary detour.
>   In fact I wanted to merge these two files in *one* C file, but this was beyond my
>   capabilities, perhaps "someone" else knows how to program this.
> 
> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>   The corresponding interface options - including 'Masquerade ...' - are only visible if
>   the respective interface actually exists.
>   If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>   or logging options for BLUE available (e.g.).
>   Added text colors for better readability and links to DNS and NTP GUI.
>   Separated logging options per interface.
> 
> No reboot required:
>   Rules can be switched ON/OFF without rebooting IPFire.
>   Changes immediately take effect after clicking 'Save'.
> 
> Changes to '/etc/rc.d/init.d/firewall':
>   To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>   chain: DNS_NTP_REDIRECT.
>   This chain is flushed by the init file before the desired settings are applied.
>   Corrected a 'trafic' typo.
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
>  config/rootfiles/common/aarch64/initscripts  |  1 +
>  config/rootfiles/common/armv5tel/initscripts |  1 +
>  config/rootfiles/common/i586/initscripts     |  1 +
>  config/rootfiles/common/misc-progs           |  1 +
>  config/rootfiles/common/x86_64/initscripts   |  1 +
>  html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>  langs/de/cgi-bin/de.pl                       | 15 +++-
>  langs/en/cgi-bin/en.pl                       | 15 +++-
>  lfs/configroot                               |  4 +
>  src/initscripts/system/dnsntp                | 36 ++++++++
>  src/initscripts/system/firewall              |  9 +-
>  src/misc-progs/Makefile                      |  2 +-
>  src/misc-progs/dnsntpctrl.c                  | 19 ++++
>  13 files changed, 168 insertions(+), 29 deletions(-)
>  create mode 100644 src/initscripts/system/dnsntp
>  create mode 100644 src/misc-progs/dnsntpctrl.c
> 
> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
> index 800005966..f38a3a294 100644
> --- a/config/rootfiles/common/aarch64/initscripts
> +++ b/config/rootfiles/common/aarch64/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>  etc/rc.d/init.d/console
>  etc/rc.d/init.d/dhcp
>  etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
>  etc/rc.d/init.d/fcron
>  etc/rc.d/init.d/fireinfo
>  etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
> index 800005966..f38a3a294 100644
> --- a/config/rootfiles/common/armv5tel/initscripts
> +++ b/config/rootfiles/common/armv5tel/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>  etc/rc.d/init.d/console
>  etc/rc.d/init.d/dhcp
>  etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
>  etc/rc.d/init.d/fcron
>  etc/rc.d/init.d/fireinfo
>  etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
> index 18c5a897a..a3a2b47f7 100644
> --- a/config/rootfiles/common/i586/initscripts
> +++ b/config/rootfiles/common/i586/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>  etc/rc.d/init.d/console
>  etc/rc.d/init.d/dhcp
>  etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
>  etc/rc.d/init.d/fcron
>  etc/rc.d/init.d/fireinfo
>  etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> index d6594b3f8..4bcb94812 100644
> --- a/config/rootfiles/common/misc-progs
> +++ b/config/rootfiles/common/misc-progs
> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>  usr/local/bin/collectdctrl
>  usr/local/bin/ddnsctrl
>  usr/local/bin/dhcpctrl
> +usr/local/bin/dnsntpctrl
>  usr/local/bin/extrahdctrl
>  usr/local/bin/fireinfoctrl
>  usr/local/bin/firewallctrl
> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
> index 18c5a897a..a3a2b47f7 100644
> --- a/config/rootfiles/common/x86_64/initscripts
> +++ b/config/rootfiles/common/x86_64/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>  etc/rc.d/init.d/console
>  etc/rc.d/init.d/dhcp
>  etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
>  etc/rc.d/init.d/fcron
>  etc/rc.d/init.d/fireinfo
>  etc/rc.d/init.d/firewall
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index 321642e82..3fc707e8b 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -2,7 +2,7 @@
>  ###############################################################################
>  #                                                                             #
>  # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>  #                                                                             #
>  # This program is free software: you can redistribute it and/or modify        #
>  # it under the terms of the GNU General Public License as published by        #
> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>  		$errormessage .= $Lang::tr{'new optionsfw later'};
>  		&General::writehash($filename, \%settings);             # Save good settings
>  		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>  	}else{
>  		if ($settings{'POLICY'} ne ''){
>  			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
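Review bot: the added `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` discards both the output and the exit status of the reload, so a failing iptables call (for example a missing DNS_NTP_REDIRECT chain) is never reported to the administrator even though the page already has an `$errormessage` mechanism. Check the return value of `system()` and append a message to `$errormessage` when it is non-zero; the same applies to the `firewallctrl` call above it, but the new call should at least not repeat the pattern.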
> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>  		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>  		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>  		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>  	}
>  	&General::readhash($filename, \%settings);             # Load good settings
>  }
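Review bot: same point as for the first hunk: the second `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` ignores the exit status, so the administrator cannot tell from the GUI whether the redirect rules were actually applied after saving the policy. Report a non-zero status via `$errormessage`.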
> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>  $selected{'MASQUERADE_BLUE'}{'off'} = '';
>  $selected{'MASQUERADE_BLUE'}{'on'} = '';
>  $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>  
>  &Header::openbox('100%', 'center',);
>  print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
> @@ -189,13 +203,44 @@ END
>  END
>  	}
>  
> -	print <<END
> +print <<END;
> +	<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'></tr>
> +		<tr> </tr>
> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> +		</tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +		<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> +		<tr> </tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			</td>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
>  	</table>
>  
> -	<br>
> +	<br />
>  
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>  <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>  																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>  <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
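Review bot: the GREEN block emits malformed table markup: `<tr bgcolor='$color{'color20'}'></tr>` is an empty header row, the heading cell `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` follows a `<tr> </tr>` and is closed by a `</tr>` that has no opening `<tr>`. The BLUE block then opens a second `<table width='95%' cellspacing='0'>` without closing the first, nests `<tr>` rows inside an unclosed `<tr>`, and ends with `</td></tr>` that has no opener. Use the same heading row for GREEN as for BLUE (`<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`), close the GREEN table before starting the BLUE one (or keep a single table), and drop the stray `<tr>` and `</td></tr>` lines; browsers repair this silently, but the generated page should validate.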
> @@ -206,21 +251,30 @@ END
>  																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>  <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>  																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +	</table>
> +
> +	<br />
> +
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>  																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>  																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br/>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> +	</table>
> +
> +	<br />
>  
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br>
>  <table width='95%' cellspacing='0'>
>  <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>  <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
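Review bot: the BLUE logging table has a stray `<tr>` directly after its heading row and a bare `</tr>` before the closing `END`, neither of which belongs to a row. Remove both; the rest of the restructuring (closing the RED logging table before opening the BLUE one only when `&Header::blue_used()`) is sound, so with those two lines gone the markup is well-formed in both the with-BLUE and without-BLUE cases.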
> @@ -252,7 +306,7 @@ END
>  
>  <br />
>  <table width='100%' cellspacing='0'>
> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>  <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>  </form></td></tr>
>  </table>
> @@ -278,7 +332,7 @@ print <<END;
>  	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>  END
>  	print "</tr></table></form>";
> -	print"<br><br>";
> +	print"<br /><br />";
>  	print <<END;
>  	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>  	<table width='100%' border='0'>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 6a8133807..d6bb234fa 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -836,6 +836,8 @@
>  'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>  'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>  'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>  'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>  'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>  'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> @@ -1102,9 +1104,12 @@
>  'from email server' => 'Von E-Mail-Server',
>  'from email user' => 'Von E-Mail-Benutzer',
>  'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>  'fw default drop' => 'Firewallrichtlinie',
> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>  'fw logging' => 'Firewallprotokollierung',
> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>  'fw settings' => 'Firewalleinstellungen',
>  'fw settings color' => 'Farben in Regeltabelle anzeigen',
>  'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
> @@ -1644,9 +1649,9 @@
>  'map to guest' => 'Map to Guest',
>  'march' => 'März',
>  'marked' => 'Markiert',
> -'masquerade blue' => 'NAT auf BLAU',
> -'masquerade green' => 'NAT auf GRÜN',
> -'masquerade orange' => 'NAT auf ORANGE',
> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>  'masquerading' => 'Masquerading/NAT',
>  'masquerading disabled' => 'NAT ausgeschaltet',
>  'masquerading enabled' => 'NAT eingeschaltet',
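Review bot: `'masquerade orange'` has a space before the equals sign in `<font color =\'#FF9933\'>`, unlike the BLUE and GREEN entries in the same hunk; browsers tolerate it, but it should read `<font color=\'#FF9933\'>` for consistency. More generally, embedding colour markup in translation strings means every language file has to carry and maintain identical HTML; applying the colour in optionsfw.cgi around the plain translated word would keep the strings presentation-free.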
> @@ -1814,6 +1819,8 @@
>  'november' => 'November',
>  'ntp common settings' => 'Allgemeine Einstellungen',
>  'ntp configuration' => 'Zeitserverkonfiguration',
> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>  'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>  'ntp server' => 'NTP-Server',
>  'ntp sync' => 'Synchronisation',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 8f7e0c2cf..474612025 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -859,6 +859,8 @@
>  'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>  'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>  'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>  'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>  'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>  'dns header' => 'Assign DNS server addresses only for DHCP on red0',
> @@ -1128,9 +1130,12 @@
>  'from email server' => 'From Email server',
>  'from email user' => 'From e-mail user',
>  'from warn email bad' => 'From e-mail address is not valid',
> -'fw blue' => 'Firewall options for BLUE interface',
> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>  'fw default drop' => 'Firewall policy',
> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>  'fw logging' => 'Firewall logging',
> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>  'fw settings' => 'Firewall settings',
>  'fw settings color' => 'Show colors in ruletable',
>  'fw settings dropdown' => 'Show all networks on rulecreation site',
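Review bot: `'fw blue'` and `'fw green'` capitalise "Interface" while the original string read "BLUE interface"; keep the lower-case form for consistency with the rest of en.pl. As in de.pl, the `<font color=...>` markup inside the translation strings duplicates presentation across language files; the colour belongs in the CGI template rather than in the strings.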
> @@ -1672,9 +1677,9 @@
>  'map to guest' => 'Map to Guest',
>  'march' => 'March',
>  'marked' => 'Marked',
> -'masquerade blue' => 'Masquerade BLUE',
> -'masquerade green' => 'Masquerade GREEN',
> -'masquerade orange' => 'Masquerade ORANGE',
> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>  'masquerading' => 'Masquerading',
>  'masquerading disabled' => 'Masquerading disabled',
>  'masquerading enabled' => 'Masquerading enabled',
> @@ -1844,6 +1849,8 @@
>  'november' => 'November',
>  'ntp common settings' => 'Common settings',
>  'ntp configuration' => 'NTP Configuration',
> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>  'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>  'ntp server' => 'NTP Server',
>  'ntp sync' => 'Synchronization',
> diff --git a/lfs/configroot b/lfs/configroot
> index a3e474d70..622793b35 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -129,6 +129,10 @@ $(TARGET) :
>  	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>  	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>  	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>  	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>  	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>  	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> new file mode 100644
> index 000000000..2eafa9d20
> --- /dev/null
> +++ b/src/initscripts/system/dnsntp
> @@ -0,0 +1,36 @@
> +#!/bin/sh
> +########################################################################
> +# Begin $rc_base/init.d/dnsntp
> +#
> +# Description : dnsntp init script for DNS/NTP rules only
> +#
> +########################################################################
> +
> +# flush chain
> +iptables -t nat -F DNS_NTP_REDIRECT
> +
> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> +
> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> +fi
> +
> +# Force NTP REDIRECTs on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> +fi
> +
> +# End $rc_base/init.d/dnsntp
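Review bot: the interfaces are hardcoded as `green0` and `blue0`, whereas the firewall init script refers to the device through `GREEN_DEV` (see the `-i GREEN_DEV` comment in the next file); read the device names from the ethernet settings and skip a zone whose device is empty, otherwise the rules silently miss on installations with different device names. Three smaller points: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` uses the bash-only `==` under `#!/bin/sh`, so use `=`; the comment above the last block says "Force DNS REDIRECTs on BLUE (udp, 123)" but the rule is the NTP one; and the script only flushes `DNS_NTP_REDIRECT`, so it fails if run before iptables_init has created the chain. Since the settings file is `eval`ed, the CGI hunks above should also be confirmed to restrict the new keys to `on`/`off` before `writehash`.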
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 65f1c979b..43ae74113 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -169,6 +169,10 @@ iptables_init() {
>  	# Fix for braindead ISPs
>  	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>  
> +	# DNS / NTP REDIRECT
> +	iptables -t nat -N DNS_NTP_REDIRECT
> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> +
>  	# CUSTOM chains, can be used by the users themselves
>  	iptables -N CUSTOMINPUT
>  	iptables -A INPUT -j CUSTOMINPUT
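Review bot: the jump `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM chains are created just below, so if a user-managed nat chain is among them it is evaluated after the redirect and cannot exempt a host from it. That precedence is a deliberate choice per the commit message, but it should be stated in the comment here, and the chain should be created with `-N` only once per init run, which this placement inside iptables_init does satisfy.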
> @@ -281,7 +285,7 @@ iptables_init() {
>  	iptables -A INPUT -j LOCATIONBLOCK
>  	iptables -A FORWARD -j LOCATIONBLOCK
>  
> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>  	iptables -N IPSECINPUT
>  	iptables -N IPSECFORWARD
>  	iptables -N IPSECOUTPUT
> @@ -389,6 +393,9 @@ iptables_init() {
>  	# run captivectrl
>  	/usr/local/bin/captivectrl
>  
> +	# run dnsntpctrl
> +	/usr/local/bin/dnsntpctrl
> +
>  	# POLICY CHAIN
>  	iptables -N POLICYIN
>  	iptables -A INPUT -j POLICYIN
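Review bot: iptables_init already runs as root, so calling the setuid wrapper `/usr/local/bin/dnsntpctrl` here is the detour the commit message itself describes as unnecessary; invoke `/etc/rc.d/init.d/dnsntp` directly and reserve the setuid binary for the CGI, the only caller that needs the privilege transition. Keeping the number of paths through a setuid program minimal also simplifies auditing it.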
> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> index 7c3ef7529..6f2733ef0 100644
> --- a/src/misc-progs/Makefile
> +++ b/src/misc-progs/Makefile
> @@ -26,7 +26,7 @@ PROGS = iowrap
>  SUID_PROGS = squidctrl sshctrl ipfirereboot \
>  	ipsecctrl timectrl dhcpctrl suricatactrl \
>  	rebuildhosts backupctrl collectdctrl \
> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>  	wirelessctrl getipstat qosctrl \
>  	redctrl syslogdctrl extrahdctrl sambactrl \
>  	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> new file mode 100644
> index 000000000..f2a3b89e3
> --- /dev/null
> +++ b/src/misc-progs/dnsntpctrl.c
> @@ -0,0 +1,19 @@
> +/* This file is part of the IPFire Firewall.
> + *
> + * This program is distributed under the terms of the GNU General Public
> + * Licence.  See the file COPYING for details.
> + *
> + */
> +
> +#include <stdlib.h>
> +#include "setuid.h"
> +
> +int main(void)
> +{
> +	if (!(initsetuid()))
> +		exit(1);
> +
> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> +
> +	return 0;
> +}
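Review bot: the result of `safe_system(...)` is thrown away and `main` returns 0 unconditionally, so the CGI's `system()` call can never observe a failed reload; return the status instead (for example `return safe_system("/etc/rc.d/init.d/dnsntp") != 0;`). The `>/dev/null 2>&1` inside the command string is also redundant with the redirection already done by the CGI caller and hides iptables error messages from the init log; drop it here and let the caller decide what to do with the output.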
> -- 
> 2.18.0
> 
>
  
Matthias Fischer March 5, 2021, 10:49 p.m. UTC | #2
Hi,

On 05.03.2021 21:45, Bernhard Bitsch wrote:
> Hi,
> 
> at a first glance I think, the code implements the ideas of the community discussions.

Thanks - but unfortunately I'm not quite satisfied with my results yet
because I didn't manage to merge the init and the ctrl-file in *one* C
program. The whole is running as I want but... ;-)

> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.

-v please. I don't know if I get this (the translation English =>
German) right.
If you mean that I asked for some tips and got some, then of course:
many thanks to everybody!

Best,
Matthias

> Regards,
> Bernhard
> 
>> Sent: Friday, 5 March 2021 at 20:40
>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>> To: development@lists.ipfire.org
>> Subject: [PATCH] (V3) Forcing DNS/NTP
>>
>> Originally triggered by:
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>> 
>> Current discussion:
>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>> 
>> Summary and functionality:
>>   These patches are controlled through "Firewall Options". They add new
>>   firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>   They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>   ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>> 
>>   Default of all new rules is OFF (set in 'lfs/configroot').
>>   If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>   servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>   this more transparent.
>> 
>>   Flaw/ToDo:
>>   To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>   init file, 'dnsntp'. This is actually an unnecessary detour.
>>   In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>   capabilities, perhaps "someone" else knows how to program this.
>> 
>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>   The corresponding interface options - including 'Masquerade ...' - are only visible if
>>   the respective interface actually exists.
>>   If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>   or logging options for BLUE available (e.g.).
>>   Added text colors for better readability and links to DNS and NTP GUI.
>>   Separated logging options per interface.
>> 
>> No reboot required:
>>   Rules can be switched ON/OFF without rebooting IPFire.
>>   Changes immediately take effect after clicking 'Save'.
>> 
>> Changes to '/etc/rc.d/init.d/firewall':
>>   To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>   chain: DNS_NTP_REDIRECT.
>>   This chain is flushed by the init file before the desired settings are applied.
>>   Corrected a 'trafic' typo.
>> 
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>>  config/rootfiles/common/aarch64/initscripts  |  1 +
>>  config/rootfiles/common/armv5tel/initscripts |  1 +
>>  config/rootfiles/common/i586/initscripts     |  1 +
>>  config/rootfiles/common/misc-progs           |  1 +
>>  config/rootfiles/common/x86_64/initscripts   |  1 +
>>  html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>>  langs/de/cgi-bin/de.pl                       | 15 +++-
>>  langs/en/cgi-bin/en.pl                       | 15 +++-
>>  lfs/configroot                               |  4 +
>>  src/initscripts/system/dnsntp                | 36 ++++++++
>>  src/initscripts/system/firewall              |  9 +-
>>  src/misc-progs/Makefile                      |  2 +-
>>  src/misc-progs/dnsntpctrl.c                  | 19 ++++
>>  13 files changed, 168 insertions(+), 29 deletions(-)
>>  create mode 100644 src/initscripts/system/dnsntp
>>  create mode 100644 src/misc-progs/dnsntpctrl.c
>> 
>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>> index 800005966..f38a3a294 100644
>> --- a/config/rootfiles/common/aarch64/initscripts
>> +++ b/config/rootfiles/common/aarch64/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>  etc/rc.d/init.d/console
>>  etc/rc.d/init.d/dhcp
>>  etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>>  etc/rc.d/init.d/fcron
>>  etc/rc.d/init.d/fireinfo
>>  etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>> index 800005966..f38a3a294 100644
>> --- a/config/rootfiles/common/armv5tel/initscripts
>> +++ b/config/rootfiles/common/armv5tel/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>  etc/rc.d/init.d/console
>>  etc/rc.d/init.d/dhcp
>>  etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>>  etc/rc.d/init.d/fcron
>>  etc/rc.d/init.d/fireinfo
>>  etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>> index 18c5a897a..a3a2b47f7 100644
>> --- a/config/rootfiles/common/i586/initscripts
>> +++ b/config/rootfiles/common/i586/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>  etc/rc.d/init.d/console
>>  etc/rc.d/init.d/dhcp
>>  etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>>  etc/rc.d/init.d/fcron
>>  etc/rc.d/init.d/fireinfo
>>  etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>> index d6594b3f8..4bcb94812 100644
>> --- a/config/rootfiles/common/misc-progs
>> +++ b/config/rootfiles/common/misc-progs
>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>  usr/local/bin/collectdctrl
>>  usr/local/bin/ddnsctrl
>>  usr/local/bin/dhcpctrl
>> +usr/local/bin/dnsntpctrl
>>  usr/local/bin/extrahdctrl
>>  usr/local/bin/fireinfoctrl
>>  usr/local/bin/firewallctrl
>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>> index 18c5a897a..a3a2b47f7 100644
>> --- a/config/rootfiles/common/x86_64/initscripts
>> +++ b/config/rootfiles/common/x86_64/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>  etc/rc.d/init.d/console
>>  etc/rc.d/init.d/dhcp
>>  etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>>  etc/rc.d/init.d/fcron
>>  etc/rc.d/init.d/fireinfo
>>  etc/rc.d/init.d/firewall
>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> index 321642e82..3fc707e8b 100644
>> --- a/html/cgi-bin/optionsfw.cgi
>> +++ b/html/cgi-bin/optionsfw.cgi
>> @@ -2,7 +2,7 @@
>>  ###############################################################################
>>  #                                                                             #
>>  # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>>  #                                                                             #
>>  # This program is free software: you can redistribute it and/or modify        #
>>  # it under the terms of the GNU General Public License as published by        #
>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>  		$errormessage .= $Lang::tr{'new optionsfw later'};
>>  		&General::writehash($filename, \%settings);             # Save good settings
>>  		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>  	}else{
>>  		if ($settings{'POLICY'} ne ''){
>>  			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
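Review bot: the exit status of `/usr/local/bin/dnsntpctrl` is discarded at the new `system(...)` call, and its output is additionally sent to /dev/null, so a failed rule update after Save is invisible to the user; the same applies to the identical call in the next hunk. Suggest checking the return value and appending to `$errormessage` on failure, as this block already does for the 'new optionsfw later' case, and dropping the shell redirection (dnsntpctrl.c already silences the init script), so `system()` does not need to spawn a shell for it.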
>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>  		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>  		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>  		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>  	}
>>  	&General::readhash($filename, \%settings);             # Load good settings
>>  }
>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>  $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>  $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>  $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>  
>>  &Header::openbox('100%', 'center',);
>>  print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
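Review bot: the new `$checked{...}` lines use `$settings{'DNS_FORCE_ON_GREEN'}` etc. as the hash key, so on an installation whose optionsfw/settings file does not yet contain these four keys the key is the empty string and neither radio button is pre-selected; a Save then submits no value for the option at all. Since lfs/configroot only seeds a fresh config root (see that hunk), either the update path has to add the four keys as well or the CGI should default a missing value to 'off' before this block. Also, the commit message calls the keys `[DNS/NTP]_FORCED_ON_[INTERFACE]` while the code uses `DNS_FORCE_ON_GREEN` / `NTP_FORCE_ON_BLUE`; the description should match the code.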
>> @@ -189,13 +203,44 @@ END
>>  END
>>  	}
>>  
>> -	print <<END
>> +print <<END;
>> +	<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'></tr>
>> +		<tr> </tr>
>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>> +		</tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +		<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> +		<tr> </tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			</td>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>>  	</table>
>>  
>> -	<br>
>> +	<br />
>>  
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>  <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>  																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>  <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
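Review bot: the GREEN table header in this hunk is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr> </tr>` is another, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` that follows sits outside any `<tr>`, with a stray `</tr>` after it. Suggest one row as in the BLUE block: `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`. In the BLUE block the bare `<tr>` after `<tr> </tr>` is never closed and the trailing `</td></tr>` has no opener; both should go. Behaviourally, when `&Header::blue_used()` is false the DNS_FORCE_ON_BLUE, NTP_FORCE_ON_BLUE, DROPPROXY and DROPSAMBA inputs are not rendered at all, so a Save submits nothing for them; worth confirming that writehash keeps the previous values rather than dropping those keys from the settings file.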
>> @@ -206,21 +251,30 @@ END
>>  																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>  <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>  																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +	</table>
>> +
>> +	<br />
>> +
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>  																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>  																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br/>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>> +	</table>
>> +
>> +	<br />
>>  
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br>
>>  <table width='95%' cellspacing='0'>
>>  <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>  <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
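Review bot: in the BLUE logging block the bare `<tr>` after the header row wraps two complete `<tr>...</tr>` rows and is closed by the lone `</tr>` before `END`; nested rows are invalid HTML that browsers only render by accident, so remove both. The RED logging table is now opened in one here-doc and closed in either the conditional or the unconditional one depending on `blue_used()`, which works but is hard to follow; printing the RED table and the BLUE table each as one complete unit in its own here-doc would make the structure obvious.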
>> @@ -252,7 +306,7 @@ END
>>  
>>  <br />
>>  <table width='100%' cellspacing='0'>
>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>  <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>  </form></td></tr>
>>  </table>
>> @@ -278,7 +332,7 @@ print <<END;
>>  	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>  END
>>  	print "</tr></table></form>";
>> -	print"<br><br>";
>> +	print"<br /><br />";
>>  	print <<END;
>>  	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>  	<table width='100%' border='0'>
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 6a8133807..d6bb234fa 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -836,6 +836,8 @@
>>  'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>  'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>  'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>  'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>  'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>  'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>> @@ -1102,9 +1104,12 @@
>>  'from email server' => 'Von E-Mail-Server',
>>  'from email user' => 'Von E-Mail-Benutzer',
>>  'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>  'fw default drop' => 'Firewallrichtlinie',
>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>  'fw logging' => 'Firewallprotokollierung',
>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>  'fw settings' => 'Firewalleinstellungen',
>>  'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>  'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>> @@ -1644,9 +1649,9 @@
>>  'map to guest' => 'Map to Guest',
>>  'march' => 'März',
>>  'marked' => 'Markiert',
>> -'masquerade blue' => 'NAT auf BLAU',
>> -'masquerade green' => 'NAT auf GRÜN',
>> -'masquerade orange' => 'NAT auf ORANGE',
>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>  'masquerading' => 'Masquerading/NAT',
>>  'masquerading disabled' => 'NAT ausgeschaltet',
>>  'masquerading enabled' => 'NAT eingeschaltet',
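Review bot: the interface colours are hard-coded as hex values inside the translation strings (here and in the 'fw blue', 'fw green' and 'fw logging blue/red' entries above), which puts presentation into the language files and means every translation has to carry the same markup; the CGI already has the `$color{...}` palette (it uses `$color{'color20'}` for the table headers), so the colouring belongs in optionsfw.cgi around a plain string. Minor: `<font color =\'#FF9933\'>` in the ORANGE entry has a space before `=`, unlike the BLUE and GREEN entries.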
>> @@ -1814,6 +1819,8 @@
>>  'november' => 'November',
>>  'ntp common settings' => 'Allgemeine Einstellungen',
>>  'ntp configuration' => 'Zeitserverkonfiguration',
>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>  'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>  'ntp server' => 'NTP-Server',
>>  'ntp sync' => 'Synchronisation',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index 8f7e0c2cf..474612025 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -859,6 +859,8 @@
>>  'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>  'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>  'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>  'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>  'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>  'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>> @@ -1128,9 +1130,12 @@
>>  'from email server' => 'From Email server',
>>  'from email user' => 'From e-mail user',
>>  'from warn email bad' => 'From e-mail address is not valid',
>> -'fw blue' => 'Firewall options for BLUE interface',
>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>  'fw default drop' => 'Firewall policy',
>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>  'fw logging' => 'Firewall logging',
>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>  'fw settings' => 'Firewall settings',
>>  'fw settings color' => 'Show colors in ruletable',
>>  'fw settings dropdown' => 'Show all networks on rulecreation site',
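Review bot: the reworded 'fw blue' changes the original lower-case 'interface' to 'Interface' and the new 'fw green' copies that; the string being replaced reads 'Firewall options for BLUE interface', so keep 'interface' in both for consistency with the rest of the file.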
>> @@ -1672,9 +1677,9 @@
>>  'map to guest' => 'Map to Guest',
>>  'march' => 'March',
>>  'marked' => 'Marked',
>> -'masquerade blue' => 'Masquerade BLUE',
>> -'masquerade green' => 'Masquerade GREEN',
>> -'masquerade orange' => 'Masquerade ORANGE',
>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>  'masquerading' => 'Masquerading',
>>  'masquerading disabled' => 'Masquerading disabled',
>>  'masquerading enabled' => 'Masquerading enabled',
>> @@ -1844,6 +1849,8 @@
>>  'november' => 'November',
>>  'ntp common settings' => 'Common settings',
>>  'ntp configuration' => 'NTP Configuration',
>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>  'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>  'ntp server' => 'NTP Server',
>>  'ntp sync' => 'Synchronization',
>> diff --git a/lfs/configroot b/lfs/configroot
>> index a3e474d70..622793b35 100644
>> --- a/lfs/configroot
>> +++ b/lfs/configroot
>> @@ -129,6 +129,10 @@ $(TARGET) :
>>  	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>  	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>  	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>  	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>  	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>  	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
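Review bot: lfs/configroot only writes these four defaults into a freshly built config root, so systems that receive this change through a core update keep an optionsfw/settings file without them; the init script treats anything other than 'on' as off, which is safe, but the GUI will show neither radio button selected. The update script of the core update that ships this should append the same four `=off` lines.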
>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>> new file mode 100644
>> index 000000000..2eafa9d20
>> --- /dev/null
>> +++ b/src/initscripts/system/dnsntp
>> @@ -0,0 +1,36 @@
>> +#!/bin/sh
>> +########################################################################
>> +# Begin $rc_base/init.d/dnsntp
>> +#
>> +# Description : dnsntp init script for DNS/NTP rules only
>> +#
>> +########################################################################
>> +
>> +# flush chain
>> +iptables -t nat -F DNS_NTP_REDIRECT
>> +
>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> +
>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>> +fi
>> +
>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>> +fi
>> +
>> +# End $rc_base/init.d/dnsntp
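Review bot: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` uses the bash-only `==` under a `#!/bin/sh` shebang; POSIX `test` only defines `=`, so a strict /bin/sh such as dash rejects the comparison and no rule is ever added. Use `=` in all four tests. The interface names are hard-coded as green0/blue0 instead of using the GREEN_DEV/BLUE_DEV variables the firewall script works with ("-i GREEN_DEV" in the next file), so the script breaks on any system where the devices are named differently. The comment over the last block says "DNS REDIRECTs on BLUE (udp, 123)" but the rule is the NTP one. For the point raised in the thread, a `-d <interface address> ... -j RETURN` rule ahead of each REDIRECT would leave requests that are already addressed to the firewall untouched. Finally, the NTP redirect only helps clients if IPFire's own NTP server is enabled ('ntp must be enabled to have clients'); with it off, forced clients simply get no time answer, so the option should be refused or warned about in that case.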
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 65f1c979b..43ae74113 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -169,6 +169,10 @@ iptables_init() {
>>  	# Fix for braindead ISPs
>>  	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>  
>> +	# DNS / NTP REDIRECT
>> +	iptables -t nat -N DNS_NTP_REDIRECT
>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> +
>>  	# CUSTOM chains, can be used by the users themselves
>>  	iptables -N CUSTOMINPUT
>>  	iptables -A INPUT -j CUSTOMINPUT
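Review bot: the jump to DNS_NTP_REDIRECT is appended to nat PREROUTING just before the CUSTOM chains are created, so any user-defined nat rules run after the redirect and cannot exempt a host or port from it; if the intention (per the commit message) is to avoid collisions with custom rules, either append the jump after the CUSTOM chains or document that forced DNS/NTP takes precedence over them. Also, `iptables -t nat -N DNS_NTP_REDIRECT` inside `iptables_init` assumes the chain does not exist yet; that only holds if the nat table's chains are flushed and deleted earlier in this function, which is worth confirming for the reload case.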
>> @@ -281,7 +285,7 @@ iptables_init() {
>>  	iptables -A INPUT -j LOCATIONBLOCK
>>  	iptables -A FORWARD -j LOCATIONBLOCK
>>  
>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>  	iptables -N IPSECINPUT
>>  	iptables -N IPSECFORWARD
>>  	iptables -N IPSECOUTPUT
>> @@ -389,6 +393,9 @@ iptables_init() {
>>  	# run captivectrl
>>  	/usr/local/bin/captivectrl
>>  
>> +	# run dnsntpctrl
>> +	/usr/local/bin/dnsntpctrl
>> +
>>  	# POLICY CHAIN
>>  	iptables -N POLICYIN
>>  	iptables -A INPUT -j POLICYIN
>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> index 7c3ef7529..6f2733ef0 100644
>> --- a/src/misc-progs/Makefile
>> +++ b/src/misc-progs/Makefile
>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>  SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>  	ipsecctrl timectrl dhcpctrl suricatactrl \
>>  	rebuildhosts backupctrl collectdctrl \
>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>  	wirelessctrl getipstat qosctrl \
>>  	redctrl syslogdctrl extrahdctrl sambactrl \
>>  	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>> new file mode 100644
>> index 000000000..f2a3b89e3
>> --- /dev/null
>> +++ b/src/misc-progs/dnsntpctrl.c
>> @@ -0,0 +1,19 @@
>> +/* This file is part of the IPFire Firewall.
>> + *
>> + * This program is distributed under the terms of the GNU General Public
>> + * Licence.  See the file COPYING for details.
>> + *
>> + */
>> +
>> +#include <stdlib.h>
>> +#include "setuid.h"
>> +
>> +int main(void)
>> +{
>> +	if (!(initsetuid()))
>> +		exit(1);
>> +
>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> +
>> +	return 0;
>> +}
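Review bot: `safe_system()` returns the status of the command it ran, but this `main` ignores it and always returns 0, so neither the CGI nor the firewall init can tell whether the rules were applied; return the status instead (`return safe_system(...) ? 1 : 0;`) and let the caller decide whether to discard output rather than redirecting to /dev/null here. On the Flaw/ToDo in the description: since this program already runs as root after `initsetuid()`, the handful of iptables calls could be issued from here with `safe_system()` after reading the settings, which would make the separate init script unnecessary; the two-file layout as posted works, it is just an extra hop.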
>> -- 
>> 2.18.0
>> 
>>
>
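The redirect chain from the quoted init script, rebuilt as an added example that is not part of the patch or of IPFire, with the RETURN for requests already addressed to the firewall that Bernhard's annotation above suggests, and with POSIX `=` in place of the bash-only `==`. The settings values, interface names (green0, blue0) and addresses are constructed for the demonstration; `ipt`, `redirect_rules`, `build_chain`, `count_rules` and `redirect_active` are hypothetical helper names. With DRY_RUN=1 (the default) it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not IPFire code): rebuild the DNS_NTP_REDIRECT chain the
# way the quoted init script does, with two changes discussed in the thread:
#  - a RETURN ahead of each REDIRECT so requests already addressed to the
#    firewall are left alone ("well-behaving" clients), and
#  - POSIX "=" instead of the bash-only "==" in the tests.
# Interface names and addresses come from variables instead of being
# hard-coded; the values below are constructed for the demonstration.

DNS_FORCE_ON_GREEN=on
NTP_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=off
NTP_FORCE_ON_BLUE=on
GREEN_DEV=green0          # constructed sample values
GREEN_ADDRESS=192.168.1.1
BLUE_DEV=blue0
BLUE_ADDRESS=192.168.2.1

# DRY_RUN=1 (the default here) prints each iptables command instead of
# executing it, so the script runs without root or iptables installed.
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# redirect_rules DEV ADDR PROTO PORT
# Packets already sent to the firewall's own address on DEV hit the RETURN
# and are never rewritten; everything else on that port is REDIRECTed to
# the local service, as in the patch.
redirect_rules() {
    ipt -t nat -A DNS_NTP_REDIRECT -i "$1" -d "$2" -p "$3" --dport "$4" -j RETURN
    ipt -t nat -A DNS_NTP_REDIRECT -i "$1" -p "$3" --dport "$4" -j REDIRECT
}

# build_chain: flush the chain and repopulate it from the settings.
build_chain() {
    ipt -t nat -F DNS_NTP_REDIRECT
    if [ "$DNS_FORCE_ON_GREEN" = "on" ]; then
        redirect_rules "$GREEN_DEV" "$GREEN_ADDRESS" udp 53
        redirect_rules "$GREEN_DEV" "$GREEN_ADDRESS" tcp 53
    fi
    if [ "$DNS_FORCE_ON_BLUE" = "on" ]; then
        redirect_rules "$BLUE_DEV" "$BLUE_ADDRESS" udp 53
        redirect_rules "$BLUE_DEV" "$BLUE_ADDRESS" tcp 53
    fi
    if [ "$NTP_FORCE_ON_GREEN" = "on" ]; then
        redirect_rules "$GREEN_DEV" "$GREEN_ADDRESS" udp 123
    fi
    if [ "$NTP_FORCE_ON_BLUE" = "on" ]; then
        redirect_rules "$BLUE_DEV" "$BLUE_ADDRESS" udp 123
    fi
}

# count_rules: number of rules build_chain appends (always a dry run),
# handy for checking that an "off" interface contributes nothing.
count_rules() {
    ( DRY_RUN=1; build_chain ) | grep -c -- '-A DNS_NTP_REDIRECT'
}

# redirect_active DEV PROTO PORT: succeeds when a REDIRECT for that
# interface and port is part of the generated rule set.
redirect_active() {
    ( DRY_RUN=1; build_chain ) | grep -q -- "-i $1 -p $2 --dport $3 -j REDIRECT"
}

build_chain
```

Running it as-is prints the nine iptables commands for the sample settings (one flush, then RETURN/REDIRECT pairs for GREEN DNS over UDP and TCP, GREEN NTP and BLUE NTP, nothing for BLUE DNS which is off); set DRY_RUN=0 to execute them on a system where the chain exists.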
  
Bernhard Bitsch March 6, 2021, 7:47 p.m. UTC | #3
Hi,

> Sent: Friday, 05 March 2021 at 23:49
> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
> Cc: development@lists.ipfire.org
> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>
> Hi,
> 
> On 05.03.2021 21:45, Bernhard Bitsch wrote:
> > Hi,
> > 
> > at a first glance I think, the code implements the ideas of the community discussions.
> 
> Thanks - but unfortunately I'm not quite satisfied with my results yet
> because I didn't manage to merge the init and the ctrl-file in *one* C
> program. The whole is running as I want but... ;-)
> 
> > Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
> 
> -v please. I don't know if I get this (the translation english =>
> german) right.
> If you mean that I asked for some tips and got some, than of course:
> many thanks to everybody!
> 
Sorry if I wasn't specific enough.
I mean the extra rules for requests client-->IPFire:53.
These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.

Best,
Bernhard
> Best,
> Matthias
> 
> > Regards,
> > Bernhard
> > 
> >> Sent: Friday, 05 March 2021 at 20:40
> >> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> >> To: development@lists.ipfire.org
> >> Subject: [PATCH] (V3) Forcing DNS/NTP
> >>
> >> Originally triggered by:
> >> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> >> 
> >> Current discussion:
> >> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> >> 
> >> Summary and functionality:
> >>   These patches are controlled through "Firewall Options". They add new
> >>   firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
> >>   They activate/deactivate appropriate REDIRECT rules through a new ctrl file
> >>   ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> >> 
> >>   Default of all new rules is OFF (set in 'lfs/configroot').
> >>   If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
> >>   servers specified in IPFire. GUI links to DNS and NTP options were added to make
> >>   this more transparent.
> >> 
> >>   Flaw/ToDo:
> >>   To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
> >>   init file, 'dnsntp'. This is actually an unnecessary detour.
> >>   In fact I wanted to merge these two files in *one* C file, but this was beyond my
> >>   capabilities, perhaps "someone" else knows how to program this.
> >> 
> >> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
> >>   The corresponding interface options - including 'Masquerade ...' - are only visible if
> >>   the respective interface actually exists.
> >>   If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
> >>   or logging options for BLUE available (e.g.).
> >>   Added text colors for better readability and links to DNS and NTP GUI.
> >>   Separated logging options per interface.
> >> 
> >> No reboot required:
> >>   Rules can be switched ON/OFF without rebooting IPFire.
> >>   Changes immediately take effect after clicking 'Save'.
> >> 
> >> Changes to '/etc/rc.d/init.d/firewall':
> >>   To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
> >>   chain: DNS_NTP_REDIRECT.
> >>   This chain is flushed by the init file before the desired settings are applied.
> >>   Corrected a 'trafic' typo.
> >> 
> >> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> >> ---
> >>  config/rootfiles/common/aarch64/initscripts  |  1 +
> >>  config/rootfiles/common/armv5tel/initscripts |  1 +
> >>  config/rootfiles/common/i586/initscripts     |  1 +
> >>  config/rootfiles/common/misc-progs           |  1 +
> >>  config/rootfiles/common/x86_64/initscripts   |  1 +
> >>  html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
> >>  langs/de/cgi-bin/de.pl                       | 15 +++-
> >>  langs/en/cgi-bin/en.pl                       | 15 +++-
> >>  lfs/configroot                               |  4 +
> >>  src/initscripts/system/dnsntp                | 36 ++++++++
> >>  src/initscripts/system/firewall              |  9 +-
> >>  src/misc-progs/Makefile                      |  2 +-
> >>  src/misc-progs/dnsntpctrl.c                  | 19 ++++
> >>  13 files changed, 168 insertions(+), 29 deletions(-)
> >>  create mode 100644 src/initscripts/system/dnsntp
> >>  create mode 100644 src/misc-progs/dnsntpctrl.c
> >> 
> >> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
> >> index 800005966..f38a3a294 100644
> >> --- a/config/rootfiles/common/aarch64/initscripts
> >> +++ b/config/rootfiles/common/aarch64/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >>  etc/rc.d/init.d/console
> >>  etc/rc.d/init.d/dhcp
> >>  etc/rc.d/init.d/dhcrelay
> >> +etc/rc.d/init.d/dnsntp
> >>  etc/rc.d/init.d/fcron
> >>  etc/rc.d/init.d/fireinfo
> >>  etc/rc.d/init.d/firewall
> >> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
> >> index 800005966..f38a3a294 100644
> >> --- a/config/rootfiles/common/armv5tel/initscripts
> >> +++ b/config/rootfiles/common/armv5tel/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >>  etc/rc.d/init.d/console
> >>  etc/rc.d/init.d/dhcp
> >>  etc/rc.d/init.d/dhcrelay
> >> +etc/rc.d/init.d/dnsntp
> >>  etc/rc.d/init.d/fcron
> >>  etc/rc.d/init.d/fireinfo
> >>  etc/rc.d/init.d/firewall
> >> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
> >> index 18c5a897a..a3a2b47f7 100644
> >> --- a/config/rootfiles/common/i586/initscripts
> >> +++ b/config/rootfiles/common/i586/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >>  etc/rc.d/init.d/console
> >>  etc/rc.d/init.d/dhcp
> >>  etc/rc.d/init.d/dhcrelay
> >> +etc/rc.d/init.d/dnsntp
> >>  etc/rc.d/init.d/fcron
> >>  etc/rc.d/init.d/fireinfo
> >>  etc/rc.d/init.d/firewall
> >> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> >> index d6594b3f8..4bcb94812 100644
> >> --- a/config/rootfiles/common/misc-progs
> >> +++ b/config/rootfiles/common/misc-progs
> >> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
> >>  usr/local/bin/collectdctrl
> >>  usr/local/bin/ddnsctrl
> >>  usr/local/bin/dhcpctrl
> >> +usr/local/bin/dnsntpctrl
> >>  usr/local/bin/extrahdctrl
> >>  usr/local/bin/fireinfoctrl
> >>  usr/local/bin/firewallctrl
> >> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
> >> index 18c5a897a..a3a2b47f7 100644
> >> --- a/config/rootfiles/common/x86_64/initscripts
> >> +++ b/config/rootfiles/common/x86_64/initscripts
> >> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >>  etc/rc.d/init.d/console
> >>  etc/rc.d/init.d/dhcp
> >>  etc/rc.d/init.d/dhcrelay
> >> +etc/rc.d/init.d/dnsntp
> >>  etc/rc.d/init.d/fcron
> >>  etc/rc.d/init.d/fireinfo
> >>  etc/rc.d/init.d/firewall
> >> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> >> index 321642e82..3fc707e8b 100644
> >> --- a/html/cgi-bin/optionsfw.cgi
> >> +++ b/html/cgi-bin/optionsfw.cgi
> >> @@ -2,7 +2,7 @@
> >>  ###############################################################################
> >>  #                                                                             #
> >>  # IPFire.org - A linux based firewall                                         #
> >> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
> >> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
> >>  #                                                                             #
> >>  # This program is free software: you can redistribute it and/or modify        #
> >>  # it under the terms of the GNU General Public License as published by        #
> >> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> >>  		$errormessage .= $Lang::tr{'new optionsfw later'};
> >>  		&General::writehash($filename, \%settings);             # Save good settings
> >>  		system("/usr/local/bin/firewallctrl");
> >> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> >>  	}else{
> >>  		if ($settings{'POLICY'} ne ''){
> >>  			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
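Review bot: the exit status of `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` is discarded and its output is sent to /dev/null, so a failure to apply the redirect rules is silent while the page reports a successful save; check the return value of system() and append to $errormessage on failure. The same `>/dev/null 2>&1` is applied again inside dnsntpctrl.c, so one of the two redirections is redundant and hides diagnostics twice.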
> >> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> >>  		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> >>  		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> >>  		system("/usr/local/bin/firewallctrl");
> >> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> >>  	}
> >>  	&General::readhash($filename, \%settings);             # Load good settings
> >>  }
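Review bot: this is the second identical `firewallctrl`/`dnsntpctrl` call pair in the save path; a small helper sub, or a single call placed after the if/else, would keep the two branches from drifting apart.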
> >> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
> >>  $selected{'MASQUERADE_BLUE'}{'off'} = '';
> >>  $selected{'MASQUERADE_BLUE'}{'on'} = '';
> >>  $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> >> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> >> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> >> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> >> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> >> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> >> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> >> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> >> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> >> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> >> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> >> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> >> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
> >>  
> >>  &Header::openbox('100%', 'center',);
> >>  print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
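Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}}` is evaluated even when the key is absent from the settings file, which sets `$checked{...}{''}` and leaves neither radio button checked (and emits an uninitialized-value warning); default each of the four new keys to 'off' before building %checked, since nothing in this patch writes them into an existing settings file.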
> >> @@ -189,13 +203,44 @@ END
> >>  END
> >>  	}
> >>  
> >> -	print <<END
> >> +print <<END;
> >> +	<table width='95%' cellspacing='0'>
> >> +		<tr bgcolor='$color{'color20'}'></tr>
> >> +		<tr> </tr>
> >> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> >> +		</tr>
> >> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> >> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> >> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> +END
> >> +
> >> +	if (&Header::blue_used()) {
> >> +		print <<END;
> >> +		<table width='95%' cellspacing='0'>
> >> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> >> +		<tr> </tr>
> >> +			<tr>
> >> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> >> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> >> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> >> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> >> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> +			</td>
> >> +			</tr>
> >> +END
> >> +	}
> >> +
> >> +	print <<END;
> >>  	</table>
> >>  
> >> -	<br>
> >> +	<br />
> >>  
> >> -<table width='95%' cellspacing='0'>
> >> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> >> +		<table width='95%' cellspacing='0'>
> >> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
> >>  <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
> >>  																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>  <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
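Review bot: the HTML emitted for the GREEN block is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr> </tr>` is another, and the heading cell `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` followed by `</tr>` sits outside any open row. Use the same form as the BLUE heading, `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`. In the BLUE block the bare `<tr>` after `<tr> </tr>` is never closed and the trailing `</td>` / `</tr>` close nothing. Both blocks also open a `<table width='95%' cellspacing='0'>`, but only one `</table>` follows in the next print, so whenever BLUE is present the GREEN table is left unclosed; close it before opening the BLUE table, as the logging section below does.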
> >> @@ -206,21 +251,30 @@ END
> >>  																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>  <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
> >>  																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> >> +END
> >> +
> >> +	if (&Header::blue_used()) {
> >> +		print <<END;
> >> +	</table>
> >> +
> >> +	<br />
> >> +
> >> +		<table width='95%' cellspacing='0'>
> >> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> >> +			<tr>
> >> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> >>  																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> >> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> >>  																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -</table>
> >> -<br/>
> >> +			</tr>
> >> +END
> >> +	}
> >> +
> >> +	print <<END;
> >> +	</table>
> >> +
> >> +	<br />
> >>  
> >> -<table width='95%' cellspacing='0'>
> >> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> >> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> >> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> -</table>
> >> -<br>
> >>  <table width='95%' cellspacing='0'>
> >>  <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
> >>  <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
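Review bot: in the BLUE logging block the bare `<tr>` before the DROPWIRELESSINPUT row opens a row that is never closed, and the `</tr>` at the end of the block closes nothing; remove both. Separately, the table above is now headed `fw logging red` although it still carries DROPNEWNOTSYN, DROPINPUT, DROPOUTGOING and DROPPORTSCAN; confirm those options are in fact RED-specific before labelling the table RED.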
> >> @@ -252,7 +306,7 @@ END
> >>  
> >>  <br />
> >>  <table width='100%' cellspacing='0'>
> >> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >>  <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> >>  </form></td></tr>
> >>  </table>
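Review bot: changing the Save button from `align='right'` to `align='center'` is an unrelated cosmetic change that the commit message does not mention; split it into its own patch so the DNS/NTP change stays reviewable on its own.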
> >> @@ -278,7 +332,7 @@ print <<END;
> >>  	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
> >>  END
> >>  	print "</tr></table></form>";
> >> -	print"<br><br>";
> >> +	print"<br /><br />";
> >>  	print <<END;
> >>  	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >>  	<table width='100%' border='0'>
> >> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> >> index 6a8133807..d6bb234fa 100644
> >> --- a/langs/de/cgi-bin/de.pl
> >> +++ b/langs/de/cgi-bin/de.pl
> >> @@ -836,6 +836,8 @@
> >>  'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
> >>  'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
> >>  'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> >> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
> >> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
> >>  'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
> >>  'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
> >>  'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> >> @@ -1102,9 +1104,12 @@
> >>  'from email server' => 'Von E-Mail-Server',
> >>  'from email user' => 'Von E-Mail-Benutzer',
> >>  'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> >> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> >> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
> >>  'fw default drop' => 'Firewallrichtlinie',
> >> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
> >>  'fw logging' => 'Firewallprotokollierung',
> >> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> >> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
> >>  'fw settings' => 'Firewalleinstellungen',
> >>  'fw settings color' => 'Farben in Regeltabelle anzeigen',
> >>  'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
> >> @@ -1644,9 +1649,9 @@
> >>  'map to guest' => 'Map to Guest',
> >>  'march' => 'März',
> >>  'marked' => 'Markiert',
> >> -'masquerade blue' => 'NAT auf BLAU',
> >> -'masquerade green' => 'NAT auf GRÜN',
> >> -'masquerade orange' => 'NAT auf ORANGE',
> >> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> >> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> >> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
> >>  'masquerading' => 'Masquerading/NAT',
> >>  'masquerading disabled' => 'NAT ausgeschaltet',
> >>  'masquerading enabled' => 'NAT eingeschaltet',
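Review bot: `'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>'` has a stray space in `color =` that its two siblings and the en.pl counterpart do not; make the three strings consistent. More generally, these strings now carry presentation markup (`<font>`, `<b>`) inside the translation table, which the original `'NAT auf BLAU'` did not; a CSS class applied in optionsfw.cgi would keep colour out of every language file.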
> >> @@ -1814,6 +1819,8 @@
> >>  'november' => 'November',
> >>  'ntp common settings' => 'Allgemeine Einstellungen',
> >>  'ntp configuration' => 'Zeitserverkonfiguration',
> >> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
> >> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
> >>  'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
> >>  'ntp server' => 'NTP-Server',
> >>  'ntp sync' => 'Synchronisation',
> >> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> >> index 8f7e0c2cf..474612025 100644
> >> --- a/langs/en/cgi-bin/en.pl
> >> +++ b/langs/en/cgi-bin/en.pl
> >> @@ -859,6 +859,8 @@
> >>  'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
> >>  'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
> >>  'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> >> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
> >> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
> >>  'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
> >>  'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
> >>  'dns header' => 'Assign DNS server addresses only for DHCP on red0',
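Review bot: "Force DNS to use local DNS servers on BLUE" is redundant and does not match the German `'Erzwinge lokale DNS-Server auf BLAU'`; "Force DNS requests to <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE" says the same thing once, and the two `ntp force on ...` strings below have the same wording issue.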
> >> @@ -1128,9 +1130,12 @@
> >>  'from email server' => 'From Email server',
> >>  'from email user' => 'From e-mail user',
> >>  'from warn email bad' => 'From e-mail address is not valid',
> >> -'fw blue' => 'Firewall options for BLUE interface',
> >> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
> >>  'fw default drop' => 'Firewall policy',
> >> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
> >>  'fw logging' => 'Firewall logging',
> >> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> >> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
> >>  'fw settings' => 'Firewall settings',
> >>  'fw settings color' => 'Show colors in ruletable',
> >>  'fw settings dropdown' => 'Show all networks on rulecreation site',
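Review bot: `'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface'` capitalises "Interface" mid-sentence where the replaced string had "BLUE interface"; keep the lower-case form here and in the new `'fw green'` string.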
> >> @@ -1672,9 +1677,9 @@
> >>  'map to guest' => 'Map to Guest',
> >>  'march' => 'March',
> >>  'marked' => 'Marked',
> >> -'masquerade blue' => 'Masquerade BLUE',
> >> -'masquerade green' => 'Masquerade GREEN',
> >> -'masquerade orange' => 'Masquerade ORANGE',
> >> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> >> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> >> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
> >>  'masquerading' => 'Masquerading',
> >>  'masquerading disabled' => 'Masquerading disabled',
> >>  'masquerading enabled' => 'Masquerading enabled',
> >> @@ -1844,6 +1849,8 @@
> >>  'november' => 'November',
> >>  'ntp common settings' => 'Common settings',
> >>  'ntp configuration' => 'NTP Configuration',
> >> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
> >> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
> >>  'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
> >>  'ntp server' => 'NTP Server',
> >>  'ntp sync' => 'Synchronization',
> >> diff --git a/lfs/configroot b/lfs/configroot
> >> index a3e474d70..622793b35 100644
> >> --- a/lfs/configroot
> >> +++ b/lfs/configroot
> >> @@ -129,6 +129,10 @@ $(TARGET) :
> >>  	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>  	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>  	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>  	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> >>  	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> >>  	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
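Review bot: the keys written here are `DNS_FORCE_ON_GREEN`, `DNS_FORCE_ON_BLUE`, `NTP_FORCE_ON_GREEN` and `NTP_FORCE_ON_BLUE`, while the commit message describes them as `[DNS/NTP]_FORCED_ON_[INTERFACE]`; align the description with the code. These defaults only reach a freshly built config root; on an existing installation the keys are simply absent, which the init script tolerates (an unset variable never equals "on") but the GUI does not (see the %checked note above).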
> >> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> >> new file mode 100644
> >> index 000000000..2eafa9d20
> >> --- /dev/null
> >> +++ b/src/initscripts/system/dnsntp
> >> @@ -0,0 +1,36 @@
> >> +#!/bin/sh
> >> +########################################################################
> >> +# Begin $rc_base/init.d/dnsntp
> >> +#
> >> +# Description : dnsntp init script for DNS/NTP rules only
> >> +#
> >> +########################################################################
> >> +
> >> +# flush chain
> >> +iptables -t nat -F DNS_NTP_REDIRECT
> >> +
> >> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> >> +
> >> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> >> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> >> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> >> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> >> +fi
> >> +
> >> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> >> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> >> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> >> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> >> +fi
> >> +
> >> +# Force NTP REDIRECTs on GREEN (udp, 123)
> >> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> >> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
> >> +fi
> >> +
> >> +# Force DNS REDIRECTs on BLUE (udp, 123)
> >> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> >> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> >> +fi
> >> +
> >> +# End $rc_base/init.d/dnsntp
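Review bot: the four tests use `==` inside `[ ]` under `#!/bin/sh`; POSIX test only defines `=`, so use `[ "$DNS_FORCE_ON_GREEN" = "on" ]` to stay portable. The interface names `green0` and `blue0` are hard-coded although `/var/ipfire/ethernet/settings` provides them (the firewall script itself refers to GREEN_DEV); source that file with a second `eval $(/usr/local/bin/readhash ...)` and use the variables. As raised in the thread, requests already addressed to the firewall should be exempted with a RETURN rule (`-d ${GREEN_ADDRESS} ... -j RETURN`) inserted before each REDIRECT rule, so that well-behaving clients are not NATed. The comment `# Force DNS REDIRECTs on BLUE (udp, 123)` should read NTP. Finally, the file lives in init.d but ignores its start/stop argument; either honour it or document that it is a plain reload script.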
> >> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> >> index 65f1c979b..43ae74113 100644
> >> --- a/src/initscripts/system/firewall
> >> +++ b/src/initscripts/system/firewall
> >> @@ -169,6 +169,10 @@ iptables_init() {
> >>  	# Fix for braindead ISPs
> >>  	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >>  
> >> +	# DNS / NTP REDIRECT
> >> +	iptables -t nat -N DNS_NTP_REDIRECT
> >> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> >> +
> >>  	# CUSTOM chains, can be used by the users themselves
> >>  	iptables -N CUSTOMINPUT
> >>  	iptables -A INPUT -j CUSTOMINPUT
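Review bot: the jump `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended at this point of iptables_init, ahead of anything appended to nat PREROUTING later, so the redirect takes precedence over every later nat PREROUTING rule; add a comment stating that this precedence is intended, because the commit message only says the separate chain is there to avoid collisions with CUSTOM rules.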
> >> @@ -281,7 +285,7 @@ iptables_init() {
> >>  	iptables -A INPUT -j LOCATIONBLOCK
> >>  	iptables -A FORWARD -j LOCATIONBLOCK
> >>  
> >> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> >> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> >>  	iptables -N IPSECINPUT
> >>  	iptables -N IPSECFORWARD
> >>  	iptables -N IPSECOUTPUT
> >> @@ -389,6 +393,9 @@ iptables_init() {
> >>  	# run captivectrl
> >>  	/usr/local/bin/captivectrl
> >>  
> >> +	# run dnsntpctrl
> >> +	/usr/local/bin/dnsntpctrl
> >> +
> >>  	# POLICY CHAIN
> >>  	iptables -N POLICYIN
> >>  	iptables -A INPUT -j POLICYIN
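Review bot: the firewall init script already runs as root, so going through the setuid wrapper `/usr/local/bin/dnsntpctrl` here is the detour the commit message itself calls unnecessary; call `/etc/rc.d/init.d/dnsntp` directly at this point and keep the wrapper only for the CGI, which is the one caller that needs privilege escalation.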
> >> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> >> index 7c3ef7529..6f2733ef0 100644
> >> --- a/src/misc-progs/Makefile
> >> +++ b/src/misc-progs/Makefile
> >> @@ -26,7 +26,7 @@ PROGS = iowrap
> >>  SUID_PROGS = squidctrl sshctrl ipfirereboot \
> >>  	ipsecctrl timectrl dhcpctrl suricatactrl \
> >>  	rebuildhosts backupctrl collectdctrl \
> >> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
> >> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
> >>  	wirelessctrl getipstat qosctrl \
> >>  	redctrl syslogdctrl extrahdctrl sambactrl \
> >>  	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> >> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> >> new file mode 100644
> >> index 000000000..f2a3b89e3
> >> --- /dev/null
> >> +++ b/src/misc-progs/dnsntpctrl.c
> >> @@ -0,0 +1,19 @@
> >> +/* This file is part of the IPFire Firewall.
> >> + *
> >> + * This program is distributed under the terms of the GNU General Public
> >> + * Licence.  See the file COPYING for details.
> >> + *
> >> + */
> >> +
> >> +#include <stdlib.h>
> >> +#include "setuid.h"
> >> +
> >> +int main(void)
> >> +{
> >> +	if (!(initsetuid()))
> >> +		exit(1);
> >> +
> >> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> >> +
> >> +	return 0;
> >> +}
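Review bot: the result of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1")` is ignored and main() always returns 0, so the CGI cannot tell whether the rules were applied; return the status from safe_system() instead. The `>/dev/null 2>&1` duplicates the redirection already done by the caller in optionsfw.cgi; drop it here so that a failure is at least visible when the program is run by hand.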
> >> -- 
> >> 2.18.0
> >> 
> >>
> > 
> 
>
  
Bernhard Bitsch March 6, 2021, 9:15 p.m. UTC | #4
For forcing DNS we generate ( for example )
	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
To filter allowed DNS requests there is a rule
	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
To get ${GREEN_ADDRESS} dnsntp needs an additional
        eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.

Hope this makes it clear enough.

Best,
Bernhard
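
The chain layout described in the reply above, as an added example that is not part of the IPFire patch or the project's code: a dry-run generator for the DNS_NTP_REDIRECT chain that emits a RETURN rule for requests already addressed to the firewall before each REDIRECT rule, reads its switches from variables in the style of readhash, and uses `$GREEN_DEV` / `$GREEN_ADDRESS` instead of hard-coded interface names. The values of the settings variables, the addresses and the names `BLUE_DEV` / `BLUE_ADDRESS` are constructed for the example; `IPTABLES` defaults to `echo iptables` so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not IPFire code): generate the DNS_NTP_REDIRECT chain with
# RETURN-before-REDIRECT ordering. All settings below are constructed stand-ins
# for /var/ipfire/optionsfw/settings and /var/ipfire/ethernet/settings, which
# the real init script would load with: eval $(/usr/local/bin/readhash FILE)
DNS_FORCE_ON_GREEN=on
NTP_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=on
NTP_FORCE_ON_BLUE=off
GREEN_DEV=green0
GREEN_ADDRESS=192.168.1.1      # constructed
BLUE_DEV=blue0                 # assumed variable name, constructed value
BLUE_ADDRESS=192.168.2.1       # assumed variable name, constructed value

# Dry run by default: print the iptables commands instead of executing them.
# Set IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# emit_redirect IFACE ADDR PROTO PORT
# A request that already targets the firewall address is a well-behaving
# client: let it pass with RETURN. Everything else on that interface and
# port is REDIRECTed to the firewall's own resolver / time server.
emit_redirect() {
    iface=$1 addr=$2 proto=$3 port=$4
    $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$iface" -d "$addr" -p "$proto" -m "$proto" --dport "$port" -j RETURN
    $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$iface" -p "$proto" -m "$proto" --dport "$port" -j REDIRECT
}

# emit_zone IFACE ADDR DNS_SWITCH NTP_SWITCH
emit_zone() {
    iface=$1 addr=$2 dns=$3 ntp=$4
    # POSIX sh: a single '=' inside [ ], not '=='
    if [ "$dns" = "on" ]; then
        emit_redirect "$iface" "$addr" udp 53
        emit_redirect "$iface" "$addr" tcp 53
    fi
    if [ "$ntp" = "on" ]; then
        emit_redirect "$iface" "$addr" udp 123
    fi
}

# Flush the chain, then rebuild it from the current switches.
build_dnsntp_rules() {
    $IPTABLES -t nat -F DNS_NTP_REDIRECT
    emit_zone "$GREEN_DEV" "$GREEN_ADDRESS" "$DNS_FORCE_ON_GREEN" "$NTP_FORCE_ON_GREEN"
    # Only emit BLUE rules when a BLUE interface is configured at all.
    if [ -n "$BLUE_DEV" ]; then
        emit_zone "$BLUE_DEV" "$BLUE_ADDRESS" "$DNS_FORCE_ON_BLUE" "$NTP_FORCE_ON_BLUE"
    fi
}

# count_target TARGET: number of generated rules with the given -j target
count_target() {
    build_dnsntp_rules | grep -c -- "-j $1"
}

build_dnsntp_rules
```

With the constructed switches the script prints eleven lines: the flush, then for GREEN three RETURN/REDIRECT pairs (UDP 53, TCP 53, UDP 123) and for BLUE two pairs (DNS only). The RETURN rule always immediately precedes its REDIRECT twin, so the only packets that reach REDIRECT are those not already addressed to the firewall.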

> Sent: Saturday, 06 March 2021 at 21:51
> From: "Jon Murphy" <jcmurphy26@gmail.com>
> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
>
> > I mean the extra rules for requests client-->IPFire:53.
> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
> 
> How do we determine if a 'well-behaving' client is being redirected?  Or how do we measure performance?
> 
> When I tried to measure DNS "speed" in the past, the cache gets in there and makes every look like 38 to 44 ms.
> 
> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch <Bernhard.Bitsch@gmx.de> wrote:
> > 
> > Hi,
> > 
> >> Sent: Friday, 05 March 2021 at 23:49
> >> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> >> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
> >> Cc: development@lists.ipfire.org
> >> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
> >> 
> >> Hi,
> >> 
> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
> >>> Hi,
> >>> 
> >>> at first glance I think the code implements the ideas of the community discussions.
> >> 
> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
> >> because I didn't manage to merge the init and the ctrl-file in *one* C
> >> program. The whole is running as I want but... ;-)
> >> 
> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
> >> 
> >> -v please. I don't know if I get this (the translation English =>
> >> German) right.
> >> If you mean that I asked for some tips and got some, then of course:
> >> many thanks to everybody!
> >> 
> > Sorry if I wasn't specific enough.
> > I mean the extra rules for requests client-->IPFire:53.
> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
> > 
> > Best,
> > Bernhard
> >> Best,
> >> Matthias
> >> 
> >>> Regards,
> >>> Bernhard
> >>> 
> >>>> Sent: Friday, 05 March 2021 at 20:40
> >>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> >>>> To: development@lists.ipfire.org
> >>>> Subject: [PATCH] (V3) Forcing DNS/NTP
> >>>> 
> >>>> Originally triggered by:
> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> >>>> 
> >>>> Current discussion:
> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> >>>> 
> >>>> Summary and functionality:
> >>>>  These patches are controlled through "Firewall Options". They add new
> >>>>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
> >>>>  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
> >>>>  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> >>>> 
> >>>>  Default of all new rules is OFF (set in 'lfs/configroot').
> >>>>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
> >>>>  servers specified in IPFire. GUI links to DNS and NTP options were added to make
> >>>>  this more transparent.
> >>>> 
> >>>>  Flaw/ToDo:
> >>>>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
> >>>>  init file, 'dnsntp'. This is actually an unnecessary detour.
> >>>>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
> >>>>  capabilities, perhaps "someone" else knows how to program this.
> >>>> 
> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
> >>>>  The corresponding interface options - including 'Masquerade ...' - are only visible if
> >>>>  the respective interface actually exists.
> >>>>  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
> >>>>  or logging options for BLUE available (e.g.).
> >>>>  Added text colors for better readability and links to DNS and NTP GUI.
> >>>>  Separated logging options per interface.
> >>>> 
> >>>> No reboot required:
> >>>>  Rules can be switched ON/OFF without rebooting IPFire.
> >>>>  Changes immediately take effect after clicking 'Save'.
> >>>> 
> >>>> Changes to '/etc/rc.d/init.d/firewall':
> >>>>  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
> >>>>  chain: DNS_NTP_REDIRECT.
> >>>>  This chain is flushed by the init file before the desired settings are applied.
> >>>>  Corrected a 'trafic' typo.
> >>>> 
> >>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> >>>> ---
> >>>> config/rootfiles/common/aarch64/initscripts  |  1 +
> >>>> config/rootfiles/common/armv5tel/initscripts |  1 +
> >>>> config/rootfiles/common/i586/initscripts     |  1 +
> >>>> config/rootfiles/common/misc-progs           |  1 +
> >>>> config/rootfiles/common/x86_64/initscripts   |  1 +
> >>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
> >>>> langs/de/cgi-bin/de.pl                       | 15 +++-
> >>>> langs/en/cgi-bin/en.pl                       | 15 +++-
> >>>> lfs/configroot                               |  4 +
> >>>> src/initscripts/system/dnsntp                | 36 ++++++++
> >>>> src/initscripts/system/firewall              |  9 +-
> >>>> src/misc-progs/Makefile                      |  2 +-
> >>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
> >>>> 13 files changed, 168 insertions(+), 29 deletions(-)
> >>>> create mode 100644 src/initscripts/system/dnsntp
> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c
> >>>> 
> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
> >>>> index 800005966..f38a3a294 100644
> >>>> --- a/config/rootfiles/common/aarch64/initscripts
> >>>> +++ b/config/rootfiles/common/aarch64/initscripts
> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >>>> etc/rc.d/init.d/console
> >>>> etc/rc.d/init.d/dhcp
> >>>> etc/rc.d/init.d/dhcrelay
> >>>> +etc/rc.d/init.d/dnsntp
> >>>> etc/rc.d/init.d/fcron
> >>>> etc/rc.d/init.d/fireinfo
> >>>> etc/rc.d/init.d/firewall
> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
> >>>> index 800005966..f38a3a294 100644
> >>>> --- a/config/rootfiles/common/armv5tel/initscripts
> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts
> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >>>> etc/rc.d/init.d/console
> >>>> etc/rc.d/init.d/dhcp
> >>>> etc/rc.d/init.d/dhcrelay
> >>>> +etc/rc.d/init.d/dnsntp
> >>>> etc/rc.d/init.d/fcron
> >>>> etc/rc.d/init.d/fireinfo
> >>>> etc/rc.d/init.d/firewall
> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
> >>>> index 18c5a897a..a3a2b47f7 100644
> >>>> --- a/config/rootfiles/common/i586/initscripts
> >>>> +++ b/config/rootfiles/common/i586/initscripts
> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >>>> etc/rc.d/init.d/console
> >>>> etc/rc.d/init.d/dhcp
> >>>> etc/rc.d/init.d/dhcrelay
> >>>> +etc/rc.d/init.d/dnsntp
> >>>> etc/rc.d/init.d/fcron
> >>>> etc/rc.d/init.d/fireinfo
> >>>> etc/rc.d/init.d/firewall
> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> >>>> index d6594b3f8..4bcb94812 100644
> >>>> --- a/config/rootfiles/common/misc-progs
> >>>> +++ b/config/rootfiles/common/misc-progs
> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
> >>>> usr/local/bin/collectdctrl
> >>>> usr/local/bin/ddnsctrl
> >>>> usr/local/bin/dhcpctrl
> >>>> +usr/local/bin/dnsntpctrl
> >>>> usr/local/bin/extrahdctrl
> >>>> usr/local/bin/fireinfoctrl
> >>>> usr/local/bin/firewallctrl
> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
> >>>> index 18c5a897a..a3a2b47f7 100644
> >>>> --- a/config/rootfiles/common/x86_64/initscripts
> >>>> +++ b/config/rootfiles/common/x86_64/initscripts
> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >>>> etc/rc.d/init.d/console
> >>>> etc/rc.d/init.d/dhcp
> >>>> etc/rc.d/init.d/dhcrelay
> >>>> +etc/rc.d/init.d/dnsntp
> >>>> etc/rc.d/init.d/fcron
> >>>> etc/rc.d/init.d/fireinfo
> >>>> etc/rc.d/init.d/firewall
> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> >>>> index 321642e82..3fc707e8b 100644
> >>>> --- a/html/cgi-bin/optionsfw.cgi
> >>>> +++ b/html/cgi-bin/optionsfw.cgi
> >>>> @@ -2,7 +2,7 @@
> >>>> ###############################################################################
> >>>> #                                                                             #
> >>>> # IPFire.org - A linux based firewall                                         #
> >>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
> >>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
> >>>> #                                                                             #
> >>>> # This program is free software: you can redistribute it and/or modify        #
> >>>> # it under the terms of the GNU General Public License as published by        #
> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> >>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
> >>>> 		&General::writehash($filename, \%settings);             # Save good settings
> >>>> 		system("/usr/local/bin/firewallctrl");
> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> >>>> 	}else{
> >>>> 		if ($settings{'POLICY'} ne ''){
> >>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
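Review bot: `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` discards both the wrapper's output and its return value, so if the init script fails (for instance because the DNS_NTP_REDIRECT chain does not exist yet on a system whose firewall init script has not been restarted) the user who just clicked Save gets no indication. Capture the status and surface it through `$errormessage`, which this branch already builds, e.g. `$errormessage .= "dnsntpctrl failed" if system("/usr/local/bin/dnsntpctrl") != 0;`.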
> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> >>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> >>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> >>>> 		system("/usr/local/bin/firewallctrl");
> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> >>>> 	}
> >>>> 	&General::readhash($filename, \%settings);             # Load good settings
> >>>> }
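Review bot: the new `system("/usr/local/bin/dnsntpctrl ...")` line is now duplicated in both branches of the if/else, next to the already duplicated firewallctrl call. Since `&General::readhash($filename, \%settings)` runs after the if/else for both paths, the two ctrl calls could be hoisted there too, so a later change (such as checking the exit status) has to be made only once.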
> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
> >>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
> >>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
> >>>> 
> >>>> &Header::openbox('100%', 'center',);
> >>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
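Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}}` (and its three sibling lines) index the hash with a value that is undefined on any installation whose optionsfw/settings file predates these keys; then neither radio button is checked and the form submits no value for that option. Default the four settings to 'off' before this block (e.g. `$settings{'DNS_FORCE_ON_GREEN'} ||= 'off';`) so the form always shows a definite state. Minor: the new lines use `"checked='checked'"` while the neighbouring MASQUERADE lines use `'selected="selected"'`; either works, but keep one quoting style.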
> >>>> @@ -189,13 +203,44 @@ END
> >>>> END
> >>>> 	}
> >>>> 
> >>>> -	print <<END
> >>>> +print <<END;
> >>>> +	<table width='95%' cellspacing='0'>
> >>>> +		<tr bgcolor='$color{'color20'}'></tr>
> >>>> +		<tr> </tr>
> >>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> >>>> +		</tr>
> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> >>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> >>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> +END
> >>>> +
> >>>> +	if (&Header::blue_used()) {
> >>>> +		print <<END;
> >>>> +		<table width='95%' cellspacing='0'>
> >>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> >>>> +		<tr> </tr>
> >>>> +			<tr>
> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> >>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> >>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> >>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> >>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> +			</td>
> >>>> +			</tr>
> >>>> +END
> >>>> +	}
> >>>> +
> >>>> +	print <<END;
> >>>> 	</table>
> >>>> 
> >>>> -	<br>
> >>>> +	<br />
> >>>> 
> >>>> -<table width='95%' cellspacing='0'>
> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> >>>> +		<table width='95%' cellspacing='0'>
> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
> >>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
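Review bot: the GREEN header is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty coloured row, `<tr> </tr>` another empty row, and the `<td colspan='2' ...><b>$Lang::tr{'fw green'}</b></td>` that follows sits outside any `<tr>` before a stray `</tr>`. Use the one-line header the BLUE block already uses: `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`. In the BLUE block a second `<table width='95%' cellspacing='0'>` is opened while the GREEN table is still open, yet only one `</table>` is printed afterwards, so with BLUE enabled one table is never closed; either drop the inner `<table>` or close the GREEN table first. The bare `<tr>` after `<tr> </tr>` and the trailing `</td></tr>` in the BLUE block are likewise unbalanced.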
> >>>> @@ -206,21 +251,30 @@ END
> >>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
> >>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> >>>> +END
> >>>> +
> >>>> +	if (&Header::blue_used()) {
> >>>> +		print <<END;
> >>>> +	</table>
> >>>> +
> >>>> +	<br />
> >>>> +
> >>>> +		<table width='95%' cellspacing='0'>
> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> >>>> +			<tr>
> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> >>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> >>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> -</table>
> >>>> -<br/>
> >>>> +			</tr>
> >>>> +END
> >>>> +	}
> >>>> +
> >>>> +	print <<END;
> >>>> +	</table>
> >>>> +
> >>>> +	<br />
> >>>> 
> >>>> -<table width='95%' cellspacing='0'>
> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> >>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> >>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >>>> -</table>
> >>>> -<br>
> >>>> <table width='95%' cellspacing='0'>
> >>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
> >>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
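Review bot: in the BLUE logging block the bare `<tr>` before the DROPWIRELESSINPUT row and the matching `</tr>` after the DROPWIRELESSFORWARD row wrap two complete rows in a third, nested `<tr>`; drop both so the table stays well-formed. The rest of the restructuring (closing the RED logging table and opening a BLUE one only when `&Header::blue_used()` is true, with a single `</table>` afterwards in both cases) balances correctly.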
> >>>> @@ -252,7 +306,7 @@ END
> >>>> 
> >>>> <br />
> >>>> <table width='100%' cellspacing='0'>
> >>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> >>>> </form></td></tr>
> >>>> </table>
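Review bot: changing the Save button from `align='right'` to `align='center'`, like the `<br>` to `<br />` replacements in the next hunk, is unrelated to forcing DNS/NTP; keep such cosmetic changes in a separate patch so this one stays reviewable and revertable on its own.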
> >>>> @@ -278,7 +332,7 @@ print <<END;
> >>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
> >>>> END
> >>>> 	print "</tr></table></form>";
> >>>> -	print"<br><br>";
> >>>> +	print"<br /><br />";
> >>>> 	print <<END;
> >>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >>>> 	<table width='100%' border='0'>
> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> >>>> index 6a8133807..d6bb234fa 100644
> >>>> --- a/langs/de/cgi-bin/de.pl
> >>>> +++ b/langs/de/cgi-bin/de.pl
> >>>> @@ -836,6 +836,8 @@
> >>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
> >>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
> >>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> >>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
> >>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
> >>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
> >>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> >>>> @@ -1102,9 +1104,12 @@
> >>>> 'from email server' => 'Von E-Mail-Server',
> >>>> 'from email user' => 'Von E-Mail-Benutzer',
> >>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> >>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> >>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
> >>>> 'fw default drop' => 'Firewallrichtlinie',
> >>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
> >>>> 'fw logging' => 'Firewallprotokollierung',
> >>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> >>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
> >>>> 'fw settings' => 'Firewalleinstellungen',
> >>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
> >>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
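Review bot: with optionsfw.cgi now printing 'fw logging red' and 'fw logging blue', the existing 'fw logging' key loses its visible caller; if nothing else references it, remove it from both language files in the same patch. Also, embedding `<font color=...>` in translation strings puts presentation into every language file (and `<font>` is obsolete HTML); a CSS class or `<span>` applied in the cgi would keep the strings plain text.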
> >>>> @@ -1644,9 +1649,9 @@
> >>>> 'map to guest' => 'Map to Guest',
> >>>> 'march' => 'März',
> >>>> 'marked' => 'Markiert',
> >>>> -'masquerade blue' => 'NAT auf BLAU',
> >>>> -'masquerade green' => 'NAT auf GRÜN',
> >>>> -'masquerade orange' => 'NAT auf ORANGE',
> >>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> >>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> >>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
> >>>> 'masquerading' => 'Masquerading/NAT',
> >>>> 'masquerading disabled' => 'NAT ausgeschaltet',
> >>>> 'masquerading enabled' => 'NAT eingeschaltet',
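Review bot: `<font color =\'#FF9933\'>` in 'masquerade orange' has a space before `=` that the en.pl counterpart does not; browsers tolerate it, but align the two strings.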
> >>>> @@ -1814,6 +1819,8 @@
> >>>> 'november' => 'November',
> >>>> 'ntp common settings' => 'Allgemeine Einstellungen',
> >>>> 'ntp configuration' => 'Zeitserverkonfiguration',
> >>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
> >>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
> >>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
> >>>> 'ntp server' => 'NTP-Server',
> >>>> 'ntp sync' => 'Synchronisation',
> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> >>>> index 8f7e0c2cf..474612025 100644
> >>>> --- a/langs/en/cgi-bin/en.pl
> >>>> +++ b/langs/en/cgi-bin/en.pl
> >>>> @@ -859,6 +859,8 @@
> >>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
> >>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
> >>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> >>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
> >>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
> >>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
> >>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
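Review bot: 'Force DNS to use local DNS servers on GREEN' reads as if the DNS server itself is being forced; the German string says the local DNS servers are enforced on GREEN. Something like 'Force clients on GREEN to use the local DNS servers' (and the same pattern for BLUE and for the two NTP keys) states what the option actually does.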
> >>>> @@ -1128,9 +1130,12 @@
> >>>> 'from email server' => 'From Email server',
> >>>> 'from email user' => 'From e-mail user',
> >>>> 'from warn email bad' => 'From e-mail address is not valid',
> >>>> -'fw blue' => 'Firewall options for BLUE interface',
> >>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
> >>>> 'fw default drop' => 'Firewall policy',
> >>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
> >>>> 'fw logging' => 'Firewall logging',
> >>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> >>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
> >>>> 'fw settings' => 'Firewall settings',
> >>>> 'fw settings color' => 'Show colors in ruletable',
> >>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
> >>>> @@ -1672,9 +1677,9 @@
> >>>> 'map to guest' => 'Map to Guest',
> >>>> 'march' => 'March',
> >>>> 'marked' => 'Marked',
> >>>> -'masquerade blue' => 'Masquerade BLUE',
> >>>> -'masquerade green' => 'Masquerade GREEN',
> >>>> -'masquerade orange' => 'Masquerade ORANGE',
> >>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> >>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> >>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
> >>>> 'masquerading' => 'Masquerading',
> >>>> 'masquerading disabled' => 'Masquerading disabled',
> >>>> 'masquerading enabled' => 'Masquerading enabled',
> >>>> @@ -1844,6 +1849,8 @@
> >>>> 'november' => 'November',
> >>>> 'ntp common settings' => 'Common settings',
> >>>> 'ntp configuration' => 'NTP Configuration',
> >>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
> >>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
> >>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
> >>>> 'ntp server' => 'NTP Server',
> >>>> 'ntp sync' => 'Synchronization',
> >>>> diff --git a/lfs/configroot b/lfs/configroot
> >>>> index a3e474d70..622793b35 100644
> >>>> --- a/lfs/configroot
> >>>> +++ b/lfs/configroot
> >>>> @@ -129,6 +129,10 @@ $(TARGET) :
> >>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> >>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> >>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
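Review bot: the four `echo "..._FORCE_ON_...=off" >> $(CONFIG_ROOT)/optionsfw/settings` lines appear to run only when the configroot target is built, so only fresh installations get them; systems updated in place keep an optionsfw/settings without the new keys. The init script treats a missing value as off (its `== "on"` test simply fails), which is the safe default, but the cgi has no such fallback, so either add the keys on the update path as well or default them in the cgi.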
> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> >>>> new file mode 100644
> >>>> index 000000000..2eafa9d20
> >>>> --- /dev/null
> >>>> +++ b/src/initscripts/system/dnsntp
> >>>> @@ -0,0 +1,36 @@
> >>>> +#!/bin/sh
> >>>> +########################################################################
> >>>> +# Begin $rc_base/init.d/dnsntp
> >>>> +#
> >>>> +# Description : dnsntp init script for DNS/NTP rules only
> >>>> +#
> >>>> +########################################################################
> >>>> +
> >>>> +# flush chain
> >>>> +iptables -t nat -F DNS_NTP_REDIRECT
> >>>> +
> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> >>>> +
> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> >>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> >>>> +fi
> >>>> +
> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> >>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> >>>> +fi
> >>>> +
> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
> >>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
> >>>> +fi
> >>>> +
> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
> >>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> >>>> +fi
> >>>> +
> >>>> +# End $rc_base/init.d/dnsntp
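Review bot: every DNS/NTP request on the interface is REDIRECTed, including requests already addressed to IPFire itself; as proposed in the thread, add a RETURN for traffic to the interface's own address ahead of the REDIRECT lines, e.g. `iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN`, which needs `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)`. That same eval would also supply the device names: `green0` and `blue0` are hard-coded here while the firewall init script refers to GREEN_DEV (see its "-i GREEN_DEV" comment). Further: the comment above the NTP/BLUE block says DNS; the cover letter says NTP is redirected for TCP and UDP but only udp/123 is handled; `[ ... == ... ]` is a bashism under `#!/bin/sh`, use `=`; and if the chain does not exist, `iptables -t nat -F DNS_NTP_REDIRECT` prints an error while the script carries on, so a non-zero exit there should abort.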
> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> >>>> index 65f1c979b..43ae74113 100644
> >>>> --- a/src/initscripts/system/firewall
> >>>> +++ b/src/initscripts/system/firewall
> >>>> @@ -169,6 +169,10 @@ iptables_init() {
> >>>> 	# Fix for braindead ISPs
> >>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >>>> 
> >>>> +	# DNS / NTP REDIRECT
> >>>> +	iptables -t nat -N DNS_NTP_REDIRECT
> >>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> >>>> +
> >>>> 	# CUSTOM chains, can be used by the users themselves
> >>>> 	iptables -N CUSTOMINPUT
> >>>> 	iptables -A INPUT -j CUSTOMINPUT
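Review bot: the `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` jump is appended before the CUSTOM chains block that follows, so if the nat table also gets a user-facing CUSTOM prerouting chain there, DNS_NTP_REDIRECT runs first and a user cannot exempt a host from the redirect with a custom rule; the cover letter's stated reason for a separate chain was precisely to avoid collisions with CUSTOM rules. Appending the jump after the CUSTOM chains, or documenting that the redirect intentionally precedes them, would settle the ordering.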
> >>>> @@ -281,7 +285,7 @@ iptables_init() {
> >>>> 	iptables -A INPUT -j LOCATIONBLOCK
> >>>> 	iptables -A FORWARD -j LOCATIONBLOCK
> >>>> 
> >>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> >>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> >>>> 	iptables -N IPSECINPUT
> >>>> 	iptables -N IPSECFORWARD
> >>>> 	iptables -N IPSECOUTPUT
> >>>> @@ -389,6 +393,9 @@ iptables_init() {
> >>>> 	# run captivectrl
> >>>> 	/usr/local/bin/captivectrl
> >>>> 
> >>>> +	# run dnsntpctrl
> >>>> +	/usr/local/bin/dnsntpctrl
> >>>> +
> >>>> 	# POLICY CHAIN
> >>>> 	iptables -N POLICYIN
> >>>> 	iptables -A INPUT -j POLICYIN
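Review bot: the firewall init script already runs as root, so `/usr/local/bin/dnsntpctrl` here goes through the setuid wrapper only to exec `/etc/rc.d/init.d/dnsntp` with its output discarded; calling the init script directly avoids the detour the cover letter mentions and keeps iptables error output visible in the boot log. The wrapper is still needed for optionsfw.cgi, which runs unprivileged.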
> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> >>>> index 7c3ef7529..6f2733ef0 100644
> >>>> --- a/src/misc-progs/Makefile
> >>>> +++ b/src/misc-progs/Makefile
> >>>> @@ -26,7 +26,7 @@ PROGS = iowrap
> >>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
> >>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
> >>>> 	rebuildhosts backupctrl collectdctrl \
> >>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
> >>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
> >>>> 	wirelessctrl getipstat qosctrl \
> >>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
> >>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> >>>> new file mode 100644
> >>>> index 000000000..f2a3b89e3
> >>>> --- /dev/null
> >>>> +++ b/src/misc-progs/dnsntpctrl.c
> >>>> @@ -0,0 +1,19 @@
> >>>> +/* This file is part of the IPFire Firewall.
> >>>> + *
> >>>> + * This program is distributed under the terms of the GNU General Public
> >>>> + * Licence.  See the file COPYING for details.
> >>>> + *
> >>>> + */
> >>>> +
> >>>> +#include <stdlib.h>
> >>>> +#include "setuid.h"
> >>>> +
> >>>> +int main(void)
> >>>> +{
> >>>> +	if (!(initsetuid()))
> >>>> +		exit(1);
> >>>> +
> >>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> >>>> +
> >>>> +	return 0;
> >>>> +}
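Review bot: the return value of `safe_system(...)` is ignored and `main` always returns 0, so a failing init script (or a failing iptables call inside it) is reported as success to optionsfw.cgi and to the firewall init script. Return the status instead, e.g. `return safe_system("/etc/rc.d/init.d/dnsntp");`, and let the callers decide whether to silence the output rather than redirecting it to /dev/null inside the wrapper where nobody can see it.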
> >>>> -- 
> >>>> 2.18.0
> >>>> 
> >>>> 
> >>> 
> >> 
> >> 
> 
>
  
Jon Murphy March 6, 2021, 9:29 p.m. UTC | #5
But is it really needed and how is that determined?

> On Mar 6, 2021, at 3:15 PM, Bernhard Bitsch <Bernhard.Bitsch@gmx.de> wrote:
> 
> For forcing DNS we generate ( for example )
> 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> To filter allowed DNS requests there is a rule
> 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
> To get ${GREEN_ADDRESS} dnsntp needs an additional
>        eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> 
> Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
> 
> Hope this makes it clear enough.
> 
> Best,
> Bernhard
> 
>> Sent: Saturday, 06 March 2021 at 21:51
>> From: "Jon Murphy" <jcmurphy26@gmail.com>
>> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
>> 
>>> I mean the extra rules for requests client-->IPFire:53.
>>> These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>> 
>> How do we determine if a 'well-behaving' client is being redirected?  Or how do we measure performance?
>> 
>> When I tried to measure DNS "speed" in the past, the cache gets in there and makes every look like 38 to 44 ms.
>> 
>>> On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch <Bernhard.Bitsch@gmx.de> wrote:
>>> 
>>> Hi,
>>> 
>>>> Sent: Friday, 05 March 2021 at 23:49
>>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>>>> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>>>> Cc: development@lists.ipfire.org
>>>> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>>>> 
>>>> Hi,
>>>> 
>>>> On 05.03.2021 21:45, Bernhard Bitsch wrote:
>>>>> Hi,
>>>>> 
>>>>> at a first glance I think, the code implements the ideas of the community discussions.
>>>> 
>>>> Thanks - but unfortunately I'm not quite satisfied with my results yet
>>>> because I didn't manage to merge the init and the ctrl-file in *one* C
>>>> program. The whole is running as I want but... ;-)
>>>> 
>>>>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
>>>> 
>>>> -v please. I don't know if I get this (the translation english =>
>>>> german) right.
>>>> If you mean that I asked for some tips and got some, then of course:
>>>> many thanks to everybody!
>>>> 
>>> Sorry if I wasn't specific enough.
>>> I mean the extra rules for requests client-->IPFire:53.
>>> These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>>> 
>>> Best,
>>> Bernhard
>>>> Best,
>>>> Matthias
>>>> 
>>>>> Regards,
>>>>> Bernhard
>>>>> 
>>>>>> Sent: Friday, 05 March 2021 at 20:40
>>>>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>>>>>> To: development@lists.ipfire.org
>>>>>> Subject: [PATCH] (V3) Forcing DNS/NTP
>>>>>> 
>>>>>> Originally triggered by:
>>>>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>>>> 
>>>>>> Current discussion:
>>>>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>>>> 
>>>>>> Summary and functionality:
>>>>>> These patches are controlled through "Firewall Options". They add new
>>>>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>>>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>>>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>>>>> 
>>>>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>>>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>>>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>>>>> this more transparent.
>>>>>> 
>>>>>> Flaw/ToDo:
>>>>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>>>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>>>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>>>>> capabilities, perhaps "someone" else knows how to program this.
>>>>>> 
>>>>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>>>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>>>>> the respective interface actually exists.
>>>>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>>>>> or logging options for BLUE available (e.g.).
>>>>>> Added text colors for better readability and links to DNS and NTP GUI.
>>>>>> Separated logging options per interface.
>>>>>> 
>>>>>> No reboot required:
>>>>>> Rules can be switched ON/OFF without rebooting IPFire.
>>>>>> Changes immediately take effect after clicking 'Save'.
>>>>>> 
>>>>>> Changes to '/etc/rc.d/init.d/firewall':
>>>>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>>>>> chain: DNS_NTP_REDIRECT.
>>>>>> This chain is flushed by the init file before the desired settings are applied.
>>>>>> Corrected a 'trafic' typo.
>>>>>> 
>>>>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>>>>>> ---
>>>>>> config/rootfiles/common/aarch64/initscripts  |  1 +
>>>>>> config/rootfiles/common/armv5tel/initscripts |  1 +
>>>>>> config/rootfiles/common/i586/initscripts     |  1 +
>>>>>> config/rootfiles/common/misc-progs           |  1 +
>>>>>> config/rootfiles/common/x86_64/initscripts   |  1 +
>>>>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>>>>>> langs/de/cgi-bin/de.pl                       | 15 +++-
>>>>>> langs/en/cgi-bin/en.pl                       | 15 +++-
>>>>>> lfs/configroot                               |  4 +
>>>>>> src/initscripts/system/dnsntp                | 36 ++++++++
>>>>>> src/initscripts/system/firewall              |  9 +-
>>>>>> src/misc-progs/Makefile                      |  2 +-
>>>>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>>>>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>>>>> create mode 100644 src/initscripts/system/dnsntp
>>>>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>>>>> 
>>>>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>>>>>> index 800005966..f38a3a294 100644
>>>>>> --- a/config/rootfiles/common/aarch64/initscripts
>>>>>> +++ b/config/rootfiles/common/aarch64/initscripts
>>>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>>>>> etc/rc.d/init.d/console
>>>>>> etc/rc.d/init.d/dhcp
>>>>>> etc/rc.d/init.d/dhcrelay
>>>>>> +etc/rc.d/init.d/dnsntp
>>>>>> etc/rc.d/init.d/fcron
>>>>>> etc/rc.d/init.d/fireinfo
>>>>>> etc/rc.d/init.d/firewall
>>>>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>>>>>> index 800005966..f38a3a294 100644
>>>>>> --- a/config/rootfiles/common/armv5tel/initscripts
>>>>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>>>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>>>>> etc/rc.d/init.d/console
>>>>>> etc/rc.d/init.d/dhcp
>>>>>> etc/rc.d/init.d/dhcrelay
>>>>>> +etc/rc.d/init.d/dnsntp
>>>>>> etc/rc.d/init.d/fcron
>>>>>> etc/rc.d/init.d/fireinfo
>>>>>> etc/rc.d/init.d/firewall
>>>>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>>>>>> index 18c5a897a..a3a2b47f7 100644
>>>>>> --- a/config/rootfiles/common/i586/initscripts
>>>>>> +++ b/config/rootfiles/common/i586/initscripts
>>>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>>>>> etc/rc.d/init.d/console
>>>>>> etc/rc.d/init.d/dhcp
>>>>>> etc/rc.d/init.d/dhcrelay
>>>>>> +etc/rc.d/init.d/dnsntp
>>>>>> etc/rc.d/init.d/fcron
>>>>>> etc/rc.d/init.d/fireinfo
>>>>>> etc/rc.d/init.d/firewall
>>>>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>>>>>> index d6594b3f8..4bcb94812 100644
>>>>>> --- a/config/rootfiles/common/misc-progs
>>>>>> +++ b/config/rootfiles/common/misc-progs
>>>>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>>>>> usr/local/bin/collectdctrl
>>>>>> usr/local/bin/ddnsctrl
>>>>>> usr/local/bin/dhcpctrl
>>>>>> +usr/local/bin/dnsntpctrl
>>>>>> usr/local/bin/extrahdctrl
>>>>>> usr/local/bin/fireinfoctrl
>>>>>> usr/local/bin/firewallctrl
>>>>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>>>>>> index 18c5a897a..a3a2b47f7 100644
>>>>>> --- a/config/rootfiles/common/x86_64/initscripts
>>>>>> +++ b/config/rootfiles/common/x86_64/initscripts
>>>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>>>>> etc/rc.d/init.d/console
>>>>>> etc/rc.d/init.d/dhcp
>>>>>> etc/rc.d/init.d/dhcrelay
>>>>>> +etc/rc.d/init.d/dnsntp
>>>>>> etc/rc.d/init.d/fcron
>>>>>> etc/rc.d/init.d/fireinfo
>>>>>> etc/rc.d/init.d/firewall
>>>>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>>>>>> index 321642e82..3fc707e8b 100644
>>>>>> --- a/html/cgi-bin/optionsfw.cgi
>>>>>> +++ b/html/cgi-bin/optionsfw.cgi
>>>>>> @@ -2,7 +2,7 @@
>>>>>> ###############################################################################
>>>>>> #                                                                             #
>>>>>> # IPFire.org - A linux based firewall                                         #
>>>>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>>>>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>>>>>> #                                                                             #
>>>>>> # This program is free software: you can redistribute it and/or modify        #
>>>>>> # it under the terms of the GNU General Public License as published by        #
>>>>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>>>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>>>>>> 		&General::writehash($filename, \%settings);             # Save good settings
>>>>>> 		system("/usr/local/bin/firewallctrl");
>>>>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>>>>> 	}else{
>>>>>> 		if ($settings{'POLICY'} ne ''){
>>>>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
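Review bot: the exit status of /usr/local/bin/dnsntpctrl is thrown away here and both stdout and stderr go to /dev/null, so an iptables failure while programming DNS_NTP_REDIRECT (for instance on a box still running the firewall rule set from before this patch, where the chain does not exist yet) is invisible to the admin who just clicked Save. Check the return value and append to $errormessage when it is non-zero. Worth verifying as well: the firewall initscript now runs dnsntpctrl itself at the end of iptables_init, so if firewallctrl performs a full reload this second call is redundant, and if it does not, the Save path depends entirely on this one line.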
>>>>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>>>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>>>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>>>>> 		system("/usr/local/bin/firewallctrl");
>>>>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>>>>> 	}
>>>>>> 	&General::readhash($filename, \%settings);             # Load good settings
>>>>>> }
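Review bot: same output and status suppression as in the first Save branch. Both branches now end in the identical pair of calls (firewallctrl, then dnsntpctrl), so move the dnsntpctrl call below the if/else, or wrap both calls in one helper, so the two paths cannot drift apart.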
>>>>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>>>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>>>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>>>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>>>>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>>>>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>>>>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>>>>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>>>>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>>>>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>>>>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>>>>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>>>>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>>>>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>>>>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>>>>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>>>>> 
>>>>>> &Header::openbox('100%', 'center',);
>>>>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
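Review bot: the lookup $checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} assumes the key is present in optionsfw/settings. On an installation updated in place (the lfs/configroot defaults only reach fresh installs) the value is undef, the lookup sets the '' entry, neither radio button is rendered checked, and a Save submits nothing for that group. That is safe, because dnsntp treats anything other than "on" as off, but the page then shows four options with no state. Default the keys before this block, e.g. $settings{'DNS_FORCE_ON_GREEN'} = 'off' unless defined $settings{'DNS_FORCE_ON_GREEN'}; (same for the other three), or seed them in the update script.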
>>>>>> @@ -189,13 +203,44 @@ END
>>>>>> END
>>>>>> 	}
>>>>>> 
>>>>>> -	print <<END
>>>>>> +print <<END;
>>>>>> +	<table width='95%' cellspacing='0'>
>>>>>> +		<tr bgcolor='$color{'color20'}'></tr>
>>>>>> +		<tr> </tr>
>>>>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>>>>>> +		</tr>
>>>>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>>>>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>>>>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> +END
>>>>>> +
>>>>>> +	if (&Header::blue_used()) {
>>>>>> +		print <<END;
>>>>>> +		<table width='95%' cellspacing='0'>
>>>>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>>>>> +		<tr> </tr>
>>>>>> +			<tr>
>>>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>>>>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>>>>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>>>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>>>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> +			</td>
>>>>>> +			</tr>
>>>>>> +END
>>>>>> +	}
>>>>>> +
>>>>>> +	print <<END;
>>>>>> 	</table>
>>>>>> 
>>>>>> -	<br>
>>>>>> +	<br />
>>>>>> 
>>>>>> -<table width='95%' cellspacing='0'>
>>>>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>>>>>> +		<table width='95%' cellspacing='0'>
>>>>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>>>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>>>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
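Review bot: the GREEN header row is malformed: <tr bgcolor='$color{'color20'}'></tr> is an empty row, <tr> </tr> another, and the <td colspan='2' ...>$Lang::tr{'fw green'}</td> that follows has no opening <tr>. It should mirror the BLUE header in the next block, one row: <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>. The BLUE block then opens a second <table width='95%' cellspacing='0'> while the GREEN table is still open, contains a stray <tr> after <tr> </tr>, and ends with </td></tr> that closes nothing; only one </table> is printed afterwards, so with BLUE present the page carries an unclosed table. Drop the extra <table>, the empty rows and the dangling </td></tr> so the BLUE rows simply continue the same table. Minor: the leading tab was removed from print <<END; while the blue_used() branch keeps it; pick one indentation.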
>>>>>> @@ -206,21 +251,30 @@ END
>>>>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>>>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>>>>> +END
>>>>>> +
>>>>>> +	if (&Header::blue_used()) {
>>>>>> +		print <<END;
>>>>>> +	</table>
>>>>>> +
>>>>>> +	<br />
>>>>>> +
>>>>>> +		<table width='95%' cellspacing='0'>
>>>>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>>>>>> +			<tr>
>>>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>>>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>>>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> -</table>
>>>>>> -<br/>
>>>>>> +			</tr>
>>>>>> +END
>>>>>> +	}
>>>>>> +
>>>>>> +	print <<END;
>>>>>> +	</table>
>>>>>> +
>>>>>> +	<br />
>>>>>> 
>>>>>> -<table width='95%' cellspacing='0'>
>>>>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>>>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>>>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>>>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>>>> -</table>
>>>>>> -<br>
>>>>>> <table width='95%' cellspacing='0'>
>>>>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>>>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
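Review bot: the BLUE logging block repeats the unbalanced markup of the BLUE options block above: a bare <tr> before the first row and a </tr> after the last one with nothing to close. Beyond markup, check what Save does with controls that are no longer rendered: when BLUE is absent the DROPWIRELESSINPUT/DROPWIRELESSFORWARD radios are not in the form, so nothing is submitted for them; if %settings is built from the CGI parameters and written back with writehash, those keys (default on in lfs/configroot) vanish from optionsfw/settings after the first Save. Harmless while there is no BLUE, but preserve the stored values explicitly rather than by accident.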
>>>>>> @@ -252,7 +306,7 @@ END
>>>>>> 
>>>>>> <br />
>>>>>> <table width='100%' cellspacing='0'>
>>>>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>>>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>>>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>>>>> </form></td></tr>
>>>>>> </table>
>>>>>> @@ -278,7 +332,7 @@ print <<END;
>>>>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>>>>> END
>>>>>> 	print "</tr></table></form>";
>>>>>> -	print"<br><br>";
>>>>>> +	print"<br /><br />";
>>>>>> 	print <<END;
>>>>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>>>>> 	<table width='100%' border='0'>
>>>>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>>>>> index 6a8133807..d6bb234fa 100644
>>>>>> --- a/langs/de/cgi-bin/de.pl
>>>>>> +++ b/langs/de/cgi-bin/de.pl
>>>>>> @@ -836,6 +836,8 @@
>>>>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>>>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>>>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>>>>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>>>>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>>>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>>>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>>>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>>>>>> @@ -1102,9 +1104,12 @@
>>>>>> 'from email server' => 'Von E-Mail-Server',
>>>>>> 'from email user' => 'Von E-Mail-Benutzer',
>>>>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>>>>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>>>>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>>>>> 'fw default drop' => 'Firewallrichtlinie',
>>>>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>>>>> 'fw logging' => 'Firewallprotokollierung',
>>>>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>>>>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>>>>> 'fw settings' => 'Firewalleinstellungen',
>>>>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>>>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
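Review bot: style: putting <font color=...> markup into the translation strings copies presentation into every language file and the hex values have to be kept in sync across all of them (they appear again in en.pl below). Applying the colour in optionsfw.cgi around $Lang::tr{'fw blue'} and friends, or a CSS class, keeps the .pl files to text; <font> is also a deprecated element.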
>>>>>> @@ -1644,9 +1649,9 @@
>>>>>> 'map to guest' => 'Map to Guest',
>>>>>> 'march' => 'März',
>>>>>> 'marked' => 'Markiert',
>>>>>> -'masquerade blue' => 'NAT auf BLAU',
>>>>>> -'masquerade green' => 'NAT auf GRÜN',
>>>>>> -'masquerade orange' => 'NAT auf ORANGE',
>>>>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>>>>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>>>>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>>>>> 'masquerading' => 'Masquerading/NAT',
>>>>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>>>>>> 'masquerading enabled' => 'NAT eingeschaltet',
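Review bot: 'masquerade orange' has <font color =\'#FF9933\'> with a space before the equals sign, unlike the two strings above it and the en.pl counterpart; browsers tolerate it, but make the three consistent.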
>>>>>> @@ -1814,6 +1819,8 @@
>>>>>> 'november' => 'November',
>>>>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>>>>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>>>>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>>>>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>>>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>>>>> 'ntp server' => 'NTP-Server',
>>>>>> 'ntp sync' => 'Synchronisation',
>>>>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>>>>> index 8f7e0c2cf..474612025 100644
>>>>>> --- a/langs/en/cgi-bin/en.pl
>>>>>> +++ b/langs/en/cgi-bin/en.pl
>>>>>> @@ -859,6 +859,8 @@
>>>>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>>>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>>>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>>>>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>>>>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>>>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>>>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>>>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
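Review bot: the label "Force DNS to use local DNS servers on GREEN" describes something the rule does not do. A REDIRECT target rewrites the destination to IPFire's own address on the incoming interface, so the query is delivered to IPFire and answered by its resolver, which in turn uses the servers configured in dns.cgi; clients are never sent to those servers directly. Something like "Redirect all DNS requests on GREEN to IPFire" (keeping the link) states what happens, and the same applies to the NTP strings. Also worth a word in the label or help: only plain port 53 is caught, DNS over TLS (853) or DNS over HTTPS pass untouched.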
>>>>>> @@ -1128,9 +1130,12 @@
>>>>>> 'from email server' => 'From Email server',
>>>>>> 'from email user' => 'From e-mail user',
>>>>>> 'from warn email bad' => 'From e-mail address is not valid',
>>>>>> -'fw blue' => 'Firewall options for BLUE interface',
>>>>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>>>>> 'fw default drop' => 'Firewall policy',
>>>>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>>>>> 'fw logging' => 'Firewall logging',
>>>>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>>>>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>>>>> 'fw settings' => 'Firewall settings',
>>>>>> 'fw settings color' => 'Show colors in ruletable',
>>>>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
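Review bot: style: 'fw blue' changes "BLUE interface" to "BLUE Interface" and the new 'fw green' follows suit; the removed line and the rest of the file use lower-case "interface". Keep the noun lower-case.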
>>>>>> @@ -1672,9 +1677,9 @@
>>>>>> 'map to guest' => 'Map to Guest',
>>>>>> 'march' => 'March',
>>>>>> 'marked' => 'Marked',
>>>>>> -'masquerade blue' => 'Masquerade BLUE',
>>>>>> -'masquerade green' => 'Masquerade GREEN',
>>>>>> -'masquerade orange' => 'Masquerade ORANGE',
>>>>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>>>>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>>>>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>>>>> 'masquerading' => 'Masquerading',
>>>>>> 'masquerading disabled' => 'Masquerading disabled',
>>>>>> 'masquerading enabled' => 'Masquerading enabled',
>>>>>> @@ -1844,6 +1849,8 @@
>>>>>> 'november' => 'November',
>>>>>> 'ntp common settings' => 'Common settings',
>>>>>> 'ntp configuration' => 'NTP Configuration',
>>>>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>>>>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>>>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>>>>> 'ntp server' => 'NTP Server',
>>>>>> 'ntp sync' => 'Synchronization',
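Review bot: the NTP redirect only helps when IPFire's own NTP service accepts clients (the 'ntp must be enabled to have clients' string two lines below looks like the corresponding setting in time.cgi). With the redirect on and that service off, every client time query on GREEN/BLUE is rewritten to the firewall and then goes unanswered, which is worse than letting it through. Either gate the option on that setting in optionsfw.cgi or say so in the label.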
>>>>>> diff --git a/lfs/configroot b/lfs/configroot
>>>>>> index a3e474d70..622793b35 100644
>>>>>> --- a/lfs/configroot
>>>>>> +++ b/lfs/configroot
>>>>>> @@ -129,6 +129,10 @@ $(TARGET) :
>>>>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>>>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>>>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
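Review bot: these four defaults only reach fresh installations, since lfs/configroot is not re-run on an update; existing systems need the keys appended to /var/ipfire/optionsfw/settings by the update script, otherwise the new radio groups in optionsfw.cgi render with neither value selected. Also, the commit message calls the options "firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]", while the keys written here and read by dnsntp are DNS_FORCE_ON_GREEN, DNS_FORCE_ON_BLUE, NTP_FORCE_ON_GREEN and NTP_FORCE_ON_BLUE; the commit message should name what the code uses.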
>>>>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>>>>> new file mode 100644
>>>>>> index 000000000..2eafa9d20
>>>>>> --- /dev/null
>>>>>> +++ b/src/initscripts/system/dnsntp
>>>>>> @@ -0,0 +1,36 @@
>>>>>> +#!/bin/sh
>>>>>> +########################################################################
>>>>>> +# Begin $rc_base/init.d/dnsntp
>>>>>> +#
>>>>>> +# Description : dnsntp init script for DNS/NTP rules only
>>>>>> +#
>>>>>> +########################################################################
>>>>>> +
>>>>>> +# flush chain
>>>>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>>>>> +
>>>>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>>>>> +
>>>>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>>>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>>>>>> +fi
>>>>>> +
>>>>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>>>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>>>>>> +fi
>>>>>> +
>>>>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>>>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>>>>>> +fi
>>>>>> +
>>>>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>>>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>>>>>> +fi
>>>>>> +
>>>>>> +# End $rc_base/init.d/dnsntp
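Review bot: the interface names are hard-coded as green0 and blue0, while the firewall script matches on the device from /var/ipfire/ethernet/settings (its comment in the next file reads "-i GREEN_DEV"). Source that file with a second eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) and use -i $GREEN_DEV / -i $BLUE_DEV; that also provides GREEN_ADDRESS and BLUE_ADDRESS for a RETURN rule ahead of each REDIRECT so requests already addressed to IPFire skip the rewrite. Smaller points: the script declares #!/bin/sh but uses == inside [ ], which is a bash extension (= is the portable form); the comment above the last block says DNS but the rule is NTP on 123; and the script takes no start/stop argument, it always flushes and re-applies, which is fine but should be stated in the description. Scope caveat for the feature: only plain port 53 and UDP 123 are caught, so DNS over TLS or HTTPS is not affected.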
>>>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>>>> index 65f1c979b..43ae74113 100644
>>>>>> --- a/src/initscripts/system/firewall
>>>>>> +++ b/src/initscripts/system/firewall
>>>>>> @@ -169,6 +169,10 @@ iptables_init() {
>>>>>> 	# Fix for braindead ISPs
>>>>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>>>>> 
>>>>>> +	# DNS / NTP REDIRECT
>>>>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>>>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>>>>> +
>>>>>> 	# CUSTOM chains, can be used by the users themselves
>>>>>> 	iptables -N CUSTOMINPUT
>>>>>> 	iptables -A INPUT -j CUSTOMINPUT
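Review bot: ordering: DNS_NTP_REDIRECT is hooked into nat PREROUTING here, before the CUSTOM chains are created in the lines that follow, so if a custom prerouting chain is created in that block it is evaluated after the redirect and a user rule cannot exempt a host (say, a local recursive resolver that must reach upstream on 53) from it. If the separate chain is meant to avoid collisions with custom rules, either jump to it after the custom chain or document that it has precedence. Also, -N fails if the chain already exists, so this relies on iptables_init flushing and deleting nat chains before this point, as it must already do for the other chains created here.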
>>>>>> @@ -281,7 +285,7 @@ iptables_init() {
>>>>>> 	iptables -A INPUT -j LOCATIONBLOCK
>>>>>> 	iptables -A FORWARD -j LOCATIONBLOCK
>>>>>> 
>>>>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>>>> 	iptables -N IPSECINPUT
>>>>>> 	iptables -N IPSECFORWARD
>>>>>> 	iptables -N IPSECOUTPUT
>>>>>> @@ -389,6 +393,9 @@ iptables_init() {
>>>>>> 	# run captivectrl
>>>>>> 	/usr/local/bin/captivectrl
>>>>>> 
>>>>>> +	# run dnsntpctrl
>>>>>> +	/usr/local/bin/dnsntpctrl
>>>>>> +
>>>>>> 	# POLICY CHAIN
>>>>>> 	iptables -N POLICYIN
>>>>>> 	iptables -A INPUT -j POLICYIN
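Review bot: this already runs as root, so calling the setuid wrapper only to have it run /etc/rc.d/init.d/dnsntp with all output sent to /dev/null means an iptables error at boot leaves nothing in the boot log. It matches the captivectrl line above, but for a rule set that silently rewrites traffic, calling /etc/rc.d/init.d/dnsntp directly here keeps the diagnostics. The placement after the -169 block is right, since the chain must exist before the script flushes it; the flip side is that a dnsntpctrl triggered from the CGI before the firewall has been restarted with this version fails on the flush and on every -A, silently.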
>>>>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>>>>> index 7c3ef7529..6f2733ef0 100644
>>>>>> --- a/src/misc-progs/Makefile
>>>>>> +++ b/src/misc-progs/Makefile
>>>>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>>>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>>>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>>>>>> 	rebuildhosts backupctrl collectdctrl \
>>>>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>>>>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>>>>> 	wirelessctrl getipstat qosctrl \
>>>>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>>>>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>>>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>>>>> new file mode 100644
>>>>>> index 000000000..f2a3b89e3
>>>>>> --- /dev/null
>>>>>> +++ b/src/misc-progs/dnsntpctrl.c
>>>>>> @@ -0,0 +1,19 @@
>>>>>> +/* This file is part of the IPFire Firewall.
>>>>>> + *
>>>>>> + * This program is distributed under the terms of the GNU General Public
>>>>>> + * Licence.  See the file COPYING for details.
>>>>>> + *
>>>>>> + */
>>>>>> +
>>>>>> +#include <stdlib.h>
>>>>>> +#include "setuid.h"
>>>>>> +
>>>>>> +int main(void)
>>>>>> +{
>>>>>> +	if (!(initsetuid()))
>>>>>> +		exit(1);
>>>>>> +
>>>>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>>>>> +
>>>>>> +	return 0;
>>>>>> +}
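Review bot: the wrapper discards the result of the script: the value of safe_system() is dropped and main() always returns 0, so the system() call in optionsfw.cgi could not tell success from failure even if it checked. Return the status (return safe_system(...)) and drop the >/dev/null 2>&1 from the command string; the callers already silence the output, and a failing iptables line is the one message an admin would want to see.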
>>>>>> -- 
>>>>>> 2.18.0
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>> 
>>
  
Matthias Fischer March 7, 2021, 8:06 a.m. UTC | #6
Hi Bernhard,

Lol. Funny misunderstanding - I'll try to figure it out:

On 06.03.2021 22:15, Bernhard Bitsch wrote:
> For forcing DNS we generate ( for example )
> 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT

That's for *forcing* AKA *bad* requests that don't go the way we want.

> To filter allowed DNS requests there is a rule
> 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN

That's for *well-behaving* requests.

AH! I see. I think I know what you meant.

> To get ${GREEN_ADDRESS} dnsntp needs an additional
>         eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

Funny. I suddenly thought of doing something with
'.../ethernet/settings' while writing the v3-commit. But I didn't think
of RETURN.

> Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
> 
> Hope this makes it clear enough.

I - really - hope I got it right. ;-)

To handle the well-behaving requests, I added RETURN rules prior to the
REDIRECT rules like this:

...
# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
  iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
  iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
  iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p tcp -m tcp --dport 53 -j RETURN
  iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
fi
...

Intention (explanation was translated from
https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html):
If the first - well-behaving - rule matches:
=> RETURN => "Leave this chain and continue with the caller or execute
the chain's policy".

Otherwise:
=> REDIRECT the packet. "This goal ensures that the package is delivered
to the local computer. This allows packets to "fantasy targets" to be
intercepted and dealt with locally."

I'm still not 100 percent sure - but does this correspond to your intention?

Best,
Matthias

> Best,
> Bernhard
> 
>> Sent: Saturday, 6 March 2021 at 21:51
>> From: "Jon Murphy" <jcmurphy26@gmail.com>
>> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
>>
>> > I mean the extra rules for requests client-->IPFire:53.
>> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>> 
>> How do we determine if a 'well-behaving' client is being redirected?  Or how do we measure performance?
>> 
>> When I tried to measure DNS "speed" in the past, the cache gets in there and makes every look like 38 to 44 ms.
>> 
>> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch <Bernhard.Bitsch@gmx.de> wrote:
>> > 
>> > Hi,
>> > 
>> >> Sent: Friday, 5 March 2021 at 23:49
>> >> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>> >> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>> >> Cc: development@lists.ipfire.org
>> >> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>> >> 
>> >> Hi,
>> >> 
>> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
>> >>> Hi,
>> >>> 
>> >>> at a first glance I think, the code implements the ideas of the community discussions.
>> >> 
>> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
>> >> because I didn't manage to merge the init and the ctrl-file in *one* C
>> >> program. The whole is running as I want but... ;-)
>> >> 
>> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
>> >> 
>> >> -v please. I don't know if I get this (the translation english =>
>> >> german) right.
>> >> If you mean that I asked for some tips and got some, then of course:
>> >> many thanks to everybody!
>> >> 
>> > Sorry if I wasn't specific enough.
>> > I mean the extra rules for requests client-->IPFire:53.
>> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>> > 
>> > Best,
>> > Bernhard
>> >> Best,
>> >> Matthias
>> >> 
>> >>> Regards,
>> >>> Bernhard
>> >>> 
>> >>>> Sent: Friday, 5 March 2021 at 20:40
>> >>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>> >>>> To: development@lists.ipfire.org
>> >>>> Subject: [PATCH] (V3) Forcing DNS/NTP
>> >>>> 
>> >>>> Originally triggered by:
>> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>> >>>> 
>> >>>> Current discussion:
>> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>> >>>> 
>> >>>> Summary and functionality:
>> >>>>  These patches are controlled through "Firewall Options". They add new
>> >>>>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>> >>>>  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>> >>>>  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>> >>>> 
>> >>>>  Default of all new rules is OFF (set in 'lfs/configroot').
>> >>>>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>> >>>>  servers specified in IPFire. GUI links to DNS and NTP options were added to make
>> >>>>  this more transparent.
>> >>>> 
>> >>>>  Flaw/ToDo:
>> >>>>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>> >>>>  init file, 'dnsntp'. This is actually an unnecessary detour.
>> >>>>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
>> >>>>  capabilities, perhaps "someone" else knows how to program this.
>> >>>> 
>> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>> >>>>  The corresponding interface options - including 'Masquerade ...' - are only visible if
>> >>>>  the respective interface actually exists.
>> >>>>  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>> >>>>  or logging options for BLUE available (e.g.).
>> >>>>  Added text colors for better readability and links to DNS and NTP GUI.
>> >>>>  Separated logging options per interface.
>> >>>> 
>> >>>> No reboot required:
>> >>>>  Rules can be switched ON/OFF without rebooting IPFire.
>> >>>>  Changes immediately take effect after clicking 'Save'.
>> >>>> 
>> >>>> Changes to '/etc/rc.d/init.d/firewall':
>> >>>>  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>> >>>>  chain: DNS_NTP_REDIRECT.
>> >>>>  This chain is flushed by the init file before the desired settings are applied.
>> >>>>  Corrected a 'trafic' typo.
>> >>>> 
>> >>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> >>>> ---
>> >>>> config/rootfiles/common/aarch64/initscripts  |  1 +
>> >>>> config/rootfiles/common/armv5tel/initscripts |  1 +
>> >>>> config/rootfiles/common/i586/initscripts     |  1 +
>> >>>> config/rootfiles/common/misc-progs           |  1 +
>> >>>> config/rootfiles/common/x86_64/initscripts   |  1 +
>> >>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>> >>>> langs/de/cgi-bin/de.pl                       | 15 +++-
>> >>>> langs/en/cgi-bin/en.pl                       | 15 +++-
>> >>>> lfs/configroot                               |  4 +
>> >>>> src/initscripts/system/dnsntp                | 36 ++++++++
>> >>>> src/initscripts/system/firewall              |  9 +-
>> >>>> src/misc-progs/Makefile                      |  2 +-
>> >>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>> >>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>> >>>> create mode 100644 src/initscripts/system/dnsntp
>> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>> >>>> 
>> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>> >>>> index 800005966..f38a3a294 100644
>> >>>> --- a/config/rootfiles/common/aarch64/initscripts
>> >>>> +++ b/config/rootfiles/common/aarch64/initscripts
>> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >>>> etc/rc.d/init.d/console
>> >>>> etc/rc.d/init.d/dhcp
>> >>>> etc/rc.d/init.d/dhcrelay
>> >>>> +etc/rc.d/init.d/dnsntp
>> >>>> etc/rc.d/init.d/fcron
>> >>>> etc/rc.d/init.d/fireinfo
>> >>>> etc/rc.d/init.d/firewall
>> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>> >>>> index 800005966..f38a3a294 100644
>> >>>> --- a/config/rootfiles/common/armv5tel/initscripts
>> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >>>> etc/rc.d/init.d/console
>> >>>> etc/rc.d/init.d/dhcp
>> >>>> etc/rc.d/init.d/dhcrelay
>> >>>> +etc/rc.d/init.d/dnsntp
>> >>>> etc/rc.d/init.d/fcron
>> >>>> etc/rc.d/init.d/fireinfo
>> >>>> etc/rc.d/init.d/firewall
>> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>> >>>> index 18c5a897a..a3a2b47f7 100644
>> >>>> --- a/config/rootfiles/common/i586/initscripts
>> >>>> +++ b/config/rootfiles/common/i586/initscripts
>> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >>>> etc/rc.d/init.d/console
>> >>>> etc/rc.d/init.d/dhcp
>> >>>> etc/rc.d/init.d/dhcrelay
>> >>>> +etc/rc.d/init.d/dnsntp
>> >>>> etc/rc.d/init.d/fcron
>> >>>> etc/rc.d/init.d/fireinfo
>> >>>> etc/rc.d/init.d/firewall
>> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>> >>>> index d6594b3f8..4bcb94812 100644
>> >>>> --- a/config/rootfiles/common/misc-progs
>> >>>> +++ b/config/rootfiles/common/misc-progs
>> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>> >>>> usr/local/bin/collectdctrl
>> >>>> usr/local/bin/ddnsctrl
>> >>>> usr/local/bin/dhcpctrl
>> >>>> +usr/local/bin/dnsntpctrl
>> >>>> usr/local/bin/extrahdctrl
>> >>>> usr/local/bin/fireinfoctrl
>> >>>> usr/local/bin/firewallctrl
>> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>> >>>> index 18c5a897a..a3a2b47f7 100644
>> >>>> --- a/config/rootfiles/common/x86_64/initscripts
>> >>>> +++ b/config/rootfiles/common/x86_64/initscripts
>> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >>>> etc/rc.d/init.d/console
>> >>>> etc/rc.d/init.d/dhcp
>> >>>> etc/rc.d/init.d/dhcrelay
>> >>>> +etc/rc.d/init.d/dnsntp
>> >>>> etc/rc.d/init.d/fcron
>> >>>> etc/rc.d/init.d/fireinfo
>> >>>> etc/rc.d/init.d/firewall
>> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> >>>> index 321642e82..3fc707e8b 100644
>> >>>> --- a/html/cgi-bin/optionsfw.cgi
>> >>>> +++ b/html/cgi-bin/optionsfw.cgi
>> >>>> @@ -2,7 +2,7 @@
>> >>>> ###############################################################################
>> >>>> #                                                                             #
>> >>>> # IPFire.org - A linux based firewall                                         #
>> >>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>> >>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>> >>>> #                                                                             #
>> >>>> # This program is free software: you can redistribute it and/or modify        #
>> >>>> # it under the terms of the GNU General Public License as published by        #
>> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> >>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>> >>>> 		&General::writehash($filename, \%settings);             # Save good settings
>> >>>> 		system("/usr/local/bin/firewallctrl");
>> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> >>>> 	}else{
>> >>>> 		if ($settings{'POLICY'} ne ''){
>> >>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
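Review bot: the `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` added here (and again in the next hunk) runs right after `firewallctrl`, and the firewall init script in this same series already runs `/usr/local/bin/dnsntpctrl` inside iptables_init, so the redirect chain is flushed and rebuilt twice per save; with stdout and stderr discarded and the exit status unchecked, a failing flush or rule insert is invisible to the admin. Either drop the duplicate call or check the return value and report it through `$errormessage` as the other failures in this block are.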
>> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> >>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> >>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> >>>> 		system("/usr/local/bin/firewallctrl");
>> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> >>>> 	}
>> >>>> 	&General::readhash($filename, \%settings);             # Load good settings
>> >>>> }
>> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>> >>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>> >>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>> >>>> 
>> >>>> &Header::openbox('100%', 'center',);
>> >>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
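Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";` and the three lines like it index the hash with whatever the settings file holds; on an installation that predates this change the key is absent, so the index is undef (an "uninitialized value" warning if warnings are enabled) and neither radio button renders as checked. Defaulting the four values before use, e.g. `$settings{'DNS_FORCE_ON_GREEN'} ||= 'off';`, keeps the page consistent with the OFF default the commit message promises.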
>> >>>> @@ -189,13 +203,44 @@ END
>> >>>> END
>> >>>> 	}
>> >>>> 
>> >>>> -	print <<END
>> >>>> +print <<END;
>> >>>> +	<table width='95%' cellspacing='0'>
>> >>>> +		<tr bgcolor='$color{'color20'}'></tr>
>> >>>> +		<tr> </tr>
>> >>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>> >>>> +		</tr>
>> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> >>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> >>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> +END
>> >>>> +
>> >>>> +	if (&Header::blue_used()) {
>> >>>> +		print <<END;
>> >>>> +		<table width='95%' cellspacing='0'>
>> >>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> >>>> +		<tr> </tr>
>> >>>> +			<tr>
>> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> >>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> >>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> >>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> >>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> +			</td>
>> >>>> +			</tr>
>> >>>> +END
>> >>>> +	}
>> >>>> +
>> >>>> +	print <<END;
>> >>>> 	</table>
>> >>>> 
>> >>>> -	<br>
>> >>>> +	<br />
>> >>>> 
>> >>>> -<table width='95%' cellspacing='0'>
>> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> >>>> +		<table width='95%' cellspacing='0'>
>> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>> >>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
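Review bot: the markup for the GREEN heading is broken: `<tr bgcolor='$color{'color20'}'></tr>` is an empty coloured row, `<tr> </tr>` another empty row, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` that carries the heading then sits outside any `<tr>` before a stray `</tr>`. The BLUE block has the mirror problem (an unclosed `<tr>` after `<tr> </tr>`, and `</td></tr>` with no matching open just before `END`). Use the one-line form the BLUE heading already uses, `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`, and drop the extra `<tr>`/`</tr>`/`</td>` lines; browsers repair this differently and the layout becomes unpredictable. Separately, DROPPROXY and DROPSAMBA are now emitted only inside `if (&Header::blue_used())`, so a save on a box without BLUE posts no value for them; worth confirming that the save path keeps the existing keys rather than writing them back empty.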
>> >>>> @@ -206,21 +251,30 @@ END
>> >>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>> >>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> >>>> +END
>> >>>> +
>> >>>> +	if (&Header::blue_used()) {
>> >>>> +		print <<END;
>> >>>> +	</table>
>> >>>> +
>> >>>> +	<br />
>> >>>> +
>> >>>> +		<table width='95%' cellspacing='0'>
>> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> >>>> +			<tr>
>> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> >>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> >>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> -</table>
>> >>>> -<br/>
>> >>>> +			</tr>
>> >>>> +END
>> >>>> +	}
>> >>>> +
>> >>>> +	print <<END;
>> >>>> +	</table>
>> >>>> +
>> >>>> +	<br />
>> >>>> 
>> >>>> -<table width='95%' cellspacing='0'>
>> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> >>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> >>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >>>> -</table>
>> >>>> -<br>
>> >>>> <table width='95%' cellspacing='0'>
>> >>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>> >>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
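Review bot: the BLUE logging block has the same stray row markers as the options block above: a bare `<tr>` opens after the `fw logging blue` heading row and a bare `</tr>` closes before `END`, neither paired with a real row, so drop both. The two DROPWIRELESS* radio groups now exist only when `blue_used()` is true; since lfs/configroot defaults them to `on`, confirm that saving without BLUE does not overwrite those keys with empty values.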
>> >>>> @@ -252,7 +306,7 @@ END
>> >>>> 
>> >>>> <br />
>> >>>> <table width='100%' cellspacing='0'>
>> >>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> >>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> >>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>> >>>> </form></td></tr>
>> >>>> </table>
>> >>>> @@ -278,7 +332,7 @@ print <<END;
>> >>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>> >>>> END
>> >>>> 	print "</tr></table></form>";
>> >>>> -	print"<br><br>";
>> >>>> +	print"<br /><br />";
>> >>>> 	print <<END;
>> >>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> >>>> 	<table width='100%' border='0'>
>> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> >>>> index 6a8133807..d6bb234fa 100644
>> >>>> --- a/langs/de/cgi-bin/de.pl
>> >>>> +++ b/langs/de/cgi-bin/de.pl
>> >>>> @@ -836,6 +836,8 @@
>> >>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>> >>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>> >>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>> >>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>> >>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>> >>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>> >>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>> >>>> @@ -1102,9 +1104,12 @@
>> >>>> 'from email server' => 'Von E-Mail-Server',
>> >>>> 'from email user' => 'Von E-Mail-Benutzer',
>> >>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>> >>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>> >>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>> >>>> 'fw default drop' => 'Firewallrichtlinie',
>> >>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>> >>>> 'fw logging' => 'Firewallprotokollierung',
>> >>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>> >>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>> >>>> 'fw settings' => 'Firewalleinstellungen',
>> >>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>> >>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>> >>>> @@ -1644,9 +1649,9 @@
>> >>>> 'map to guest' => 'Map to Guest',
>> >>>> 'march' => 'März',
>> >>>> 'marked' => 'Markiert',
>> >>>> -'masquerade blue' => 'NAT auf BLAU',
>> >>>> -'masquerade green' => 'NAT auf GRÜN',
>> >>>> -'masquerade orange' => 'NAT auf ORANGE',
>> >>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>> >>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>> >>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>> >>>> 'masquerading' => 'Masquerading/NAT',
>> >>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>> >>>> 'masquerading enabled' => 'NAT eingeschaltet',
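Review bot: `'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',` has a space in `color =` that the English counterpart and the other two German strings do not; align it. More generally, hard-coded `<font color>` tags in translation strings (here and for 'fw blue', 'fw green' and the logging headings in the previous hunk) put presentation into the language files, and `<font>` is obsolete HTML; a CSS class or the `$color{...}` palette optionsfw.cgi already uses for the heading rows would keep the strings plain text.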
>> >>>> @@ -1814,6 +1819,8 @@
>> >>>> 'november' => 'November',
>> >>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>> >>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>> >>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>> >>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>> >>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>> >>>> 'ntp server' => 'NTP-Server',
>> >>>> 'ntp sync' => 'Synchronisation',
>> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> >>>> index 8f7e0c2cf..474612025 100644
>> >>>> --- a/langs/en/cgi-bin/en.pl
>> >>>> +++ b/langs/en/cgi-bin/en.pl
>> >>>> @@ -859,6 +859,8 @@
>> >>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>> >>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>> >>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>> >>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>> >>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>> >>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>> >>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>> >>>> @@ -1128,9 +1130,12 @@
>> >>>> 'from email server' => 'From Email server',
>> >>>> 'from email user' => 'From e-mail user',
>> >>>> 'from warn email bad' => 'From e-mail address is not valid',
>> >>>> -'fw blue' => 'Firewall options for BLUE interface',
>> >>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>> >>>> 'fw default drop' => 'Firewall policy',
>> >>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>> >>>> 'fw logging' => 'Firewall logging',
>> >>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>> >>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>> >>>> 'fw settings' => 'Firewall settings',
>> >>>> 'fw settings color' => 'Show colors in ruletable',
>> >>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
>> >>>> @@ -1672,9 +1677,9 @@
>> >>>> 'map to guest' => 'Map to Guest',
>> >>>> 'march' => 'March',
>> >>>> 'marked' => 'Marked',
>> >>>> -'masquerade blue' => 'Masquerade BLUE',
>> >>>> -'masquerade green' => 'Masquerade GREEN',
>> >>>> -'masquerade orange' => 'Masquerade ORANGE',
>> >>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>> >>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>> >>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>> >>>> 'masquerading' => 'Masquerading',
>> >>>> 'masquerading disabled' => 'Masquerading disabled',
>> >>>> 'masquerading enabled' => 'Masquerading enabled',
>> >>>> @@ -1844,6 +1849,8 @@
>> >>>> 'november' => 'November',
>> >>>> 'ntp common settings' => 'Common settings',
>> >>>> 'ntp configuration' => 'NTP Configuration',
>> >>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>> >>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>> >>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>> >>>> 'ntp server' => 'NTP Server',
>> >>>> 'ntp sync' => 'Synchronization',
>> >>>> diff --git a/lfs/configroot b/lfs/configroot
>> >>>> index a3e474d70..622793b35 100644
>> >>>> --- a/lfs/configroot
>> >>>> +++ b/lfs/configroot
>> >>>> @@ -129,6 +129,10 @@ $(TARGET) :
>> >>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>> >>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>> >>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
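Review bot: these four `echo "..._FORCE_ON_...=off" >> $(CONFIG_ROOT)/optionsfw/settings` lines only apply to a freshly built configroot; the 13-file list contains no update step, so upgraded systems have no DNS_FORCE_*/NTP_FORCE_* keys until the admin saves the Firewall Options page once. The init script treats a missing key as not `on`, which is the safe default, but the GUI shows the new radio buttons unset in the meantime; an update hook that appends the defaults when the keys are absent would close that gap.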
>> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>> >>>> new file mode 100644
>> >>>> index 000000000..2eafa9d20
>> >>>> --- /dev/null
>> >>>> +++ b/src/initscripts/system/dnsntp
>> >>>> @@ -0,0 +1,36 @@
>> >>>> +#!/bin/sh
>> >>>> +########################################################################
>> >>>> +# Begin $rc_base/init.d/dnsntp
>> >>>> +#
>> >>>> +# Description : dnsntp init script for DNS/NTP rules only
>> >>>> +#
>> >>>> +########################################################################
>> >>>> +
>> >>>> +# flush chain
>> >>>> +iptables -t nat -F DNS_NTP_REDIRECT
>> >>>> +
>> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> >>>> +
>> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> >>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>> >>>> +fi
>> >>>> +
>> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> >>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>> >>>> +fi
>> >>>> +
>> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> >>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>> >>>> +fi
>> >>>> +
>> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> >>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>> >>>> +fi
>> >>>> +
>> >>>> +# End $rc_base/init.d/dnsntp
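Review bot: the comment over the last block, `# Force DNS REDIRECTs on BLUE (udp, 123)`, describes NTP (it guards `$NTP_FORCE_ON_BLUE` and port 123). Under `#!/bin/sh`, `[ "$DNS_FORCE_ON_GREEN" == "on" ]` relies on the bash-only `==`; POSIX test is `=`. The interfaces are hard-coded as `green0`/`blue0` while the firewall init speaks of GREEN_DEV; reading /var/ipfire/ethernet/settings the same way this script already reads optionsfw/settings would supply both the device names and GREEN_ADDRESS. With the address at hand, a `-d ${GREEN_ADDRESS} ... -j RETURN` rule in front of each REDIRECT lets requests that are already aimed at the firewall skip the NAT rewrite, which is the RETURN proposal discussed in this thread. The flush happening before the settings are read is fine: if `readhash` fails the chain stays empty, which is the fail-safe outcome.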
>> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> >>>> index 65f1c979b..43ae74113 100644
>> >>>> --- a/src/initscripts/system/firewall
>> >>>> +++ b/src/initscripts/system/firewall
>> >>>> @@ -169,6 +169,10 @@ iptables_init() {
>> >>>> 	# Fix for braindead ISPs
>> >>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> >>>> 
>> >>>> +	# DNS / NTP REDIRECT
>> >>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>> >>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> >>>> +
>> >>>> 	# CUSTOM chains, can be used by the users themselves
>> >>>> 	iptables -N CUSTOMINPUT
>> >>>> 	iptables -A INPUT -j CUSTOMINPUT
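Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the `# CUSTOM chains` block just below creates and hooks the user chains, so if one of those custom chains is hooked into nat PREROUTING, the redirect is evaluated ahead of anything the user puts there and a host the admin wants exempted (a local resolver, for instance) cannot be excluded from a custom chain. If the commit message's aim of not colliding with CUSTOM rules includes letting them take precedence, hook DNS_NTP_REDIRECT after the custom chains, or document that exemptions have to go into the dnsntp script itself.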
>> >>>> @@ -281,7 +285,7 @@ iptables_init() {
>> >>>> 	iptables -A INPUT -j LOCATIONBLOCK
>> >>>> 	iptables -A FORWARD -j LOCATIONBLOCK
>> >>>> 
>> >>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> >>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> >>>> 	iptables -N IPSECINPUT
>> >>>> 	iptables -N IPSECFORWARD
>> >>>> 	iptables -N IPSECOUTPUT
>> >>>> @@ -389,6 +393,9 @@ iptables_init() {
>> >>>> 	# run captivectrl
>> >>>> 	/usr/local/bin/captivectrl
>> >>>> 
>> >>>> +	# run dnsntpctrl
>> >>>> +	/usr/local/bin/dnsntpctrl
>> >>>> +
>> >>>> 	# POLICY CHAIN
>> >>>> 	iptables -N POLICYIN
>> >>>> 	iptables -A INPUT -j POLICYIN
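Review bot: `/usr/local/bin/dnsntpctrl` here is a setuid wrapper whose only job is to run `/etc/rc.d/init.d/dnsntp`; since iptables_init already runs as root, calling the init script directly removes the detour the commit message lists under Flaw/ToDo and leaves the wrapper for the CGI alone.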
>> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> >>>> index 7c3ef7529..6f2733ef0 100644
>> >>>> --- a/src/misc-progs/Makefile
>> >>>> +++ b/src/misc-progs/Makefile
>> >>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>> >>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>> >>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>> >>>> 	rebuildhosts backupctrl collectdctrl \
>> >>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>> >>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>> >>>> 	wirelessctrl getipstat qosctrl \
>> >>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>> >>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>> >>>> new file mode 100644
>> >>>> index 000000000..f2a3b89e3
>> >>>> --- /dev/null
>> >>>> +++ b/src/misc-progs/dnsntpctrl.c
>> >>>> @@ -0,0 +1,19 @@
>> >>>> +/* This file is part of the IPFire Firewall.
>> >>>> + *
>> >>>> + * This program is distributed under the terms of the GNU General Public
>> >>>> + * Licence.  See the file COPYING for details.
>> >>>> + *
>> >>>> + */
>> >>>> +
>> >>>> +#include <stdlib.h>
>> >>>> +#include "setuid.h"
>> >>>> +
>> >>>> +int main(void)
>> >>>> +{
>> >>>> +	if (!(initsetuid()))
>> >>>> +		exit(1);
>> >>>> +
>> >>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> >>>> +
>> >>>> +	return 0;
>> >>>> +}
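Review bot: the return value of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");` is discarded and the program always returns 0, so the CGI can never tell that the init script failed (for instance when DNS_NTP_REDIRECT does not exist yet because the firewall init has not been restarted since the update). Returning the result, `return safe_system(...)`, keeps the exit status meaningful. The redirection also sits inside the command string, so output is lost even when the wrapper is run by hand for debugging; leave that to the caller (optionsfw.cgi already redirects).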
>> >>>> -- 
>> >>>> 2.18.0
>> >>>> 
>> >>>> 
>> >>> 
>> >> 
>> >> 
>> 
>>
>
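Added here as a worked example, not code from the patch or from the IPFire project: the same DNS/NTP rule set as the quoted `dnsntp` init script, but with interface names and addresses taken from the settings files instead of hard-coded `green0`/`blue0`, with a RETURN for requests already addressed to the firewall in front of each REDIRECT (the well-behaving-client case discussed in this thread), and with the settings parsed instead of `eval`ed. The commands are printed rather than executed so they can be reviewed first. It assumes /var/ipfire/ethernet/settings carries GREEN_DEV, GREEN_ADDRESS, BLUE_DEV and BLUE_ADDRESS in KEY=value form (only GREEN_ADDRESS is confirmed by the thread); the sample settings in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not IPFire project code): build the DNS/NTP REDIRECT rule set
# from settings files, with a RETURN exemption ahead of each REDIRECT.
# Assumed keys in the ethernet settings: GREEN_DEV, GREEN_ADDRESS, BLUE_DEV, BLUE_ADDRESS.

CHAIN="DNS_NTP_REDIRECT"

# read_setting FILE KEY: print the value of KEY (quotes stripped), empty if absent.
# Parsing the file avoids running its contents through eval.
read_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "'\""
}

# build_rules IFACE ADDR DNS_FLAG NTP_FLAG: print the nat rules for one interface.
build_rules() {
    iface=$1; addr=$2; dns=$3; ntp=$4
    if [ "$dns" = "on" ]; then
        for proto in udp tcp; do
            # well-behaving client: already talks to the firewall's resolver, leave the chain
            echo "iptables -t nat -A $CHAIN -i $iface -d $addr -p $proto -m $proto --dport 53 -j RETURN"
            # anything else on port 53: rewrite the destination to the firewall itself
            echo "iptables -t nat -A $CHAIN -i $iface -p $proto -m $proto --dport 53 -j REDIRECT"
        done
    fi
    if [ "$ntp" = "on" ]; then
        echo "iptables -t nat -A $CHAIN -i $iface -d $addr -p udp -m udp --dport 123 -j RETURN"
        echo "iptables -t nat -A $CHAIN -i $iface -p udp -m udp --dport 123 -j REDIRECT"
    fi
}

# generate_ruleset OPTIONSFW_FILE ETHERNET_FILE: flush, then rules per configured interface.
generate_ruleset() {
    optionsfw=$1; ethernet=$2
    echo "iptables -t nat -F $CHAIN"
    for zone in GREEN BLUE; do
        dev=$(read_setting "$ethernet" "${zone}_DEV")
        zone_addr=$(read_setting "$ethernet" "${zone}_ADDRESS")
        # an interface that is not configured gets no rules, whatever its flags say
        [ -n "$dev" ] && [ -n "$zone_addr" ] || continue
        build_rules "$dev" "$zone_addr" \
            "$(read_setting "$optionsfw" "DNS_FORCE_ON_$zone")" \
            "$(read_setting "$optionsfw" "NTP_FORCE_ON_$zone")"
    done
}

# demo: constructed sample settings (not from a real system) run through the generator.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/optionsfw" <<'EOF'
DNS_FORCE_ON_GREEN=on
NTP_FORCE_ON_GREEN=off
DNS_FORCE_ON_BLUE=on
NTP_FORCE_ON_BLUE=on
EOF
    # no BLUE_DEV here: BLUE is unconfigured, so its flags must not produce rules
    cat > "$dir/ethernet" <<'EOF'
GREEN_DEV=green0
GREEN_ADDRESS=192.168.1.1
EOF
    generate_ruleset "$dir/optionsfw" "$dir/ethernet"
    rm -rf "$dir"
}

demo
```

For the constructed sample this prints the flush followed by four GREEN rules (RETURN then REDIRECT for UDP, then the same for TCP) and nothing for BLUE; on a real system the output would be run through `sh` after inspection.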
  
Bernhard Bitsch March 7, 2021, 10:20 a.m. UTC | #7
Hi Matthias,

yes. You got it.
I use these rules now for some time, based on the scripts and discussions in the community.
The RETURN rules do not weaken the aim of REDIRECT rules.
Because I do not know a measurement tool, I can't say anything about performance.
But I'll try to record the behaviour of those 'bad devices' through logging rules, both for REDIRECT and RETURN.

Best,
Bernhard

> Sent: Sunday, 7 March 2021 at 09:06
> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>, "Jon Murphy" <jcmurphy26@gmail.com>
> Cc: "IPFire Development" <development@lists.ipfire.org>
> Subject: Re: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
>
> Hi Bernhard,
> 
> Lol. Funny misunderstanding - I'll try to figure it out:
> 
> On 06.03.2021 22:15, Bernhard Bitsch wrote:
> > For forcing DNS we generate ( for example )
> > 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> 
> That's for *forcing* AKA *bad* requests that don't go the way we want.
> 
> > To filter allowed DNS requests there is a rule
> > 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
> 
> That's for *well-behaving* requests.
> 
> AH! I see. I think I know what you meant.
> 
> > To get ${GREEN_ADDRESS} dnsntp needs an additional
> >         eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> 
> Funny. I suddenly thought of doing something with
> '.../ethernet/settings' while writing the v3-commit. But I didn't think
> of RETURN.
> 
> > Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
> > 
> > Hope this makes it clear enough.
> 
> I - really - hope I got it right. ;-)
> 
> To handle the well-behaving requests, I added RETURN rules prior to the
> REDIRECT rules like this:
> 
> ...
> # Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p
> udp -m udp --dport 53 -j RETURN
> 
>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53
> -j REDIRECT
> 
>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p
> tcp -m tcp --dport 53 -j RETURN
> 
>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53
> -j REDIRECT
> fi
> ...
> 
> Intention (explanation was translated from
> https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html):
> If the first - well-behaving - rule matches:
> => RETURN => "Leave this chain and continue with the caller or execute
> the chain's policy".
> 
> Otherwise:
> => REDIRECT the packet. "This goal ensures that the package is delivered
> to the local computer. This allows packets to "fantasy targets" to be
> intercepted and dealt with locally."
> 
> I'm still not 100 percent sure - but does this correspond to your intention?
> 
> Best,
> Matthias
> 
> > Best,
> > Bernhard
> > 
> >> Sent: Saturday, 6 March 2021 at 21:51
> >> From: "Jon Murphy" <jcmurphy26@gmail.com>
> >> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
> >> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
> >>
> >> > I mean the extra rules for requests client-->IPFire:53.
> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
> >> 
> >> How do we determine if a 'well-behaving' client is being redirected?  Or how do we measure performance?
> >> 
> >> When I tried to measure DNS "speed" in the past, the cache gets in there and makes everything look like 38 to 44 ms.
> >> 
> >> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch <Bernhard.Bitsch@gmx.de> wrote:
> >> > 
> >> > Hi,
> >> > 
> >> >> Sent: Friday, 5 March 2021 at 23:49
> >> >> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> >> >> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
> >> >> Cc: development@lists.ipfire.org
> >> >> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
> >> >> 
> >> >> Hi,
> >> >> 
> >> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
> >> >>> Hi,
> >> >>> 
> >> >>> at a first glance I think, the code implements the ideas of the community discussions.
> >> >> 
> >> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
> >> >> because I didn't manage to merge the init and the ctrl-file in *one* C
> >> >> program. The whole is running as I want but... ;-)
> >> >> 
> >> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
> >> >> 
> >> >> -v please. I don't know if I get this (the translation English =>
> >> >> German) right.
> >> >> If you mean that I asked for some tips and got some, then of course:
> >> >> many thanks to everybody!
> >> >> 
> >> > Sorry if I wasn't specific enough.
> >> > I mean the extra rules for requests client-->IPFire:53.
> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
> >> > 
> >> > Best,
> >> > Bernhard
> >> >> Best,
> >> >> Matthias
> >> >> 
> >> >>> Regards,
> >> >>> Bernhard
> >> >>> 
> >> >>>> Sent: Friday, 5 March 2021 at 20:40
> >> >>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> >> >>>> To: development@lists.ipfire.org
> >> >>>> Subject: [PATCH] (V3) Forcing DNS/NTP
> >> >>>> 
> >> >>>> Originally triggered by:
> >> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> >> >>>> 
> >> >>>> Current discussion:
> >> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> >> >>>> 
> >> >>>> Summary and functionality:
> >> >>>>  These patches are controlled through "Firewall Options". They add new
> >> >>>>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
> >> >>>>  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
> >> >>>>  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> >> >>>> 
> >> >>>>  Default of all new rules is OFF (set in 'lfs/configroot').
> >> >>>>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
> >> >>>>  servers specified in IPFire. GUI links to DNS and NTP options were added to make
> >> >>>>  this more transparent.
> >> >>>> 
> >> >>>>  Flaw/ToDo:
> >> >>>>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
> >> >>>>  init file, 'dnsntp'. This is actually an unnecessary detour.
> >> >>>>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
> >> >>>>  capabilities, perhaps "someone" else knows how to program this.
> >> >>>> 
> >> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
> >> >>>>  The corresponding interface options - including 'Masquerade ...' - are only visible if
> >> >>>>  the respective interface actually exists.
> >> >>>>  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
> >> >>>>  or logging options for BLUE available (e.g.).
> >> >>>>  Added text colors for better readability and links to DNS and NTP GUI.
> >> >>>>  Separated logging options per interface.
> >> >>>> 
> >> >>>> No reboot required:
> >> >>>>  Rules can be switched ON/OFF without rebooting IPFire.
> >> >>>>  Changes immediately take effect after clicking 'Save'.
> >> >>>> 
> >> >>>> Changes to '/etc/rc.d/init.d/firewall':
> >> >>>>  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
> >> >>>>  chain: DNS_NTP_REDIRECT.
> >> >>>>  This chain is flushed by the init file before the desired settings are applied.
> >> >>>>  Corrected a 'trafic' typo.
> >> >>>> 
> >> >>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> >> >>>> ---
> >> >>>> config/rootfiles/common/aarch64/initscripts  |  1 +
> >> >>>> config/rootfiles/common/armv5tel/initscripts |  1 +
> >> >>>> config/rootfiles/common/i586/initscripts     |  1 +
> >> >>>> config/rootfiles/common/misc-progs           |  1 +
> >> >>>> config/rootfiles/common/x86_64/initscripts   |  1 +
> >> >>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
> >> >>>> langs/de/cgi-bin/de.pl                       | 15 +++-
> >> >>>> langs/en/cgi-bin/en.pl                       | 15 +++-
> >> >>>> lfs/configroot                               |  4 +
> >> >>>> src/initscripts/system/dnsntp                | 36 ++++++++
> >> >>>> src/initscripts/system/firewall              |  9 +-
> >> >>>> src/misc-progs/Makefile                      |  2 +-
> >> >>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
> >> >>>> 13 files changed, 168 insertions(+), 29 deletions(-)
> >> >>>> create mode 100644 src/initscripts/system/dnsntp
> >> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c
> >> >>>> 
> >> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
> >> >>>> index 800005966..f38a3a294 100644
> >> >>>> --- a/config/rootfiles/common/aarch64/initscripts
> >> >>>> +++ b/config/rootfiles/common/aarch64/initscripts
> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >> >>>> etc/rc.d/init.d/console
> >> >>>> etc/rc.d/init.d/dhcp
> >> >>>> etc/rc.d/init.d/dhcrelay
> >> >>>> +etc/rc.d/init.d/dnsntp
> >> >>>> etc/rc.d/init.d/fcron
> >> >>>> etc/rc.d/init.d/fireinfo
> >> >>>> etc/rc.d/init.d/firewall
> >> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
> >> >>>> index 800005966..f38a3a294 100644
> >> >>>> --- a/config/rootfiles/common/armv5tel/initscripts
> >> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts
> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >> >>>> etc/rc.d/init.d/console
> >> >>>> etc/rc.d/init.d/dhcp
> >> >>>> etc/rc.d/init.d/dhcrelay
> >> >>>> +etc/rc.d/init.d/dnsntp
> >> >>>> etc/rc.d/init.d/fcron
> >> >>>> etc/rc.d/init.d/fireinfo
> >> >>>> etc/rc.d/init.d/firewall
> >> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
> >> >>>> index 18c5a897a..a3a2b47f7 100644
> >> >>>> --- a/config/rootfiles/common/i586/initscripts
> >> >>>> +++ b/config/rootfiles/common/i586/initscripts
> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >> >>>> etc/rc.d/init.d/console
> >> >>>> etc/rc.d/init.d/dhcp
> >> >>>> etc/rc.d/init.d/dhcrelay
> >> >>>> +etc/rc.d/init.d/dnsntp
> >> >>>> etc/rc.d/init.d/fcron
> >> >>>> etc/rc.d/init.d/fireinfo
> >> >>>> etc/rc.d/init.d/firewall
> >> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> >> >>>> index d6594b3f8..4bcb94812 100644
> >> >>>> --- a/config/rootfiles/common/misc-progs
> >> >>>> +++ b/config/rootfiles/common/misc-progs
> >> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
> >> >>>> usr/local/bin/collectdctrl
> >> >>>> usr/local/bin/ddnsctrl
> >> >>>> usr/local/bin/dhcpctrl
> >> >>>> +usr/local/bin/dnsntpctrl
> >> >>>> usr/local/bin/extrahdctrl
> >> >>>> usr/local/bin/fireinfoctrl
> >> >>>> usr/local/bin/firewallctrl
> >> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
> >> >>>> index 18c5a897a..a3a2b47f7 100644
> >> >>>> --- a/config/rootfiles/common/x86_64/initscripts
> >> >>>> +++ b/config/rootfiles/common/x86_64/initscripts
> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> >> >>>> etc/rc.d/init.d/console
> >> >>>> etc/rc.d/init.d/dhcp
> >> >>>> etc/rc.d/init.d/dhcrelay
> >> >>>> +etc/rc.d/init.d/dnsntp
> >> >>>> etc/rc.d/init.d/fcron
> >> >>>> etc/rc.d/init.d/fireinfo
> >> >>>> etc/rc.d/init.d/firewall
> >> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> >> >>>> index 321642e82..3fc707e8b 100644
> >> >>>> --- a/html/cgi-bin/optionsfw.cgi
> >> >>>> +++ b/html/cgi-bin/optionsfw.cgi
> >> >>>> @@ -2,7 +2,7 @@
> >> >>>> ###############################################################################
> >> >>>> #                                                                             #
> >> >>>> # IPFire.org - A linux based firewall                                         #
> >> >>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
> >> >>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
> >> >>>> #                                                                             #
> >> >>>> # This program is free software: you can redistribute it and/or modify        #
> >> >>>> # it under the terms of the GNU General Public License as published by        #
> >> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> >> >>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
> >> >>>> 		&General::writehash($filename, \%settings);             # Save good settings
> >> >>>> 		system("/usr/local/bin/firewallctrl");
> >> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> >> >>>> 	}else{
> >> >>>> 		if ($settings{'POLICY'} ne ''){
> >> >>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
> >> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> >> >>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> >> >>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> >> >>>> 		system("/usr/local/bin/firewallctrl");
> >> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> >> >>>> 	}
> >> >>>> 	&General::readhash($filename, \%settings);             # Load good settings
> >> >>>> }
> >> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
> >> >>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
> >> >>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
> >> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
> >> >>>> 
> >> >>>> &Header::openbox('100%', 'center',);
> >> >>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
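Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"` (and the three lines like it) marks neither radio button when the key is missing from optionsfw/settings, which is the case on an installation whose settings file predates this patch: the lookup then populates `$checked{...}{''}` instead of `{'off'}`. Falling back to 'off' for an empty value before this block, e.g. `$settings{'DNS_FORCE_ON_GREEN'} ||= 'off';`, keeps the form consistent with the init script, which treats an unset variable as off.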
> >> >>>> @@ -189,13 +203,44 @@ END
> >> >>>> END
> >> >>>> 	}
> >> >>>> 
> >> >>>> -	print <<END
> >> >>>> +print <<END;
> >> >>>> +	<table width='95%' cellspacing='0'>
> >> >>>> +		<tr bgcolor='$color{'color20'}'></tr>
> >> >>>> +		<tr> </tr>
> >> >>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> >> >>>> +		</tr>
> >> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> >> >>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> >> >>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> +END
> >> >>>> +
> >> >>>> +	if (&Header::blue_used()) {
> >> >>>> +		print <<END;
> >> >>>> +		<table width='95%' cellspacing='0'>
> >> >>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> >> >>>> +		<tr> </tr>
> >> >>>> +			<tr>
> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> >> >>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> >> >>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> >> >>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> >> >>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> +			</td>
> >> >>>> +			</tr>
> >> >>>> +END
> >> >>>> +	}
> >> >>>> +
> >> >>>> +	print <<END;
> >> >>>> 	</table>
> >> >>>> 
> >> >>>> -	<br>
> >> >>>> +	<br />
> >> >>>> 
> >> >>>> -<table width='95%' cellspacing='0'>
> >> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> >> >>>> +		<table width='95%' cellspacing='0'>
> >> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
> >> >>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
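Review bot: the GREEN header is emitted as an empty coloured row followed by `<tr> </tr>`, so the `<td colspan='2' ...><b>$Lang::tr{'fw green'}</b></td>` and the `</tr>` after it sit outside any row; the BLUE block below shows the intended shape, `<tr bgcolor=...><td colspan='2' ...>heading</td></tr>`. The BLUE block has its own problems: it opens a second `<table width='95%' cellspacing='0'>` while the GREEN table is still open (the single `</table>` in the following heredoc closes only the inner one, so the two tables nest), starts with a bare `<tr>` that is never closed, and ends with a stray `</td></tr>`. Closing the GREEN table before opening the BLUE one and mirroring the row layout of the existing `fw logging` table for both blocks fixes all of these; the `print <<END;` that lost its leading tab is a style nit in the same spot.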
> >> >>>> @@ -206,21 +251,30 @@ END
> >> >>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
> >> >>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> >> >>>> +END
> >> >>>> +
> >> >>>> +	if (&Header::blue_used()) {
> >> >>>> +		print <<END;
> >> >>>> +	</table>
> >> >>>> +
> >> >>>> +	<br />
> >> >>>> +
> >> >>>> +		<table width='95%' cellspacing='0'>
> >> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> >> >>>> +			<tr>
> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> >> >>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> >> >>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> -</table>
> >> >>>> -<br/>
> >> >>>> +			</tr>
> >> >>>> +END
> >> >>>> +	}
> >> >>>> +
> >> >>>> +	print <<END;
> >> >>>> +	</table>
> >> >>>> +
> >> >>>> +	<br />
> >> >>>> 
> >> >>>> -<table width='95%' cellspacing='0'>
> >> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> >> >>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> >> >>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> >> >>>> -</table>
> >> >>>> -<br>
> >> >>>> <table width='95%' cellspacing='0'>
> >> >>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
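Review bot: in the BLUE logging block the bare `<tr>` before the `drop wirelessinput` row is never closed and the `</tr>` after the `drop wirelessforward` row has no matching open; both look left over from copying the rows and should go. The table open/close sequence itself works out in both cases: without BLUE the final heredoc closes the RED logging table, with BLUE the `</table>` inside the `if` does that and the final one closes the BLUE table.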
> >> >>>> @@ -252,7 +306,7 @@ END
> >> >>>> 
> >> >>>> <br />
> >> >>>> <table width='100%' cellspacing='0'>
> >> >>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >> >>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >> >>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> >> >>>> </form></td></tr>
> >> >>>> </table>
> >> >>>> @@ -278,7 +332,7 @@ print <<END;
> >> >>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
> >> >>>> END
> >> >>>> 	print "</tr></table></form>";
> >> >>>> -	print"<br><br>";
> >> >>>> +	print"<br /><br />";
> >> >>>> 	print <<END;
> >> >>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> >> >>>> 	<table width='100%' border='0'>
> >> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> >> >>>> index 6a8133807..d6bb234fa 100644
> >> >>>> --- a/langs/de/cgi-bin/de.pl
> >> >>>> +++ b/langs/de/cgi-bin/de.pl
> >> >>>> @@ -836,6 +836,8 @@
> >> >>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
> >> >>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
> >> >>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> >> >>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
> >> >>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
> >> >>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
> >> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
> >> >>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> >> >>>> @@ -1102,9 +1104,12 @@
> >> >>>> 'from email server' => 'Von E-Mail-Server',
> >> >>>> 'from email user' => 'Von E-Mail-Benutzer',
> >> >>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> >> >>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> >> >>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
> >> >>>> 'fw default drop' => 'Firewallrichtlinie',
> >> >>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
> >> >>>> 'fw logging' => 'Firewallprotokollierung',
> >> >>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> >> >>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
> >> >>>> 'fw settings' => 'Firewalleinstellungen',
> >> >>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
> >> >>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
> >> >>>> @@ -1644,9 +1649,9 @@
> >> >>>> 'map to guest' => 'Map to Guest',
> >> >>>> 'march' => 'März',
> >> >>>> 'marked' => 'Markiert',
> >> >>>> -'masquerade blue' => 'NAT auf BLAU',
> >> >>>> -'masquerade green' => 'NAT auf GRÜN',
> >> >>>> -'masquerade orange' => 'NAT auf ORANGE',
> >> >>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> >> >>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> >> >>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
> >> >>>> 'masquerading' => 'Masquerading/NAT',
> >> >>>> 'masquerading disabled' => 'NAT ausgeschaltet',
> >> >>>> 'masquerading enabled' => 'NAT eingeschaltet',
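Review bot: `'masquerade orange'` has a space before the `=` in `<font color =\'#FF9933\'>`, unlike the two lines above it and the matching en.pl entry; make the three lines identical in form so the generated markup stays uniform.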
> >> >>>> @@ -1814,6 +1819,8 @@
> >> >>>> 'november' => 'November',
> >> >>>> 'ntp common settings' => 'Allgemeine Einstellungen',
> >> >>>> 'ntp configuration' => 'Zeitserverkonfiguration',
> >> >>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
> >> >>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
> >> >>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
> >> >>>> 'ntp server' => 'NTP-Server',
> >> >>>> 'ntp sync' => 'Synchronisation',
> >> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> >> >>>> index 8f7e0c2cf..474612025 100644
> >> >>>> --- a/langs/en/cgi-bin/en.pl
> >> >>>> +++ b/langs/en/cgi-bin/en.pl
> >> >>>> @@ -859,6 +859,8 @@
> >> >>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
> >> >>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
> >> >>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> >> >>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
> >> >>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
> >> >>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
> >> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
> >> >>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
> >> >>>> @@ -1128,9 +1130,12 @@
> >> >>>> 'from email server' => 'From Email server',
> >> >>>> 'from email user' => 'From e-mail user',
> >> >>>> 'from warn email bad' => 'From e-mail address is not valid',
> >> >>>> -'fw blue' => 'Firewall options for BLUE interface',
> >> >>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
> >> >>>> 'fw default drop' => 'Firewall policy',
> >> >>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
> >> >>>> 'fw logging' => 'Firewall logging',
> >> >>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> >> >>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
> >> >>>> 'fw settings' => 'Firewall settings',
> >> >>>> 'fw settings color' => 'Show colors in ruletable',
> >> >>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
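Review bot: the rewritten `'fw blue'` string capitalises `Interface` where the original had `interface`; keep the lowercase form here and in the new `'fw green'` entry, since the other English strings in this file do not capitalise it.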
> >> >>>> @@ -1672,9 +1677,9 @@
> >> >>>> 'map to guest' => 'Map to Guest',
> >> >>>> 'march' => 'March',
> >> >>>> 'marked' => 'Marked',
> >> >>>> -'masquerade blue' => 'Masquerade BLUE',
> >> >>>> -'masquerade green' => 'Masquerade GREEN',
> >> >>>> -'masquerade orange' => 'Masquerade ORANGE',
> >> >>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> >> >>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> >> >>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
> >> >>>> 'masquerading' => 'Masquerading',
> >> >>>> 'masquerading disabled' => 'Masquerading disabled',
> >> >>>> 'masquerading enabled' => 'Masquerading enabled',
> >> >>>> @@ -1844,6 +1849,8 @@
> >> >>>> 'november' => 'November',
> >> >>>> 'ntp common settings' => 'Common settings',
> >> >>>> 'ntp configuration' => 'NTP Configuration',
> >> >>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
> >> >>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
> >> >>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
> >> >>>> 'ntp server' => 'NTP Server',
> >> >>>> 'ntp sync' => 'Synchronization',
> >> >>>> diff --git a/lfs/configroot b/lfs/configroot
> >> >>>> index a3e474d70..622793b35 100644
> >> >>>> --- a/lfs/configroot
> >> >>>> +++ b/lfs/configroot
> >> >>>> @@ -129,6 +129,10 @@ $(TARGET) :
> >> >>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> >>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> >>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> >>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> >>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> >>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> >>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> >> >>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> >> >>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> >> >>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
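Review bot: these four `echo` lines only run when configroot is built, i.e. for a fresh installation; an existing system keeps its old optionsfw/settings without the new keys. The init script tolerates that (an unset variable fails the `== "on"` test), but the GUI then has no default to show, so the update that ships this change should append the same four `off` entries to the existing settings file.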
> >> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> >> >>>> new file mode 100644
> >> >>>> index 000000000..2eafa9d20
> >> >>>> --- /dev/null
> >> >>>> +++ b/src/initscripts/system/dnsntp
> >> >>>> @@ -0,0 +1,36 @@
> >> >>>> +#!/bin/sh
> >> >>>> +########################################################################
> >> >>>> +# Begin $rc_base/init.d/dnsntp
> >> >>>> +#
> >> >>>> +# Description : dnsntp init script for DNS/NTP rules only
> >> >>>> +#
> >> >>>> +########################################################################
> >> >>>> +
> >> >>>> +# flush chain
> >> >>>> +iptables -t nat -F DNS_NTP_REDIRECT
> >> >>>> +
> >> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> >> >>>> +
> >> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> >> >>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> >> >>>> +fi
> >> >>>> +
> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> >> >>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> >> >>>> +fi
> >> >>>> +
> >> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
> >> >>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
> >> >>>> +fi
> >> >>>> +
> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
> >> >>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> >> >>>> +fi
> >> >>>> +
> >> >>>> +# End $rc_base/init.d/dnsntp
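Review bot: the interface names `green0` and `blue0` are hard-coded in every rule, whereas the firewall init script takes them from /var/ipfire/ethernet/settings (see the `-i GREEN_DEV` comment in the next hunk); read that file with the same `eval $(/usr/local/bin/readhash ...)` and use `$GREEN_DEV`/`$BLUE_DEV`, adding the BLUE rules only when `$BLUE_DEV` is set. Two smaller points: `==` inside `[ ]` is a bashism, `=` is the POSIX form under `#!/bin/sh`; and the comment before the last block says "DNS REDIRECTs on BLUE" but the rule is the NTP one (port 123). Finally, as raised in the thread, requests already addressed to the firewall are also caught by the REDIRECT; a `-d <firewall address on that interface> -j RETURN` rule in front of each REDIRECT lets the well-behaving clients through untouched and gives separate counters for them.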
> >> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> >> >>>> index 65f1c979b..43ae74113 100644
> >> >>>> --- a/src/initscripts/system/firewall
> >> >>>> +++ b/src/initscripts/system/firewall
> >> >>>> @@ -169,6 +169,10 @@ iptables_init() {
> >> >>>> 	# Fix for braindead ISPs
> >> >>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >> >>>> 
> >> >>>> +	# DNS / NTP REDIRECT
> >> >>>> +	iptables -t nat -N DNS_NTP_REDIRECT
> >> >>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> >> >>>> +
> >> >>>> 	# CUSTOM chains, can be used by the users themselves
> >> >>>> 	iptables -N CUSTOMINPUT
> >> >>>> 	iptables -A INPUT -j CUSTOMINPUT
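Review bot: the jump `-A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM chains created just below it, so if one of those is a nat PREROUTING chain, user rules in it can never match DNS/NTP packets ahead of the redirect. If that precedence is deliberate (the commit message says the aim is to avoid collisions with CUSTOM rules), say so in the `# DNS / NTP REDIRECT` comment; otherwise move the two lines after the custom chains.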
> >> >>>> @@ -281,7 +285,7 @@ iptables_init() {
> >> >>>> 	iptables -A INPUT -j LOCATIONBLOCK
> >> >>>> 	iptables -A FORWARD -j LOCATIONBLOCK
> >> >>>> 
> >> >>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> >> >>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> >> >>>> 	iptables -N IPSECINPUT
> >> >>>> 	iptables -N IPSECFORWARD
> >> >>>> 	iptables -N IPSECOUTPUT
> >> >>>> @@ -389,6 +393,9 @@ iptables_init() {
> >> >>>> 	# run captivectrl
> >> >>>> 	/usr/local/bin/captivectrl
> >> >>>> 
> >> >>>> +	# run dnsntpctrl
> >> >>>> +	/usr/local/bin/dnsntpctrl
> >> >>>> +
> >> >>>> 	# POLICY CHAIN
> >> >>>> 	iptables -N POLICYIN
> >> >>>> 	iptables -A INPUT -j POLICYIN
> >> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> >> >>>> index 7c3ef7529..6f2733ef0 100644
> >> >>>> --- a/src/misc-progs/Makefile
> >> >>>> +++ b/src/misc-progs/Makefile
> >> >>>> @@ -26,7 +26,7 @@ PROGS = iowrap
> >> >>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
> >> >>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
> >> >>>> 	rebuildhosts backupctrl collectdctrl \
> >> >>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
> >> >>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
> >> >>>> 	wirelessctrl getipstat qosctrl \
> >> >>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
> >> >>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> >> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> >> >>>> new file mode 100644
> >> >>>> index 000000000..f2a3b89e3
> >> >>>> --- /dev/null
> >> >>>> +++ b/src/misc-progs/dnsntpctrl.c
> >> >>>> @@ -0,0 +1,19 @@
> >> >>>> +/* This file is part of the IPFire Firewall.
> >> >>>> + *
> >> >>>> + * This program is distributed under the terms of the GNU General Public
> >> >>>> + * Licence.  See the file COPYING for details.
> >> >>>> + *
> >> >>>> + */
> >> >>>> +
> >> >>>> +#include <stdlib.h>
> >> >>>> +#include "setuid.h"
> >> >>>> +
> >> >>>> +int main(void)
> >> >>>> +{
> >> >>>> +	if (!(initsetuid()))
> >> >>>> +		exit(1);
> >> >>>> +
> >> >>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> >> >>>> +
> >> >>>> +	return 0;
> >> >>>> +}
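Review bot: the init script's output is discarded here (`>/dev/null 2>&1`) and again by the callers in optionsfw.cgi, so a failing `iptables` command at boot or after 'Save' leaves no trace; let stderr through or have the script log failures. On the ToDo in the commit message: the script body is only a chain flush plus conditional `iptables` invocations driven by values from optionsfw/settings, so it can be folded into this file by parsing that settings file in C and issuing the same commands through `safe_system`, which removes the extra init file and the detour the message describes.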
> >> >>>> -- 
> >> >>>> 2.18.0
Matthias Fischer March 7, 2021, 1:02 p.m. UTC | #8
Hi Bernhard,

On 07.03.2021 11:20, Bernhard Bitsch wrote:
> Hi Matthias,
> 
> yes. You got it.

Very good. ;-)

> I use these rules now for some time, based on the scripts and discussions in the community.
> The RETURN rules do not weaken the aim of REDIRECT rules.

Running here since ~12 hours. Absolutely no problems. Just for fun, I
even told Firefox to use DoH.
And: I told my client PC to use 1.2.3.4 as DNS-server. He had no chance.
DNS was still working as before.
Furthermore I can see the redirections from our blue clients (nasty
programmed apps).

Settings:
DNS-Server with nine DNSSEC-entries, status on 'dhcp.cgi' is "Working",
DNS-Protocol: TLS, QNAME-Minimisation: Strict. Running 'unbound 1.13.1'.

> Because I do not know a measurement tool, I can't say something about performance.

What about something like this?

=> https://github.com/DNS-OARC/dnsperf/blob/master/README.md

> But I'll try to record the behaviour of those 'bad devices' through logging rules, both for REDIRECT and RETURN.

From time to time I take a look at the IPTables-GUI - right now it's...:

Chain DNS_NTP_REDIRECT (1 references)
 pkts bytes target   prot opt in     out source    destination
   82  5532 RETURN   udp  --  green0 *   0.0.0.0/0 192.168.100.254  udp dpt:53
   24  1734 REDIRECT udp  --  green0 *   0.0.0.0/0 0.0.0.0/0        udp dpt:53
    0     0 RETURN   tcp  --  green0 *   0.0.0.0/0 192.168.100.254  tcp dpt:53
    0     0 REDIRECT tcp  --  green0 *   0.0.0.0/0 0.0.0.0/0        tcp dpt:53
  459 31772 RETURN   udp  --  blue0  *   0.0.0.0/0 192.168.101.254  udp dpt:53
   40  2861 REDIRECT udp  --  blue0  *   0.0.0.0/0 0.0.0.0/0        udp dpt:53
    0     0 RETURN   tcp  --  blue0  *   0.0.0.0/0 192.168.101.254  tcp dpt:53
    0     0 REDIRECT tcp  --  blue0  *   0.0.0.0/0 0.0.0.0/0        tcp dpt:53
  983 74708 RETURN   udp  --  green0 *   0.0.0.0/0 192.168.100.254  udp dpt:123
    0     0 REDIRECT udp  --  green0 *   0.0.0.0/0 0.0.0.0/0        udp dpt:123
    0     0 RETURN   udp  --  blue0  *   0.0.0.0/0 192.168.101.254  udp dpt:123
   18  1368 REDIRECT udp  --  blue0  *   0.0.0.0/0 0.0.0.0/0        udp dpt:123

Opinions?

Best,
Matthias

P.S.:
One (last?) thing to do would be to merge 'dnsntp' (init) and
'dnsntpctrl'.(c) into one C file to get rid of the still remaining
init-file. But sorry, that's for someone else, please...
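As an added example (not IPFire's dnsntp init script and not code from anyone in this thread), here is a POSIX sh sketch of the chain-building logic the thread converged on: for each interface and port a RETURN rule for requests already addressed to the firewall precedes the catch-all REDIRECT, interface devices and addresses come from settings instead of being hard-coded, and the test uses `=` rather than the bash-only `==`. Assumed: both settings files are plain KEY=VALUE lines that sh can source (constructed samples below); IPTABLES defaults to "echo iptables", so the script only prints what it would apply.

```shell
#!/bin/sh
# Added example, not IPFire's dnsntp init script: build the DNS_NTP_REDIRECT
# chain with a RETURN rule for well-behaving requests (client -> firewall:port)
# ahead of each catch-all REDIRECT, taking device names and addresses from
# settings instead of hard-coding green0/blue0.
# Assumptions: settings files are plain KEY=VALUE lines that sh can source
# (constructed samples below); IPTABLES defaults to "echo iptables" so the
# rules are printed rather than applied (set IPTABLES=iptables to apply).
IPTABLES="${IPTABLES:-echo iptables}"

# force_rules DEV ADDR PORT PROTO...: for each protocol, first RETURN traffic
# already addressed to the firewall (ADDR:PORT), then REDIRECT everything else.
force_rules() {
    dev="$1" addr="$2" port="$3"
    shift 3
    for proto in "$@"; do
        $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$dev" -d "$addr" \
            -p "$proto" -m "$proto" --dport "$port" -j RETURN
        $IPTABLES -t nat -A DNS_NTP_REDIRECT -i "$dev" \
            -p "$proto" -m "$proto" --dport "$port" -j REDIRECT
    done
}

# build_chain ETHERNET_SETTINGS OPTIONSFW_SETTINGS: flush the chain and
# repopulate it from the two settings files (POSIX "=" test, no bashism).
build_chain() {
    . "$1"   # GREEN_DEV, GREEN_ADDRESS, BLUE_DEV, BLUE_ADDRESS
    . "$2"   # DNS_FORCE_ON_GREEN/BLUE, NTP_FORCE_ON_GREEN/BLUE
    $IPTABLES -t nat -F DNS_NTP_REDIRECT
    if [ "$DNS_FORCE_ON_GREEN" = "on" ]; then
        force_rules "$GREEN_DEV" "$GREEN_ADDRESS" 53 udp tcp
    fi
    if [ -n "$BLUE_DEV" ] && [ "$DNS_FORCE_ON_BLUE" = "on" ]; then
        force_rules "$BLUE_DEV" "$BLUE_ADDRESS" 53 udp tcp
    fi
    if [ "$NTP_FORCE_ON_GREEN" = "on" ]; then
        force_rules "$GREEN_DEV" "$GREEN_ADDRESS" 123 udp
    fi
    if [ -n "$BLUE_DEV" ] && [ "$NTP_FORCE_ON_BLUE" = "on" ]; then
        force_rules "$BLUE_DEV" "$BLUE_ADDRESS" 123 udp
    fi
}

# write_sample_settings DIR: constructed settings mirroring the setup in the
# thread (GREEN 192.168.100.254, BLUE 192.168.101.254, all four switches on).
write_sample_settings() {
    cat > "$1/ethernet" <<'EOF'
GREEN_DEV=green0
GREEN_ADDRESS=192.168.100.254
BLUE_DEV=blue0
BLUE_ADDRESS=192.168.101.254
EOF
    cat > "$1/optionsfw" <<'EOF'
DNS_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=on
NTP_FORCE_ON_GREEN=on
NTP_FORCE_ON_BLUE=on
EOF
}

# dry_run: print the rule set the sample settings would produce.
dry_run() {
    dir=$(mktemp -d)
    write_sample_settings "$dir"
    build_chain "$dir/ethernet" "$dir/optionsfw"
    rm -rf "$dir"
}

dry_run
```

Each REDIRECT is preceded by its RETURN twin, so the only packets that reach a REDIRECT are those not already bound for the firewall's own address on that port.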

> 
> Best,
> Bernhard
> 
>> Gesendet: Sonntag, 07. März 2021 um 09:06 Uhr
>> Von: "Matthias Fischer" <matthias.fischer@ipfire.org>
>> An: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>, "Jon Murphy" <jcmurphy26@gmail.com>
>> Cc: "IPFire Development" <development@lists.ipfire.org>
>> Betreff: Re: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
>>
>> Hi Bernhard,
>> 
>> Lol. Funny misunderstanding - I'll try to figure it out:
>> 
>> On 06.03.2021 22:15, Bernhard Bitsch wrote:
>> > For forcing DNS we generate ( for example )
>> > 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>> 
>> That's for *forcing* AKA *bad* requests that don't go the way we want.
>> 
>> > To filter allowed DNS requests there is a rule
>> > 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
>> 
>> That's for *well-behaving* requests.
>> 
>> AH! I see. I think I know what you meant.
>> 
>> > To get ${GREEN_ADDRESS} dnsntp needs an additional
>> >         eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>> 
>> Funny. I suddenly thought of doing something with
>> '.../ethernet/settings' while writing the v3-commit. But I didn't think
>> of RETURN.
>> 
>> > Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
>> > 
>> > Hope this makes it clear enough.
>> 
>> I - really - hope I got it right. ;-)
>> 
>> To handle the well-behaving requests, I added RETURN rules prior to the
>> REDIRECT rules like this:
>> 
>> ...
>> # Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p
>> udp -m udp --dport 53 -j RETURN
>> 
>>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53
>> -j REDIRECT
>> 
>>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p
>> tcp -m tcp --dport 53 -j RETURN
>> 
>>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53
>> -j REDIRECT
>> fi
>> ...
>> 
>> Intention (explanation was translated from
>> https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html):
>> If the first - well-behaving - rule matches:
>> => RETURN => "Leave this chain and continue with the caller or execute
>> the chain's policy".
>> 
>> Otherwise:
>> => REDIRECT the packet. "This goal ensures that the package is delivered
>> to the local computer. This allows packets to "fantasy targets" to be
>> intercepted and dealt with locally."
>> 
>> I'm still not 100 percent sure - but does this correspond to your intention?
>> 
>> Best,
>> Matthias
>> 
>> > Best,
>> > Bernhard
>> > 
>> >> Gesendet: Samstag, 06. März 2021 um 21:51 Uhr
>> >> Von: "Jon Murphy" <jcmurphy26@gmail.com>
>> >> An: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>> >> Betreff: Re: [PATCH] (V3) Forcing DNS/NTP
>> >>
>> >> > I mean the extra rules for requests client-->IPFire:53.
>> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>> >> 
>> >> How do we determine if a 'well-behaving' client is being redirected?  Or how do we measure performance?
>> >> 
>> >> When I tried to measure DNS "speed" in the past, the cache gets in there and makes every look like 38 to 44 ms.
>> >> 
>> >> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch <Bernhard.Bitsch@gmx.de> wrote:
>> >> > 
>> >> > Hi,
>> >> > 
>> >> >> Gesendet: Freitag, 05. März 2021 um 23:49 Uhr
>> >> >> Von: "Matthias Fischer" <matthias.fischer@ipfire.org>
>> >> >> An: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>> >> >> Cc: development@lists.ipfire.org
>> >> >> Betreff: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>> >> >> 
>> >> >> Hi,
>> >> >> 
>> >> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
>> >> >>> Hi,
>> >> >>> 
>> >> >>> at a first glance I think, the code implements the ideas of the community discussions.
>> >> >> 
>> >> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
>> >> >> because I didn't manage to merge the init and the ctrl-file in *one* C
>> >> >> program. The whole is running as I want but... ;-)
>> >> >> 
>> >> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
>> >> >> 
>> >> >> -v please. I don't know if I get this (the translation english =>
>> >> >> german) right.
>> >> >> If you mean that I asked for some tips and got some, then of course:
>> >> >> many thanks to everybody!
>> >> >> 
>> >> > Sorry if I wasn't specific enough.
>> >> > I mean the extra rules for requests client-->IPFire:53.
>> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>> >> > 
>> >> > Best,
>> >> > Bernhard
>> >> >> Best,
>> >> >> Matthias
>> >> >> 
>> >> >>> Regards,
>> >> >>> Bernhard
>> >> >>> 
>> >> >>>> Gesendet: Freitag, 05. März 2021 um 20:40 Uhr
>> >> >>>> Von: "Matthias Fischer" <matthias.fischer@ipfire.org>
>> >> >>>> An: development@lists.ipfire.org
>> >> >>>> Betreff: [PATCH] (V3) Forcing DNS/NTP
>> >> >>>> 
>> >> >>>> Originally triggered by:
>> >> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>> >> >>>> 
>> >> >>>> Current discussion:
>> >> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>> >> >>>> 
>> >> >>>> Summary and functionality:
>> >> >>>>  These patches are controlled through "Firewall Options". They add new
>> >> >>>>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>> >> >>>>  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>> >> >>>>  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>> >> >>>> 
>> >> >>>>  Default of all new rules is OFF (set in 'lfs/configroot').
>> >> >>>>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>> >> >>>>  servers specified in IPFire. GUI links to DNS and NTP options were added to make
>> >> >>>>  this more transparent.
>> >> >>>> 
>> >> >>>>  Flaw/ToDo:
>> >> >>>>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>> >> >>>>  init file, 'dnsntp'. This is actually an unnecessary detour.
>> >> >>>>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
>> >> >>>>  capabilities, perhaps "someone" else knows how to program this.
>> >> >>>> 
>> >> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>> >> >>>>  The corresponding interface options - including 'Masquerade ...' - are only visible if
>> >> >>>>  the respective interface actually exists.
>> >> >>>>  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>> >> >>>>  or logging options for BLUE available (e.g.).
>> >> >>>>  Added text colors for better readability and links to DNS and NTP GUI.
>> >> >>>>  Separated logging options per interface.
>> >> >>>> 
>> >> >>>> No reboot required:
>> >> >>>>  Rules can be switched ON/OFF without rebooting IPFire.
>> >> >>>>  Changes immediately take effect after clicking 'Save'.
>> >> >>>> 
>> >> >>>> Changes to '/etc/rc.d/init.d/firewall':
>> >> >>>>  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>> >> >>>>  chain: DNS_NTP_REDIRECT.
>> >> >>>>  This chain is flushed by the init file before the desired settings are applied.
>> >> >>>>  Corrected a 'trafic' typo.
>> >> >>>> 
>> >> >>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> >> >>>> ---
>> >> >>>> config/rootfiles/common/aarch64/initscripts  |  1 +
>> >> >>>> config/rootfiles/common/armv5tel/initscripts |  1 +
>> >> >>>> config/rootfiles/common/i586/initscripts     |  1 +
>> >> >>>> config/rootfiles/common/misc-progs           |  1 +
>> >> >>>> config/rootfiles/common/x86_64/initscripts   |  1 +
>> >> >>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>> >> >>>> langs/de/cgi-bin/de.pl                       | 15 +++-
>> >> >>>> langs/en/cgi-bin/en.pl                       | 15 +++-
>> >> >>>> lfs/configroot                               |  4 +
>> >> >>>> src/initscripts/system/dnsntp                | 36 ++++++++
>> >> >>>> src/initscripts/system/firewall              |  9 +-
>> >> >>>> src/misc-progs/Makefile                      |  2 +-
>> >> >>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>> >> >>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>> >> >>>> create mode 100644 src/initscripts/system/dnsntp
>> >> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>> >> >>>> 
>> >> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>> >> >>>> index 800005966..f38a3a294 100644
>> >> >>>> --- a/config/rootfiles/common/aarch64/initscripts
>> >> >>>> +++ b/config/rootfiles/common/aarch64/initscripts
>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >> >>>> etc/rc.d/init.d/console
>> >> >>>> etc/rc.d/init.d/dhcp
>> >> >>>> etc/rc.d/init.d/dhcrelay
>> >> >>>> +etc/rc.d/init.d/dnsntp
>> >> >>>> etc/rc.d/init.d/fcron
>> >> >>>> etc/rc.d/init.d/fireinfo
>> >> >>>> etc/rc.d/init.d/firewall
>> >> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>> >> >>>> index 800005966..f38a3a294 100644
>> >> >>>> --- a/config/rootfiles/common/armv5tel/initscripts
>> >> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >> >>>> etc/rc.d/init.d/console
>> >> >>>> etc/rc.d/init.d/dhcp
>> >> >>>> etc/rc.d/init.d/dhcrelay
>> >> >>>> +etc/rc.d/init.d/dnsntp
>> >> >>>> etc/rc.d/init.d/fcron
>> >> >>>> etc/rc.d/init.d/fireinfo
>> >> >>>> etc/rc.d/init.d/firewall
>> >> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>> >> >>>> index 18c5a897a..a3a2b47f7 100644
>> >> >>>> --- a/config/rootfiles/common/i586/initscripts
>> >> >>>> +++ b/config/rootfiles/common/i586/initscripts
>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >> >>>> etc/rc.d/init.d/console
>> >> >>>> etc/rc.d/init.d/dhcp
>> >> >>>> etc/rc.d/init.d/dhcrelay
>> >> >>>> +etc/rc.d/init.d/dnsntp
>> >> >>>> etc/rc.d/init.d/fcron
>> >> >>>> etc/rc.d/init.d/fireinfo
>> >> >>>> etc/rc.d/init.d/firewall
>> >> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>> >> >>>> index d6594b3f8..4bcb94812 100644
>> >> >>>> --- a/config/rootfiles/common/misc-progs
>> >> >>>> +++ b/config/rootfiles/common/misc-progs
>> >> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>> >> >>>> usr/local/bin/collectdctrl
>> >> >>>> usr/local/bin/ddnsctrl
>> >> >>>> usr/local/bin/dhcpctrl
>> >> >>>> +usr/local/bin/dnsntpctrl
>> >> >>>> usr/local/bin/extrahdctrl
>> >> >>>> usr/local/bin/fireinfoctrl
>> >> >>>> usr/local/bin/firewallctrl
>> >> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>> >> >>>> index 18c5a897a..a3a2b47f7 100644
>> >> >>>> --- a/config/rootfiles/common/x86_64/initscripts
>> >> >>>> +++ b/config/rootfiles/common/x86_64/initscripts
>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> >> >>>> etc/rc.d/init.d/console
>> >> >>>> etc/rc.d/init.d/dhcp
>> >> >>>> etc/rc.d/init.d/dhcrelay
>> >> >>>> +etc/rc.d/init.d/dnsntp
>> >> >>>> etc/rc.d/init.d/fcron
>> >> >>>> etc/rc.d/init.d/fireinfo
>> >> >>>> etc/rc.d/init.d/firewall
>> >> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> >> >>>> index 321642e82..3fc707e8b 100644
>> >> >>>> --- a/html/cgi-bin/optionsfw.cgi
>> >> >>>> +++ b/html/cgi-bin/optionsfw.cgi
>> >> >>>> @@ -2,7 +2,7 @@
>> >> >>>> ###############################################################################
>> >> >>>> #                                                                             #
>> >> >>>> # IPFire.org - A linux based firewall                                         #
>> >> >>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>> >> >>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>> >> >>>> #                                                                             #
>> >> >>>> # This program is free software: you can redistribute it and/or modify        #
>> >> >>>> # it under the terms of the GNU General Public License as published by        #
>> >> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> >> >>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>> >> >>>> 		&General::writehash($filename, \%settings);             # Save good settings
>> >> >>>> 		system("/usr/local/bin/firewallctrl");
>> >> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> >> >>>> 	}else{
>> >> >>>> 		if ($settings{'POLICY'} ne ''){
>> >> >>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
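Review bot: `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` discards both the output and the exit status, so when the redirect rules fail to apply the page still reports the settings as saved; check the return value of system() and append to $errormessage on failure (the same call is repeated in the next hunk).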
>> >> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> >> >>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> >> >>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> >> >>>> 		system("/usr/local/bin/firewallctrl");
>> >> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> >> >>>> 	}
>> >> >>>> 	&General::readhash($filename, \%settings);             # Load good settings
>> >> >>>> }
>> >> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>> >> >>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>> >> >>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>> >> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>> >> >>>> 
>> >> >>>> &Header::openbox('100%', 'center',);
>> >> >>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
>> >> >>>> @@ -189,13 +203,44 @@ END
>> >> >>>> END
>> >> >>>> 	}
>> >> >>>> 
>> >> >>>> -	print <<END
>> >> >>>> +print <<END;
>> >> >>>> +	<table width='95%' cellspacing='0'>
>> >> >>>> +		<tr bgcolor='$color{'color20'}'></tr>
>> >> >>>> +		<tr> </tr>
>> >> >>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>> >> >>>> +		</tr>
>> >> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> >> >>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> >> >>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> +END
>> >> >>>> +
>> >> >>>> +	if (&Header::blue_used()) {
>> >> >>>> +		print <<END;
>> >> >>>> +		<table width='95%' cellspacing='0'>
>> >> >>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> >> >>>> +		<tr> </tr>
>> >> >>>> +			<tr>
>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> >> >>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> >> >>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> >> >>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> >> >>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> +			</td>
>> >> >>>> +			</tr>
>> >> >>>> +END
>> >> >>>> +	}
>> >> >>>> +
>> >> >>>> +	print <<END;
>> >> >>>> 	</table>
>> >> >>>> 
>> >> >>>> -	<br>
>> >> >>>> +	<br />
>> >> >>>> 
>> >> >>>> -<table width='95%' cellspacing='0'>
>> >> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> >> >>>> +		<table width='95%' cellspacing='0'>
>> >> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>> >> >>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
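Review bot: the GREEN block's markup is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr> </tr>` is another, and the header `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` then sits outside any `<tr>` before a stray `</tr>`; the BLUE block opens a second `<table width='95%' cellspacing='0'>` while the GREEN table is still open and ends with `</td></tr>` that close nothing. Collapse the GREEN header into one `<tr bgcolor=...><td colspan='2' ...>...</td></tr>` as the BLUE block does, and close the GREEN table before opening the BLUE one. Also, DROPPROXY and DROPSAMBA are now only rendered when `&Header::blue_used()` is true, so the save path has to cope with those keys being absent from the submitted form.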
>> >> >>>> @@ -206,21 +251,30 @@ END
>> >> >>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>> >> >>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> >> >>>> +END
>> >> >>>> +
>> >> >>>> +	if (&Header::blue_used()) {
>> >> >>>> +		print <<END;
>> >> >>>> +	</table>
>> >> >>>> +
>> >> >>>> +	<br />
>> >> >>>> +
>> >> >>>> +		<table width='95%' cellspacing='0'>
>> >> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> >> >>>> +			<tr>
>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> >> >>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> >> >>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> -</table>
>> >> >>>> -<br/>
>> >> >>>> +			</tr>
>> >> >>>> +END
>> >> >>>> +	}
>> >> >>>> +
>> >> >>>> +	print <<END;
>> >> >>>> +	</table>
>> >> >>>> +
>> >> >>>> +	<br />
>> >> >>>> 
>> >> >>>> -<table width='95%' cellspacing='0'>
>> >> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> >> >>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> >> >>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> >> >>>> -</table>
>> >> >>>> -<br>
>> >> >>>> <table width='95%' cellspacing='0'>
>> >> >>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
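Review bot: in the BLUE logging block the bare `<tr>` before the 'drop wirelessinput' row is never closed and the `</tr>` after the 'drop wirelessforward' row closes nothing (both rows already carry their own `<tr>...</tr>`); drop both stray tags. As with the options above, DROPWIRELESSINPUT and DROPWIRELESSFORWARD are absent from the form when BLUE is not in use, which the save handler needs to tolerate.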
>> >> >>>> @@ -252,7 +306,7 @@ END
>> >> >>>> 
>> >> >>>> <br />
>> >> >>>> <table width='100%' cellspacing='0'>
>> >> >>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> >> >>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> >> >>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>> >> >>>> </form></td></tr>
>> >> >>>> </table>
>> >> >>>> @@ -278,7 +332,7 @@ print <<END;
>> >> >>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>> >> >>>> END
>> >> >>>> 	print "</tr></table></form>";
>> >> >>>> -	print"<br><br>";
>> >> >>>> +	print"<br /><br />";
>> >> >>>> 	print <<END;
>> >> >>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> >> >>>> 	<table width='100%' border='0'>
>> >> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> >> >>>> index 6a8133807..d6bb234fa 100644
>> >> >>>> --- a/langs/de/cgi-bin/de.pl
>> >> >>>> +++ b/langs/de/cgi-bin/de.pl
>> >> >>>> @@ -836,6 +836,8 @@
>> >> >>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>> >> >>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>> >> >>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>> >> >>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>> >> >>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>> >> >>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>> >> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>> >> >>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>> >> >>>> @@ -1102,9 +1104,12 @@
>> >> >>>> 'from email server' => 'Von E-Mail-Server',
>> >> >>>> 'from email user' => 'Von E-Mail-Benutzer',
>> >> >>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>> >> >>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>> >> >>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>> >> >>>> 'fw default drop' => 'Firewallrichtlinie',
>> >> >>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>> >> >>>> 'fw logging' => 'Firewallprotokollierung',
>> >> >>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>> >> >>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>> >> >>>> 'fw settings' => 'Firewalleinstellungen',
>> >> >>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>> >> >>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>> >> >>>> @@ -1644,9 +1649,9 @@
>> >> >>>> 'map to guest' => 'Map to Guest',
>> >> >>>> 'march' => 'März',
>> >> >>>> 'marked' => 'Markiert',
>> >> >>>> -'masquerade blue' => 'NAT auf BLAU',
>> >> >>>> -'masquerade green' => 'NAT auf GRÜN',
>> >> >>>> -'masquerade orange' => 'NAT auf ORANGE',
>> >> >>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>> >> >>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>> >> >>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>> >> >>>> 'masquerading' => 'Masquerading/NAT',
>> >> >>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>> >> >>>> 'masquerading enabled' => 'NAT eingeschaltet',
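Review bot: style: the `'masquerade orange'` entry has `color =\'#FF9933\'` with a space before `=`, unlike the two entries above it; make it `color=\'#FF9933\'` for consistency.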
>> >> >>>> @@ -1814,6 +1819,8 @@
>> >> >>>> 'november' => 'November',
>> >> >>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>> >> >>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>> >> >>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>> >> >>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>> >> >>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>> >> >>>> 'ntp server' => 'NTP-Server',
>> >> >>>> 'ntp sync' => 'Synchronisation',
>> >> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> >> >>>> index 8f7e0c2cf..474612025 100644
>> >> >>>> --- a/langs/en/cgi-bin/en.pl
>> >> >>>> +++ b/langs/en/cgi-bin/en.pl
>> >> >>>> @@ -859,6 +859,8 @@
>> >> >>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>> >> >>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>> >> >>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>> >> >>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>> >> >>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>> >> >>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>> >> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>> >> >>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>> >> >>>> @@ -1128,9 +1130,12 @@
>> >> >>>> 'from email server' => 'From Email server',
>> >> >>>> 'from email user' => 'From e-mail user',
>> >> >>>> 'from warn email bad' => 'From e-mail address is not valid',
>> >> >>>> -'fw blue' => 'Firewall options for BLUE interface',
>> >> >>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>> >> >>>> 'fw default drop' => 'Firewall policy',
>> >> >>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>> >> >>>> 'fw logging' => 'Firewall logging',
>> >> >>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>> >> >>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>> >> >>>> 'fw settings' => 'Firewall settings',
>> >> >>>> 'fw settings color' => 'Show colors in ruletable',
>> >> >>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
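Review bot: style: `'fw blue'` and `'fw green'` now read 'Interface' with a capital I, while the replaced string and the surrounding en.pl entries use lowercase 'interface'.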
>> >> >>>> @@ -1672,9 +1677,9 @@
>> >> >>>> 'map to guest' => 'Map to Guest',
>> >> >>>> 'march' => 'March',
>> >> >>>> 'marked' => 'Marked',
>> >> >>>> -'masquerade blue' => 'Masquerade BLUE',
>> >> >>>> -'masquerade green' => 'Masquerade GREEN',
>> >> >>>> -'masquerade orange' => 'Masquerade ORANGE',
>> >> >>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>> >> >>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>> >> >>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>> >> >>>> 'masquerading' => 'Masquerading',
>> >> >>>> 'masquerading disabled' => 'Masquerading disabled',
>> >> >>>> 'masquerading enabled' => 'Masquerading enabled',
>> >> >>>> @@ -1844,6 +1849,8 @@
>> >> >>>> 'november' => 'November',
>> >> >>>> 'ntp common settings' => 'Common settings',
>> >> >>>> 'ntp configuration' => 'NTP Configuration',
>> >> >>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>> >> >>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>> >> >>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>> >> >>>> 'ntp server' => 'NTP Server',
>> >> >>>> 'ntp sync' => 'Synchronization',
>> >> >>>> diff --git a/lfs/configroot b/lfs/configroot
>> >> >>>> index a3e474d70..622793b35 100644
>> >> >>>> --- a/lfs/configroot
>> >> >>>> +++ b/lfs/configroot
>> >> >>>> @@ -129,6 +129,10 @@ $(TARGET) :
>> >> >>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >> >>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >> >>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >> >>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >> >>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >> >>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >> >>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> >> >>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>> >> >>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>> >> >>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
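Review bot: the keys written here are `DNS_FORCE_ON_GREEN`, `DNS_FORCE_ON_BLUE`, `NTP_FORCE_ON_GREEN` and `NTP_FORCE_ON_BLUE`, while the commit message documents them as `firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]`; please make the description match the names actually used. Note also that lfs/configroot only seeds fresh installations: on an updated system the four keys are absent from /var/ipfire/optionsfw/settings until the user saves the page once, so the update path (or a default applied in the CGI) should add them as `off`.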
>> >> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>> >> >>>> new file mode 100644
>> >> >>>> index 000000000..2eafa9d20
>> >> >>>> --- /dev/null
>> >> >>>> +++ b/src/initscripts/system/dnsntp
>> >> >>>> @@ -0,0 +1,36 @@
>> >> >>>> +#!/bin/sh
>> >> >>>> +########################################################################
>> >> >>>> +# Begin $rc_base/init.d/dnsntp
>> >> >>>> +#
>> >> >>>> +# Description : dnsntp init script for DNS/NTP rules only
>> >> >>>> +#
>> >> >>>> +########################################################################
>> >> >>>> +
>> >> >>>> +# flush chain
>> >> >>>> +iptables -t nat -F DNS_NTP_REDIRECT
>> >> >>>> +
>> >> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> >> >>>> +
>> >> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> >> >>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>> >> >>>> +fi
>> >> >>>> +
>> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> >> >>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>> >> >>>> +fi
>> >> >>>> +
>> >> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> >> >>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>> >> >>>> +fi
>> >> >>>> +
>> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> >> >>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>> >> >>>> +fi
>> >> >>>> +
>> >> >>>> +# End $rc_base/init.d/dnsntp
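Review bot: the script declares `#!/bin/sh` but tests `[ "$DNS_FORCE_ON_GREEN" == "on" ]`; `==` inside `[ ]` is a bash extension and POSIX sh only guarantees `=`, so please change all four comparisons to `=` or declare bash explicitly. The comment before the last block reads "Force DNS REDIRECTs on BLUE (udp, 123)" but that block handles NTP. The device names `green0` and `blue0` are hard-coded rather than taken from the configured device variables that the firewall init script uses (see the "-i GREEN_DEV" comment in the firewall hunk below); using the same variables keeps both scripts consistent. The chain is also flushed before the settings are read, so a failing readhash leaves it empty instead of unchanged; read first, then flush. For the description: matching only `--dport 53` and `--dport 123` catches plain DNS and NTP, so clients using DNS over TLS (853) or DNS over HTTPS (443) are not redirected, and "REDIRECT all DNS ... requests" in the commit message should say so.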
>> >> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> >> >>>> index 65f1c979b..43ae74113 100644
>> >> >>>> --- a/src/initscripts/system/firewall
>> >> >>>> +++ b/src/initscripts/system/firewall
>> >> >>>> @@ -169,6 +169,10 @@ iptables_init() {
>> >> >>>> 	# Fix for braindead ISPs
>> >> >>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> >> >>>> 
>> >> >>>> +	# DNS / NTP REDIRECT
>> >> >>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>> >> >>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> >> >>>> +
>> >> >>>> 	# CUSTOM chains, can be used by the users themselves
>> >> >>>> 	iptables -N CUSTOMINPUT
>> >> >>>> 	iptables -A INPUT -j CUSTOMINPUT
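Review bot: the jump to DNS_NTP_REDIRECT is appended to nat PREROUTING before the CUSTOM chains are created in the block just below, so if that block also hooks a user chain into nat PREROUTING, any custom rule there (for example one exempting a single host or a local resolver on GREEN from the redirect) is only reached after the redirect has already matched. The commit message says the separate chain avoids collisions with CUSTOM rules; if custom rules are meant to be able to override it, add the jump after the CUSTOM chain jumps, and either way document the intended ordering in a comment.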
>> >> >>>> @@ -281,7 +285,7 @@ iptables_init() {
>> >> >>>> 	iptables -A INPUT -j LOCATIONBLOCK
>> >> >>>> 	iptables -A FORWARD -j LOCATIONBLOCK
>> >> >>>> 
>> >> >>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> >> >>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> >> >>>> 	iptables -N IPSECINPUT
>> >> >>>> 	iptables -N IPSECFORWARD
>> >> >>>> 	iptables -N IPSECOUTPUT
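Review bot: the 'trafic' to 'traffic' comment fix is unrelated to the DNS/NTP feature; bundling cosmetic changes into a functional patch makes it harder to review and to revert, so please send it as a separate commit.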
>> >> >>>> @@ -389,6 +393,9 @@ iptables_init() {
>> >> >>>> 	# run captivectrl
>> >> >>>> 	/usr/local/bin/captivectrl
>> >> >>>> 
>> >> >>>> +	# run dnsntpctrl
>> >> >>>> +	/usr/local/bin/dnsntpctrl
>> >> >>>> +
>> >> >>>> 	# POLICY CHAIN
>> >> >>>> 	iptables -N POLICYIN
>> >> >>>> 	iptables -A INPUT -j POLICYIN
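Review bot: iptables_init() already runs as root, so calling the setuid wrapper `/usr/local/bin/dnsntpctrl` here only passes through `initsetuid()` and `safe_system()` to reach `/etc/rc.d/init.d/dnsntp`, and the wrapper discards that script's stdout and stderr (`>/dev/null 2>&1` in dnsntpctrl.c). Any iptables error while loading the redirect rules at boot is therefore lost. Running `/etc/rc.d/init.d/dnsntp` directly at this point would keep such errors in the boot log; it must still run after the DNS_NTP_REDIRECT chain is created above, which the current position satisfies.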
>> >> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> >> >>>> index 7c3ef7529..6f2733ef0 100644
>> >> >>>> --- a/src/misc-progs/Makefile
>> >> >>>> +++ b/src/misc-progs/Makefile
>> >> >>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>> >> >>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>> >> >>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>> >> >>>> 	rebuildhosts backupctrl collectdctrl \
>> >> >>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>> >> >>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>> >> >>>> 	wirelessctrl getipstat qosctrl \
>> >> >>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>> >> >>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> >> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>> >> >>>> new file mode 100644
>> >> >>>> index 000000000..f2a3b89e3
>> >> >>>> --- /dev/null
>> >> >>>> +++ b/src/misc-progs/dnsntpctrl.c
>> >> >>>> @@ -0,0 +1,19 @@
>> >> >>>> +/* This file is part of the IPFire Firewall.
>> >> >>>> + *
>> >> >>>> + * This program is distributed under the terms of the GNU General Public
>> >> >>>> + * Licence.  See the file COPYING for details.
>> >> >>>> + *
>> >> >>>> + */
>> >> >>>> +
>> >> >>>> +#include <stdlib.h>
>> >> >>>> +#include "setuid.h"
>> >> >>>> +
>> >> >>>> +int main(void)
>> >> >>>> +{
>> >> >>>> +	if (!(initsetuid()))
>> >> >>>> +		exit(1);
>> >> >>>> +
>> >> >>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> >> >>>> +
>> >> >>>> +	return 0;
>> >> >>>> +}
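Review bot: the return value of `safe_system()` is ignored and `main` always returns 0, so a failure inside /etc/rc.d/init.d/dnsntp (the chain not existing yet, or a rejected iptables rule) is invisible to optionsfw.cgi, which then reports a successful save. Return the status of `safe_system()` instead of a constant 0, and drop the `>/dev/null 2>&1` from the command string so the caller decides what to do with the output. Since the wrapper only ever executes a fixed path after `initsetuid()`, merging the script into this C file, as the commit message wishes, is not needed; error propagation is.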
>> >> >>>> -- 
>> >> >>>> 2.18.0
  
Jon Murphy March 29, 2021, 9:34 p.m. UTC | #9
Hello!  Hope everyone is healthy!

I am just curious if this was approved by the Developers?

Jon

> On Mar 5, 2021, at 1:40 PM, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> 
> Originally triggered by:
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> 
> Current discussion:
> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> 
> Summary and functionality:
>  These patches are controlled through "Firewall Options". They add new
>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> 
>  Default of all new rules is OFF (set in 'lfs/configroot').
>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>  servers specified in IPFire. GUI links to DNS and NTP options were added to make
>  this more transparent.
> 
>  Flaw/ToDo:
>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>  init file, 'dnsntp'. This is actually an unnecessary detour.
>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
>  capabilities, perhaps "someone" else knows how to program this.
> 
> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>  The corresponding interface options - including 'Masquerade ...' - are only visible if
>  the respective interface actually exists.
>  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>  or logging options for BLUE available (e.g.).
>  Added text colors for better readability and links to DNS and NTP GUI.
>  Separated logging options per interface.
> 
> No reboot required:
>  Rules can be switched ON/OFF without rebooting IPFire.
>  Changes immediately take effect after clicking 'Save'.
> 
> Changes to '/etc/rc.d/init.d/firewall':
>  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>  chain: DNS_NTP_REDIRECT.
>  This chain is flushed by the init file before the desired settings are applied.
>  Corrected a 'trafic' typo.
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> config/rootfiles/common/aarch64/initscripts  |  1 +
> config/rootfiles/common/armv5tel/initscripts |  1 +
> config/rootfiles/common/i586/initscripts     |  1 +
> config/rootfiles/common/misc-progs           |  1 +
> config/rootfiles/common/x86_64/initscripts   |  1 +
> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
> langs/de/cgi-bin/de.pl                       | 15 +++-
> langs/en/cgi-bin/en.pl                       | 15 +++-
> lfs/configroot                               |  4 +
> src/initscripts/system/dnsntp                | 36 ++++++++
> src/initscripts/system/firewall              |  9 +-
> src/misc-progs/Makefile                      |  2 +-
> src/misc-progs/dnsntpctrl.c                  | 19 ++++
> 13 files changed, 168 insertions(+), 29 deletions(-)
> create mode 100644 src/initscripts/system/dnsntp
> create mode 100644 src/misc-progs/dnsntpctrl.c
> 
> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
> index 800005966..f38a3a294 100644
> --- a/config/rootfiles/common/aarch64/initscripts
> +++ b/config/rootfiles/common/aarch64/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
> index 800005966..f38a3a294 100644
> --- a/config/rootfiles/common/armv5tel/initscripts
> +++ b/config/rootfiles/common/armv5tel/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
> index 18c5a897a..a3a2b47f7 100644
> --- a/config/rootfiles/common/i586/initscripts
> +++ b/config/rootfiles/common/i586/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> index d6594b3f8..4bcb94812 100644
> --- a/config/rootfiles/common/misc-progs
> +++ b/config/rootfiles/common/misc-progs
> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
> usr/local/bin/collectdctrl
> usr/local/bin/ddnsctrl
> usr/local/bin/dhcpctrl
> +usr/local/bin/dnsntpctrl
> usr/local/bin/extrahdctrl
> usr/local/bin/fireinfoctrl
> usr/local/bin/firewallctrl
> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
> index 18c5a897a..a3a2b47f7 100644
> --- a/config/rootfiles/common/x86_64/initscripts
> +++ b/config/rootfiles/common/x86_64/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index 321642e82..3fc707e8b 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> 		$errormessage .= $Lang::tr{'new optionsfw later'};
> 		&General::writehash($filename, \%settings);             # Save good settings
> 		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> 	}else{
> 		if ($settings{'POLICY'} ne ''){
> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
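Review bot: `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` passes a single string containing a shell redirection, so Perl spawns a shell to run it; there is no user input in the command, but the wrapper already silences its own child, and the plain `system("/usr/local/bin/dnsntpctrl")` form used for `firewallctrl` on the line above avoids the shell entirely. The exit status is also not checked, so `$errormessage` is never set when the rules fail to load. The same applies to the identical call in the next hunk.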
> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> 		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> 	}
> 	&General::readhash($filename, \%settings);             # Load good settings
> }
> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
> $selected{'MASQUERADE_BLUE'}{'off'} = '';
> $selected{'MASQUERADE_BLUE'}{'on'} = '';
> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
> 
> &Header::openbox('100%', 'center',);
> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
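Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}}` assumes the key is present in optionsfw/settings; on an updated installation that has never saved this page the value is undefined, so neither radio button is pre-selected, and if the user saves without touching the group an empty value is written. The save path earlier in this file also writes the submitted value through `writehash` without restricting it to `on`/`off`, and the dnsntp script later `eval`s that file via readhash; a whitelist such as `$settings{'DNS_FORCE_ON_GREEN'} = 'off' unless $settings{'DNS_FORCE_ON_GREEN'} eq 'on';` (and likewise for the other three keys) before `writehash` gives a defined default and keeps the settings file to known values.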
> @@ -189,13 +203,44 @@ END
> END
> 	}
> 
> -	print <<END
> +print <<END;
> +	<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'></tr>
> +		<tr>&nbsp;</tr>
> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> +		</tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +		<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> +		<tr>&nbsp;</tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			</td>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> 	</table>
> 
> -	<br>
> +	<br />
> 
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
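Review bot: the generated HTML in this hunk is not well-formed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` places text directly inside a `tr`, the GREEN heading `<td colspan='2' ...>` has no opening `<tr>`, and in the BLUE block the bare `<tr>` after `<tr>&nbsp;</tr>` is never closed while the trailing `</td></tr>` closes nothing. The BLUE block also opens a second `<table width='95%' cellspacing='0'>` while the GREEN table is still open, and the following heredoc closes only one `</table>`, so with BLUE present one table remains unclosed. One table with a heading row per interface, e.g. `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>` as the original logging section did, would fix all of this. The first `print <<END;` is also unindented while the rest of the block uses a tab.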
> @@ -206,21 +251,30 @@ END
> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +	</table>
> +
> +	<br />
> +
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br/>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> +	</table>
> +
> +	<br />
> 
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br>
> <table width='95%' cellspacing='0'>
> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
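Review bot: the BLUE logging block opens a bare `<tr>` right after the heading row and never closes it, and the `</tr>` before the closing `END` has no matching open; browsers will tolerate it, but the markup should be fixed as in the previous hunk. Gating the DROPWIRELESSINPUT and DROPWIRELESSFORWARD switches on `&Header::blue_used()` is reasonable, but those keys default to `on` in lfs/configroot, so a system without BLUE keeps settings it can no longer see or change; that deserves a sentence in the description.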
> @@ -252,7 +306,7 @@ END
> 
> <br />
> <table width='100%' cellspacing='0'>
> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> </form></td></tr>
> </table>
> @@ -278,7 +332,7 @@ print <<END;
> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
> END
> 	print "</tr></table></form>";
> -	print"<br><br>";
> +	print"<br /><br />";
> 	print <<END;
> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> 	<table width='100%' border='0'>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 6a8133807..d6bb234fa 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -836,6 +836,8 @@
> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> @@ -1102,9 +1104,12 @@
> 'from email server' => 'Von E-Mail-Server',
> 'from email user' => 'Von E-Mail-Benutzer',
> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
> 'fw default drop' => 'Firewallrichtlinie',
> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
> 'fw logging' => 'Firewallprotokollierung',
> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
> 'fw settings' => 'Firewalleinstellungen',
> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
> @@ -1644,9 +1649,9 @@
> 'map to guest' => 'Map to Guest',
> 'march' => 'März',
> 'marked' => 'Markiert',
> -'masquerade blue' => 'NAT auf BLAU',
> -'masquerade green' => 'NAT auf GRÜN',
> -'masquerade orange' => 'NAT auf ORANGE',
> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
> 'masquerading' => 'Masquerading/NAT',
> 'masquerading disabled' => 'NAT ausgeschaltet',
> 'masquerading enabled' => 'NAT eingeschaltet',
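Review bot: `color =\'#FF9933\'` on the 'masquerade orange' line has a stray space before `=`, unlike the BLUE and GREEN entries and the en.pl counterpart; please make it consistent. As with en.pl, the colouring belongs in the CGI or a stylesheet rather than in the translation strings.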
> @@ -1814,6 +1819,8 @@
> 'november' => 'November',
> 'ntp common settings' => 'Allgemeine Einstellungen',
> 'ntp configuration' => 'Zeitserverkonfiguration',
> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
> 'ntp server' => 'NTP-Server',
> 'ntp sync' => 'Synchronisation',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 8f7e0c2cf..474612025 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -859,6 +859,8 @@
> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
> @@ -1128,9 +1130,12 @@
> 'from email server' => 'From Email server',
> 'from email user' => 'From e-mail user',
> 'from warn email bad' => 'From e-mail address is not valid',
> -'fw blue' => 'Firewall options for BLUE interface',
> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
> 'fw default drop' => 'Firewall policy',
> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
> 'fw logging' => 'Firewall logging',
> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
> 'fw settings' => 'Firewall settings',
> 'fw settings color' => 'Show colors in ruletable',
> 'fw settings dropdown' => 'Show all networks on rulecreation site',
> @@ -1672,9 +1677,9 @@
> 'map to guest' => 'Map to Guest',
> 'march' => 'March',
> 'marked' => 'Marked',
> -'masquerade blue' => 'Masquerade BLUE',
> -'masquerade green' => 'Masquerade GREEN',
> -'masquerade orange' => 'Masquerade ORANGE',
> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
> 'masquerading' => 'Masquerading',
> 'masquerading disabled' => 'Masquerading disabled',
> 'masquerading enabled' => 'Masquerading enabled',
> @@ -1844,6 +1849,8 @@
> 'november' => 'November',
> 'ntp common settings' => 'Common settings',
> 'ntp configuration' => 'NTP Configuration',
> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
> 'ntp server' => 'NTP Server',
> 'ntp sync' => 'Synchronization',
> diff --git a/lfs/configroot b/lfs/configroot
> index a3e474d70..622793b35 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -129,6 +129,10 @@ $(TARGET) :
> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> new file mode 100644
> index 000000000..2eafa9d20
> --- /dev/null
> +++ b/src/initscripts/system/dnsntp
> @@ -0,0 +1,36 @@
> +#!/bin/sh
> +########################################################################
> +# Begin $rc_base/init.d/dnsntp
> +#
> +# Description : dnsntp init script for DNS/NTP rules only
> +#
> +########################################################################
> +
> +# flush chain
> +iptables -t nat -F DNS_NTP_REDIRECT
> +
> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> +
> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> +fi
> +
> +# Force NTP REDIRECTs on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> +fi
> +
> +# End $rc_base/init.d/dnsntp
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 65f1c979b..43ae74113 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -169,6 +169,10 @@ iptables_init() {
> 	# Fix for braindead ISPs
> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> 
> +	# DNS / NTP REDIRECT
> +	iptables -t nat -N DNS_NTP_REDIRECT
> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> +
> 	# CUSTOM chains, can be used by the users themselves
> 	iptables -N CUSTOMINPUT
> 	iptables -A INPUT -j CUSTOMINPUT
> @@ -281,7 +285,7 @@ iptables_init() {
> 	iptables -A INPUT -j LOCATIONBLOCK
> 	iptables -A FORWARD -j LOCATIONBLOCK
> 
> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> 	iptables -N IPSECINPUT
> 	iptables -N IPSECFORWARD
> 	iptables -N IPSECOUTPUT
> @@ -389,6 +393,9 @@ iptables_init() {
> 	# run captivectrl
> 	/usr/local/bin/captivectrl
> 
> +	# run dnsntpctrl
> +	/usr/local/bin/dnsntpctrl
> +
> 	# POLICY CHAIN
> 	iptables -N POLICYIN
> 	iptables -A INPUT -j POLICYIN
> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> index 7c3ef7529..6f2733ef0 100644
> --- a/src/misc-progs/Makefile
> +++ b/src/misc-progs/Makefile
> @@ -26,7 +26,7 @@ PROGS = iowrap
> SUID_PROGS = squidctrl sshctrl ipfirereboot \
> 	ipsecctrl timectrl dhcpctrl suricatactrl \
> 	rebuildhosts backupctrl collectdctrl \
> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
> 	wirelessctrl getipstat qosctrl \
> 	redctrl syslogdctrl extrahdctrl sambactrl \
> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> new file mode 100644
> index 000000000..f2a3b89e3
> --- /dev/null
> +++ b/src/misc-progs/dnsntpctrl.c
> @@ -0,0 +1,19 @@
> +/* This file is part of the IPFire Firewall.
> + *
> + * This program is distributed under the terms of the GNU General Public
> + * Licence.  See the file COPYING for details.
> + *
> + */
> +
> +#include <stdlib.h>
> +#include "setuid.h"
> +
> +int main(void)
> +{
> +	if (!(initsetuid()))
> +		exit(1);
> +
> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> +
> +	return 0;
> +}
> -- 
> 2.18.0
  
Michael Tremer April 1, 2021, 10:22 a.m. UTC | #10
Hello,

I did not have a look at this because I got lost in the last conversation about this.

I still do not understand why this would be necessary functionality and why we did not go with adding support for REDIRECT rules to the existing UI which could then be used for all sorts of protocols and won’t be hardcoded to just those two.

-Michael

> On 29 Mar 2021, at 22:34, Jon Murphy <jcmurphy26@gmail.com> wrote:
> 
> Hello!  Hope everyone is healthy!
> 
> I am just curious if this was approved by the Developers?
> 
> Jon
> 
>> On Mar 5, 2021, at 1:40 PM, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>> 
>> Originally triggered by:
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>> 
>> Current discussion:
>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>> 
>> Summary and functionality:
>> These patches are controlled through "Firewall Options". They add new
>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>> 
>> Default of all new rules is OFF (set in 'lfs/configroot').
>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>> this more transparent.
>> 
>> Flaw/ToDo:
>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>> init file, 'dnsntp'. This is actually an unnecessary detour.
>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>> capabilities, perhaps "someone" else knows how to program this.
>> 
>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>> the respective interface actually exists.
>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>> or logging options for BLUE available (e.g.).
>> Added text colors for better readability and links to DNS and NTP GUI.
>> Separated logging options per interface.
>> 
>> No reboot required:
>> Rules can be switched ON/OFF without rebooting IPFire.
>> Changes immediately take effect after clicking 'Save'.
>> 
>> Changes to '/etc/rc.d/init.d/firewall':
>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>> chain: DNS_NTP_REDIRECT.
>> This chain is flushed by the init file before the desired settings are applied.
>> Corrected a 'trafic' typo.
>> 
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>> config/rootfiles/common/aarch64/initscripts  |  1 +
>> config/rootfiles/common/armv5tel/initscripts |  1 +
>> config/rootfiles/common/i586/initscripts     |  1 +
>> config/rootfiles/common/misc-progs           |  1 +
>> config/rootfiles/common/x86_64/initscripts   |  1 +
>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>> langs/de/cgi-bin/de.pl                       | 15 +++-
>> langs/en/cgi-bin/en.pl                       | 15 +++-
>> lfs/configroot                               |  4 +
>> src/initscripts/system/dnsntp                | 36 ++++++++
>> src/initscripts/system/firewall              |  9 +-
>> src/misc-progs/Makefile                      |  2 +-
>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>> 13 files changed, 168 insertions(+), 29 deletions(-)
>> create mode 100644 src/initscripts/system/dnsntp
>> create mode 100644 src/misc-progs/dnsntpctrl.c
>> 
>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>> index 800005966..f38a3a294 100644
>> --- a/config/rootfiles/common/aarch64/initscripts
>> +++ b/config/rootfiles/common/aarch64/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> etc/rc.d/init.d/console
>> etc/rc.d/init.d/dhcp
>> etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>> etc/rc.d/init.d/fcron
>> etc/rc.d/init.d/fireinfo
>> etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>> index 800005966..f38a3a294 100644
>> --- a/config/rootfiles/common/armv5tel/initscripts
>> +++ b/config/rootfiles/common/armv5tel/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> etc/rc.d/init.d/console
>> etc/rc.d/init.d/dhcp
>> etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>> etc/rc.d/init.d/fcron
>> etc/rc.d/init.d/fireinfo
>> etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>> index 18c5a897a..a3a2b47f7 100644
>> --- a/config/rootfiles/common/i586/initscripts
>> +++ b/config/rootfiles/common/i586/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> etc/rc.d/init.d/console
>> etc/rc.d/init.d/dhcp
>> etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>> etc/rc.d/init.d/fcron
>> etc/rc.d/init.d/fireinfo
>> etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>> index d6594b3f8..4bcb94812 100644
>> --- a/config/rootfiles/common/misc-progs
>> +++ b/config/rootfiles/common/misc-progs
>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>> usr/local/bin/collectdctrl
>> usr/local/bin/ddnsctrl
>> usr/local/bin/dhcpctrl
>> +usr/local/bin/dnsntpctrl
>> usr/local/bin/extrahdctrl
>> usr/local/bin/fireinfoctrl
>> usr/local/bin/firewallctrl
>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>> index 18c5a897a..a3a2b47f7 100644
>> --- a/config/rootfiles/common/x86_64/initscripts
>> +++ b/config/rootfiles/common/x86_64/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> etc/rc.d/init.d/console
>> etc/rc.d/init.d/dhcp
>> etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>> etc/rc.d/init.d/fcron
>> etc/rc.d/init.d/fireinfo
>> etc/rc.d/init.d/firewall
>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> index 321642e82..3fc707e8b 100644
>> --- a/html/cgi-bin/optionsfw.cgi
>> +++ b/html/cgi-bin/optionsfw.cgi
>> @@ -2,7 +2,7 @@
>> ###############################################################################
>> #                                                                             #
>> # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>> #                                                                             #
>> # This program is free software: you can redistribute it and/or modify        #
>> # it under the terms of the GNU General Public License as published by        #
>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>> 		&General::writehash($filename, \%settings);             # Save good settings
>> 		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> 	}else{
>> 		if ($settings{'POLICY'} ne ''){
>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
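
Review bot: the exit status of this system() call is ignored and its output is discarded, so a failed rule reload is never surfaced to the user; check the return value and append to $errormessage as the surrounding code does. The same call is repeated in the next hunk, and since firewallctrl (called on the line above) reloads the firewall script, which now runs dnsntpctrl itself, both calls are likely redundant.
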
>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> 		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> 	}
>> 	&General::readhash($filename, \%settings);             # Load good settings
>> }
>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>> 
>> &Header::openbox('100%', 'center',);
>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
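
Review bot: the new DNS_FORCE_ON_*/NTP_FORCE_ON_* values are taken from the form and written back without being checked; since the dnsntp script later evals the settings file, restrict each to 'on' or 'off' in the save branch before writehash, and default a missing key to 'off', otherwise `$checked{...}{$settings{...}}` indexes with an empty string and neither radio button is selected on upgraded installations that lack the keys.
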
>> @@ -189,13 +203,44 @@ END
>> END
>> 	}
>> 
>> -	print <<END
>> +print <<END;
>> +	<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'></tr>
>> +		<tr>&nbsp;</tr>
>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>> +		</tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +		<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> +		<tr>&nbsp;</tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			</td>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>> 	</table>
>> 
>> -	<br>
>> +	<br />
>> 
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
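
Review bot: the generated markup in this hunk is broken: the GREEN header row is an empty `<tr bgcolor=...></tr>` with its `<td>` emitted outside any row, `<tr>&nbsp;</tr>` puts text directly inside a row, the BLUE block opens a `<tr>` that is never matched and ends with a stray `</td>`, and both new `<table>` elements are opened while the preceding table is still open, with only one `</table>` following. Please close each table before opening the next and validate the output. Behaviourally, DROPPROXY and DROPSAMBA are now rendered only when blue_used() is true; check that saving on a system without BLUE does not drop those keys from the settings file.
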
>> @@ -206,21 +251,30 @@ END
>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +	</table>
>> +
>> +	<br />
>> +
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br/>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>> +	</table>
>> +
>> +	<br />
>> 
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br>
>> <table width='95%' cellspacing='0'>
>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
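
Review bot: the `<tr>` opened at the start of the BLUE logging block wraps two further `<tr>` elements, which is invalid nesting; remove that outer `<tr>`/`</tr>` pair. As with the BLUE options, DROPWIRELESSINPUT/DROPWIRELESSFORWARD are no longer part of the form when BLUE is absent, so verify the save path keeps their existing values instead of clearing them.
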
>> @@ -252,7 +306,7 @@ END
>> 
>> <br />
>> <table width='100%' cellspacing='0'>
>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>> </form></td></tr>
>> </table>
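
Review bot: the Save button alignment change here, like the `<br />` and copyright-year edits in this file, is cosmetic and unrelated to the redirect feature; split these into a separate commit.
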
>> @@ -278,7 +332,7 @@ print <<END;
>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>> END
>> 	print "</tr></table></form>";
>> -	print"<br><br>";
>> +	print"<br /><br />";
>> 	print <<END;
>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> 	<table width='100%' border='0'>
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 6a8133807..d6bb234fa 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -836,6 +836,8 @@
>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>> @@ -1102,9 +1104,12 @@
>> 'from email server' => 'Von E-Mail-Server',
>> 'from email user' => 'Von E-Mail-Benutzer',
>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>> 'fw default drop' => 'Firewallrichtlinie',
>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>> 'fw logging' => 'Firewallprotokollierung',
>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>> 'fw settings' => 'Firewalleinstellungen',
>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
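
Review bot: these strings embed hardcoded `<font color>` hex values in the translation file; colour belongs in the CGI (the existing $color hash) so that every language file does not have to carry presentation markup. The 'fw logging' key is no longer referenced in the optionsfw.cgi hunks after this change (it now uses 'fw logging red' and 'fw logging blue'), so it can be removed.
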
>> @@ -1644,9 +1649,9 @@
>> 'map to guest' => 'Map to Guest',
>> 'march' => 'März',
>> 'marked' => 'Markiert',
>> -'masquerade blue' => 'NAT auf BLAU',
>> -'masquerade green' => 'NAT auf GRÜN',
>> -'masquerade orange' => 'NAT auf ORANGE',
>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>> 'masquerading' => 'Masquerading/NAT',
>> 'masquerading disabled' => 'NAT ausgeschaltet',
>> 'masquerading enabled' => 'NAT eingeschaltet',
>> @@ -1814,6 +1819,8 @@
>> 'november' => 'November',
>> 'ntp common settings' => 'Allgemeine Einstellungen',
>> 'ntp configuration' => 'Zeitserverkonfiguration',
>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>> 'ntp server' => 'NTP-Server',
>> 'ntp sync' => 'Synchronisation',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index 8f7e0c2cf..474612025 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -859,6 +859,8 @@
>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>> @@ -1128,9 +1130,12 @@
>> 'from email server' => 'From Email server',
>> 'from email user' => 'From e-mail user',
>> 'from warn email bad' => 'From e-mail address is not valid',
>> -'fw blue' => 'Firewall options for BLUE interface',
>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>> 'fw default drop' => 'Firewall policy',
>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>> 'fw logging' => 'Firewall logging',
>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>> 'fw settings' => 'Firewall settings',
>> 'fw settings color' => 'Show colors in ruletable',
>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
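
Review bot: 'fw blue' and 'fw green' now end in "Interface" with a capital I, whereas the replaced string and the neighbouring entries use lowercase; keep "interface".
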
>> @@ -1672,9 +1677,9 @@
>> 'map to guest' => 'Map to Guest',
>> 'march' => 'March',
>> 'marked' => 'Marked',
>> -'masquerade blue' => 'Masquerade BLUE',
>> -'masquerade green' => 'Masquerade GREEN',
>> -'masquerade orange' => 'Masquerade ORANGE',
>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>> 'masquerading' => 'Masquerading',
>> 'masquerading disabled' => 'Masquerading disabled',
>> 'masquerading enabled' => 'Masquerading enabled',
>> @@ -1844,6 +1849,8 @@
>> 'november' => 'November',
>> 'ntp common settings' => 'Common settings',
>> 'ntp configuration' => 'NTP Configuration',
>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>> 'ntp server' => 'NTP Server',
>> 'ntp sync' => 'Synchronization',
>> diff --git a/lfs/configroot b/lfs/configroot
>> index a3e474d70..622793b35 100644
>> --- a/lfs/configroot
>> +++ b/lfs/configroot
>> @@ -129,6 +129,10 @@ $(TARGET) :
>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
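
Review bot: these defaults only land in fresh installations; upgraded systems will have no DNS_FORCE_ON_*/NTP_FORCE_ON_* keys, so the CGI shows neither radio button selected and the init script treats the unset value as off. Add the four keys to the update script of the release this ships in. The key names here (DNS_FORCE_ON_GREEN etc.) also differ from the "[DNS/NTP]_FORCED_ON_[INTERFACE]" wording in the commit message.
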
>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>> new file mode 100644
>> index 000000000..2eafa9d20
>> --- /dev/null
>> +++ b/src/initscripts/system/dnsntp
>> @@ -0,0 +1,36 @@
>> +#!/bin/sh
>> +########################################################################
>> +# Begin $rc_base/init.d/dnsntp
>> +#
>> +# Description : dnsntp init script for DNS/NTP rules only
>> +#
>> +########################################################################
>> +
>> +# flush chain
>> +iptables -t nat -F DNS_NTP_REDIRECT
>> +
>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> +
>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>> +fi
>> +
>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>> +fi
>> +
>> +# End $rc_base/init.d/dnsntp
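
Review bot: the interface names green0 and blue0 are hardcoded in every rule, while the firewall script works with the device variables (compare the "-i GREEN_DEV" comment in the firewall hunk below); read GREEN_DEV/BLUE_DEV from the ethernet settings so the rules survive non-default NIC assignments. Further points: `==` inside `[ ]` is not POSIX and the file is `#!/bin/sh`, so use `=`; the comment before the last block says "DNS" but the rule is the NTP one (port 123); the script ignores its argument, so it is not really an init script and `dnsntp stop` would re-apply rather than remove the rules; and `eval $(readhash ...)` executes whatever values the CGI wrote, which is another reason to validate the new keys to on/off on the save path. Worth stating in the GUI text: only plain port-53 and port-123 traffic is redirected, so clients using DNS-over-TLS/HTTPS are not forced to the local resolver.
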
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 65f1c979b..43ae74113 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -169,6 +169,10 @@ iptables_init() {
>> 	# Fix for braindead ISPs
>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> 
>> +	# DNS / NTP REDIRECT
>> +	iptables -t nat -N DNS_NTP_REDIRECT
>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> +
>> 	# CUSTOM chains, can be used by the users themselves
>> 	iptables -N CUSTOMINPUT
>> 	iptables -A INPUT -j CUSTOMINPUT
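
Review bot: the jump to DNS_NTP_REDIRECT is appended to nat PREROUTING before the CUSTOM chains created a few lines below, so a user's CUSTOMPREROUTING rule intended to exempt a host (for example an internal DNS or NTP server on GREEN whose own upstream queries leave via green0) is never reached and that server's traffic is redirected too; either append the jump after the custom chains or document the ordering and this side effect in the option's help text.
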
>> @@ -281,7 +285,7 @@ iptables_init() {
>> 	iptables -A INPUT -j LOCATIONBLOCK
>> 	iptables -A FORWARD -j LOCATIONBLOCK
>> 
>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> 	iptables -N IPSECINPUT
>> 	iptables -N IPSECFORWARD
>> 	iptables -N IPSECOUTPUT
>> @@ -389,6 +393,9 @@ iptables_init() {
>> 	# run captivectrl
>> 	/usr/local/bin/captivectrl
>> 
>> +	# run dnsntpctrl
>> +	/usr/local/bin/dnsntpctrl
>> +
>> 	# POLICY CHAIN
>> 	iptables -N POLICYIN
>> 	iptables -A INPUT -j POLICYIN
>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> index 7c3ef7529..6f2733ef0 100644
>> --- a/src/misc-progs/Makefile
>> +++ b/src/misc-progs/Makefile
>> @@ -26,7 +26,7 @@ PROGS = iowrap
>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>> 	rebuildhosts backupctrl collectdctrl \
>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>> 	wirelessctrl getipstat qosctrl \
>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>> new file mode 100644
>> index 000000000..f2a3b89e3
>> --- /dev/null
>> +++ b/src/misc-progs/dnsntpctrl.c
>> @@ -0,0 +1,19 @@
>> +/* This file is part of the IPFire Firewall.
>> + *
>> + * This program is distributed under the terms of the GNU General Public
>> + * Licence.  See the file COPYING for details.
>> + *
>> + */
>> +
>> +#include <stdlib.h>
>> +#include "setuid.h"
>> +
>> +int main(void)
>> +{
>> +	if (!(initsetuid()))
>> +		exit(1);
>> +
>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> +
>> +	return 0;
>> +}
>> -- 
>> 2.18.0
>> 
>
  
Michael Tremer April 1, 2021, 10:29 a.m. UTC | #11
Hello,

Please see my other email about *why* we need this.

I will reply to some technical things on here...

> On 5 Mar 2021, at 19:40, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> 
> Originally triggered by:
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> 
> Current discussion:
> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> 
> Summary and functionality:
>  These patches are controlled through "Firewall Options". They add new
>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> 
>  Default of all new rules is OFF (set in 'lfs/configroot').
>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>  servers specified in IPFire. GUI links to DNS and NTP options were added to make
>  this more transparent.
> 
>  Flaw/ToDo:
>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>  init file, 'dnsntp'. This is actually an unnecessary detour.
>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
>  capabilities, perhaps "someone" else knows how to program this.

Why is this not part of the regular firewall scripts and being reloaded with them? That would avoid the extra SUID binary.

“ipsec-policy” is for example something that is an extra script.

> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>  The corresponding interface options - including 'Masquerade ...' - are only visible if
>  the respective interface actually exists.
>  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>  or logging options for BLUE available (e.g.).
>  Added text colors for better readability and links to DNS and NTP GUI.
>  Separated logging options per interface.
> 
> No reboot required:
>  Rules can be switched ON/OFF without rebooting IPFire.
>  Changes immediately take effect after clicking 'Save'.
> 
> Changes to '/etc/rc.d/init.d/firewall':
>  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>  chain: DNS_NTP_REDIRECT.
>  This chain is flushed by the init file before the desired settings are applied.
>  Corrected a 'trafic' typo.
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> config/rootfiles/common/aarch64/initscripts  |  1 +
> config/rootfiles/common/armv5tel/initscripts |  1 +
> config/rootfiles/common/i586/initscripts     |  1 +
> config/rootfiles/common/misc-progs           |  1 +
> config/rootfiles/common/x86_64/initscripts   |  1 +
> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
> langs/de/cgi-bin/de.pl                       | 15 +++-
> langs/en/cgi-bin/en.pl                       | 15 +++-
> lfs/configroot                               |  4 +
> src/initscripts/system/dnsntp                | 36 ++++++++
> src/initscripts/system/firewall              |  9 +-
> src/misc-progs/Makefile                      |  2 +-
> src/misc-progs/dnsntpctrl.c                  | 19 ++++
> 13 files changed, 168 insertions(+), 29 deletions(-)
> create mode 100644 src/initscripts/system/dnsntp
> create mode 100644 src/misc-progs/dnsntpctrl.c
> 
> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
> index 800005966..f38a3a294 100644
> --- a/config/rootfiles/common/aarch64/initscripts
> +++ b/config/rootfiles/common/aarch64/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
> index 800005966..f38a3a294 100644
> --- a/config/rootfiles/common/armv5tel/initscripts
> +++ b/config/rootfiles/common/armv5tel/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
> index 18c5a897a..a3a2b47f7 100644
> --- a/config/rootfiles/common/i586/initscripts
> +++ b/config/rootfiles/common/i586/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> index d6594b3f8..4bcb94812 100644
> --- a/config/rootfiles/common/misc-progs
> +++ b/config/rootfiles/common/misc-progs
> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
> usr/local/bin/collectdctrl
> usr/local/bin/ddnsctrl
> usr/local/bin/dhcpctrl
> +usr/local/bin/dnsntpctrl
> usr/local/bin/extrahdctrl
> usr/local/bin/fireinfoctrl
> usr/local/bin/firewallctrl
> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
> index 18c5a897a..a3a2b47f7 100644
> --- a/config/rootfiles/common/x86_64/initscripts
> +++ b/config/rootfiles/common/x86_64/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index 321642e82..3fc707e8b 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> 		$errormessage .= $Lang::tr{'new optionsfw later'};
> 		&General::writehash($filename, \%settings);             # Save good settings
> 		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> 	}else{
> 		if ($settings{'POLICY'} ne ''){
> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
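Review bot: the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` call in this hunk throws away both the exit status and any error output, so when the REDIRECT rules cannot be loaded the admin still gets a successful save. Check the return value of `system()` and append a message to `$errormessage` on failure, the way the line above it reports `'new optionsfw later'`, and drop the `2>&1` so that at least the web server's error log sees what went wrong.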
> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> 		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> 	}
> 	&General::readhash($filename, \%settings);             # Load good settings
> }
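Review bot: the return value of this second `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` call is ignored as well. Both branches of the save handler now end with the identical pair `firewallctrl` / `dnsntpctrl`; moving the two calls below the `if`/`else` would run them once, in one place, and leave a single spot to add error handling.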
> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
> $selected{'MASQUERADE_BLUE'}{'off'} = '';
> $selected{'MASQUERADE_BLUE'}{'on'} = '';
> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
> 
> &Header::openbox('100%', 'center',);
> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
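Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";` (and the three lines like it) index `%checked` with the raw setting value. On a system that receives this change through an update the four keys do not exist in `optionsfw/settings` (this series only adds defaults to `lfs/configroot`), so `$settings{...}` is undef, the marker lands under an empty key and neither radio button is selected. Default the four values before building `%checked`, e.g. `$settings{'DNS_FORCE_ON_GREEN'} ||= 'off';`, and consider rejecting anything other than `on`/`off` on save.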
> @@ -189,13 +203,44 @@ END
> END
> 	}
> 
> -	print <<END
> +print <<END;
> +	<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'></tr>
> +		<tr>&nbsp;</tr>
> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> +		</tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +		<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> +		<tr>&nbsp;</tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			</td>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> 	</table>
> 
> -	<br>
> +	<br />
> 
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
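Review bot: the markup generated by this hunk is not well-formed. For GREEN, `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` puts text directly inside a row, and the `<td colspan='2' ...><b>$Lang::tr{'fw green'}</b></td>` heading sits outside any `<tr>`. For BLUE, a second `<table width='95%' cellspacing='0'>` is opened while the GREEN table is still open (its `</table>` only comes after the BLUE block), the bare `<tr>` before the first BLUE row is never closed, and the block ends with a stray `</td></tr>`. Browsers repair this differently, so the page will look different per browser. Suggest one header row for GREEN in the same form as the BLUE one, `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`, and closing the GREEN table before opening the BLUE one (or keeping both interfaces in a single table).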
> @@ -206,21 +251,30 @@ END
> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +	</table>
> +
> +	<br />
> +
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br/>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> +	</table>
> +
> +	<br />
> 
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br>
> <table width='95%' cellspacing='0'>
> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
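Review bot: the BLUE logging block has a bare `<tr>` before the `drop wirelessinput` row that is never closed and ends with a lone `</tr>`, so the table is unbalanced in the same way as the options table above. Separately, when `&Header::blue_used()` is false the `DROPWIRELESSINPUT`, `DROPWIRELESSFORWARD`, `DROPPROXY` and `DROPSAMBA` radio buttons are no longer part of the form at all; please confirm what the save path then writes for those keys, since the old page always submitted them.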
> @@ -252,7 +306,7 @@ END
> 
> <br />
> <table width='100%' cellspacing='0'>
> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> </form></td></tr>
> </table>
> @@ -278,7 +332,7 @@ print <<END;
> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
> END
> 	print "</tr></table></form>";
> -	print"<br><br>";
> +	print"<br /><br />";
> 	print <<END;
> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> 	<table width='100%' border='0'>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 6a8133807..d6bb234fa 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -836,6 +836,8 @@
> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> @@ -1102,9 +1104,12 @@
> 'from email server' => 'Von E-Mail-Server',
> 'from email user' => 'Von E-Mail-Benutzer',
> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
> 'fw default drop' => 'Firewallrichtlinie',
> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
> 'fw logging' => 'Firewallprotokollierung',
> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
> 'fw settings' => 'Firewalleinstellungen',
> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
> @@ -1644,9 +1649,9 @@
> 'map to guest' => 'Map to Guest',
> 'march' => 'März',
> 'marked' => 'Markiert',
> -'masquerade blue' => 'NAT auf BLAU',
> -'masquerade green' => 'NAT auf GRÜN',
> -'masquerade orange' => 'NAT auf ORANGE',
> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
> 'masquerading' => 'Masquerading/NAT',
> 'masquerading disabled' => 'NAT ausgeschaltet',
> 'masquerading enabled' => 'NAT eingeschaltet',
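Review bot: `'masquerade orange'` in this hunk has a stray space in `<font color =\'#FF9933\'>`, while the English file writes `<font color=\'#FF9933\'>`; make the two consistent. Embedding colour markup in translation strings also means every language file has to carry the same HTML; if more of these are planned, a small helper in `optionsfw.cgi` that wraps the interface name would keep the markup in one place.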
> @@ -1814,6 +1819,8 @@
> 'november' => 'November',
> 'ntp common settings' => 'Allgemeine Einstellungen',
> 'ntp configuration' => 'Zeitserverkonfiguration',
> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
> 'ntp server' => 'NTP-Server',
> 'ntp sync' => 'Synchronisation',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 8f7e0c2cf..474612025 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -859,6 +859,8 @@
> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
> @@ -1128,9 +1130,12 @@
> 'from email server' => 'From Email server',
> 'from email user' => 'From e-mail user',
> 'from warn email bad' => 'From e-mail address is not valid',
> -'fw blue' => 'Firewall options for BLUE interface',
> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
> 'fw default drop' => 'Firewall policy',
> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
> 'fw logging' => 'Firewall logging',
> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
> 'fw settings' => 'Firewall settings',
> 'fw settings color' => 'Show colors in ruletable',
> 'fw settings dropdown' => 'Show all networks on rulecreation site',
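Review bot: `'fw blue'` and the new `'fw green'` read "... BLUE Interface" / "... GREEN Interface" with a capital I, while the replaced string had "BLUE interface"; keep the lowercase. Since `optionsfw.cgi` now uses `'fw logging red'` and `'fw logging blue'`, check whether the old `'fw logging'` key is still referenced anywhere after this change; if not, it can go from both language files.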
> @@ -1672,9 +1677,9 @@
> 'map to guest' => 'Map to Guest',
> 'march' => 'March',
> 'marked' => 'Marked',
> -'masquerade blue' => 'Masquerade BLUE',
> -'masquerade green' => 'Masquerade GREEN',
> -'masquerade orange' => 'Masquerade ORANGE',
> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
> 'masquerading' => 'Masquerading',
> 'masquerading disabled' => 'Masquerading disabled',
> 'masquerading enabled' => 'Masquerading enabled',
> @@ -1844,6 +1849,8 @@
> 'november' => 'November',
> 'ntp common settings' => 'Common settings',
> 'ntp configuration' => 'NTP Configuration',
> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
> 'ntp server' => 'NTP Server',
> 'ntp sync' => 'Synchronization',
> diff --git a/lfs/configroot b/lfs/configroot
> index a3e474d70..622793b35 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -129,6 +129,10 @@ $(TARGET) :
> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
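Review bot: the four `DNS_FORCE_ON_*`/`NTP_FORCE_ON_*` defaults are only written here, in `lfs/configroot`, which runs for fresh installations. Systems that get this change through an update will have no such keys in `optionsfw/settings`; the init script then sees empty variables (effectively OFF, which matches the intended default), but the GUI has nothing to pre-select. Add the same four `echo` lines to the update script of the release that ships this, or have `optionsfw.cgi` fall back to `off` for missing keys.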
> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> new file mode 100644
> index 000000000..2eafa9d20
> --- /dev/null
> +++ b/src/initscripts/system/dnsntp
> @@ -0,0 +1,36 @@
> +#!/bin/sh
> +########################################################################
> +# Begin $rc_base/init.d/dnsntp
> +#
> +# Description : dnsntp init script for DNS/NTP rules only
> +#
> +########################################################################
> +
> +# flush chain
> +iptables -t nat -F DNS_NTP_REDIRECT
> +
> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> +
> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> +fi
> +
> +# Force NTP REDIRECTs on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> +fi
> +
> +# End $rc_base/init.d/dnsntp
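Review bot: `if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then` uses `==`, which is not POSIX `test` syntax; under `#!/bin/sh` write `=` in all four comparisons. The comment above the last block says "Force DNS REDIRECTs on BLUE (udp, 123)" but the rule is for NTP. `iptables -t nat -F DNS_NTP_REDIRECT` fails when the chain does not exist yet (it is only created in `iptables_init`), and because `dnsntpctrl` sends all output to `/dev/null` that failure is never seen; either create the chain here (`iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null`) or let errors through to the log. Finally, `eval $(/usr/local/bin/readhash ...)` imports every key of the settings file into the shell; only the four `*_FORCE_ON_*` values are needed, so reading just those would narrow what a damaged settings file can do to this script.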
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall

This script hardcodes the interface names which should be read from /var/ipfire/ethernet/settings instead.

They are in GREEN_DEV and BLUE_DEV. Normally, those should not change, but you can never be too sure.

This script is also hardcoding the port numbers. I am not sure what users might expect here when you say “DNS”. Does that include DoT and DoH? Those can obviously not be redirected, but shouldn’t they be blocked instead?

> index 65f1c979b..43ae74113 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -169,6 +169,10 @@ iptables_init() {
> 	# Fix for braindead ISPs
> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> 
> +	# DNS / NTP REDIRECT
> +	iptables -t nat -N DNS_NTP_REDIRECT
> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> +

The CUSTOM* chains are always the first ones.

The DNS_NTP_REDIRECT chains should come way after CONNTRACK so that we do not have to send every single packet through them. This would have a massive performance impact on really fast networks.

Those rules should also come after suricata so that the IPS can scan NTP and DNS traffic.

How about before/after WIRELESSFORWARD?

> 	# CUSTOM chains, can be used by the users themselves
> 	iptables -N CUSTOMINPUT
> 	iptables -A INPUT -j CUSTOMINPUT
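Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended unconditionally, so every packet entering the box traverses the new chain even when all four options are off; gating the jump on the settings (or appending it only when the chain is non-empty) would avoid that. Two consequences of using REDIRECT should also be written down: it rewrites the destination to the firewall's own address on the ingress interface, so the redirected DNS/NTP queries must be accepted on INPUT for GREEN/BLUE on ports 53 and 123, otherwise clients that pointed at an external resolver get no answer at all; and because the rewrite happens in nat PREROUTING, the filter rules and logs after it see the firewall as the destination, not the server the client asked for.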
> @@ -281,7 +285,7 @@ iptables_init() {
> 	iptables -A INPUT -j LOCATIONBLOCK
> 	iptables -A FORWARD -j LOCATIONBLOCK
> 
> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> 	iptables -N IPSECINPUT
> 	iptables -N IPSECFORWARD
> 	iptables -N IPSECOUTPUT
> @@ -389,6 +393,9 @@ iptables_init() {
> 	# run captivectrl
> 	/usr/local/bin/captivectrl
> 
> +	# run dnsntpctrl
> +	/usr/local/bin/dnsntpctrl
> +
> 	# POLICY CHAIN
> 	iptables -N POLICYIN
> 	iptables -A INPUT -j POLICYIN
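Review bot: `iptables_init` already runs as root, so going through the SUID wrapper `/usr/local/bin/dnsntpctrl` here (which then spawns `/etc/rc.d/init.d/dnsntp` with all output discarded) only hides errors: any `iptables` failure during boot vanishes in the wrapper's `>/dev/null 2>&1`. Run `/etc/rc.d/init.d/dnsntp` directly at this point, and keep the wrapper, if it stays at all, for the CGI only.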
> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> index 7c3ef7529..6f2733ef0 100644
> --- a/src/misc-progs/Makefile
> +++ b/src/misc-progs/Makefile
> @@ -26,7 +26,7 @@ PROGS = iowrap
> SUID_PROGS = squidctrl sshctrl ipfirereboot \
> 	ipsecctrl timectrl dhcpctrl suricatactrl \
> 	rebuildhosts backupctrl collectdctrl \
> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
> 	wirelessctrl getipstat qosctrl \
> 	redctrl syslogdctrl extrahdctrl sambactrl \
> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> new file mode 100644
> index 000000000..f2a3b89e3
> --- /dev/null
> +++ b/src/misc-progs/dnsntpctrl.c
> @@ -0,0 +1,19 @@
> +/* This file is part of the IPFire Firewall.
> + *
> + * This program is distributed under the terms of the GNU General Public
> + * Licence.  See the file COPYING for details.
> + *
> + */
> +
> +#include <stdlib.h>
> +#include "setuid.h"
> +
> +int main(void)
> +{
> +	if (!(initsetuid()))
> +		exit(1);
> +
> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> +
> +	return 0;
> +}
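Review bot: the status of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");` is discarded and `main` always returns 0, so `optionsfw.cgi` cannot tell a failed rule load from a successful one; return the status instead and drop the `>/dev/null 2>&1` so the init script's errors reach the caller. The program takes no arguments and runs one fixed command, which is as small as a SUID-root binary gets, but it is still another SUID program to maintain; if the rules can be loaded through the existing `firewallctrl` path, this file is not needed.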
> -- 
> 2.18.0
> 

-Michael
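One way to address the hardcoded interface names raised above, as an added example that is not part of the submitted patch or of IPFire's own code: the REDIRECT rules are built from `GREEN_DEV`/`BLUE_DEV` in the ethernet settings and only printed, so the logic can be checked without touching a live firewall. The `setting` helper, the sample settings files and the overridable paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the submitted patch or of IPFire's code: build the
# DNS/NTP REDIRECT rules from the configured device names instead of hardcoding
# green0/blue0, and only print the resulting iptables commands so the logic can
# be checked without touching a running firewall.
# Assumptions: both settings files use IPFire's KEY=value format; the paths
# below are the real IPFire locations but can be overridden via the environment.

OPTIONSFW_SETTINGS="${OPTIONSFW_SETTINGS:-/var/ipfire/optionsfw/settings}"
ETHERNET_SETTINGS="${ETHERNET_SETTINGS:-/var/ipfire/ethernet/settings}"

# setting FILE KEY: print the value of KEY from FILE, or an empty line if the
# key is missing or the value contains anything outside a conservative
# character set, so a damaged settings file cannot add extra words to an
# iptables command line. Always returns 0 so it is safe under 'set -e'.
setting() {
	val=$(sed -n "s/^$2=//p" "$1" 2>/dev/null | head -n 1)
	case "$val" in
		*[!A-Za-z0-9_.-]*) val="" ;;
	esac
	printf '%s\n' "$val"
}

# dnsntp_rules: print, one per line, the iptables commands the current
# settings call for. An interface without a *_DEV entry (e.g. no BLUE
# configured) gets no rules regardless of its DNS/NTP option.
dnsntp_rules() {
	for color in GREEN BLUE; do
		dev=$(setting "$ETHERNET_SETTINGS" "${color}_DEV")
		[ -n "$dev" ] || continue
		if [ "$(setting "$OPTIONSFW_SETTINGS" "DNS_FORCE_ON_${color}")" = "on" ]; then
			echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p udp -m udp --dport 53 -j REDIRECT"
			echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p tcp -m tcp --dport 53 -j REDIRECT"
		fi
		if [ "$(setting "$OPTIONSFW_SETTINGS" "NTP_FORCE_ON_${color}")" = "on" ]; then
			echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p udp -m udp --dport 123 -j REDIRECT"
		fi
	done
	return 0
}

# write_sample_settings DIR: constructed sample files for a box with GREEN and
# BLUE, forcing DNS on both interfaces and NTP on GREEN only.
write_sample_settings() {
	printf 'GREEN_DEV=green0\nBLUE_DEV=blue0\nRED_DEV=red0\n' > "$1/ethernet"
	printf 'DNS_FORCE_ON_GREEN=on\nDNS_FORCE_ON_BLUE=on\nNTP_FORCE_ON_GREEN=on\nNTP_FORCE_ON_BLUE=off\n' > "$1/optionsfw"
}

# Demo run against the constructed files in a temporary directory; prints the
# five rules that this configuration produces.
demo() {
	tmp=$(mktemp -d)
	write_sample_settings "$tmp"
	ETHERNET_SETTINGS="$tmp/ethernet"
	OPTIONSFW_SETTINGS="$tmp/optionsfw"
	dnsntp_rules
	rm -rf "$tmp"
}

demo
```

To apply the rules on a real box, pipe the output into `sh` after flushing the chain; keeping generation and execution separate is what makes the script testable off the firewall.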
  
Matthias Fischer April 1, 2021, 11:18 p.m. UTC | #12
Hi,

I added my comments / questions below:

On 01.04.2021 12:29, Michael Tremer wrote:
> Hello,
> 
> Please see my other email about *why* we need this.
> 
> I will reply to some technical things on here...
> 
>> On 5 Mar 2021, at 19:40, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>> 
>> Originally triggered by:
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>> 
>> Current discussion:
>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>> 
>> Summary and functionality:
>>  These patches are controlled through "Firewall Options". They add new
>>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>> 
>>  Default of all new rules is OFF (set in 'lfs/configroot').
>>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>  servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>  this more transparent.
>> 
>>  Flaw/ToDo:
>>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>  init file, 'dnsntp'. This is actually an unnecessary detour.
>>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>  capabilities, perhaps "someone" else knows how to program this.

The idea of using a *single* C file came up because I wasn't able to
load and delete the needed iptable rules by calling
'/etc/init.d/rc.d/dnsntp' directly from 'optionsfw.cgi'. It just doesn't
work. Actually Stefan gave me some hints for the current version:
=> https://lists.ipfire.org/pipermail/development/2021-January/009087.html

> Why is this not part of the regular firewall scripts and being reloading with them? That would avoid the extra SUID binary.

I'd really like to do so, but couldn't get it to work.

> “ipsec-policy” is for example something that is an extra script.

Yes. But.
Tried. Failed. Nothing happens. Rules won't be added or deleted.

As a test, I moved '/etc/init.d/rc.d/dnsntp' to '/usr/lib/firewall/dnsntp'.
- Changed 'optionsfw.cgi' to call '/usr/lib/firewall/dnsntp'.
- Checked rights.

No luck.

Results:
To change the iptable rules according to the chosen DNS/NTP settings, I
still need an administrative console or a reboot. It is not possible to
add or delete specific iptable rules by calling an init script through
'optionsfw.cgi' without an extra SUID binary.

If someone has another idea or a hint, I would be thankful.

>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>  The corresponding interface options - including 'Masquerade ...' - are only visible if
>>  the respective interface actually exists.
>>  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>  or logging options for BLUE available (e.g.).
>>  Added text colors for better readability and links to DNS and NTP GUI.
>>  Separated logging options per interface.
>> 
>> No reboot required:
>>  Rules can be switched ON/OFF without rebooting IPFire.
>>  Changes immediately take effect after clicking 'Save'.
>> 
>> Changes to '/etc/rc.d/init.d/firewall':
>>  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>  chain: DNS_NTP_REDIRECT.
>>  This chain is flushed by the init file before the desired settings are applied.
>>  Corrected a 'trafic' typo.
>> 
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>> config/rootfiles/common/aarch64/initscripts  |  1 +
>> config/rootfiles/common/armv5tel/initscripts |  1 +
>> config/rootfiles/common/i586/initscripts     |  1 +
>> config/rootfiles/common/misc-progs           |  1 +
>> config/rootfiles/common/x86_64/initscripts   |  1 +
>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>> langs/de/cgi-bin/de.pl                       | 15 +++-
>> langs/en/cgi-bin/en.pl                       | 15 +++-
>> lfs/configroot                               |  4 +
>> src/initscripts/system/dnsntp                | 36 ++++++++
>> src/initscripts/system/firewall              |  9 +-
>> src/misc-progs/Makefile                      |  2 +-
>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>> 13 files changed, 168 insertions(+), 29 deletions(-)
>> create mode 100644 src/initscripts/system/dnsntp
>> create mode 100644 src/misc-progs/dnsntpctrl.c
>> 
>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>> index 800005966..f38a3a294 100644
>> --- a/config/rootfiles/common/aarch64/initscripts
>> +++ b/config/rootfiles/common/aarch64/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> etc/rc.d/init.d/console
>> etc/rc.d/init.d/dhcp
>> etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>> etc/rc.d/init.d/fcron
>> etc/rc.d/init.d/fireinfo
>> etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>> index 800005966..f38a3a294 100644
>> --- a/config/rootfiles/common/armv5tel/initscripts
>> +++ b/config/rootfiles/common/armv5tel/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> etc/rc.d/init.d/console
>> etc/rc.d/init.d/dhcp
>> etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>> etc/rc.d/init.d/fcron
>> etc/rc.d/init.d/fireinfo
>> etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>> index 18c5a897a..a3a2b47f7 100644
>> --- a/config/rootfiles/common/i586/initscripts
>> +++ b/config/rootfiles/common/i586/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> etc/rc.d/init.d/console
>> etc/rc.d/init.d/dhcp
>> etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>> etc/rc.d/init.d/fcron
>> etc/rc.d/init.d/fireinfo
>> etc/rc.d/init.d/firewall
>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>> index d6594b3f8..4bcb94812 100644
>> --- a/config/rootfiles/common/misc-progs
>> +++ b/config/rootfiles/common/misc-progs
>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>> usr/local/bin/collectdctrl
>> usr/local/bin/ddnsctrl
>> usr/local/bin/dhcpctrl
>> +usr/local/bin/dnsntpctrl
>> usr/local/bin/extrahdctrl
>> usr/local/bin/fireinfoctrl
>> usr/local/bin/firewallctrl
>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>> index 18c5a897a..a3a2b47f7 100644
>> --- a/config/rootfiles/common/x86_64/initscripts
>> +++ b/config/rootfiles/common/x86_64/initscripts
>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>> etc/rc.d/init.d/console
>> etc/rc.d/init.d/dhcp
>> etc/rc.d/init.d/dhcrelay
>> +etc/rc.d/init.d/dnsntp
>> etc/rc.d/init.d/fcron
>> etc/rc.d/init.d/fireinfo
>> etc/rc.d/init.d/firewall
>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> index 321642e82..3fc707e8b 100644
>> --- a/html/cgi-bin/optionsfw.cgi
>> +++ b/html/cgi-bin/optionsfw.cgi
>> @@ -2,7 +2,7 @@
>> ###############################################################################
>> #                                                                             #
>> # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>> #                                                                             #
>> # This program is free software: you can redistribute it and/or modify        #
>> # it under the terms of the GNU General Public License as published by        #
>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>> 		&General::writehash($filename, \%settings);             # Save good settings
>> 		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> 	}else{
>> 		if ($settings{'POLICY'} ne ''){
>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>> 		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>> 	}
>> 	&General::readhash($filename, \%settings);             # Load good settings
>> }
>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>> 
>> &Header::openbox('100%', 'center',);
>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
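Review bot: these $checked lines follow the existing $selected pattern but give no default when the key is missing from the settings file, so on an installation whose optionsfw/settings predates this series neither radio button is checked; initialising `$settings{'DNS_FORCE_ON_GREEN'} ||= 'off'` (and the other three keys) before this block makes the page show the documented OFF default. The key names also differ from the cover letter, which calls them `[DNS/NTP]_FORCED_ON_[INTERFACE]` while the code uses `_FORCE_ON_`; one of the two should be corrected.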
>> @@ -189,13 +203,44 @@ END
>> END
>> 	}
>> 
>> -	print <<END
>> +print <<END;
>> +	<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'></tr>
>> +		<tr>&nbsp;</tr>
>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>> +		</tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +		<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> +		<tr>&nbsp;</tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			</td>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>> 	</table>
>> 
>> -	<br>
>> +	<br />
>> 
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
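Review bot: the GREEN heading markup is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` puts text directly inside a row, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` that should carry the heading sits outside any `<tr>` (the preceding `</tr>` already closed it). The BLUE block shows the intended form on one line: `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>`. The GREEN `<table>` is also never closed before the BLUE `<table>` is opened, and the BLUE block has a stray `<tr>` after the `&nbsp;` row plus a `</td></tr>` at the end that match nothing; browsers will repair this, but it should be fixed rather than relied on.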
>> @@ -206,21 +251,30 @@ END
>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +	</table>
>> +
>> +	<br />
>> +
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br/>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>> +	</table>
>> +
>> +	<br />
>> 
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br>
>> <table width='95%' cellspacing='0'>
>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
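Review bot: the BLUE logging block opens a bare `<tr>` before the DROPWIRELESSINPUT row and closes it with `</tr>` after DROPWIRELESSFORWARD, wrapping complete rows inside another row; drop both. Separately, DROPWIRELESSINPUT and DROPWIRELESSFORWARD are now only shown when blue_used() is true, which matches their purpose, but their stored values remain in effect while hidden; that is acceptable, but it deserves a sentence in the commit message.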
>> @@ -252,7 +306,7 @@ END
>> 
>> <br />
>> <table width='100%' cellspacing='0'>
>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>> </form></td></tr>
>> </table>
>> @@ -278,7 +332,7 @@ print <<END;
>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>> END
>> 	print "</tr></table></form>";
>> -	print"<br><br>";
>> +	print"<br /><br />";
>> 	print <<END;
>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> 	<table width='100%' border='0'>
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 6a8133807..d6bb234fa 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -836,6 +836,8 @@
>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>> @@ -1102,9 +1104,12 @@
>> 'from email server' => 'Von E-Mail-Server',
>> 'from email user' => 'Von E-Mail-Benutzer',
>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>> 'fw default drop' => 'Firewallrichtlinie',
>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>> 'fw logging' => 'Firewallprotokollierung',
>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>> 'fw settings' => 'Firewalleinstellungen',
>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>> @@ -1644,9 +1649,9 @@
>> 'map to guest' => 'Map to Guest',
>> 'march' => 'März',
>> 'marked' => 'Markiert',
>> -'masquerade blue' => 'NAT auf BLAU',
>> -'masquerade green' => 'NAT auf GRÜN',
>> -'masquerade orange' => 'NAT auf ORANGE',
>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>> 'masquerading' => 'Masquerading/NAT',
>> 'masquerading disabled' => 'NAT ausgeschaltet',
>> 'masquerading enabled' => 'NAT eingeschaltet',
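Review bot: `<font color =\'#FF9933\'>` in 'masquerade orange' has a space before the `=` that the BLAU and GRÜN entries (and the en.pl counterpart) do not have. Beyond the inconsistency, the same four hex colours are now copied into every language file, so a theme change means editing each translation; keeping the strings plain (`NAT auf ORANGE`) and wrapping them in colour markup in optionsfw.cgi at print time would keep presentation out of the translations.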
>> @@ -1814,6 +1819,8 @@
>> 'november' => 'November',
>> 'ntp common settings' => 'Allgemeine Einstellungen',
>> 'ntp configuration' => 'Zeitserverkonfiguration',
>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>> 'ntp server' => 'NTP-Server',
>> 'ntp sync' => 'Synchronisation',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index 8f7e0c2cf..474612025 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -859,6 +859,8 @@
>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>> @@ -1128,9 +1130,12 @@
>> 'from email server' => 'From Email server',
>> 'from email user' => 'From e-mail user',
>> 'from warn email bad' => 'From e-mail address is not valid',
>> -'fw blue' => 'Firewall options for BLUE interface',
>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>> 'fw default drop' => 'Firewall policy',
>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>> 'fw logging' => 'Firewall logging',
>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>> 'fw settings' => 'Firewall settings',
>> 'fw settings color' => 'Show colors in ruletable',
>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
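Review bot: 'fw green' and the rewritten 'fw blue' capitalise "Interface" mid-sentence, whereas the removed line read "BLUE interface"; keep the lower-case form. The `<font>` markup embedded in these strings is the same presentation-in-translation concern as in de.pl and would be better applied where the heading is printed.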
>> @@ -1672,9 +1677,9 @@
>> 'map to guest' => 'Map to Guest',
>> 'march' => 'March',
>> 'marked' => 'Marked',
>> -'masquerade blue' => 'Masquerade BLUE',
>> -'masquerade green' => 'Masquerade GREEN',
>> -'masquerade orange' => 'Masquerade ORANGE',
>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>> 'masquerading' => 'Masquerading',
>> 'masquerading disabled' => 'Masquerading disabled',
>> 'masquerading enabled' => 'Masquerading enabled',
>> @@ -1844,6 +1849,8 @@
>> 'november' => 'November',
>> 'ntp common settings' => 'Common settings',
>> 'ntp configuration' => 'NTP Configuration',
>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>> 'ntp server' => 'NTP Server',
>> 'ntp sync' => 'Synchronization',
>> diff --git a/lfs/configroot b/lfs/configroot
>> index a3e474d70..622793b35 100644
>> --- a/lfs/configroot
>> +++ b/lfs/configroot
>> @@ -129,6 +129,10 @@ $(TARGET) :
>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
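Review bot: these four `echo ... >> $(CONFIG_ROOT)/optionsfw/settings` lines only populate a config root that is being built; nothing in the series appends the keys to /var/ipfire/optionsfw/settings on systems that already exist. There the init script reads an empty variable and correctly treats it as off, but the GUI has no stored value to display, so the update that ships this feature should add the four keys with `off` to existing settings files.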
>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>> new file mode 100644
>> index 000000000..2eafa9d20
>> --- /dev/null
>> +++ b/src/initscripts/system/dnsntp
>> @@ -0,0 +1,36 @@
>> +#!/bin/sh
>> +########################################################################
>> +# Begin $rc_base/init.d/dnsntp
>> +#
>> +# Description : dnsntp init script for DNS/NTP rules only
>> +#
>> +########################################################################
>> +
>> +# flush chain
>> +iptables -t nat -F DNS_NTP_REDIRECT
>> +
>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> +
>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>> +fi
>> +
>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>> +fi
>> +
>> +# End $rc_base/init.d/dnsntp
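Review bot: the script is `#!/bin/sh` but every test uses `==` (`[ "$DNS_FORCE_ON_GREEN" == "on" ]`), which is a bash extension and not POSIX; dash, for example, rejects it with "unexpected operator", which would make every option read as off, so use a single `=`. The comment above the last block says "Force DNS REDIRECTs on BLUE (udp, 123)" but the block handles NTP. Also, `iptables -t nat -F DNS_NTP_REDIRECT` only works once the firewall init has created the chain; since dnsntpctrl can be invoked from the CGI at any time, either create the chain here if it is missing (`iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null`) or exit cleanly when it does not exist.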
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> 
> This script hardcodes the interface names which should be read from /var/ipfire/ethernet/settings instead.
> 
> They are in GREEN_DEV and BLUE_DEV. Normally, those should not change, but you can never be too sure.

I thought of this, but had something on my eyes. Added ${GREEN/BLUE_DEV}
variables. Thanks. ;-)

> This script is also hardcoding the port numbers. I am not sure what users might expect here when you say “DNS”. Does that include DoT and DoH? Those can obviously not be redirected, but shouldn’t they be blocked instead?

Hm. At the moment I don't know how to do this.

>> index 65f1c979b..43ae74113 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -169,6 +169,10 @@ iptables_init() {
>> 	# Fix for braindead ISPs
>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> 
>> +	# DNS / NTP REDIRECT
>> +	iptables -t nat -N DNS_NTP_REDIRECT
>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> +
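Review bot: the jump `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is unconditional, so every new connection passing nat PREROUTING enters the chain even when all four options are off; the chain is empty then, but restricting the jump to the matched traffic (`-p udp --dport 53`, `-p tcp --dport 53`, `-p udp --dport 123`) or only adding it when at least one option is on keeps the cost at zero in the default configuration. Note that the nat table is consulted only for the first packet of a connection (later packets reuse the conntrack entry), so the overhead scales with the connection rate rather than the packet rate.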
> 
> The CUSTOM* chains are always the first ones.
> 
> The DNS_NTP_REDIRECT chains should come way after CONNTRACK so that we do not have to send every single packet through them. This would have a massive performance impact on really fast networks.
> 
> Those rules should also come after suricata so that the IPS can scan NTP and DNS traffic.
> 
> How about before/after WIRELESSFORWARD?

Sorry, if this sounds naive, but I'm a bit puzzled and not 100% familiar
with the different chains and the sequences in the firewall init.

If I get you right, then this means that you would prefer to move the
following code block in '/etc/init.d/rc.d/firewall'?

Move:
...
# DNS / NTP REDIRECT
iptables -t nat -N DNS_NTP_REDIRECT
iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
...

*Behind* this block:

...
# WIRELESS chains
iptables -N WIRELESSINPUT
iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
iptables -N WIRELESSFORWARD
iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD

...

Is this what you meant!?

>> 	# CUSTOM chains, can be used by the users themselves
>> 	iptables -N CUSTOMINPUT
>> 	iptables -A INPUT -j CUSTOMINPUT
>> @@ -281,7 +285,7 @@ iptables_init() {
>> 	iptables -A INPUT -j LOCATIONBLOCK
>> 	iptables -A FORWARD -j LOCATIONBLOCK
>> 
>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> 	iptables -N IPSECINPUT
>> 	iptables -N IPSECFORWARD
>> 	iptables -N IPSECOUTPUT
>> @@ -389,6 +393,9 @@ iptables_init() {
>> 	# run captivectrl
>> 	/usr/local/bin/captivectrl
>> 
>> +	# run dnsntpctrl
>> +	/usr/local/bin/dnsntpctrl
>> +
>> 	# POLICY CHAIN
>> 	iptables -N POLICYIN
>> 	iptables -A INPUT -j POLICYIN
>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> index 7c3ef7529..6f2733ef0 100644
>> --- a/src/misc-progs/Makefile
>> +++ b/src/misc-progs/Makefile
>> @@ -26,7 +26,7 @@ PROGS = iowrap
>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>> 	rebuildhosts backupctrl collectdctrl \
>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>> 	wirelessctrl getipstat qosctrl \
>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>> new file mode 100644
>> index 000000000..f2a3b89e3
>> --- /dev/null
>> +++ b/src/misc-progs/dnsntpctrl.c
>> @@ -0,0 +1,19 @@
>> +/* This file is part of the IPFire Firewall.
>> + *
>> + * This program is distributed under the terms of the GNU General Public
>> + * Licence.  See the file COPYING for details.
>> + *
>> + */
>> +
>> +#include <stdlib.h>
>> +#include "setuid.h"
>> +
>> +int main(void)
>> +{
>> +	if (!(initsetuid()))
>> +		exit(1);
>> +
>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> +
>> +	return 0;
>> +}
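Review bot: the result of safe_system() is thrown away and the init script's output is redirected to /dev/null here (and again by the CGI caller), so iptables errors from /etc/rc.d/init.d/dnsntp never reach anyone; `return safe_system("/etc/rc.d/init.d/dnsntp")` gives the caller an exit status to check, and the CGI can then report it. A one-line comment saying that the program only re-applies the current settings (there is no start/stop argument) would also help the next reader.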
>> -- 
>> 2.18.0
>> 
> 
> -Michael
>
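Picking up the GREEN_DEV/BLUE_DEV point above, the following is an added example written for this discussion, not code from the patch or from IPFire: a POSIX sh version of the rule builder that reads the device names from /var/ipfire/ethernet/settings and the switches from /var/ipfire/optionsfw/settings (paths and key names as used in the patch), rejects device names that could not be interface names, and uses `=` rather than `==` so it runs under a plain /bin/sh. The `DRY_RUN`, `IPTABLES`, `setting`, `run`, `zone_rules`, `dnsntp_rules` and `demo` names are mine; with `DRY_RUN=1` it prints the commands instead of applying them, and `demo` feeds it two constructed settings files so the result can be inspected without a live ruleset.

```shell
#!/bin/sh
# Added example (not the patch's dnsntp script): build the DNS/NTP
# REDIRECT rules from the IPFire settings files instead of hardcoding
# green0/blue0.  Assumptions: the ethernet settings file holds
# GREEN_DEV/BLUE_DEV and the optionsfw settings file holds the
# DNS_FORCE_ON_*/NTP_FORCE_ON_* keys, one KEY=value per line.
# With DRY_RUN=1 the commands are printed instead of executed.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="DNS_NTP_REDIRECT"

# setting FILE KEY: print the value of KEY (empty if the key is absent).
# A missing key therefore reads as "off", the safe default for a
# rule that forces traffic somewhere.
setting() {
	sed -n "s/^$2=//p" "$1" | head -n 1
}

# run ARGS...: apply or, in dry-run mode, print one iptables command.
run() {
	if [ "${DRY_RUN:-0}" = "1" ]; then
		printf 'iptables %s\n' "$*"
	else
		"$IPTABLES" "$@"
	fi
}

# zone_rules ZONE DEV OPTIONSFW: add the redirect rules for one zone.
zone_rules() {
	zone="$1"; dev="$2"; opt="$3"

	# A zone that is not configured has no device: nothing to redirect.
	# Reject device names containing characters that never occur in an
	# interface name, so a damaged or tampered settings file cannot
	# smuggle extra iptables options into the command line.
	case "$dev" in
		''|*[!A-Za-z0-9_.:-]*) return 0 ;;
	esac

	# POSIX sh uses "=" inside [ ], not "==".
	if [ "$(setting "$opt" "DNS_FORCE_ON_$zone")" = "on" ]; then
		run -t nat -A "$CHAIN" -i "$dev" -p udp -m udp --dport 53 -j REDIRECT
		run -t nat -A "$CHAIN" -i "$dev" -p tcp -m tcp --dport 53 -j REDIRECT
	fi
	if [ "$(setting "$opt" "NTP_FORCE_ON_$zone")" = "on" ]; then
		run -t nat -A "$CHAIN" -i "$dev" -p udp -m udp --dport 123 -j REDIRECT
	fi
}

# dnsntp_rules ETHERNET_SETTINGS OPTIONSFW_SETTINGS: flush the chain and
# re-add whatever the current settings ask for.
dnsntp_rules() {
	eth="$1"; opt="$2"
	run -t nat -F "$CHAIN"
	zone_rules GREEN "$(setting "$eth" GREEN_DEV)" "$opt"
	zone_rules BLUE  "$(setting "$eth" BLUE_DEV)"  "$opt"
}

# demo: constructed sample settings (not taken from any real system),
# run in dry-run mode.  Prints the flush plus three rules: DNS on GREEN
# (udp and tcp) and NTP on BLUE.
demo() {
	eth=$(mktemp); opt=$(mktemp)
	printf 'RED_DEV=red0\nGREEN_DEV=green0\nBLUE_DEV=blue0\n' > "$eth"
	printf 'DNS_FORCE_ON_GREEN=on\nNTP_FORCE_ON_GREEN=off\n' > "$opt"
	printf 'DNS_FORCE_ON_BLUE=off\nNTP_FORCE_ON_BLUE=on\n' >> "$opt"
	( DRY_RUN=1; dnsntp_rules "$eth" "$opt" )
	rm -f "$eth" "$opt"
}

# Stand-alone use: dnsntp.sh ETHERNET_SETTINGS OPTIONSFW_SETTINGS
# (applies the rules); with no arguments the dry-run demo is shown.
if [ "$#" -eq 2 ]; then
	dnsntp_rules "$1" "$2"
else
	demo
fi
```

Because the device check happens per zone, a box without BLUE simply gets no BLUE rules, which is the behaviour the GUI change in the patch implies; and because every value is read with `setting`, nothing from the settings file is ever passed through `eval`.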
  
Michael Tremer April 7, 2021, 8:47 p.m. UTC | #13
Hello,

> On 2 Apr 2021, at 00:18, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> 
> Hi,
> 
> I added my comments / questions below:
> 
> On 01.04.2021 12:29, Michael Tremer wrote:
>> Hello,
>> 
>> Please see my other email about *why* we need this.
>> 
>> I will reply to some technical things on here...
>> 
>>> On 5 Mar 2021, at 19:40, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>>> 
>>> Originally triggered by:
>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>> 
>>> Current discussion:
>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>> 
>>> Summary and functionality:
>>> These patches are controlled through "Firewall Options". They add new
>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>> 
>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>> this more transparent.
>>> 
>>> Flaw/ToDo:
>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>> capabilities, perhaps "someone" else knows how to program this.
> 
> The idea of using a *single* C file came up because I wasn't able to
> load and delete the needed iptable rules by calling
> '/etc/init.d/rc.d/dnsntp' directly from 'optionsfw.cgi'. It just doesn't
> work. Actually Stefan gave me some hints for the current version:
> => https://lists.ipfire.org/pipermail/development/2021-January/009087.html

You will be able to call a script, just as a non-privileged user which obviously cannot alter the iptables ruleset.

>> Why is this not part of the regular firewall scripts and being reloading with them? That would avoid the extra SUID binary.
> 
> I'd really like to do so, but couldn't get it to work.
> 
>> “ipsec-policy” is for example something that is an extra script.
> 
> Yes. But.
> Tried. Failed. Nothing happens. Rules won't be added or deleted.
> 
> As a test, I moved '/etc/init.d/rc.d/dnsntp' to '/usr/lib/firewall/dnsntp'.
> - Changed 'optionsfw.cgi' to call '/usr/lib/firewall/dnsntp'.
> - Checked rights.
> 
> No luck.

You would change the firewall scripts to call your scripts and the CGI script would call firewallctrl.

That is the way to go.

> Results:
> To change the iptable rules according to the chosen DNS/NTP settings, I
> still need an administrative console or a reboot. It is not possible to
> add or delete specific iptable rules by calling an init script through
> 'optionsfw.cgi' without an extra SUID binary.

Exactly.

> If someone has another idea or a hint, I would be thankful.
> 
>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>> the respective interface actually exists.
>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>> or logging options for BLUE available (e.g.).
>>> Added text colors for better readability and links to DNS and NTP GUI.
>>> Separated logging options per interface.
>>> 
>>> No reboot required:
>>> Rules can be switched ON/OFF without rebooting IPFire.
>>> Changes immediately take effect after clicking 'Save'.
>>> 
>>> Changes to '/etc/rc.d/init.d/firewall':
>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>> chain: DNS_NTP_REDIRECT.
>>> This chain is flushed by the init file before the desired settings are applied.
>>> Corrected a 'trafic' typo.
>>> 
>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>>> ---
>>> config/rootfiles/common/aarch64/initscripts  |  1 +
>>> config/rootfiles/common/armv5tel/initscripts |  1 +
>>> config/rootfiles/common/i586/initscripts     |  1 +
>>> config/rootfiles/common/misc-progs           |  1 +
>>> config/rootfiles/common/x86_64/initscripts   |  1 +
>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>>> langs/de/cgi-bin/de.pl                       | 15 +++-
>>> langs/en/cgi-bin/en.pl                       | 15 +++-
>>> lfs/configroot                               |  4 +
>>> src/initscripts/system/dnsntp                | 36 ++++++++
>>> src/initscripts/system/firewall              |  9 +-
>>> src/misc-progs/Makefile                      |  2 +-
>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>> create mode 100644 src/initscripts/system/dnsntp
>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>> 
>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>>> index 800005966..f38a3a294 100644
>>> --- a/config/rootfiles/common/aarch64/initscripts
>>> +++ b/config/rootfiles/common/aarch64/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>>> index 800005966..f38a3a294 100644
>>> --- a/config/rootfiles/common/armv5tel/initscripts
>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>>> index 18c5a897a..a3a2b47f7 100644
>>> --- a/config/rootfiles/common/i586/initscripts
>>> +++ b/config/rootfiles/common/i586/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>>> index d6594b3f8..4bcb94812 100644
>>> --- a/config/rootfiles/common/misc-progs
>>> +++ b/config/rootfiles/common/misc-progs
>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>> usr/local/bin/collectdctrl
>>> usr/local/bin/ddnsctrl
>>> usr/local/bin/dhcpctrl
>>> +usr/local/bin/dnsntpctrl
>>> usr/local/bin/extrahdctrl
>>> usr/local/bin/fireinfoctrl
>>> usr/local/bin/firewallctrl
>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>>> index 18c5a897a..a3a2b47f7 100644
>>> --- a/config/rootfiles/common/x86_64/initscripts
>>> +++ b/config/rootfiles/common/x86_64/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>>> index 321642e82..3fc707e8b 100644
>>> --- a/html/cgi-bin/optionsfw.cgi
>>> +++ b/html/cgi-bin/optionsfw.cgi
>>> @@ -2,7 +2,7 @@
>>> ###############################################################################
>>> #                                                                             #
>>> # IPFire.org - A linux based firewall                                         #
>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>>> #                                                                             #
>>> # This program is free software: you can redistribute it and/or modify        #
>>> # it under the terms of the GNU General Public License as published by        #
>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>>> 		&General::writehash($filename, \%settings);             # Save good settings
>>> 		system("/usr/local/bin/firewallctrl");
>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> 	}else{
>>> 		if ($settings{'POLICY'} ne ''){
>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> 		system("/usr/local/bin/firewallctrl");
>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> 	}
>>> 	&General::readhash($filename, \%settings);             # Load good settings
>>> }
>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>> 
>>> &Header::openbox('100%', 'center',);
>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
>>> @@ -189,13 +203,44 @@ END
>>> END
>>> 	}
>>> 
>>> -	print <<END
>>> +print <<END;
>>> +	<table width='95%' cellspacing='0'>
>>> +		<tr bgcolor='$color{'color20'}'></tr>
>>> +		<tr>&nbsp;</tr>
>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>>> +		</tr>
>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +END
>>> +
>>> +	if (&Header::blue_used()) {
>>> +		print <<END;
>>> +		<table width='95%' cellspacing='0'>
>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> +		<tr>&nbsp;</tr>
>>> +			<tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			</td>
>>> +			</tr>
>>> +END
>>> +	}
>>> +
>>> +	print <<END;
>>> 	</table>
>>> 
>>> -	<br>
>>> +	<br />
>>> 
>>> -<table width='95%' cellspacing='0'>
>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>>> +		<table width='95%' cellspacing='0'>
>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
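Review bot: the GREEN block's markup is not well-formed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` places text directly inside a `<tr>`, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` line has no opening `<tr>` before its `</tr>`. The BLUE block repeats `<tr>&nbsp;</tr>`, opens a `<tr>` it never closes and ends with a `</td></tr>` pair that nothing opened; it also opens a second `<table>` while the GREEN table is still open, so the single `</table>` printed after the `if` closes only one of them. Suggest one table per section using the heading pattern already in this file, `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>...</b></td></tr>`, closed before the `if (&Header::blue_used())` branch opens the next one.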
>>> @@ -206,21 +251,30 @@ END
>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> +END
>>> +
>>> +	if (&Header::blue_used()) {
>>> +		print <<END;
>>> +	</table>
>>> +
>>> +	<br />
>>> +
>>> +		<table width='95%' cellspacing='0'>
>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>>> +			<tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -</table>
>>> -<br/>
>>> +			</tr>
>>> +END
>>> +	}
>>> +
>>> +	print <<END;
>>> +	</table>
>>> +
>>> +	<br />
>>> 
>>> -<table width='95%' cellspacing='0'>
>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -</table>
>>> -<br>
>>> <table width='95%' cellspacing='0'>
>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
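Review bot: in the BLUE logging block the bare `<tr>` on the line after the `fw logging blue` heading is never closed and the `</tr>` just before `END` matches nothing; drop both. The two `<table width='95%' cellspacing='0'>` lines in this hunk are indented with tabs while the rest of the heredoc markup is flush left; align them with the surrounding lines.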
>>> @@ -252,7 +306,7 @@ END
>>> 
>>> <br />
>>> <table width='100%' cellspacing='0'>
>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>> </form></td></tr>
>>> </table>
>>> @@ -278,7 +332,7 @@ print <<END;
>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>> END
>>> 	print "</tr></table></form>";
>>> -	print"<br><br>";
>>> +	print"<br /><br />";
>>> 	print <<END;
>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> 	<table width='100%' border='0'>
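Review bot: `print"<br /><br />"` keeps the missing space after `print`; while touching the line, write `print "<br /><br />";`. More generally, the `<br>` to `<br />` rewrites and the `align='right'` to `align='center'` change in the preceding hunk are cosmetics unrelated to DNS/NTP forcing and would be easier to review as a separate commit.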
>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>> index 6a8133807..d6bb234fa 100644
>>> --- a/langs/de/cgi-bin/de.pl
>>> +++ b/langs/de/cgi-bin/de.pl
>>> @@ -836,6 +836,8 @@
>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
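Review bot: the new strings embed markup (`<a href=\'/cgi-bin/dns.cgi\'>`, and `<font color=...>` with hex values in the later hunks), which ties presentation to every translation: a changed link target or colour has to be repeated in each language file, and `<font>` is deprecated markup. Suggest keeping the translations plain text and wrapping them with the link and colour in optionsfw.cgi, where the colour codes can be defined once.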
>>> @@ -1102,9 +1104,12 @@
>>> 'from email server' => 'Von E-Mail-Server',
>>> 'from email user' => 'Von E-Mail-Benutzer',
>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>> 'fw default drop' => 'Firewallrichtlinie',
>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>> 'fw logging' => 'Firewallprotokollierung',
>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>> 'fw settings' => 'Firewalleinstellungen',
>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>>> @@ -1644,9 +1649,9 @@
>>> 'map to guest' => 'Map to Guest',
>>> 'march' => 'März',
>>> 'marked' => 'Markiert',
>>> -'masquerade blue' => 'NAT auf BLAU',
>>> -'masquerade green' => 'NAT auf GRÜN',
>>> -'masquerade orange' => 'NAT auf ORANGE',
>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>> 'masquerading' => 'Masquerading/NAT',
>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>>> 'masquerading enabled' => 'NAT eingeschaltet',
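Review bot: 'masquerade orange' has a stray space in `color =\'#FF9933\'` that the GREEN and BLUE entries and the en.pl counterpart do not have; browsers tolerate it, but it should be `color=\'#FF9933\'` for consistency.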
>>> @@ -1814,6 +1819,8 @@
>>> 'november' => 'November',
>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>> 'ntp server' => 'NTP-Server',
>>> 'ntp sync' => 'Synchronisation',
>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>> index 8f7e0c2cf..474612025 100644
>>> --- a/langs/en/cgi-bin/en.pl
>>> +++ b/langs/en/cgi-bin/en.pl
>>> @@ -859,6 +859,8 @@
>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>>> @@ -1128,9 +1130,12 @@
>>> 'from email server' => 'From Email server',
>>> 'from email user' => 'From e-mail user',
>>> 'from warn email bad' => 'From e-mail address is not valid',
>>> -'fw blue' => 'Firewall options for BLUE interface',
>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>> 'fw default drop' => 'Firewall policy',
>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>> 'fw logging' => 'Firewall logging',
>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>> 'fw settings' => 'Firewall settings',
>>> 'fw settings color' => 'Show colors in ruletable',
>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
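Review bot: 'fw blue' changes the replaced line's lower-case "BLUE interface" to "BLUE</font> Interface" and the new 'fw green' follows suit; keep the original casing. The hex colours #0000FF, #339933 and #993333 are now duplicated between en.pl and de.pl; see the note on the de.pl hunk about applying them in the CGI instead.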
>>> @@ -1672,9 +1677,9 @@
>>> 'map to guest' => 'Map to Guest',
>>> 'march' => 'March',
>>> 'marked' => 'Marked',
>>> -'masquerade blue' => 'Masquerade BLUE',
>>> -'masquerade green' => 'Masquerade GREEN',
>>> -'masquerade orange' => 'Masquerade ORANGE',
>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>> 'masquerading' => 'Masquerading',
>>> 'masquerading disabled' => 'Masquerading disabled',
>>> 'masquerading enabled' => 'Masquerading enabled',
>>> @@ -1844,6 +1849,8 @@
>>> 'november' => 'November',
>>> 'ntp common settings' => 'Common settings',
>>> 'ntp configuration' => 'NTP Configuration',
>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>> 'ntp server' => 'NTP Server',
>>> 'ntp sync' => 'Synchronization',
>>> diff --git a/lfs/configroot b/lfs/configroot
>>> index a3e474d70..622793b35 100644
>>> --- a/lfs/configroot
>>> +++ b/lfs/configroot
>>> @@ -129,6 +129,10 @@ $(TARGET) :
>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
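Review bot: the four `echo ... >> $(CONFIG_ROOT)/optionsfw/settings` lines only take effect when a fresh configroot is built. The diffstat of this series (13 files, no update script) contains nothing that appends the keys to an existing installation's /var/ipfire/optionsfw/settings, so after an upgrade the CGI and the init script see undefined values until the user saves the page once. Suggest an update step that adds the `*_FORCE_ON_*=off` defaults when absent, or treating an absent key as `off` in both consumers.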
>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>> new file mode 100644
>>> index 000000000..2eafa9d20
>>> --- /dev/null
>>> +++ b/src/initscripts/system/dnsntp
>>> @@ -0,0 +1,36 @@
>>> +#!/bin/sh
>>> +########################################################################
>>> +# Begin $rc_base/init.d/dnsntp
>>> +#
>>> +# Description : dnsntp init script for DNS/NTP rules only
>>> +#
>>> +########################################################################
>>> +
>>> +# flush chain
>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>> +
>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>> +
>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> +fi
>>> +
>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> +fi
>>> +
>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>>> +fi
>>> +
>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>>> +fi
>>> +
>>> +# End $rc_base/init.d/dnsntp
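Review bot: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` and the three similar tests use `==`, which is not POSIX `test`; under `#!/bin/sh` this only works where /bin/sh is bash (dash rejects it), so use a single `=`. The comment above the `NTP_FORCE_ON_BLUE` block reads "Force DNS REDIRECTs on BLUE (udp, 123)" but the rules are NTP. The flush at the top also presumes the chain exists; if the script is ever run before `iptables_init` has created `DNS_NTP_REDIRECT`, the `-F` fails and the error is swallowed by the `>/dev/null 2>&1` in both callers (optionsfw.cgi and dnsntpctrl.c).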
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> 
>> This script hardcodes the interface names which should be read from /var/ipfire/ethernet/settings instead.
>> 
>> They are in GREEN_DEV and BLUE_DEV. Normally, those should not change, but you can never be too sure.
> 
> I thought of this, but had something on my eyes. Added ${GREEN/BLUE_DEV}
> variables. Thanks. ;-)
> 
>> This script is also hardcoding the port numbers. I am not sure what users might expect here when you say “DNS”. Does that include DoT and DoH? Those can obviously not be redirected, but shouldn’t they be blocked instead?
> 
> Hm. At the moment I don't know how to do this.

Doing what?

>>> index 65f1c979b..43ae74113 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -169,6 +169,10 @@ iptables_init() {
>>> 	# Fix for braindead ISPs
>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> 
>>> +	# DNS / NTP REDIRECT
>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>> +
>> 
>> The CUSTOM* chains are always the first ones.
>> 
>> The DNS_NTP_REDIRECT chains should come way after CONNTRACK so that we do not have to send every single packet through them. This would have a massive performance impact on really fast networks.
>> 
>> Those rules should also come after suricata so that the IPS can scan NTP and DNS traffic.
>> 
>> How about before/after WIRELESSFORWARD?
> 
> Sorry, if this sounds naive, but I'm a bit puzzled and not 100% familiar
> with the different chains and the sequences in the firewall init.

No problems. That is why we have this list, so that we can all combine our brains :)

> If I get you right, then this means that you would prefer to move the
> following code block in '/etc/init.d/rc.d/firewall'?
> 
> Move:
> ...
> # DNS / NTP REDIRECT
> iptables -t nat -N DNS_NTP_REDIRECT
> iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> ...
> 
> *Behind* this block:
> 
> ...
> # WIRELESS chains
> iptables -N WIRELESSINPUT
> iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
> iptables -N WIRELESSFORWARD
> iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
> 
> ...
> 
> Is this what you meant!?

Yes.

>>> 	# CUSTOM chains, can be used by the users themselves
>>> 	iptables -N CUSTOMINPUT
>>> 	iptables -A INPUT -j CUSTOMINPUT
>>> @@ -281,7 +285,7 @@ iptables_init() {
>>> 	iptables -A INPUT -j LOCATIONBLOCK
>>> 	iptables -A FORWARD -j LOCATIONBLOCK
>>> 
>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> 	iptables -N IPSECINPUT
>>> 	iptables -N IPSECFORWARD
>>> 	iptables -N IPSECOUTPUT
>>> @@ -389,6 +393,9 @@ iptables_init() {
>>> 	# run captivectrl
>>> 	/usr/local/bin/captivectrl
>>> 
>>> +	# run dnsntpctrl
>>> +	/usr/local/bin/dnsntpctrl
>>> +
>>> 	# POLICY CHAIN
>>> 	iptables -N POLICYIN
>>> 	iptables -A INPUT -j POLICYIN
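Review bot: `iptables_init` already runs as root, so it can call `/etc/rc.d/init.d/dnsntp` directly instead of going through the setuid wrapper `/usr/local/bin/dnsntpctrl`; that also takes the wrapper's `>/dev/null 2>&1` out of the boot path, so iptables errors reach the boot log. The call has to stay after the `iptables -t nat -N DNS_NTP_REDIRECT` from the earlier hunk, because the init script starts with a flush of that chain; keep that ordering if the chain creation moves as discussed above.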
>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>> index 7c3ef7529..6f2733ef0 100644
>>> --- a/src/misc-progs/Makefile
>>> +++ b/src/misc-progs/Makefile
>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>>> 	rebuildhosts backupctrl collectdctrl \
>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>> 	wirelessctrl getipstat qosctrl \
>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>> new file mode 100644
>>> index 000000000..f2a3b89e3
>>> --- /dev/null
>>> +++ b/src/misc-progs/dnsntpctrl.c
>>> @@ -0,0 +1,19 @@
>>> +/* This file is part of the IPFire Firewall.
>>> + *
>>> + * This program is distributed under the terms of the GNU General Public
>>> + * Licence.  See the file COPYING for details.
>>> + *
>>> + */
>>> +
>>> +#include <stdlib.h>
>>> +#include "setuid.h"
>>> +
>>> +int main(void)
>>> +{
>>> +	if (!(initsetuid()))
>>> +		exit(1);
>>> +
>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>> +
>>> +	return 0;
>>> +}
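Review bot: the result of `safe_system(...)` is ignored and the script's output is sent to /dev/null, so the wrapper always exits 0 and the CGI cannot detect a failed rule update. If `safe_system` returns the child's status like `system`, `return safe_system("/etc/rc.d/init.d/dnsntp");` without the redirection would propagate it; the wrapper takes no arguments, so nothing else needs validating.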
>>> -- 
>>> 2.18.0
>>> 
>> 
>> -Michael
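Michael's point above that the interface names belong in /var/ipfire/ethernet/settings, and the RETURN-before-REDIRECT refinement Bernhard proposes in the mails quoted further down in this thread, can be put together in one script. The following is an added example written for this thread, not code from the patch or from IPFire itself: it generates the DNS_NTP_REDIRECT rule set as text (a dry run) instead of calling iptables, so it can be reviewed on any machine. It assumes the ethernet settings file carries GREEN_DEV, BLUE_DEV, GREEN_ADDRESS and BLUE_ADDRESS, uses its own small key lookup as a stand-in for /usr/local/bin/readhash, and reads the option keys the patch introduces.

```shell
#!/bin/sh
# Added example, not IPFire code: dry-run generator for the DNS_NTP_REDIRECT
# rule set. It prints the iptables commands instead of running them, so the
# generated set can be reviewed (or piped into "sh" on a box that has iptables).
# Differences from the posted init script, following the thread:
#   * interface names and addresses come from the ethernet settings file
#     (keys GREEN_DEV, BLUE_DEV, GREEN_ADDRESS, BLUE_ADDRESS are assumed)
#     instead of hardcoding green0/blue0;
#   * a RETURN for requests already addressed to the firewall precedes each
#     REDIRECT, so well-behaving clients are not rewritten;
#   * comparisons use POSIX "=", so the script runs under any /bin/sh.

# Print the value of KEY ($2) from a KEY=value settings file ($1); empty if
# absent. Minimal stand-in for /usr/local/bin/readhash that avoids eval.
get_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Emit the rules for one zone.
# $1 chain, $2 device, $3 firewall address on that zone, $4 DNS flag, $5 NTP flag.
zone_rules() {
    chain=$1 dev=$2 addr=$3 dns=$4 ntp=$5
    # Zone not configured (e.g. no BLUE): emit nothing even if its flag is on.
    [ -n "$dev" ] || return 0
    if [ "$dns" = "on" ]; then
        for proto in udp tcp; do
            printf 'iptables -t nat -A %s -i %s -d %s -p %s -m %s --dport 53 -j RETURN\n' \
                "$chain" "$dev" "$addr" "$proto" "$proto"
            printf 'iptables -t nat -A %s -i %s -p %s -m %s --dport 53 -j REDIRECT\n' \
                "$chain" "$dev" "$proto" "$proto"
        done
    fi
    if [ "$ntp" = "on" ]; then
        printf 'iptables -t nat -A %s -i %s -d %s -p udp -m udp --dport 123 -j RETURN\n' \
            "$chain" "$dev" "$addr"
        printf 'iptables -t nat -A %s -i %s -p udp -m udp --dport 123 -j REDIRECT\n' \
            "$chain" "$dev"
    fi
}

# Build the complete rule set from the firewall-options file ($1) and the
# ethernet settings file ($2). Starts with the flush, as the patch does, so
# re-running after a "Save" in the GUI always reflects the current switches.
build_rules() {
    opts=$1 eth=$2 chain=DNS_NTP_REDIRECT
    printf 'iptables -t nat -F %s\n' "$chain"
    zone_rules "$chain" "$(get_setting "$eth" GREEN_DEV)" "$(get_setting "$eth" GREEN_ADDRESS)" \
        "$(get_setting "$opts" DNS_FORCE_ON_GREEN)" "$(get_setting "$opts" NTP_FORCE_ON_GREEN)"
    zone_rules "$chain" "$(get_setting "$eth" BLUE_DEV)" "$(get_setting "$eth" BLUE_ADDRESS)" \
        "$(get_setting "$opts" DNS_FORCE_ON_BLUE)" "$(get_setting "$opts" NTP_FORCE_ON_BLUE)"
}

# Demo on constructed settings files (not real IPFire files): GREEN forces
# both services; BLUE is switched on in the options but has no interface
# configured, so no BLUE rule may appear.
demo() {
    d=$(mktemp -d)
    printf 'DNS_FORCE_ON_GREEN=on\nNTP_FORCE_ON_GREEN=on\n' > "$d/optionsfw"
    printf 'DNS_FORCE_ON_BLUE=on\nNTP_FORCE_ON_BLUE=off\n' >> "$d/optionsfw"
    printf 'GREEN_DEV=green0\nGREEN_ADDRESS=192.168.100.254\n' > "$d/ethernet"
    build_rules "$d/optionsfw" "$d/ethernet"
    rm -rf "$d"
}

demo
```

Piping the output into `sh` on the firewall would apply it. Leaving BLUE_DEV out of the ethernet file reproduces the case the GUI handles with `blue_used()`: the BLUE switches are not offered there, and here no BLUE rule is emitted even when the option is set.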
  
Matthias Fischer May 30, 2021, 8:36 a.m. UTC | #14
Hi,

I'm working on pushing v4 - coming soon...

For the records:

v4-statistics of the last 62 days can be found attached (screenshot).

IMHO: works as intended - performance is normal. No problems.

E.g., 'blue0' is NOT "well-behaving" regarding DNS (domain) and NTP
(ntp)... ;-)

Best,
Matthias

On 07.03.2021 14:02, Matthias Fischer wrote:
> Hi Bernhard,
> 
> On 07.03.2021 11:20, Bernhard Bitsch wrote:
>> Hi Matthias,
>> 
>> yes. You got it.
> 
> Very good. ;-)
> 
>> I use these rules now for some time, based on the scripts and discussions in the community.
>> The RETURN rules do not weaken the aim of REDIRECT rules.
> 
> Running here since ~12 hours. Absolutely no problems. Just for fun, I
> even told Firefox to use DoH.
> And: I told my client PC to use 1.2.3.4 as DNS-server. He had no chance.
> DNS was still working as before.
> Furthermore I can see the redirections from our blue clients (nasty
> programmed apps).
> 
> Settings:
> DNS-Server with nine DNSSEC-entries, status on 'dhcp.cgi' is "Working",
> DNS-Protocol: TLS, QNAME-Minimisation: Strict. Running 'unbound 1.13.1'.
> 
>> Because I do not know a measurement tool, I can't say anything about performance.
> 
> What about something like this?
> 
> => https://github.com/DNS-OARC/dnsperf/blob/master/README.md
> 
>> But I'll try to record the behaviour of those 'bad devices' through logging rules, both for REDIRECT and RETURN.
> 
> From time to time I take a look at the IPTables-GUI - right now it's...:
> 
> Chain DNS_NTP_REDIRECT (1 references)
> pkts bytes target prot opt in out source destination
> 82 5532 RETURN udp -- green0 * 0.0.0.0/0 192.168.100.254 udp dpt:53
> 24 1734 REDIRECT udp -- green0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> 0 0 RETURN tcp -- green0 * 0.0.0.0/0 192.168.100.254 tcp dpt:53
> 0 0 REDIRECT tcp -- green0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> 459 31772 RETURN udp -- blue0 * 0.0.0.0/0 192.168.101.254 udp dpt:53
> 40 2861 REDIRECT udp -- blue0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> 0 0 RETURN tcp -- blue0 * 0.0.0.0/0 192.168.101.254 tcp dpt:53
> 0 0 REDIRECT tcp -- blue0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> 983 74708 RETURN udp -- green0 * 0.0.0.0/0 192.168.100.254 udp dpt:123
> 0 0 REDIRECT udp -- green0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
> 0 0 RETURN udp -- blue0 * 0.0.0.0/0 192.168.101.254 udp dpt:123
> 18 1368 REDIRECT udp -- blue0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
> 
> Opinions?
> 
> Best,
> Matthias
> 
> P.S.:
> One (last?) thing to do would be to merge 'dnsntp' (init) and
> 'dnsntpctrl'.(c) into one C file to get rid of the still remaining
> init-file. But sorry, that's for someone else, please...
> 
>> 
>> Best,
>> Bernhard
>> 
>>> Sent: Sunday, 07 March 2021 at 09:06
>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>>> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>, "Jon Murphy" <jcmurphy26@gmail.com>
>>> Cc: "IPFire Development" <development@lists.ipfire.org>
>>> Subject: Re: Aw: Re: [PATCH] (V3) Forcing DNS/NTP
>>>
>>> Hi Bernhard,
>>> 
>>> Lol. Funny misunderstanding - I'll try to figure it out:
>>> 
>>> On 06.03.2021 22:15, Bernhard Bitsch wrote:
>>> > For forcing DNS we generate ( for example )
>>> > 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>> 
>>> That's for *forcing* AKA *bad* requests that don't go the way we want.
>>> 
>>> > To filter allowed DNS requests there is a rule
>>> > 	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p udp -m udp --dport 53 -j RETURN
>>> 
>>> That's for *well-behaving* requests.
>>> 
>>> AH! I see. I think I know what you meant.
>>> 
>>> > To get ${GREEN_ADDRESS} dnsntp needs an additional
>>> >         eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>>> 
>>> Funny. I suddenly thought of doing something with
>>> '.../ethernet/settings' while writing the v3-commit. But I didn't think
>>> of RETURN.
>>> 
>>> > Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN ( DNS requests direct to IPFire ) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case.
>>> > 
>>> > Hope this makes it clear enough.
>>> 
>>> I - really - hope I got it right. ;-)
>>> 
>>> To handle the well-behaving requests, I added RETURN rules prior to the
>>> REDIRECT rules like this:
>>> 
>>> ...
>>> # Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>> if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p
>>> udp -m udp --dport 53 -j RETURN
>>> 
>>>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53
>>> -j REDIRECT
>>> 
>>>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -d ${GREEN_ADDRESS} -p
>>> tcp -m tcp --dport 53 -j RETURN
>>> 
>>>   iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53
>>> -j REDIRECT
>>> fi
>>> ...
>>> 
>>> Intention (explanation was translated from
>>> https://www.pro-linux.de/artikel/2/761/6,aufruf-konventionen-2.html):
>>> If the first - well-behaving - rule matches:
>>> => RETURN => "Leave this chain and continue with the caller or execute
>>> the chain's policy".
>>> 
>>> Otherwise:
>>> => REDIRECT the packet. "This goal ensures that the package is delivered
>>> to the local computer. This allows packets to "fantasy targets" to be
>>> intercepted and dealt with locally."
>>> 
>>> I'm still not 100 percent sure - but does this correspond to your intention?
>>> 
>>> Best,
>>> Matthias
>>> 
>>> > Best,
>>> > Bernhard
>>> > 
>>> >> Sent: Saturday, 06 March 2021 at 21:51
>>> >> From: "Jon Murphy" <jcmurphy26@gmail.com>
>>> >> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>>> >> Subject: Re: [PATCH] (V3) Forcing DNS/NTP
>>> >>
>>> >> > I mean the extra rules for requests client-->IPFire:53.
>>> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>>> >> 
>>> >> How do we determine if a 'well-behaving' client is being redirected?  Or how do we measure performance?
>>> >> 
>>> >> When I tried to measure DNS "speed" in the past, the cache gets in there and makes every look like 38 to 44 ms.
>>> >> 
>>> >> > On Mar 6, 2021, at 1:47 PM, Bernhard Bitsch <Bernhard.Bitsch@gmx.de> wrote:
>>> >> > 
>>> >> > Hi,
>>> >> > 
>>> >> >> Sent: Friday, 05 March 2021 at 23:49
>>> >> >> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>>> >> >> To: "Bernhard Bitsch" <Bernhard.Bitsch@gmx.de>
>>> >> >> Cc: development@lists.ipfire.org
>>> >> >> Subject: Re: Aw: [PATCH] (V3) Forcing DNS/NTP
>>> >> >> 
>>> >> >> Hi,
>>> >> >> 
>>> >> >> On 05.03.2021 21:45, Bernhard Bitsch wrote:
>>> >> >>> Hi,
>>> >> >>> 
>>> >> >>> at a first glance I think, the code implements the ideas of the community discussions.
>>> >> >> 
>>> >> >> Thanks - but unfortunately I'm not quite satisfied with my results yet
>>> >> >> because I didn't manage to merge the init and the ctrl-file in *one* C
>>> >> >> program. The whole is running as I want but... ;-)
>>> >> >> 
>>> >> >>> Just one annotation. As mentioned in a post, it could help to honor 'well-behaving' requests ( to IPFire ) by a RETURN.
>>> >> >> 
>>> >> >> -v please. I don't know if I get this (the translation english =>
>>> >> >> german) right.
>>> >> >> If you mean that I asked for some tips and got some, then of course:
>>> >> >> many thanks to everybody!
>>> >> >> 
>>> >> > Sorry if I wasn't specific enough.
>>> >> > I mean the extra rules for requests client-->IPFire:53.
>>> >> > These are 'well-behaving' and must/should not be redirected. Didn't measure if the performance is equal with or without these extra rules.
>>> >> > 
>>> >> > Best,
>>> >> > Bernhard
>>> >> >> Best,
>>> >> >> Matthias
>>> >> >> 
>>> >> >>> Regards,
>>> >> >>> Bernhard
>>> >> >>> 
>>> >> >>>> Sent: Friday, 05 March 2021 at 20:40
>>> >> >>>> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
>>> >> >>>> To: development@lists.ipfire.org
>>> >> >>>> Subject: [PATCH] (V3) Forcing DNS/NTP
>>> >> >>>> 
>>> >> >>>> Originally triggered by:
>>> >> >>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>> >> >>>> 
>>> >> >>>> Current discussion:
>>> >> >>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>> >> >>>> 
>>> >> >>>> Summary and functionality:
>>> >> >>>>  These patches are controlled through "Firewall Options". They add new
>>> >> >>>>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>> >> >>>>  They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>> >> >>>>  ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>> >> >>>> 
>>> >> >>>>  Default of all new rules is OFF (set in 'lfs/configroot').
>>> >> >>>>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>> >> >>>>  servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>> >> >>>>  this more transparent.
>>> >> >>>> 
>>> >> >>>>  Flaw/ToDo:
>>> >> >>>>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>> >> >>>>  init file, 'dnsntp'. This is actually an unnecessary detour.
>>> >> >>>>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>> >> >>>>  capabilities, perhaps "someone" else knows how to program this.
>>> >> >>>> 
>>> >> >>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>> >> >>>>  The corresponding interface options - including 'Masquerade ...' - are only visible if
>>> >> >>>>  the respective interface actually exists.
>>> >> >>>>  If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>> >> >>>>  or logging options for BLUE available (e.g.).
>>> >> >>>>  Added text colors for better readability and links to DNS and NTP GUI.
>>> >> >>>>  Separated logging options per interface.
>>> >> >>>> 
>>> >> >>>> No reboot required:
>>> >> >>>>  Rules can be switched ON/OFF without rebooting IPFire.
>>> >> >>>>  Changes immediately take effect after clicking 'Save'.
>>> >> >>>> 
>>> >> >>>> Changes to '/etc/rc.d/init.d/firewall':
>>> >> >>>>  To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>> >> >>>>  chain: DNS_NTP_REDIRECT.
>>> >> >>>>  This chain is flushed by the init file before the desired settings are applied.
>>> >> >>>>  Corrected a 'trafic' typo.
>>> >> >>>> 
>>> >> >>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>>> >> >>>> ---
>>> >> >>>> config/rootfiles/common/aarch64/initscripts  |  1 +
>>> >> >>>> config/rootfiles/common/armv5tel/initscripts |  1 +
>>> >> >>>> config/rootfiles/common/i586/initscripts     |  1 +
>>> >> >>>> config/rootfiles/common/misc-progs           |  1 +
>>> >> >>>> config/rootfiles/common/x86_64/initscripts   |  1 +
>>> >> >>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>>> >> >>>> langs/de/cgi-bin/de.pl                       | 15 +++-
>>> >> >>>> langs/en/cgi-bin/en.pl                       | 15 +++-
>>> >> >>>> lfs/configroot                               |  4 +
>>> >> >>>> src/initscripts/system/dnsntp                | 36 ++++++++
>>> >> >>>> src/initscripts/system/firewall              |  9 +-
>>> >> >>>> src/misc-progs/Makefile                      |  2 +-
>>> >> >>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>>> >> >>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>> >> >>>> create mode 100644 src/initscripts/system/dnsntp
>>> >> >>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>> >> >>>> 
>>> >> >>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>>> >> >>>> index 800005966..f38a3a294 100644
>>> >> >>>> --- a/config/rootfiles/common/aarch64/initscripts
>>> >> >>>> +++ b/config/rootfiles/common/aarch64/initscripts
>>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> >> >>>> etc/rc.d/init.d/console
>>> >> >>>> etc/rc.d/init.d/dhcp
>>> >> >>>> etc/rc.d/init.d/dhcrelay
>>> >> >>>> +etc/rc.d/init.d/dnsntp
>>> >> >>>> etc/rc.d/init.d/fcron
>>> >> >>>> etc/rc.d/init.d/fireinfo
>>> >> >>>> etc/rc.d/init.d/firewall
>>> >> >>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>>> >> >>>> index 800005966..f38a3a294 100644
>>> >> >>>> --- a/config/rootfiles/common/armv5tel/initscripts
>>> >> >>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> >> >>>> etc/rc.d/init.d/console
>>> >> >>>> etc/rc.d/init.d/dhcp
>>> >> >>>> etc/rc.d/init.d/dhcrelay
>>> >> >>>> +etc/rc.d/init.d/dnsntp
>>> >> >>>> etc/rc.d/init.d/fcron
>>> >> >>>> etc/rc.d/init.d/fireinfo
>>> >> >>>> etc/rc.d/init.d/firewall
>>> >> >>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>>> >> >>>> index 18c5a897a..a3a2b47f7 100644
>>> >> >>>> --- a/config/rootfiles/common/i586/initscripts
>>> >> >>>> +++ b/config/rootfiles/common/i586/initscripts
>>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> >> >>>> etc/rc.d/init.d/console
>>> >> >>>> etc/rc.d/init.d/dhcp
>>> >> >>>> etc/rc.d/init.d/dhcrelay
>>> >> >>>> +etc/rc.d/init.d/dnsntp
>>> >> >>>> etc/rc.d/init.d/fcron
>>> >> >>>> etc/rc.d/init.d/fireinfo
>>> >> >>>> etc/rc.d/init.d/firewall
>>> >> >>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>>> >> >>>> index d6594b3f8..4bcb94812 100644
>>> >> >>>> --- a/config/rootfiles/common/misc-progs
>>> >> >>>> +++ b/config/rootfiles/common/misc-progs
>>> >> >>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>> >> >>>> usr/local/bin/collectdctrl
>>> >> >>>> usr/local/bin/ddnsctrl
>>> >> >>>> usr/local/bin/dhcpctrl
>>> >> >>>> +usr/local/bin/dnsntpctrl
>>> >> >>>> usr/local/bin/extrahdctrl
>>> >> >>>> usr/local/bin/fireinfoctrl
>>> >> >>>> usr/local/bin/firewallctrl
>>> >> >>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>>> >> >>>> index 18c5a897a..a3a2b47f7 100644
>>> >> >>>> --- a/config/rootfiles/common/x86_64/initscripts
>>> >> >>>> +++ b/config/rootfiles/common/x86_64/initscripts
>>> >> >>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> >> >>>> etc/rc.d/init.d/console
>>> >> >>>> etc/rc.d/init.d/dhcp
>>> >> >>>> etc/rc.d/init.d/dhcrelay
>>> >> >>>> +etc/rc.d/init.d/dnsntp
>>> >> >>>> etc/rc.d/init.d/fcron
>>> >> >>>> etc/rc.d/init.d/fireinfo
>>> >> >>>> etc/rc.d/init.d/firewall
>>> >> >>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>>> >> >>>> index 321642e82..3fc707e8b 100644
>>> >> >>>> --- a/html/cgi-bin/optionsfw.cgi
>>> >> >>>> +++ b/html/cgi-bin/optionsfw.cgi
>>> >> >>>> @@ -2,7 +2,7 @@
>>> >> >>>> ###############################################################################
>>> >> >>>> #                                                                             #
>>> >> >>>> # IPFire.org - A linux based firewall                                         #
>>> >> >>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>>> >> >>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>>> >> >>>> #                                                                             #
>>> >> >>>> # This program is free software: you can redistribute it and/or modify        #
>>> >> >>>> # it under the terms of the GNU General Public License as published by        #
>>> >> >>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> >> >>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>>> >> >>>> 		&General::writehash($filename, \%settings);             # Save good settings
>>> >> >>>> 		system("/usr/local/bin/firewallctrl");
>>> >> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> >> >>>> 	}else{
>>> >> >>>> 		if ($settings{'POLICY'} ne ''){
>>> >> >>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
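Review bot: the four new DNS_FORCE_ON_*/NTP_FORCE_ON_* values are taken from the POST and written by `&General::writehash($filename, \%settings);` without being checked against 'on'/'off', yet that file is later eval'ed by /etc/rc.d/init.d/dnsntp, which runs as root through the setuid dnsntpctrl; restrict the four keys to exactly 'on' or 'off' before writing. Also, `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` discards output and ignores the exit status, so a failure to (re)apply the REDIRECT rules after Save is invisible to the administrator; check the return value of system() and append to $errormessage the way the surrounding code does.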
>>> >> >>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> >> >>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> >> >>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> >> >>>> 		system("/usr/local/bin/firewallctrl");
>>> >> >>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> >> >>>> 	}
>>> >> >>>> 	&General::readhash($filename, \%settings);             # Load good settings
>>> >> >>>> }
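Review bot: both branches of this if/else now end with the identical pair `system("/usr/local/bin/firewallctrl");` and `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");`; move the pair after the closing brace so it is written once. Since iptables_init in the firewall init script is also changed to run dnsntpctrl (see the src/initscripts/system/firewall hunk), check whether firewallctrl already reapplies the chain on this path, in which case the second call here is redundant and flushes/re-adds the rules twice per Save.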
>>> >> >>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>> >> >>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>> >> >>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>> >> >>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>>> >> >>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>>> >> >>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>>> >> >>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>>> >> >>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>> >> >>>> 
>>> >> >>>> &Header::openbox('100%', 'center',);
>>> >> >>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
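Review bot: on systems updated from an earlier release the four new keys are absent from /var/ipfire/optionsfw/settings (the defaults in lfs/configroot only reach fresh installations), so `$settings{'DNS_FORCE_ON_GREEN'}` is undef and `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";` stringifies that to '' and marks neither radio button; default each missing value to 'off' before building %checked (and add the keys in the update script for the release this ships in). The twelve near-identical assignments could also be a loop over the four names.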
>>> >> >>>> @@ -189,13 +203,44 @@ END
>>> >> >>>> END
>>> >> >>>> 	}
>>> >> >>>> 
>>> >> >>>> -	print <<END
>>> >> >>>> +print <<END;
>>> >> >>>> +	<table width='95%' cellspacing='0'>
>>> >> >>>> +		<tr bgcolor='$color{'color20'}'></tr>
>>> >> >>>> +		<tr> </tr>
>>> >> >>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>>> >> >>>> +		</tr>
>>> >> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>>> >> >>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>>> >> >>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> +END
>>> >> >>>> +
>>> >> >>>> +	if (&Header::blue_used()) {
>>> >> >>>> +		print <<END;
>>> >> >>>> +		<table width='95%' cellspacing='0'>
>>> >> >>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> >> >>>> +		<tr> </tr>
>>> >> >>>> +			<tr>
>>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>>> >> >>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>>> >> >>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> >> >>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> >> >>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> +			</td>
>>> >> >>>> +			</tr>
>>> >> >>>> +END
>>> >> >>>> +	}
>>> >> >>>> +
>>> >> >>>> +	print <<END;
>>> >> >>>> 	</table>
>>> >> >>>> 
>>> >> >>>> -	<br>
>>> >> >>>> +	<br />
>>> >> >>>> 
>>> >> >>>> -<table width='95%' cellspacing='0'>
>>> >> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>>> >> >>>> +		<table width='95%' cellspacing='0'>
>>> >> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>> >> >>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
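Review bot: the markup printed for the GREEN block is not well-formed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty heading row, `<tr> </tr>` another, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` that should carry the heading sits outside any <tr> and is followed by a stray `</tr>`. The BLUE branch then opens a second `<table width='95%' cellspacing='0'>` while the GREEN table is still open, has an unmatched `<tr>` before the DNS row and a `</td></tr>` pair after the DROPSAMBA row with no open cell, and only one `</table>` follows. Browsers will render something, but the layout will differ between the with-BLUE and without-BLUE cases; mirror the structure of the existing masquerade table (one heading row with the bgcolor, then one <tr> per option) and close the GREEN table before opening the BLUE one.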
>>> >> >>>> @@ -206,21 +251,30 @@ END
>>> >> >>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>> >> >>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> >> >>>> +END
>>> >> >>>> +
>>> >> >>>> +	if (&Header::blue_used()) {
>>> >> >>>> +		print <<END;
>>> >> >>>> +	</table>
>>> >> >>>> +
>>> >> >>>> +	<br />
>>> >> >>>> +
>>> >> >>>> +		<table width='95%' cellspacing='0'>
>>> >> >>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>>> >> >>>> +			<tr>
>>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> >> >>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> >> >>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> >> >>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -</table>
>>> >> >>>> -<br/>
>>> >> >>>> +			</tr>
>>> >> >>>> +END
>>> >> >>>> +	}
>>> >> >>>> +
>>> >> >>>> +	print <<END;
>>> >> >>>> +	</table>
>>> >> >>>> +
>>> >> >>>> +	<br />
>>> >> >>>> 
>>> >> >>>> -<table width='95%' cellspacing='0'>
>>> >> >>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> >> >>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> >> >>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> >> >>>> -</table>
>>> >> >>>> -<br>
>>> >> >>>> <table width='95%' cellspacing='0'>
>>> >> >>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>> >> >>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
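Review bot: the logging tables have the same structural problem as the GREEN/BLUE block: the BLUE branch emits `</table>` plus a fresh `<table width='95%' cellspacing='0'>`, then an unmatched `<tr>` and a trailing `</tr>`, and the unconditional `</table>` afterwards only closes whichever table was opened last. Two smaller points: the heading `$Lang::tr{'fw logging red'}` now labels DROPNEWNOTSYN, DROPINPUT, DROPFORWARD, DROPOUTGOING and DROPPORTSCAN as RED logging, but at least 'drop input' and 'drop outgoing' are not obviously RED-only, so confirm the grouping before naming the heading after an interface; and with 'fw logging' no longer referenced in this file, check whether that key is used anywhere else before leaving it in the lang files.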
>>> >> >>>> @@ -252,7 +306,7 @@ END
>>> >> >>>> 
>>> >> >>>> <br />
>>> >> >>>> <table width='100%' cellspacing='0'>
>>> >> >>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> >> >>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> >> >>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>> >> >>>> </form></td></tr>
>>> >> >>>> </table>
>>> >> >>>> @@ -278,7 +332,7 @@ print <<END;
>>> >> >>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>> >> >>>> END
>>> >> >>>> 	print "</tr></table></form>";
>>> >> >>>> -	print"<br><br>";
>>> >> >>>> +	print"<br /><br />";
>>> >> >>>> 	print <<END;
>>> >> >>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> >> >>>> 	<table width='100%' border='0'>
>>> >> >>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>> >> >>>> index 6a8133807..d6bb234fa 100644
>>> >> >>>> --- a/langs/de/cgi-bin/de.pl
>>> >> >>>> +++ b/langs/de/cgi-bin/de.pl
>>> >> >>>> @@ -836,6 +836,8 @@
>>> >> >>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>> >> >>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>> >> >>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>>> >> >>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>>> >> >>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>> >> >>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>> >> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>> >> >>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>>> >> >>>> @@ -1102,9 +1104,12 @@
>>> >> >>>> 'from email server' => 'Von E-Mail-Server',
>>> >> >>>> 'from email user' => 'Von E-Mail-Benutzer',
>>> >> >>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>>> >> >>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>>> >> >>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>> >> >>>> 'fw default drop' => 'Firewallrichtlinie',
>>> >> >>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>> >> >>>> 'fw logging' => 'Firewallprotokollierung',
>>> >> >>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>>> >> >>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>> >> >>>> 'fw settings' => 'Firewalleinstellungen',
>>> >> >>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>> >> >>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>>> >> >>>> @@ -1644,9 +1649,9 @@
>>> >> >>>> 'map to guest' => 'Map to Guest',
>>> >> >>>> 'march' => 'März',
>>> >> >>>> 'marked' => 'Markiert',
>>> >> >>>> -'masquerade blue' => 'NAT auf BLAU',
>>> >> >>>> -'masquerade green' => 'NAT auf GRÜN',
>>> >> >>>> -'masquerade orange' => 'NAT auf ORANGE',
>>> >> >>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>>> >> >>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>>> >> >>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>> >> >>>> 'masquerading' => 'Masquerading/NAT',
>>> >> >>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>>> >> >>>> 'masquerading enabled' => 'NAT eingeschaltet',
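Review bot: `'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',` has a space before `=` in the font attribute that the en.pl counterpart does not; make it `color=\'#FF9933\'`. More generally, these entries now embed <font> and <a> markup in translation strings, which only works where the CGI prints them unescaped; if 'masquerade blue' and friends are used anywhere else (a select list, a log line), the tags will appear literally.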
>>> >> >>>> @@ -1814,6 +1819,8 @@
>>> >> >>>> 'november' => 'November',
>>> >> >>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>>> >> >>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>>> >> >>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>>> >> >>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>> >> >>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>> >> >>>> 'ntp server' => 'NTP-Server',
>>> >> >>>> 'ntp sync' => 'Synchronisation',
>>> >> >>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>> >> >>>> index 8f7e0c2cf..474612025 100644
>>> >> >>>> --- a/langs/en/cgi-bin/en.pl
>>> >> >>>> +++ b/langs/en/cgi-bin/en.pl
>>> >> >>>> @@ -859,6 +859,8 @@
>>> >> >>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>> >> >>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>> >> >>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>>> >> >>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>>> >> >>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>> >> >>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>> >> >>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>> >> >>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
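Review bot: `'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',` describes the effect loosely; what the rule does is REDIRECT port 53 from BLUE to IPFire itself, so wording such as 'Redirect all DNS requests from BLUE to IPFire' tells the administrator what actually happens (and why a client configured with an external resolver will silently get its answers from the firewall instead). The same applies to the NTP strings further down, which should also say that only UDP 123 is redirected.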
>>> >> >>>> @@ -1128,9 +1130,12 @@
>>> >> >>>> 'from email server' => 'From Email server',
>>> >> >>>> 'from email user' => 'From e-mail user',
>>> >> >>>> 'from warn email bad' => 'From e-mail address is not valid',
>>> >> >>>> -'fw blue' => 'Firewall options for BLUE interface',
>>> >> >>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>> >> >>>> 'fw default drop' => 'Firewall policy',
>>> >> >>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>> >> >>>> 'fw logging' => 'Firewall logging',
>>> >> >>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>>> >> >>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>> >> >>>> 'fw settings' => 'Firewall settings',
>>> >> >>>> 'fw settings color' => 'Show colors in ruletable',
>>> >> >>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
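Review bot: `'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',` and the new 'fw green' entry capitalise "Interface" where the replaced string had "interface"; keep the original lower case for consistency with the rest of en.pl.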
>>> >> >>>> @@ -1672,9 +1677,9 @@
>>> >> >>>> 'map to guest' => 'Map to Guest',
>>> >> >>>> 'march' => 'March',
>>> >> >>>> 'marked' => 'Marked',
>>> >> >>>> -'masquerade blue' => 'Masquerade BLUE',
>>> >> >>>> -'masquerade green' => 'Masquerade GREEN',
>>> >> >>>> -'masquerade orange' => 'Masquerade ORANGE',
>>> >> >>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>>> >> >>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>>> >> >>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>> >> >>>> 'masquerading' => 'Masquerading',
>>> >> >>>> 'masquerading disabled' => 'Masquerading disabled',
>>> >> >>>> 'masquerading enabled' => 'Masquerading enabled',
>>> >> >>>> @@ -1844,6 +1849,8 @@
>>> >> >>>> 'november' => 'November',
>>> >> >>>> 'ntp common settings' => 'Common settings',
>>> >> >>>> 'ntp configuration' => 'NTP Configuration',
>>> >> >>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>>> >> >>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>> >> >>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>> >> >>>> 'ntp server' => 'NTP Server',
>>> >> >>>> 'ntp sync' => 'Synchronization',
>>> >> >>>> diff --git a/lfs/configroot b/lfs/configroot
>>> >> >>>> index a3e474d70..622793b35 100644
>>> >> >>>> --- a/lfs/configroot
>>> >> >>>> +++ b/lfs/configroot
>>> >> >>>> @@ -129,6 +129,10 @@ $(TARGET) :
>>> >> >>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> >> >>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>> >> >>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>> >> >>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
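Review bot: these echo lines only seed /var/ipfire/optionsfw/settings on fresh installations; existing systems need the same four keys added by the update script of the release this ships in, otherwise optionsfw.cgi sees undefined values. Note also that the commit message calls the options '[DNS/NTP]_FORCED_ON_[INTERFACE]' while the keys written here and read by the init script are DNS_FORCE_ON_GREEN, DNS_FORCE_ON_BLUE, NTP_FORCE_ON_GREEN and NTP_FORCE_ON_BLUE; the message should use the real names.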
>>> >> >>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>> >> >>>> new file mode 100644
>>> >> >>>> index 000000000..2eafa9d20
>>> >> >>>> --- /dev/null
>>> >> >>>> +++ b/src/initscripts/system/dnsntp
>>> >> >>>> @@ -0,0 +1,36 @@
>>> >> >>>> +#!/bin/sh
>>> >> >>>> +########################################################################
>>> >> >>>> +# Begin $rc_base/init.d/dnsntp
>>> >> >>>> +#
>>> >> >>>> +# Description : dnsntp init script for DNS/NTP rules only
>>> >> >>>> +#
>>> >> >>>> +########################################################################
>>> >> >>>> +
>>> >> >>>> +# flush chain
>>> >> >>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>> >> >>>> +
>>> >> >>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>> >> >>>> +
>>> >> >>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>> >> >>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> >> >>>> +fi
>>> >> >>>> +
>>> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>> >> >>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> >> >>>> +fi
>>> >> >>>> +
>>> >> >>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>> >> >>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>>> >> >>>> +fi
>>> >> >>>> +
>>> >> >>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>> >> >>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>> >> >>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>>> >> >>>> +fi
>>> >> >>>> +
>>> >> >>>> +# End $rc_base/init.d/dnsntp
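Review bot: several points in the new init script. The comment `# Force DNS REDIRECTs on BLUE (udp, 123)` above the last block should say NTP. `[ "$DNS_FORCE_ON_GREEN" == "on" ]` uses the bash-only `==` under `#!/bin/sh`; use `=`, or give the script the start/stop structure and `/etc/sysconfig/rc` sourcing the other init scripts share. The interface names green0 and blue0 are hardcoded instead of coming from GREEN_DEV/BLUE_DEV in /var/ipfire/ethernet/settings, which is what the firewall script's own rules use. `iptables -t nat -F DNS_NTP_REDIRECT` fails when the chain does not exist yet (dnsntpctrl can be invoked from the CGI before the firewall script has created it), and the wrapper hides that error; create the chain here if missing or check the exit status. On the security side: REDIRECT rewrites the destination to the firewall's own address, so the commit message's "to the DNS and NTP servers specified in IPFire" really means "to the resolver and NTP daemon on IPFire", and the INPUT rules must accept the redirected packets on GREEN and BLUE; NTP is redirected for UDP only although the message says TCP/UDP; and because only plain port 53 is caught, clients using DNS over TLS (853) or DNS over HTTPS (443) are unaffected, which deserves a sentence in the GUI or wiki. Finally, the settings file this script eval's is written by the web server user from optionsfw.cgi and evaluated here as root via the setuid dnsntpctrl, so the CGI must validate the four values it writes.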
>>> >> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>> >> >>>> index 65f1c979b..43ae74113 100644
>>> >> >>>> --- a/src/initscripts/system/firewall
>>> >> >>>> +++ b/src/initscripts/system/firewall
>>> >> >>>> @@ -169,6 +169,10 @@ iptables_init() {
>>> >> >>>> 	# Fix for braindead ISPs
>>> >> >>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> >> >>>> 
>>> >> >>>> +	# DNS / NTP REDIRECT
>>> >> >>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>> >> >>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>> >> >>>> +
>>> >> >>>> 	# CUSTOM chains, can be used by the users themselves
>>> >> >>>> 	iptables -N CUSTOMINPUT
>>> >> >>>> 	iptables -A INPUT -j CUSTOMINPUT
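Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM chains are created in the lines that follow, so any user-defined PREROUTING rule (for example one exempting a single host or an internal DNS server from the redirect) is evaluated after the REDIRECT has already matched and cannot override it. The commit message gives avoiding collisions with CUSTOM rules as the reason for the separate chain; if the intent is that custom rules keep precedence, jump to DNS_NTP_REDIRECT after the CUSTOM chains (assuming a custom PREROUTING chain is among them), otherwise document that the redirect takes precedence.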
>>> >> >>>> @@ -281,7 +285,7 @@ iptables_init() {
>>> >> >>>> 	iptables -A INPUT -j LOCATIONBLOCK
>>> >> >>>> 	iptables -A FORWARD -j LOCATIONBLOCK
>>> >> >>>> 
>>> >> >>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> >> >>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> >> >>>> 	iptables -N IPSECINPUT
>>> >> >>>> 	iptables -N IPSECFORWARD
>>> >> >>>> 	iptables -N IPSECOUTPUT
>>> >> >>>> @@ -389,6 +393,9 @@ iptables_init() {
>>> >> >>>> 	# run captivectrl
>>> >> >>>> 	/usr/local/bin/captivectrl
>>> >> >>>> 
>>> >> >>>> +	# run dnsntpctrl
>>> >> >>>> +	/usr/local/bin/dnsntpctrl
>>> >> >>>> +
>>> >> >>>> 	# POLICY CHAIN
>>> >> >>>> 	iptables -N POLICYIN
>>> >> >>>> 	iptables -A INPUT -j POLICYIN
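Review bot: `/usr/local/bin/dnsntpctrl` is a setuid wrapper whose only job is to run /etc/rc.d/init.d/dnsntp; from inside iptables_init, which already runs as root, call the init script directly (the commit message itself calls the wrapper an unnecessary detour). Doing so also keeps the script's stderr visible at boot instead of being discarded by the wrapper's `>/dev/null 2>&1`.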
>>> >> >>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>> >> >>>> index 7c3ef7529..6f2733ef0 100644
>>> >> >>>> --- a/src/misc-progs/Makefile
>>> >> >>>> +++ b/src/misc-progs/Makefile
>>> >> >>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>> >> >>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>> >> >>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>>> >> >>>> 	rebuildhosts backupctrl collectdctrl \
>>> >> >>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>>> >> >>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>> >> >>>> 	wirelessctrl getipstat qosctrl \
>>> >> >>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>>> >> >>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>> >> >>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>> >> >>>> new file mode 100644
>>> >> >>>> index 000000000..f2a3b89e3
>>> >> >>>> --- /dev/null
>>> >> >>>> +++ b/src/misc-progs/dnsntpctrl.c
>>> >> >>>> @@ -0,0 +1,19 @@
>>> >> >>>> +/* This file is part of the IPFire Firewall.
>>> >> >>>> + *
>>> >> >>>> + * This program is distributed under the terms of the GNU General Public
>>> >> >>>> + * Licence.  See the file COPYING for details.
>>> >> >>>> + *
>>> >> >>>> + */
>>> >> >>>> +
>>> >> >>>> +#include <stdlib.h>
>>> >> >>>> +#include "setuid.h"
>>> >> >>>> +
>>> >> >>>> +int main(void)
>>> >> >>>> +{
>>> >> >>>> +	if (!(initsetuid()))
>>> >> >>>> +		exit(1);
>>> >> >>>> +
>>> >> >>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>> >> >>>> +
>>> >> >>>> +	return 0;
>>> >> >>>> +}
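Review bot: the exit status of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");` is dropped and main() always returns 0, so optionsfw.cgi cannot tell whether the rules were applied; return the status from safe_system() and leave output redirection to the caller (the CGI already redirects). The initsetuid() check and the fixed command line are the right shape for a setuid root program reachable from the web UI: it accepts no arguments and runs a fixed path, so the only input it acts on is the settings file the init script reads, which is why validating those values in the CGI matters.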
>>> >> >>>> -- 
>>> >> >>>> 2.18.0
>>> >> >>>> 
>>> >> >>>> 
Matthias Fischer May 30, 2021, 3:51 p.m. UTC | #15
Hi,

On 01.04.2021 12:22, Michael Tremer wrote:
> Hello,
> 
> I did not have a look at this because I got lost in the last conversation about this.
> 
> I still do not understand why this would be necessary functionality and why we did not go with adding support for REDIRECT rules to the existing UI which could then be used for all sorts of protocols and won’t be hardcoded to just those two.

Any new opinions on this?

Because:
My programming skills were enough for these DNS and NTP and adding the
functionality you mention above is perhaps wanted (is it!?). But adding
rules for REDIRECTing or RETURNing all sort of protocols seems a bit too
much for me, sorry. I'm a little too cautious to experiment to this
extent with such a complicated interface as the firewall UI and the
underlying rules.

I have my current solution - with a few minor changes - now running for
over 60 days with no seen problems. In MY configuration, of course.
Would it make sense to push this so that "someone" else can
test/tune/discuss this version or should I wait?

Best,
Matthias

> 
> -Michael
> 
>> On 29 Mar 2021, at 22:34, Jon Murphy <jcmurphy26@gmail.com> wrote:
>> 
>> Hello!  Hope everyone is healthy!
>> 
>> I am just curious if this was approved by the Developers?
>> 
>> Jon
>> 
>>> On Mar 5, 2021, at 1:40 PM, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>>> 
>>> Originally triggered by:
>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>> 
>>> Current discussion:
>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>> 
>>> Summary and functionality:
>>> These patches are controlled through "Firewall Options". They add new
>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>> 
>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>> this more transparent.
>>> 
>>> Flaw/ToDo:
>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>> capabilities, perhaps "someone" else knows how to program this.
>>> 
>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>> the respective interface actually exists.
>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>> or logging options for BLUE available (e.g.).
>>> Added text colors for better readability and links to DNS and NTP GUI.
>>> Separated logging options per interface.
>>> 
>>> No reboot required:
>>> Rules can be switched ON/OFF without rebooting IPFire.
>>> Changes immediately take effect after clicking 'Save'.
>>> 
>>> Changes to '/etc/rc.d/init.d/firewall':
>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>> chain: DNS_NTP_REDIRECT.
>>> This chain is flushed by the init file before the desired settings are applied.
>>> Corrected a 'trafic' typo.
>>> 
>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>>> ---
>>> config/rootfiles/common/aarch64/initscripts  |  1 +
>>> config/rootfiles/common/armv5tel/initscripts |  1 +
>>> config/rootfiles/common/i586/initscripts     |  1 +
>>> config/rootfiles/common/misc-progs           |  1 +
>>> config/rootfiles/common/x86_64/initscripts   |  1 +
>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>>> langs/de/cgi-bin/de.pl                       | 15 +++-
>>> langs/en/cgi-bin/en.pl                       | 15 +++-
>>> lfs/configroot                               |  4 +
>>> src/initscripts/system/dnsntp                | 36 ++++++++
>>> src/initscripts/system/firewall              |  9 +-
>>> src/misc-progs/Makefile                      |  2 +-
>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>> create mode 100644 src/initscripts/system/dnsntp
>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>> 
>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>>> index 800005966..f38a3a294 100644
>>> --- a/config/rootfiles/common/aarch64/initscripts
>>> +++ b/config/rootfiles/common/aarch64/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>>> index 800005966..f38a3a294 100644
>>> --- a/config/rootfiles/common/armv5tel/initscripts
>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>>> index 18c5a897a..a3a2b47f7 100644
>>> --- a/config/rootfiles/common/i586/initscripts
>>> +++ b/config/rootfiles/common/i586/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>>> index d6594b3f8..4bcb94812 100644
>>> --- a/config/rootfiles/common/misc-progs
>>> +++ b/config/rootfiles/common/misc-progs
>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>> usr/local/bin/collectdctrl
>>> usr/local/bin/ddnsctrl
>>> usr/local/bin/dhcpctrl
>>> +usr/local/bin/dnsntpctrl
>>> usr/local/bin/extrahdctrl
>>> usr/local/bin/fireinfoctrl
>>> usr/local/bin/firewallctrl
>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>>> index 18c5a897a..a3a2b47f7 100644
>>> --- a/config/rootfiles/common/x86_64/initscripts
>>> +++ b/config/rootfiles/common/x86_64/initscripts
>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>> etc/rc.d/init.d/console
>>> etc/rc.d/init.d/dhcp
>>> etc/rc.d/init.d/dhcrelay
>>> +etc/rc.d/init.d/dnsntp
>>> etc/rc.d/init.d/fcron
>>> etc/rc.d/init.d/fireinfo
>>> etc/rc.d/init.d/firewall
>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>>> index 321642e82..3fc707e8b 100644
>>> --- a/html/cgi-bin/optionsfw.cgi
>>> +++ b/html/cgi-bin/optionsfw.cgi
>>> @@ -2,7 +2,7 @@
>>> ###############################################################################
>>> #                                                                             #
>>> # IPFire.org - A linux based firewall                                         #
>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>>> #                                                                             #
>>> # This program is free software: you can redistribute it and/or modify        #
>>> # it under the terms of the GNU General Public License as published by        #
>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>>> 		&General::writehash($filename, \%settings);             # Save good settings
>>> 		system("/usr/local/bin/firewallctrl");
>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> 	}else{
>>> 		if ($settings{'POLICY'} ne ''){
>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
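Review bot: the new DNS_FORCE_ON_*/NTP_FORCE_ON_* values reach optionsfw/settings through the writehash call two lines above without any check that they are 'on' or 'off', and /etc/rc.d/init.d/dnsntp later loads that file with `eval $(/usr/local/bin/readhash ...)`; validate the four keys against /^(on|off)$/ before writehash (the radio buttons only make the expected values convenient, not mandatory). The `>/dev/null 2>&1` is redundant, since dnsntpctrl.c already discards the init script's output, and because iptables_init in the firewall script now runs dnsntpctrl itself, confirm whether this extra call right after firewallctrl is still needed.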
>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>> 		system("/usr/local/bin/firewallctrl");
>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>> 	}
>>> 	&General::readhash($filename, \%settings);             # Load good settings
>>> }
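Review bot: this is the same `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` as in the branch above; both branches fall through to the readhash on the next line anyway, so a single call after the if/else would do.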
>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>> 
>>> &Header::openbox('100%', 'center',);
>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
>>> @@ -189,13 +203,44 @@ END
>>> END
>>> 	}
>>> 
>>> -	print <<END
>>> +print <<END;
>>> +	<table width='95%' cellspacing='0'>
>>> +		<tr bgcolor='$color{'color20'}'></tr>
>>> +		<tr>&nbsp;</tr>
>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>>> +		</tr>
>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +END
>>> +
>>> +	if (&Header::blue_used()) {
>>> +		print <<END;
>>> +		<table width='95%' cellspacing='0'>
>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> +		<tr>&nbsp;</tr>
>>> +			<tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> +			</td>
>>> +			</tr>
>>> +END
>>> +	}
>>> +
>>> +	print <<END;
>>> 	</table>
>>> 
>>> -	<br>
>>> +	<br />
>>> 
>>> -<table width='95%' cellspacing='0'>
>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>>> +		<table width='95%' cellspacing='0'>
>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
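Review bot: the GREEN block's table markup is broken: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` puts text directly inside a row, and the `<td colspan='2' ...>` heading cell has no opening `<tr>` (the BLUE block below shows the intended shape, with the heading cell inside the coloured row). The BLUE block then opens a second `<table width='95%' cellspacing='0'>` while the GREEN table is still open, and only one `</table>` follows after the `if`, so with BLUE configured the two tables are nested and unbalanced; close the GREEN table before the `if`, as the logging tables further down already do, and drop the stray `<tr>` and `</td></tr>` lines around the BLUE rows.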
>>> @@ -206,21 +251,30 @@ END
>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> +END
>>> +
>>> +	if (&Header::blue_used()) {
>>> +		print <<END;
>>> +	</table>
>>> +
>>> +	<br />
>>> +
>>> +		<table width='95%' cellspacing='0'>
>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>>> +			<tr>
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -</table>
>>> -<br/>
>>> +			</tr>
>>> +END
>>> +	}
>>> +
>>> +	print <<END;
>>> +	</table>
>>> +
>>> +	<br />
>>> 
>>> -<table width='95%' cellspacing='0'>
>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>> -</table>
>>> -<br>
>>> <table width='95%' cellspacing='0'>
>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
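Review bot: DROPWIRELESSINPUT and DROPWIRELESSFORWARD (and, in the hunk above, DROPPROXY and DROPSAMBA) are now only rendered when blue_used() is true, so on a system without BLUE the form no longer submits them; check that saving does not then drop those keys from optionsfw/settings and that the firewall script copes with them being unset. The `<tr>` at the top of the BLUE logging block and the `</tr>` at its end are unmatched and should go. The `<br>` to `<br />` and heading/colour changes are cosmetic and would be easier to review as a separate patch.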
>>> @@ -252,7 +306,7 @@ END
>>> 
>>> <br />
>>> <table width='100%' cellspacing='0'>
>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>> </form></td></tr>
>>> </table>
>>> @@ -278,7 +332,7 @@ print <<END;
>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>> END
>>> 	print "</tr></table></form>";
>>> -	print"<br><br>";
>>> +	print"<br /><br />";
>>> 	print <<END;
>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>> 	<table width='100%' border='0'>
>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>> index 6a8133807..d6bb234fa 100644
>>> --- a/langs/de/cgi-bin/de.pl
>>> +++ b/langs/de/cgi-bin/de.pl
>>> @@ -836,6 +836,8 @@
>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>>> @@ -1102,9 +1104,12 @@
>>> 'from email server' => 'Von E-Mail-Server',
>>> 'from email user' => 'Von E-Mail-Benutzer',
>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>> 'fw default drop' => 'Firewallrichtlinie',
>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>> 'fw logging' => 'Firewallprotokollierung',
>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>> 'fw settings' => 'Firewalleinstellungen',
>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
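Review bot: the colours are hard-coded as `<font color=...>` inside the translation strings, so every language file now carries its own copy of the interface colours and bypasses the theme colours the CGI already reads via `$color{...}`; keep the .pl strings to plain text and wrap the translated word in the markup from optionsfw.cgi instead (the same applies to the 'fw logging ...' and 'masquerade ...' strings below and to en.pl).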
>>> @@ -1644,9 +1649,9 @@
>>> 'map to guest' => 'Map to Guest',
>>> 'march' => 'März',
>>> 'marked' => 'Markiert',
>>> -'masquerade blue' => 'NAT auf BLAU',
>>> -'masquerade green' => 'NAT auf GRÜN',
>>> -'masquerade orange' => 'NAT auf ORANGE',
>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>> 'masquerading' => 'Masquerading/NAT',
>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>>> 'masquerading enabled' => 'NAT eingeschaltet',
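Review bot: `<font color =\'#FF9933\'>` in the ORANGE string has a space before `=` that the BLUE and GREEN strings (and the en.pl counterpart) do not; harmless for browsers, but inconsistent.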
>>> @@ -1814,6 +1819,8 @@
>>> 'november' => 'November',
>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>> 'ntp server' => 'NTP-Server',
>>> 'ntp sync' => 'Synchronisation',
>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>> index 8f7e0c2cf..474612025 100644
>>> --- a/langs/en/cgi-bin/en.pl
>>> +++ b/langs/en/cgi-bin/en.pl
>>> @@ -859,6 +859,8 @@
>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
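Review bot: the label says 'Force DNS to use local DNS servers', but the rule REDIRECTs port 53 to IPFire itself, whose resolver then uses the servers configured in dns.cgi; something like 'Redirect all DNS requests on GREEN to IPFire' describes it more accurately. It is also worth stating, here or in the commit message, that only plain port 53 is caught: DNS over TLS (853) and DNS over HTTPS (443) from clients pass untouched, so the 'forcing' is partial.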
>>> @@ -1128,9 +1130,12 @@
>>> 'from email server' => 'From Email server',
>>> 'from email user' => 'From e-mail user',
>>> 'from warn email bad' => 'From e-mail address is not valid',
>>> -'fw blue' => 'Firewall options for BLUE interface',
>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>> 'fw default drop' => 'Firewall policy',
>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>> 'fw logging' => 'Firewall logging',
>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>> 'fw settings' => 'Firewall settings',
>>> 'fw settings color' => 'Show colors in ruletable',
>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
>>> @@ -1672,9 +1677,9 @@
>>> 'map to guest' => 'Map to Guest',
>>> 'march' => 'March',
>>> 'marked' => 'Marked',
>>> -'masquerade blue' => 'Masquerade BLUE',
>>> -'masquerade green' => 'Masquerade GREEN',
>>> -'masquerade orange' => 'Masquerade ORANGE',
>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>> 'masquerading' => 'Masquerading',
>>> 'masquerading disabled' => 'Masquerading disabled',
>>> 'masquerading enabled' => 'Masquerading enabled',
>>> @@ -1844,6 +1849,8 @@
>>> 'november' => 'November',
>>> 'ntp common settings' => 'Common settings',
>>> 'ntp configuration' => 'NTP Configuration',
>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>> 'ntp server' => 'NTP Server',
>>> 'ntp sync' => 'Synchronization',
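Review bot: redirecting UDP 123 to IPFire only helps if IPFire's own NTP server is enabled for clients (the existing 'ntp must be enabled to have clients' string right below names the condition); with it disabled, clients silently lose time synchronisation. Either check that setting in the CGI before accepting NTP_FORCE_ON_* = 'on', or mention the prerequisite in the label.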
>>> diff --git a/lfs/configroot b/lfs/configroot
>>> index a3e474d70..622793b35 100644
>>> --- a/lfs/configroot
>>> +++ b/lfs/configroot
>>> @@ -129,6 +129,10 @@ $(TARGET) :
>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
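Review bot: these defaults only land in optionsfw/settings on a fresh install; systems upgraded through a core update will have no DNS_FORCE_ON_*/NTP_FORCE_ON_* keys, which works only by accident (the init script's `== "on"` test fails on an empty value, and neither radio button is preselected in the WUI). Add the four keys to the corresponding core update script so the file is complete on upgraded systems too.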
>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>> new file mode 100644
>>> index 000000000..2eafa9d20
>>> --- /dev/null
>>> +++ b/src/initscripts/system/dnsntp
>>> @@ -0,0 +1,36 @@
>>> +#!/bin/sh
>>> +########################################################################
>>> +# Begin $rc_base/init.d/dnsntp
>>> +#
>>> +# Description : dnsntp init script for DNS/NTP rules only
>>> +#
>>> +########################################################################
>>> +
>>> +# flush chain
>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>> +
>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>> +
>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> +fi
>>> +
>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>>> +fi
>>> +
>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>>> +fi
>>> +
>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>>> +fi
>>> +
>>> +# End $rc_base/init.d/dnsntp
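Review bot: the interface names are hard-coded as green0 and blue0, while the firewall script works with GREEN_DEV/BLUE_DEV from /var/ipfire/ethernet/settings (see the `-i GREEN_DEV` comment in the hunk below); load that file the same way this script loads optionsfw/settings and use `-i "$GREEN_DEV"` / `-i "$BLUE_DEV"`, which also lets you skip the BLUE rules when BLUE_DEV is empty. `[ "$DNS_FORCE_ON_GREEN" == "on" ]` relies on a bash extension under `#!/bin/sh`; use `=`. The comment above the last block reads 'Force DNS REDIRECTs on BLUE (udp, 123)' but the rule is for NTP. Finally, `eval $(/usr/local/bin/readhash ...)` turns a file written by the web UI into shell executed as root; unless readhash quotes its output, the CGI must restrict these values to on/off.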
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>> index 65f1c979b..43ae74113 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -169,6 +169,10 @@ iptables_init() {
>>> 	# Fix for braindead ISPs
>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> 
>>> +	# DNS / NTP REDIRECT
>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>> +
>>> 	# CUSTOM chains, can be used by the users themselves
>>> 	iptables -N CUSTOMINPUT
>>> 	iptables -A INPUT -j CUSTOMINPUT
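Review bot: the jump to DNS_NTP_REDIRECT is appended to nat PREROUTING here, ahead of the CUSTOM chains created just below, so a user's CUSTOMPREROUTING rule cannot exempt a host from the redirect; if that precedence is intended (the description says the separate chain is there to avoid collisions with custom rules), say so in the commit message, otherwise add the jump after the custom chain. A comment that REDIRECT rewrites the destination to the firewall's own address, so the redirected packets still have to be accepted by the INPUT policy for 53/123 on GREEN/BLUE, would help the next reader.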
>>> @@ -281,7 +285,7 @@ iptables_init() {
>>> 	iptables -A INPUT -j LOCATIONBLOCK
>>> 	iptables -A FORWARD -j LOCATIONBLOCK
>>> 
>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> 	iptables -N IPSECINPUT
>>> 	iptables -N IPSECFORWARD
>>> 	iptables -N IPSECOUTPUT
>>> @@ -389,6 +393,9 @@ iptables_init() {
>>> 	# run captivectrl
>>> 	/usr/local/bin/captivectrl
>>> 
>>> +	# run dnsntpctrl
>>> +	/usr/local/bin/dnsntpctrl
>>> +
>>> 	# POLICY CHAIN
>>> 	iptables -N POLICYIN
>>> 	iptables -A INPUT -j POLICYIN
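Review bot: iptables_init already runs as root, so going through the setuid wrapper dnsntpctrl here (which discards all output) instead of running /etc/rc.d/init.d/dnsntp directly hides any iptables error during firewall start; calling the script directly keeps such errors visible on the console. It mirrors the captivectrl call above, so treat this as a style point if that precedent is preferred.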
>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>> index 7c3ef7529..6f2733ef0 100644
>>> --- a/src/misc-progs/Makefile
>>> +++ b/src/misc-progs/Makefile
>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>>> 	rebuildhosts backupctrl collectdctrl \
>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>> 	wirelessctrl getipstat qosctrl \
>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>> new file mode 100644
>>> index 000000000..f2a3b89e3
>>> --- /dev/null
>>> +++ b/src/misc-progs/dnsntpctrl.c
>>> @@ -0,0 +1,19 @@
>>> +/* This file is part of the IPFire Firewall.
>>> + *
>>> + * This program is distributed under the terms of the GNU General Public
>>> + * Licence.  See the file COPYING for details.
>>> + *
>>> + */
>>> +
>>> +#include <stdlib.h>
>>> +#include "setuid.h"
>>> +
>>> +int main(void)
>>> +{
>>> +	if (!(initsetuid()))
>>> +		exit(1);
>>> +
>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>> +
>>> +	return 0;
>>> +}
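Review bot: as a setuid-root program this is minimal (no arguments, fixed path, initsetuid() check), which is good; the thing to be aware of is that the script it runs does `eval $(readhash /var/ipfire/optionsfw/settings)` on a file the web UI writes as the unprivileged web server user, so either readhash must shell-quote its output or optionsfw.cgi must restrict the new values to on/off, and which of the two holds should be stated here. The `>/dev/null 2>&1` also swallows any iptables failure, so a broken settings value goes unnoticed; logging stderr to syslog would help when debugging. Building the rules directly in this file via safe_system, as the commit message's ToDo wishes, would remove the eval step entirely, but that can be a follow-up.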
>>> -- 
>>> 2.18.0
>>> 
>> 
>
  
Bernhard Bitsch May 31, 2021, 9:13 a.m. UTC | #16
Hi,


Am 30.05.2021 um 17:51 schrieb Matthias Fischer:
> Hi,
> 
> On 01.04.2021 12:22, Michael Tremer wrote:
>> Hello,
>>
>> I did not have a look at this because I got lost in the last conversation about this.
>>
>> I still do not understand why this would be necessary functionality and why we did not go with adding support for REDIRECT rules to the existing UI which could then be used for all sorts of protocols and won’t be hardcoded to just those two.
> 

I think rules for REDIRECT in the WUI would be nice.
But just the DNS (and NTP) functionality is worth a special 
treatment. The concept of IPFire imposes that DNS should be under 
control of the application. Therefore no device should be able to do its 
"own" name resolution. This can be blocked by denying all requests other 
than to the IPFire gateway. Unfortunately more and more wireless devices are 
'not able to learn this lesson' and so can't be used with IPFire as 
internet access device. This can be observed if one looks at the logs 
for the rules.
The special REDIRECT / RETURN rules allow usage of these devices without 
breaking the rule 'IPFire's unbound does the name resolution in the 
local network'.

Regards
Bernhard
> Any new opinions on this?
> 
> Because:
> My programming skills were enough for these DNS and NTP and adding the
> functionality you mention above is perhaps wanted (is it!?). But adding
> rules for REDIRECTing or RETURNing all sort of protocols seems a bit too
> much for me, sorry. I'm a little too cautious to experiment to this
> extent with such a complicated interface as the firewall UI and the
> underlying rules.
> 
> I have my current solution - with a few minor changes - now running for
> over 60 days with no seen problems. In MY configuration, of course.
> Would it make sense to push this so that "someone" else can
> test/tune/discuss this version or should I wait?
> 
> Best,
> Matthias
> 
>>
>> -Michael
>>
>>> On 29 Mar 2021, at 22:34, Jon Murphy <jcmurphy26@gmail.com> wrote:
>>>
>>> Hello!  Hope everyone is healthy!
>>>
>>> I am just curious if this was approved by the Developers?
>>>
>>> Jon
>>>
>>>> On Mar 5, 2021, at 1:40 PM, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>>>>
>>>> Originally triggered by:
>>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>>
>>>> Current discussion:
>>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>>
>>>> Summary and functionality:
>>>> These patches are controlled through "Firewall Options". They add new
>>>> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>>> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
>>>> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
>>>>
>>>> Default of all new rules is OFF (set in 'lfs/configroot').
>>>> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>>> servers specified in IPFire. GUI links to DNS and NTP options were added to make
>>>> this more transparent.
>>>>
>>>> Flaw/ToDo:
>>>> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>>> init file, 'dnsntp'. This is actually an unnecessary detour.
>>>> In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>>> capabilities, perhaps "someone" else knows how to program this.
>>>>
>>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>>> The corresponding interface options - including 'Masquerade ...' - are only visible if
>>>> the respective interface actually exists.
>>>> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
>>>> or logging options for BLUE available (e.g.).
>>>> Added text colors for better readability and links to DNS and NTP GUI.
>>>> Separated logging options per interface.
>>>>
>>>> No reboot required:
>>>> Rules can be switched ON/OFF without rebooting IPFire.
>>>> Changes immediately take effect after clicking 'Save'.
>>>>
>>>> Changes to '/etc/rc.d/init.d/firewall':
>>>> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
>>>> chain: DNS_NTP_REDIRECT.
>>>> This chain is flushed by the init file before the desired settings are applied.
>>>> Corrected a 'trafic' typo.
>>>>
>>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>>>> ---
>>>> config/rootfiles/common/aarch64/initscripts  |  1 +
>>>> config/rootfiles/common/armv5tel/initscripts |  1 +
>>>> config/rootfiles/common/i586/initscripts     |  1 +
>>>> config/rootfiles/common/misc-progs           |  1 +
>>>> config/rootfiles/common/x86_64/initscripts   |  1 +
>>>> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
>>>> langs/de/cgi-bin/de.pl                       | 15 +++-
>>>> langs/en/cgi-bin/en.pl                       | 15 +++-
>>>> lfs/configroot                               |  4 +
>>>> src/initscripts/system/dnsntp                | 36 ++++++++
>>>> src/initscripts/system/firewall              |  9 +-
>>>> src/misc-progs/Makefile                      |  2 +-
>>>> src/misc-progs/dnsntpctrl.c                  | 19 ++++
>>>> 13 files changed, 168 insertions(+), 29 deletions(-)
>>>> create mode 100644 src/initscripts/system/dnsntp
>>>> create mode 100644 src/misc-progs/dnsntpctrl.c
>>>>
>>>> diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
>>>> index 800005966..f38a3a294 100644
>>>> --- a/config/rootfiles/common/aarch64/initscripts
>>>> +++ b/config/rootfiles/common/aarch64/initscripts
>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>>> etc/rc.d/init.d/console
>>>> etc/rc.d/init.d/dhcp
>>>> etc/rc.d/init.d/dhcrelay
>>>> +etc/rc.d/init.d/dnsntp
>>>> etc/rc.d/init.d/fcron
>>>> etc/rc.d/init.d/fireinfo
>>>> etc/rc.d/init.d/firewall
>>>> diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
>>>> index 800005966..f38a3a294 100644
>>>> --- a/config/rootfiles/common/armv5tel/initscripts
>>>> +++ b/config/rootfiles/common/armv5tel/initscripts
>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>>> etc/rc.d/init.d/console
>>>> etc/rc.d/init.d/dhcp
>>>> etc/rc.d/init.d/dhcrelay
>>>> +etc/rc.d/init.d/dnsntp
>>>> etc/rc.d/init.d/fcron
>>>> etc/rc.d/init.d/fireinfo
>>>> etc/rc.d/init.d/firewall
>>>> diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
>>>> index 18c5a897a..a3a2b47f7 100644
>>>> --- a/config/rootfiles/common/i586/initscripts
>>>> +++ b/config/rootfiles/common/i586/initscripts
>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>>> etc/rc.d/init.d/console
>>>> etc/rc.d/init.d/dhcp
>>>> etc/rc.d/init.d/dhcrelay
>>>> +etc/rc.d/init.d/dnsntp
>>>> etc/rc.d/init.d/fcron
>>>> etc/rc.d/init.d/fireinfo
>>>> etc/rc.d/init.d/firewall
>>>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>>>> index d6594b3f8..4bcb94812 100644
>>>> --- a/config/rootfiles/common/misc-progs
>>>> +++ b/config/rootfiles/common/misc-progs
>>>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>>> usr/local/bin/collectdctrl
>>>> usr/local/bin/ddnsctrl
>>>> usr/local/bin/dhcpctrl
>>>> +usr/local/bin/dnsntpctrl
>>>> usr/local/bin/extrahdctrl
>>>> usr/local/bin/fireinfoctrl
>>>> usr/local/bin/firewallctrl
>>>> diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
>>>> index 18c5a897a..a3a2b47f7 100644
>>>> --- a/config/rootfiles/common/x86_64/initscripts
>>>> +++ b/config/rootfiles/common/x86_64/initscripts
>>>> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
>>>> etc/rc.d/init.d/console
>>>> etc/rc.d/init.d/dhcp
>>>> etc/rc.d/init.d/dhcrelay
>>>> +etc/rc.d/init.d/dnsntp
>>>> etc/rc.d/init.d/fcron
>>>> etc/rc.d/init.d/fireinfo
>>>> etc/rc.d/init.d/firewall
>>>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>>>> index 321642e82..3fc707e8b 100644
>>>> --- a/html/cgi-bin/optionsfw.cgi
>>>> +++ b/html/cgi-bin/optionsfw.cgi
>>>> @@ -2,7 +2,7 @@
>>>> ###############################################################################
>>>> #                                                                             #
>>>> # IPFire.org - A linux based firewall                                         #
>>>> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
>>>> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
>>>> #                                                                             #
>>>> # This program is free software: you can redistribute it and/or modify        #
>>>> # it under the terms of the GNU General Public License as published by        #
>>>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>>> 		$errormessage .= $Lang::tr{'new optionsfw later'};
>>>> 		&General::writehash($filename, \%settings);             # Save good settings
>>>> 		system("/usr/local/bin/firewallctrl");
>>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>>> 	}else{
>>>> 		if ($settings{'POLICY'} ne ''){
>>>> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
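Review bot: the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` is added identically to this branch and to the `else` branch in the next hunk, and in both places its output is discarded, so an `iptables` failure inside the init script can never reach `$errormessage`. Consider a single call after the `if`/`else`, without the redirection (dnsntpctrl.c already silences the init script), and check its exit status so the page can report a failed reload.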
>>>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>>> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>>> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>>> 		system("/usr/local/bin/firewallctrl");
>>>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>>> 	}
>>>> 	&General::readhash($filename, \%settings);             # Load good settings
>>>> }
>>>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>>>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>>>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>>>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>>>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>>>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>>>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>>>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>>>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>>>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>>>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>>>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>>>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>>>
>>>> &Header::openbox('100%', 'center',);
>>>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
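Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";` assumes the key exists in `optionsfw/settings`; on an installation whose settings file predates this patch the key is undefined, the assignment lands in `$checked{...}{''}`, and neither radio button is rendered checked (the same holds for the other three keys). Defaulting the four keys before this block, e.g. `$settings{'DNS_FORCE_ON_GREEN'} = 'off' unless defined $settings{'DNS_FORCE_ON_GREEN'};`, keeps the form consistent with the init script, which treats anything other than `on` as off.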
>>>> @@ -189,13 +203,44 @@ END
>>>> END
>>>> 	}
>>>>
>>>> -	print <<END
>>>> +print <<END;
>>>> +	<table width='95%' cellspacing='0'>
>>>> +		<tr bgcolor='$color{'color20'}'></tr>
>>>> +		<tr>&nbsp;</tr>
>>>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>>>> +		</tr>
>>>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>>>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>>>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> +END
>>>> +
>>>> +	if (&Header::blue_used()) {
>>>> +		print <<END;
>>>> +		<table width='95%' cellspacing='0'>
>>>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>>> +		<tr>&nbsp;</tr>
>>>> +			<tr>
>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>>>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>>>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> +			</td>
>>>> +			</tr>
>>>> +END
>>>> +	}
>>>> +
>>>> +	print <<END;
>>>> 	</table>
>>>>
>>>> -	<br>
>>>> +	<br />
>>>>
>>>> -<table width='95%' cellspacing='0'>
>>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>>>> +		<table width='95%' cellspacing='0'>
>>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>>> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>>> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
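Review bot: the GREEN options table is never closed: the first heredoc opens `<table width='95%' cellspacing='0'>`, the BLUE block opens a second `<table>` inside it, and the `</table>` printed after `if (&Header::blue_used())` closes only one of them. The heading rows are also malformed: `<tr bgcolor='$color{'color20'}'></tr>` is empty, `<tr>&nbsp;</tr>` puts text directly inside a row, and the `<td colspan='2' ...>$Lang::tr{'fw green'}</td>` has no opening `<tr>`, so the green heading loses its colour band; in the BLUE block a bare `<tr>` is opened before the first row and the trailing `</td></tr>` closes nothing. Suggest one heading row in the form used for `fw blue`, a `</table>` at the end of each block, and dropping the stray `<tr>`, `</td>` and `</tr>`. The `print <<END;` line also lost its leading tab while the surrounding code keeps the original indentation.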
>>>> @@ -206,21 +251,30 @@ END
>>>> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>>> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>>> +END
>>>> +
>>>> +	if (&Header::blue_used()) {
>>>> +		print <<END;
>>>> +	</table>
>>>> +
>>>> +	<br />
>>>> +
>>>> +		<table width='95%' cellspacing='0'>
>>>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>>>> +			<tr>
>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>>> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>>> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> -</table>
>>>> -<br/>
>>>> +			</tr>
>>>> +END
>>>> +	}
>>>> +
>>>> +	print <<END;
>>>> +	</table>
>>>> +
>>>> +	<br />
>>>>
>>>> -<table width='95%' cellspacing='0'>
>>>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>>>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>>>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>>> -</table>
>>>> -<br>
>>>> <table width='95%' cellspacing='0'>
>>>> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>>> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
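Review bot: in the BLUE logging block a bare `<tr>` is opened before the `drop wirelessinput` row and a bare `</tr>` is emitted after `drop wirelessforward`; neither wraps a cell, so both should go. Renaming the first logging heading from `fw logging` to `fw logging red` also leaves the old `fw logging` string unused by this file while it stays in `en.pl`/`de.pl`; either remove it or keep it for the RED block and add only the BLUE variant.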
>>>> @@ -252,7 +306,7 @@ END
>>>>
>>>> <br />
>>>> <table width='100%' cellspacing='0'>
>>>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>>> </form></td></tr>
>>>> </table>
>>>> @@ -278,7 +332,7 @@ print <<END;
>>>> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>>> END
>>>> 	print "</tr></table></form>";
>>>> -	print"<br><br>";
>>>> +	print"<br /><br />";
>>>> 	print <<END;
>>>> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>>> 	<table width='100%' border='0'>
>>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>>> index 6a8133807..d6bb234fa 100644
>>>> --- a/langs/de/cgi-bin/de.pl
>>>> +++ b/langs/de/cgi-bin/de.pl
>>>> @@ -836,6 +836,8 @@
>>>> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>>> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>>> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>>>> +'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
>>>> +'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
>>>> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>>> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>>>> @@ -1102,9 +1104,12 @@
>>>> 'from email server' => 'Von E-Mail-Server',
>>>> 'from email user' => 'Von E-Mail-Benutzer',
>>>> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>>>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>>>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>>> 'fw default drop' => 'Firewallrichtlinie',
>>>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>>> 'fw logging' => 'Firewallprotokollierung',
>>>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>>>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>>> 'fw settings' => 'Firewalleinstellungen',
>>>> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>>> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>>>> @@ -1644,9 +1649,9 @@
>>>> 'map to guest' => 'Map to Guest',
>>>> 'march' => 'März',
>>>> 'marked' => 'Markiert',
>>>> -'masquerade blue' => 'NAT auf BLAU',
>>>> -'masquerade green' => 'NAT auf GRÜN',
>>>> -'masquerade orange' => 'NAT auf ORANGE',
>>>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>>>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>>>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>>> 'masquerading' => 'Masquerading/NAT',
>>>> 'masquerading disabled' => 'NAT ausgeschaltet',
>>>> 'masquerading enabled' => 'NAT eingeschaltet',
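Review bot: `'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',` has a space before `=` in the `color` attribute while the GREEN and BLUE strings and the English counterpart in `en.pl` do not; align it to `color=\'#FF9933\'`. More generally, embedding `<font>` markup in translation strings spreads presentation across every language file; applying the colour in `optionsfw.cgi` or via a CSS class would keep the strings plain text.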
>>>> @@ -1814,6 +1819,8 @@
>>>> 'november' => 'November',
>>>> 'ntp common settings' => 'Allgemeine Einstellungen',
>>>> 'ntp configuration' => 'Zeitserverkonfiguration',
>>>> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
>>>> +'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
>>>> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>>> 'ntp server' => 'NTP-Server',
>>>> 'ntp sync' => 'Synchronisation',
>>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>>> index 8f7e0c2cf..474612025 100644
>>>> --- a/langs/en/cgi-bin/en.pl
>>>> +++ b/langs/en/cgi-bin/en.pl
>>>> @@ -859,6 +859,8 @@
>>>> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>>> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>>> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>>>> +'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
>>>> +'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
>>>> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>>> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>>> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>>>> @@ -1128,9 +1130,12 @@
>>>> 'from email server' => 'From Email server',
>>>> 'from email user' => 'From e-mail user',
>>>> 'from warn email bad' => 'From e-mail address is not valid',
>>>> -'fw blue' => 'Firewall options for BLUE interface',
>>>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>>> 'fw default drop' => 'Firewall policy',
>>>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>>> 'fw logging' => 'Firewall logging',
>>>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>>>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>>> 'fw settings' => 'Firewall settings',
>>>> 'fw settings color' => 'Show colors in ruletable',
>>>> 'fw settings dropdown' => 'Show all networks on rulecreation site',
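Review bot: `'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',` changes `interface` to `Interface` alongside the colour markup, and the new `'fw green'` string copies the capitalised form; keep the original lower-case wording in both.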
>>>> @@ -1672,9 +1677,9 @@
>>>> 'map to guest' => 'Map to Guest',
>>>> 'march' => 'March',
>>>> 'marked' => 'Marked',
>>>> -'masquerade blue' => 'Masquerade BLUE',
>>>> -'masquerade green' => 'Masquerade GREEN',
>>>> -'masquerade orange' => 'Masquerade ORANGE',
>>>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>>>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>>>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>>> 'masquerading' => 'Masquerading',
>>>> 'masquerading disabled' => 'Masquerading disabled',
>>>> 'masquerading enabled' => 'Masquerading enabled',
>>>> @@ -1844,6 +1849,8 @@
>>>> 'november' => 'November',
>>>> 'ntp common settings' => 'Common settings',
>>>> 'ntp configuration' => 'NTP Configuration',
>>>> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
>>>> +'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
>>>> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>>> 'ntp server' => 'NTP Server',
>>>> 'ntp sync' => 'Synchronization',
>>>> diff --git a/lfs/configroot b/lfs/configroot
>>>> index a3e474d70..622793b35 100644
>>>> --- a/lfs/configroot
>>>> +++ b/lfs/configroot
>>>> @@ -129,6 +129,10 @@ $(TARGET) :
>>>> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>>> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>>> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>>> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
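Review bot: these `echo` lines only seed the four `*_FORCE_ON_*` keys into `optionsfw/settings` for a fresh build; the diffstat counts 13 files and none of them is an update script, so existing installations will run with the keys absent. The init script copes (anything other than `on` means off), but the CGI's `$checked` lookups do not, so an update step that appends the four `=off` lines to `/var/ipfire/optionsfw/settings` belongs with this change.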
>>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>>> new file mode 100644
>>>> index 000000000..2eafa9d20
>>>> --- /dev/null
>>>> +++ b/src/initscripts/system/dnsntp
>>>> @@ -0,0 +1,36 @@
>>>> +#!/bin/sh
>>>> +########################################################################
>>>> +# Begin $rc_base/init.d/dnsntp
>>>> +#
>>>> +# Description : dnsntp init script for DNS/NTP rules only
>>>> +#
>>>> +########################################################################
>>>> +
>>>> +# flush chain
>>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>>> +
>>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>>> +
>>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
>>>> +fi
>>>> +
>>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
>>>> +fi
>>>> +
>>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
>>>> +fi
>>>> +
>>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
>>>> +fi
>>>> +
>>>> +# End $rc_base/init.d/dnsntp
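Review bot: the interface names are hard-coded as `green0` and `blue0` rather than taken from the ethernet settings the firewall init script uses elsewhere (it refers to `GREEN_DEV` in its own comments), so the rules silently match nothing on a system whose interfaces are named differently; read `GREEN_DEV`/`BLUE_DEV` from `/var/ipfire/ethernet/settings` and skip the BLUE rules when it is unset. Under `#!/bin/sh`, `[ "$DNS_FORCE_ON_GREEN" == "on" ]` relies on the bash-only `==`; a single `=` is portable. The comment `# Force DNS REDIRECTs on BLUE (udp, 123)` sits above the NTP block. A comment at the top should also state what `-j REDIRECT` without `--to-ports` does: it sends the packets to ports 53 and 123 of the firewall itself, i.e. to its local resolver and time service rather than to the upstream servers configured in the GUI, so the NTP rules only work while the IPFire NTP server is enabled (`ntp must be enabled to have clients`), and clients speaking DNS over TLS or HTTPS are not matched at all.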
>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>> index 65f1c979b..43ae74113 100644
>>>> --- a/src/initscripts/system/firewall
>>>> +++ b/src/initscripts/system/firewall
>>>> @@ -169,6 +169,10 @@ iptables_init() {
>>>> 	# Fix for braindead ISPs
>>>> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>>>
>>>> +	# DNS / NTP REDIRECT
>>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>>> +
>>>> 	# CUSTOM chains, can be used by the users themselves
>>>> 	iptables -N CUSTOMINPUT
>>>> 	iptables -A INPUT -j CUSTOMINPUT
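Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM chains are created, so the redirect is evaluated ahead of anything a user places in a custom nat PREROUTING chain and a single host (for example one that must reach a specific resolver) cannot be exempted. If exceptions are meant to be possible, create and jump to `DNS_NTP_REDIRECT` after the custom chains; if not, say so in the comment, since the commit message only speaks of avoiding collisions.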
>>>> @@ -281,7 +285,7 @@ iptables_init() {
>>>> 	iptables -A INPUT -j LOCATIONBLOCK
>>>> 	iptables -A FORWARD -j LOCATIONBLOCK
>>>>
>>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>> 	iptables -N IPSECINPUT
>>>> 	iptables -N IPSECFORWARD
>>>> 	iptables -N IPSECOUTPUT
>>>> @@ -389,6 +393,9 @@ iptables_init() {
>>>> 	# run captivectrl
>>>> 	/usr/local/bin/captivectrl
>>>>
>>>> +	# run dnsntpctrl
>>>> +	/usr/local/bin/dnsntpctrl
>>>> +
>>>> 	# POLICY CHAIN
>>>> 	iptables -N POLICYIN
>>>> 	iptables -A INPUT -j POLICYIN
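Review bot: `iptables_init` already runs as root, so going through the setuid wrapper `/usr/local/bin/dnsntpctrl` here (which only runs `/etc/rc.d/init.d/dnsntp` and drops its output) is the detour the commit message itself calls unnecessary; call `/etc/rc.d/init.d/dnsntp` directly from the init script and keep `dnsntpctrl` for the CGI, the one caller that needs the privilege step.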
>>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>>> index 7c3ef7529..6f2733ef0 100644
>>>> --- a/src/misc-progs/Makefile
>>>> +++ b/src/misc-progs/Makefile
>>>> @@ -26,7 +26,7 @@ PROGS = iowrap
>>>> SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>>> 	ipsecctrl timectrl dhcpctrl suricatactrl \
>>>> 	rebuildhosts backupctrl collectdctrl \
>>>> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
>>>> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
>>>> 	wirelessctrl getipstat qosctrl \
>>>> 	redctrl syslogdctrl extrahdctrl sambactrl \
>>>> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>>> new file mode 100644
>>>> index 000000000..f2a3b89e3
>>>> --- /dev/null
>>>> +++ b/src/misc-progs/dnsntpctrl.c
>>>> @@ -0,0 +1,19 @@
>>>> +/* This file is part of the IPFire Firewall.
>>>> + *
>>>> + * This program is distributed under the terms of the GNU General Public
>>>> + * Licence.  See the file COPYING for details.
>>>> + *
>>>> + */
>>>> +
>>>> +#include <stdlib.h>
>>>> +#include "setuid.h"
>>>> +
>>>> +int main(void)
>>>> +{
>>>> +	if (!(initsetuid()))
>>>> +		exit(1);
>>>> +
>>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>>> +
>>>> +	return 0;
>>>> +}
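Review bot: the status `safe_system()` returns is discarded and `main` always returns 0, so a failing `iptables` call inside `dnsntp` stays invisible to the CGI even if it checked `$?`; propagate it, e.g. `return safe_system("/etc/rc.d/init.d/dnsntp") ? 1 : 0;`. The `>/dev/null 2>&1` here duplicates the one in the `optionsfw.cgi` `system()` call, so one of the two can go. Since the Makefile adds this program to `SUID_PROGS` it becomes a setuid-root binary; taking no arguments and running a fixed absolute path keeps that surface small, which is worth stating in the header comment.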
>>>> -- 
>>>> 2.18.0
>>>>
>>>
>>
>
  

Patch

diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 800005966..f38a3a294 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -20,6 +20,7 @@  etc/rc.d/init.d/conntrackd
 etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
+etc/rc.d/init.d/dnsntp
 etc/rc.d/init.d/fcron
 etc/rc.d/init.d/fireinfo
 etc/rc.d/init.d/firewall
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 800005966..f38a3a294 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -20,6 +20,7 @@  etc/rc.d/init.d/conntrackd
 etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
+etc/rc.d/init.d/dnsntp
 etc/rc.d/init.d/fcron
 etc/rc.d/init.d/fireinfo
 etc/rc.d/init.d/firewall
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 18c5a897a..a3a2b47f7 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -20,6 +20,7 @@  etc/rc.d/init.d/conntrackd
 etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
+etc/rc.d/init.d/dnsntp
 etc/rc.d/init.d/fcron
 etc/rc.d/init.d/fireinfo
 etc/rc.d/init.d/firewall
diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
index d6594b3f8..4bcb94812 100644
--- a/config/rootfiles/common/misc-progs
+++ b/config/rootfiles/common/misc-progs
@@ -5,6 +5,7 @@  usr/local/bin/captivectrl
 usr/local/bin/collectdctrl
 usr/local/bin/ddnsctrl
 usr/local/bin/dhcpctrl
+usr/local/bin/dnsntpctrl
 usr/local/bin/extrahdctrl
 usr/local/bin/fireinfoctrl
 usr/local/bin/firewallctrl
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index 18c5a897a..a3a2b47f7 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -20,6 +20,7 @@  etc/rc.d/init.d/conntrackd
 etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
+etc/rc.d/init.d/dnsntp
 etc/rc.d/init.d/fcron
 etc/rc.d/init.d/fireinfo
 etc/rc.d/init.d/firewall
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 321642e82..3fc707e8b 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -2,7 +2,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -50,6 +50,7 @@  if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 		$errormessage .= $Lang::tr{'new optionsfw later'};
 		&General::writehash($filename, \%settings);             # Save good settings
 		system("/usr/local/bin/firewallctrl");
+		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
 	}else{
 		if ($settings{'POLICY'} ne ''){
 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
@@ -65,6 +66,7 @@  if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
 		system("/usr/local/bin/firewallctrl");
+		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
 	}
 	&General::readhash($filename, \%settings);             # Load good settings
 }
@@ -140,6 +142,18 @@  $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
 $selected{'MASQUERADE_BLUE'}{'off'} = '';
 $selected{'MASQUERADE_BLUE'}{'on'} = '';
 $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
+$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
 
 &Header::openbox('100%', 'center',);
 print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
@@ -189,13 +203,44 @@  END
 END
 	}
 
-	print <<END
+print <<END;
+	<table width='95%' cellspacing='0'>
+		<tr bgcolor='$color{'color20'}'></tr>
+		<tr>&nbsp;</tr>
+			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
+		</tr>
+		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
+																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
+																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+END
+
+	if (&Header::blue_used()) {
+		print <<END;
+		<table width='95%' cellspacing='0'>
+		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+		<tr>&nbsp;</tr>
+			<tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
+																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
+																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			</td>
+			</tr>
+END
+	}
+
+	print <<END;
 	</table>
 
-	<br>
+	<br />
 
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
+		<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
@@ -206,21 +251,30 @@  END
 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
+END
+
+	if (&Header::blue_used()) {
+		print <<END;
+	</table>
+
+	<br />
+
+		<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
+			<tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
+			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br/>
+			</tr>
+END
+	}
+
+	print <<END;
+	</table>
+
+	<br />
 
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
-																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
-																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
 <table width='95%' cellspacing='0'>
 <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
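Review bot: the BLUE logging block opens a bare `<tr>` directly after the 'fw logging blue' heading row and closes it with `</tr>` after the DROPWIRELESSFORWARD row, so two complete `<tr>...</tr>` rows end up nested inside another `<tr>`, which is invalid HTML and renders unpredictably; drop that outer pair. Also, because DROPWIRELESSINPUT and DROPWIRELESSFORWARD (and, per the summary, DNS_FORCE_ON_BLUE / NTP_FORCE_ON_BLUE) are now rendered only when &Header::blue_used() is true, please confirm the save handler preserves the stored values for these keys when the radio inputs are absent from the submitted form; otherwise a Save on a system without BLUE writes them out empty.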
@@ -252,7 +306,7 @@  END
 
 <br />
 <table width='100%' cellspacing='0'>
-<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
 <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
 </form></td></tr>
 </table>
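Review bot: changing align='right' to align='center' on the Save button is a cosmetic change unrelated to DNS/NTP forcing, as are the `<br>` to `<br />` edits in this file; moving them into a separate cleanup patch keeps this series focused and easier to bisect if the new PREROUTING chain causes trouble.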
@@ -278,7 +332,7 @@  print <<END;
 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
 END
 	print "</tr></table></form>";
-	print"<br><br>";
+	print"<br /><br />";
 	print <<END;
 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	<table width='100%' border='0'>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 6a8133807..d6bb234fa 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -836,6 +836,8 @@ 
 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
+'dns force on blue' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU',
+'dns force on green' => 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN',
 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
@@ -1102,9 +1104,12 @@ 
 'from email server' => 'Von E-Mail-Server',
 'from email user' => 'Von E-Mail-Benutzer',
 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
-'fw blue' => 'Firewalloptionen für das Blaue Interface',
+'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
 'fw default drop' => 'Firewallrichtlinie',
+'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
 'fw logging' => 'Firewallprotokollierung',
+'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
+'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
 'fw settings' => 'Firewalleinstellungen',
 'fw settings color' => 'Farben in Regeltabelle anzeigen',
 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
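Review bot: 'fw logging' is kept here but optionsfw.cgi no longer references it after this series (its heading was replaced by 'fw logging red'), so either remove the key or keep using it for the generic logging table. Separately, the colour codes (#0000FF, #339933, #993333) are now hard-coded inside translation strings, which puts presentation markup into every language file and means a colour change touches all of them; `<font>` is also deprecated HTML. optionsfw.cgi already has the %color scheme, so consider wrapping the plain translated word in the colour from the CGI instead.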
@@ -1644,9 +1649,9 @@ 
 'map to guest' => 'Map to Guest',
 'march' => 'März',
 'marked' => 'Markiert',
-'masquerade blue' => 'NAT auf BLAU',
-'masquerade green' => 'NAT auf GRÜN',
-'masquerade orange' => 'NAT auf ORANGE',
+'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
+'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
+'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
 'masquerading' => 'Masquerading/NAT',
 'masquerading disabled' => 'NAT ausgeschaltet',
 'masquerading enabled' => 'NAT eingeschaltet',
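Review bot: 'masquerade orange' has a stray space in `color =\'#FF9933\'` while the BLUE and GREEN entries and the en.pl counterpart use `color=\'...\'`; make it consistent so a later search-and-replace of these colour attributes does not miss it.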
@@ -1814,6 +1819,8 @@ 
 'november' => 'November',
 'ntp common settings' => 'Allgemeine Einstellungen',
 'ntp configuration' => 'Zeitserverkonfiguration',
+'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf BLAU',
+'ntp force on green' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN',
 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
 'ntp server' => 'NTP-Server',
 'ntp sync' => 'Synchronisation',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 8f7e0c2cf..474612025 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -859,6 +859,8 @@ 
 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
+'dns force on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on BLUE',
+'dns force on green' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN',
 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
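Review bot: 'Force DNS to use local DNS servers on BLUE' reads as if the resolver's upstream were being changed; what the rule does is redirect port 53 traffic arriving from BLUE to the firewall itself (the REDIRECT target rewrites the destination to the primary address of the incoming interface), which then answers using whatever upstreams are configured on dns.cgi. Wording such as 'Redirect all DNS requests from BLUE to the firewall's DNS server' tells the admin what actually happens; the same applies to the GREEN string and to the NTP strings further down.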
@@ -1128,9 +1130,12 @@ 
 'from email server' => 'From Email server',
 'from email user' => 'From e-mail user',
 'from warn email bad' => 'From e-mail address is not valid',
-'fw blue' => 'Firewall options for BLUE interface',
+'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
 'fw default drop' => 'Firewall policy',
+'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
 'fw logging' => 'Firewall logging',
+'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
+'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
 'fw settings' => 'Firewall settings',
 'fw settings color' => 'Show colors in ruletable',
 'fw settings dropdown' => 'Show all networks on rulecreation site',
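Review bot: 'fw blue' and the new 'fw green' capitalize 'Interface' while the string being replaced and the other English strings in this file use lowercase 'interface'; keep 'interface'. As in de.pl, 'fw logging' stays defined but is no longer used once optionsfw.cgi switches to 'fw logging red'.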
@@ -1672,9 +1677,9 @@ 
 'map to guest' => 'Map to Guest',
 'march' => 'March',
 'marked' => 'Marked',
-'masquerade blue' => 'Masquerade BLUE',
-'masquerade green' => 'Masquerade GREEN',
-'masquerade orange' => 'Masquerade ORANGE',
+'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
+'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
+'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
 'masquerading' => 'Masquerading',
 'masquerading disabled' => 'Masquerading disabled',
 'masquerading enabled' => 'Masquerading enabled',
@@ -1844,6 +1849,8 @@ 
 'november' => 'November',
 'ntp common settings' => 'Common settings',
 'ntp configuration' => 'NTP Configuration',
+'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on BLUE',
+'ntp force on green' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN',
 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
 'ntp server' => 'NTP Server',
 'ntp sync' => 'Synchronization',
diff --git a/lfs/configroot b/lfs/configroot
index a3e474d70..622793b35 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -129,6 +129,10 @@  $(TARGET) :
 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
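Review bot: these four defaults reach only fresh installs, since lfs/configroot populates /var/ipfire/optionsfw/settings at build time; systems upgrading to this core need the keys appended by the core update script, otherwise the new radio buttons in optionsfw.cgi render with neither 'on' nor 'off' checked until the admin saves once. The init script itself tolerates missing keys because `[ "$DNS_FORCE_ON_GREEN" == "on" ]` is false for an unset variable, so the gap is in the GUI, not in rule loading.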
diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
new file mode 100644
index 000000000..2eafa9d20
--- /dev/null
+++ b/src/initscripts/system/dnsntp
@@ -0,0 +1,36 @@ 
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/dnsntp
+#
+# Description : dnsntp init script for DNS/NTP rules only
+#
+########################################################################
+
+# flush chain
+iptables -t nat -F DNS_NTP_REDIRECT
+
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
+	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
+	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
+fi
+
+# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
+	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
+	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
+fi
+
+# Force NTP REDIRECTs on GREEN (udp, 123)
+if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
+	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
+fi
+
+# Force DNS REDIRECTs on BLUE (udp, 123)
+if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
+	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT
+fi
+
+# End $rc_base/init.d/dnsntp
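Review bot: the rules hard-code `-i green0` and `-i blue0`, whereas the firewall init script derives interface names from the ethernet settings (see its "-i GREEN_DEV" comment); read GREEN_DEV and BLUE_DEV from /var/ipfire/ethernet/settings with readhash the same way the optionsfw settings are read here, and skip the BLUE rules when BLUE_DEV is empty. Two smaller points: `==` inside `[ ... ]` is a bash extension while the file declares `#!/bin/sh`, so use `=`; and the comment before the last block says "Force DNS REDIRECTs on BLUE (udp, 123)" where it means NTP. Worth stating in the description: REDIRECT rewrites the destination to the firewall's own address on the incoming interface, so this only works if unbound and the NTP daemon accept queries from GREEN/BLUE, and it catches plain port 53 and 123 only; a client using DNS over TLS (853) or DNS over HTTPS (443) is not forced, so the option is a guard against misconfigured clients rather than a hard guarantee.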
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 65f1c979b..43ae74113 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -169,6 +169,10 @@  iptables_init() {
 	# Fix for braindead ISPs
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
+	# DNS / NTP REDIRECT
+	iptables -t nat -N DNS_NTP_REDIRECT
+	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
+
 	# CUSTOM chains, can be used by the users themselves
 	iptables -N CUSTOMINPUT
 	iptables -A INPUT -j CUSTOMINPUT
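Review bot: the jump `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended before the CUSTOM chains are created and hooked, so a user's own nat PREROUTING rules are consulted only after DNS_NTP_REDIRECT has already matched, and REDIRECT is terminating; an admin cannot exempt a single host (for example an internal resolver that must reach its upstream directly) via the CUSTOM chain. Either place this jump after the CUSTOM jumps or state in the commit message that the forced redirect is meant to take precedence over custom rules, and document how to add exceptions (a RETURN rule at the top of DNS_NTP_REDIRECT would be one way). Also check that the flush path of iptables_init removes the chain with -X, since `-N DNS_NTP_REDIRECT` fails if the chain already exists on a firewall restart.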
@@ -281,7 +285,7 @@  iptables_init() {
 	iptables -A INPUT -j LOCATIONBLOCK
 	iptables -A FORWARD -j LOCATIONBLOCK
 
-	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
+	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
 	iptables -N IPSECINPUT
 	iptables -N IPSECFORWARD
 	iptables -N IPSECOUTPUT
@@ -389,6 +393,9 @@  iptables_init() {
 	# run captivectrl
 	/usr/local/bin/captivectrl
 
+	# run dnsntpctrl
+	/usr/local/bin/dnsntpctrl
+
 	# POLICY CHAIN
 	iptables -N POLICYIN
 	iptables -A INPUT -j POLICYIN
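Review bot: iptables_init already runs as root, so going through the setuid wrapper /usr/local/bin/dnsntpctrl here is unnecessary and, because the wrapper redirects the init script's stdout and stderr to /dev/null, any iptables error while loading the DNS/NTP rules at boot is silently lost; call /etc/rc.d/init.d/dnsntp directly from the init script and keep dnsntpctrl for the CGI, which is the only caller that needs the privilege boundary.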
diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
index 7c3ef7529..6f2733ef0 100644
--- a/src/misc-progs/Makefile
+++ b/src/misc-progs/Makefile
@@ -26,7 +26,7 @@  PROGS = iowrap
 SUID_PROGS = squidctrl sshctrl ipfirereboot \
 	ipsecctrl timectrl dhcpctrl suricatactrl \
 	rebuildhosts backupctrl collectdctrl \
-	logwatch wioscan wiohelper openvpnctrl firewallctrl \
+	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
 	wirelessctrl getipstat qosctrl \
 	redctrl syslogdctrl extrahdctrl sambactrl \
 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
new file mode 100644
index 000000000..f2a3b89e3
--- /dev/null
+++ b/src/misc-progs/dnsntpctrl.c
@@ -0,0 +1,19 @@ 
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence.  See the file COPYING for details.
+ *
+ */
+
+#include <stdlib.h>
+#include "setuid.h"
+
+int main(void)
+{
+	if (!(initsetuid()))
+		exit(1);
+
+	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
+
+	return 0;
+}
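Review bot: main() ignores the status that safe_system() reports and always returns 0, and the `>/dev/null 2>&1` hides the init script's errors, so optionsfw.cgi cannot tell whether the REDIRECT rules were actually installed after Save; return the status of the call (for example `return safe_system("/etc/rc.d/init.d/dnsntp");` without the redirect, or log failures to syslog) so a failed iptables invocation surfaces. The initsetuid()/safe_system() shape otherwise matches the other *ctrl helpers in misc-progs.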