(V4) Forcing DNS/NTP

Message ID 20210604121721.3840-1-matthias.fischer@ipfire.org
State Dropped
Series: (V4) Forcing DNS/NTP

Commit Message

Matthias Fischer June 4, 2021, 12:17 p.m. UTC
  There was not much feedback on the list, so I send this now. This is V4 - open for
discussion, opinions or (perhaps ;-) ) changes:

Originally triggered by:
https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512

Discussion:
https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888

Could fix(?):
https://bugzilla.ipfire.org/show_bug.cgi?id=11168

Changelog since V3:

- Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
  values are read from '/var/ipfire/ethernet/settings', thanks
  to "someone" for the hint (sorry, I didn't find the author)! ;-)

- Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (ditto).

- As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
  handled through RETURN rules, others through REDIRECT.

Background (cited from BB, 06.03.2021):
"Concerning performance, we want to minimize the rule set to the amount
really necessary. On the other hand, it may be quicker to do just
a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
to IPFire) should be nearly 100%. DNS and NTP servers are published
by DHCP or should be configured in the static case."

I made it that way. Statistics during the last 62 days show that this
worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
everyone could take a look.

- Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.

- Moved creation of the iptable rules in '/etc/init.d/firewall' behind
'# WIRELESS chains'

Summary and functionality:
  These patches are controlled through "Firewall Options". They add new
  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
  They activate/deactivate appropriate RETURN and REDIRECT rules through
  a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
  ('/etc/rc.d/init.d/dnsntp').

  Default of all new rules is OFF (set in 'lfs/configroot').
  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
  servers specified in IPFire.

  Flaw/ToDo:
  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
  init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
  In fact I wanted to merge these two files in *one* C file, but this was beyond my
  capabilities, perhaps "someone" else knows how to program this.

Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
  The corresponding interface options - including 'Masquerade ...' - are only visible if
  the respective interface actually exists.
  E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
  for 'DNS/NTP on BLUE' or logging options for BLUE available.
  Added text colors for better readability.
  Separated logging options per interface.

No reboot required:
  Rules can be switched ON/OFF without rebooting IPFire.
  Changes immediately take effect after clicking 'Save'.

Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
  Fixed a 'trafic' typo.
  To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
  chain: 'DNS_NTP_REDIRECT'.
  This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/misc-progs |  1 +
 html/cgi-bin/optionsfw.cgi         | 90 ++++++++++++++++++++++++------
 langs/de/cgi-bin/de.pl             | 15 +++--
 langs/en/cgi-bin/en.pl             | 15 +++--
 lfs/configroot                     |  6 +-
 src/initscripts/system/dnsntp      | 43 ++++++++++++++
 src/initscripts/system/firewall    |  9 ++-
 src/misc-progs/Makefile            |  2 +-
 src/misc-progs/dnsntpctrl.c        | 19 +++++++
 9 files changed, 171 insertions(+), 29 deletions(-)
 create mode 100644 src/initscripts/system/dnsntp
 create mode 100644 src/misc-progs/dnsntpctrl.c
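One way to build the rule set the summary above describes, as an added example that is not part of this patch series or of IPFire: a POSIX sh generator that, in addition to the interface address, exempts the DNS servers the DHCP server publishes (DNS1_GREEN/DNS2_GREEN and the BLUE equivalents from /var/ipfire/dhcp/settings) before the catch-all REDIRECT, deduplicates the RETURN rules, creates the chain when it is missing, and prints the iptables commands instead of executing them when DRY_RUN=1. The variable names and the settings files are the ones named in this thread; the addresses in the --demo block are constructed values, not from a real installation.

```sh
#!/bin/sh
# Added example, not IPFire code: RETURN/REDIRECT rules for forced DNS/NTP,
# treating every DHCP-published DNS server as "well-behaving", not only the
# interface address. GREEN_DEV, GREEN_ADDRESS, DNS_FORCE_ON_GREEN,
# NTP_FORCE_ON_GREEN, DNS1_GREEN, DNS2_GREEN (and BLUE equivalents) are assumed
# to be in the environment, as readhash would leave them.

CHAIN=DNS_NTP_REDIRECT

# run: execute an iptables nat-table command, or print it when DRY_RUN=1
run() {
	if [ "${DRY_RUN:-0}" = "1" ]; then
		echo "iptables -t nat $*"
	else
		iptables -t nat "$@"
	fi
}

# exempt_and_redirect DEV PROTO PORT DST...: one RETURN per distinct, non-empty
# destination, then the catch-all REDIRECT for everything else on that port
exempt_and_redirect() {
	dev=$1; proto=$2; port=$3; shift 3
	seen=" "
	for dst in "$@"; do
		[ -n "$dst" ] || continue                        # DNS2_* may be unset
		case "$seen" in *" $dst "*) continue;; esac      # DNS1_* often equals the interface address
		seen="$seen$dst "
		run -A "$CHAIN" -i "$dev" -d "$dst" -p "$proto" -m "$proto" --dport "$port" -j RETURN
	done
	run -A "$CHAIN" -i "$dev" -p "$proto" -m "$proto" --dport "$port" -j REDIRECT
}

# dnsntp_rules DEV ADDR DNS_FORCE NTP_FORCE [DNS1 [DNS2]]: rules for one interface;
# an empty DEV means the interface is not configured and yields no rules
dnsntp_rules() {
	dev=$1; addr=$2; dns_force=$3; ntp_force=$4; dns1=$5; dns2=$6
	[ -n "$dev" ] || return 0
	if [ "$dns_force" = "on" ]; then
		exempt_and_redirect "$dev" udp domain "$addr" "$dns1" "$dns2"
		exempt_and_redirect "$dev" tcp domain "$addr" "$dns1" "$dns2"
	fi
	if [ "$ntp_force" = "on" ]; then
		exempt_and_redirect "$dev" udp ntp "$addr"
	fi
}

# apply_dnsntp: create the chain if it does not exist yet, flush it, then
# rebuild it from the settings in the environment (the PREROUTING jump to the
# chain is still the firewall init script's job)
apply_dnsntp() {
	iptables -t nat -L "$CHAIN" -n >/dev/null 2>&1 || run -N "$CHAIN"
	run -F "$CHAIN"
	dnsntp_rules "$GREEN_DEV" "$GREEN_ADDRESS" "$DNS_FORCE_ON_GREEN" "$NTP_FORCE_ON_GREEN" "$DNS1_GREEN" "$DNS2_GREEN"
	dnsntp_rules "$BLUE_DEV"  "$BLUE_ADDRESS"  "$DNS_FORCE_ON_BLUE"  "$NTP_FORCE_ON_BLUE"  "$DNS1_BLUE"  "$DNS2_BLUE"
}

# Stand-alone dry run with constructed values (not taken from a real box)
if [ "${1:-}" = "--demo" ]; then
	DRY_RUN=1; export DRY_RUN
	GREEN_DEV=green0; GREEN_ADDRESS=192.168.1.1
	DNS_FORCE_ON_GREEN=on; NTP_FORCE_ON_GREEN=on
	DNS1_GREEN=192.168.1.1; DNS2_GREEN=192.168.1.53   # a LAN resolver that must stay reachable
	BLUE_DEV=; DNS_FORCE_ON_BLUE=off; NTP_FORCE_ON_BLUE=off
	apply_dnsntp
fi
```

`sh dnsntp-example.sh --demo` prints the chain creation, the flush and eight rules: for each protocol one RETURN for 192.168.1.1, one for 192.168.1.53 and then the REDIRECT, and for NTP a RETURN for the interface address followed by its REDIRECT. On a real system the rules are only useful once the firewall script has added the `-j DNS_NTP_REDIRECT` jump in nat PREROUTING; without it the chain is never consulted.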
  

Comments

Bernhard Bitsch June 6, 2021, 8:59 a.m. UTC | #1
Hi,

thanks for implementing this idea.

Am 04.06.2021 um 14:17 schrieb Matthias Fischer:
> There was not much feedback on the list, so I send this now. This is V4 - open for
> discussion, opinions or (perhaps ;-) ) changes:
> 
> Originally triggered by:
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> 
> Discussion:
> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> 
> Could fix(?):
> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
> 
> Changelog since V3:
> 
> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>    values are read from '/var/ipfire/ethernet/settings', thanks
>    to "someone" for the hint (sorry, I didn't find the author)! ;-)
> 
> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
> 
> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>    handled through RETURN rules, others through REDIRECT.
> 
> Background (cited from BB, 06.03.2021):
> "Concerning performance, we want to minimize the rule set to the amount
> really necessary. On the other hand, it may be quicker to do just
> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
> to IPFire) should be nearly 100%. DNS and NTP servers are published
> by DHCP or should be configured in the static case."
> 

Sorry, I did not realize that this 'well-behaving' must be defined more 
exactly. See beyond.

> I made it that way. Statistics during the last 62 days show that this
> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
> everyone could take a look.
> 

That's my experience with the rules located in firewall.local, too.

> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
> 
> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
> '# WIRELESS chains'
> 
> Summary and functionality:
>    These patches are controlled through "Firewall Options". They add new
>    firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>    They activate/deactivate appropriate RETURN and REDIRECT rules through
>    a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>    ('/etc/rc.d/init.d/dnsntp').
> 
>    Default of all new rules is OFF (set in 'lfs/configroot').
>    If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>    servers specified in IPFire.
> 
>    Flaw/ToDo:
>    To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>    init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>    In fact I wanted to merge these two files in *one* C file, but this was beyond my
>    capabilities, perhaps "someone" else knows how to program this.
> 
> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>    The corresponding interface options - including 'Masquerade ...' - are only visible if
>    the respective interface actually exists.
>    E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>    for 'DNS/NTP on BLUE' or logging options for BLUE available.
>    Added text colors for better readability.
>    Separated logging options per interface.
> 
> No reboot required:
>    Rules can be switched ON/OFF without rebooting IPFire.
>    Changes immediately take effect after clicking 'Save'.
> 
> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
>    Fixed a 'trafic' typo.
>    To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
>    chain: 'DNS_NTP_REDIRECT'.
>    This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
>   config/rootfiles/common/misc-progs |  1 +
>   html/cgi-bin/optionsfw.cgi         | 90 ++++++++++++++++++++++++------
>   langs/de/cgi-bin/de.pl             | 15 +++--
>   langs/en/cgi-bin/en.pl             | 15 +++--
>   lfs/configroot                     |  6 +-
>   src/initscripts/system/dnsntp      | 43 ++++++++++++++
>   src/initscripts/system/firewall    |  9 ++-
>   src/misc-progs/Makefile            |  2 +-
>   src/misc-progs/dnsntpctrl.c        | 19 +++++++
>   9 files changed, 171 insertions(+), 29 deletions(-)
>   create mode 100644 src/initscripts/system/dnsntp
>   create mode 100644 src/misc-progs/dnsntpctrl.c
> 
> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> index d6594b3f8..4bcb94812 100644
> --- a/config/rootfiles/common/misc-progs
> +++ b/config/rootfiles/common/misc-progs
> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>   usr/local/bin/collectdctrl
>   usr/local/bin/ddnsctrl
>   usr/local/bin/dhcpctrl
> +usr/local/bin/dnsntpctrl
>   usr/local/bin/extrahdctrl
>   usr/local/bin/fireinfoctrl
>   usr/local/bin/firewallctrl
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index 321642e82..2059a03b3 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>   		$errormessage .= $Lang::tr{'new optionsfw later'};
>   		&General::writehash($filename, \%settings);             # Save good settings
>   		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>   	}else{
>   		if ($settings{'POLICY'} ne ''){
>   			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
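Review bot: the `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1")` added after firewallctrl discards all output, so when a rule fails to apply the page still reports the settings as saved; dnsntpctrl.c in this series already redirects the script's output to /dev/null itself, so the redirection here is redundant and could be dropped in favour of checking the return value of system() and appending to $errormessage when it is non-zero. Worth confirming too whether firewallctrl already reaches the dnsntpctrl call this series adds to iptables_init() in src/initscripts/system/firewall; if it does, the chain is rebuilt twice on every Save.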
> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>   		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>   		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>   		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>   	}
>   	&General::readhash($filename, \%settings);             # Load good settings
>   }
> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>   $selected{'MASQUERADE_BLUE'}{'off'} = '';
>   $selected{'MASQUERADE_BLUE'}{'on'} = '';
>   $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>   
>   &Header::openbox('100%', 'center',);
>   print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
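Review bot: the `$checked{...}{$settings{'DNS_FORCE_ON_GREEN'}}` lookups (and the three below) render neither radio button as selected when the key is absent from /var/ipfire/optionsfw/settings, which is the state of every existing installation because the defaults are only written by lfs/configroot at build time. Initialise the four keys before these lines, e.g. `$settings{'DNS_FORCE_ON_GREEN'} = 'off' unless defined $settings{'DNS_FORCE_ON_GREEN'};`, so the form shows the effective state instead of an empty choice.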
> @@ -189,13 +203,44 @@ END
>   END
>   	}
>   
> -	print <<END
> +print <<END;
> +	<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'></tr>
> +		<tr>&nbsp;</tr>
> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> +		</tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +		<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> +		<tr>&nbsp;</tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			</td>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
>   	</table>
>   
> -	<br>
> +	<br />
>   
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>   <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>   																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>   <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
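Review bot: the table markup in the GREEN block is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` puts text directly inside a row, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` cell has no opening `<tr>`. The BLUE block then opens a second `<table width='95%' cellspacing='0'>` without closing the first, opens a bare `<tr>` and ends with a stray `</td></tr>`. Use the one-line header the BLUE heading already uses (`<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`), drop the `&nbsp;` row, and either close the GREEN table before opening the BLUE one or keep both sections in a single table. Browsers repair most of this silently, which is why it looks fine now and breaks the next time the page is restyled.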
> @@ -206,21 +251,30 @@ END
>   																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>   <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>   																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +	</table>
> +
> +	<br />
> +
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>   																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>   																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br/>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> +	</table>
> +
> +	<br />
>   
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br>
>   <table width='95%' cellspacing='0'>
>   <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>   <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
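Review bot: in the BLUE logging block a bare `<tr>` is opened before the DROPWIRELESSINPUT row and a bare `</tr>` is emitted after the DROPWIRELESSFORWARD row; both should go, since each row already carries its own `<tr>...</tr>`. Renaming the heading to 'fw logging red' also leaves the old 'fw logging' key in de.pl and en.pl unused, and this series does not remove it.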
> @@ -252,7 +306,7 @@ END
>   
>   <br />
>   <table width='100%' cellspacing='0'>
> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>   <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>   </form></td></tr>
>   </table>
> @@ -278,7 +332,7 @@ print <<END;
>   	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>   END
>   	print "</tr></table></form>";
> -	print"<br><br>";
> +	print"<br /><br />";
>   	print <<END;
>   	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>   	<table width='100%' border='0'>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 0bc579cd2..51e65b903 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -835,6 +835,8 @@
>   'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>   'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>   'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> +'dns force on blue' => 'Erzwinge lokale DNS-Server',
> +'dns force on green' => 'Erzwinge lokale DNS-Server',
>   'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>   'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>   'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> @@ -1101,9 +1103,12 @@
>   'from email server' => 'Von E-Mail-Server',
>   'from email user' => 'Von E-Mail-Benutzer',
>   'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>   'fw default drop' => 'Firewallrichtlinie',
> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>   'fw logging' => 'Firewallprotokollierung',
> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>   'fw settings' => 'Firewalleinstellungen',
>   'fw settings color' => 'Farben in Regeltabelle anzeigen',
>   'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
> @@ -1643,9 +1648,9 @@
>   'map to guest' => 'Map to Guest',
>   'march' => 'März',
>   'marked' => 'Markiert',
> -'masquerade blue' => 'NAT auf BLAU',
> -'masquerade green' => 'NAT auf GRÜN',
> -'masquerade orange' => 'NAT auf ORANGE',
> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>   'masquerading' => 'Masquerading/NAT',
>   'masquerading disabled' => 'NAT ausgeschaltet',
>   'masquerading enabled' => 'NAT eingeschaltet',
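Review bot: in the 'masquerade orange' string `<font color =\'#FF9933\'>` has a space before `=`, unlike the two strings above it and the en.pl counterpart; browsers tolerate it, but the three strings should be written the same way.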
> @@ -1813,6 +1818,8 @@
>   'november' => 'November',
>   'ntp common settings' => 'Allgemeine Einstellungen',
>   'ntp configuration' => 'Zeitserverkonfiguration',
> +'ntp force on blue' => 'Erzwinge lokale NTP-Server',
> +'ntp force on green' => 'Erzwinge lokale NTP-Server',
>   'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>   'ntp server' => 'NTP-Server',
>   'ntp sync' => 'Synchronisation',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 1c69b3798..390b2d026 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -858,6 +858,8 @@
>   'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>   'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>   'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> +'dns force on blue' => 'Force DNS to use local DNS servers',
> +'dns force on green' => 'Force DNS to use local DNS servers',
>   'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>   'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>   'dns header' => 'Assign DNS server addresses only for DHCP on red0',
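Review bot: 'Force DNS to use local DNS servers' does not tell the admin what the switch does; what happens is that port-53 requests from the interface to any server other than the firewall are redirected to the firewall. A label along the lines of 'Redirect all DNS requests (port 53) to IPFire' says that, and the same applies to the NTP strings further down. The GREEN and BLUE keys carry identical text, which is fine while they sit under per-interface headings.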
> @@ -1128,9 +1130,12 @@
>   'from email server' => 'From Email server',
>   'from email user' => 'From e-mail user',
>   'from warn email bad' => 'From e-mail address is not valid',
> -'fw blue' => 'Firewall options for BLUE interface',
> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>   'fw default drop' => 'Firewall policy',
> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>   'fw logging' => 'Firewall logging',
> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>   'fw settings' => 'Firewall settings',
>   'fw settings color' => 'Show colors in ruletable',
>   'fw settings dropdown' => 'Show all networks on rulecreation site',
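Review bot: the new 'fw green', 'fw logging blue' and 'fw logging red' strings embed `<font color=...>` markup in translation files; `<font>` is obsolete in HTML5, and putting colours into langs/ means every translator has to reproduce markup and every colour change touches all language files. A CSS class applied in optionsfw.cgi keeps presentation out of the strings. Minor: the replacement 'fw blue' string capitalises 'Interface' where the old one had 'interface'.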
> @@ -1675,9 +1680,9 @@
>   'map to guest' => 'Map to Guest',
>   'march' => 'March',
>   'marked' => 'Marked',
> -'masquerade blue' => 'Masquerade BLUE',
> -'masquerade green' => 'Masquerade GREEN',
> -'masquerade orange' => 'Masquerade ORANGE',
> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>   'masquerading' => 'Masquerading',
>   'masquerading disabled' => 'Masquerading disabled',
>   'masquerading enabled' => 'Masquerading enabled',
> @@ -1847,6 +1852,8 @@
>   'november' => 'November',
>   'ntp common settings' => 'Common settings',
>   'ntp configuration' => 'NTP Configuration',
> +'ntp force on blue' => 'Force NTP to use local NTP servers',
> +'ntp force on green' => 'Force NTP to use local NTP servers',
>   'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>   'ntp server' => 'NTP Server',
>   'ntp sync' => 'Synchronization',
> diff --git a/lfs/configroot b/lfs/configroot
> index c528bd6d9..6cc376ff0 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -1,7 +1,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
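Review bot: this hunk rolls the copyright line in lfs/configroot back from 2007-2021 to 2007-2018, which looks like an artefact of rebasing onto an older tree rather than an intended change; drop it from the patch.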
> @@ -129,6 +129,10 @@ $(TARGET) :
>   	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>   	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>   	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>   	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>   	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>   	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
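Review bot: the four `echo "..._FORCE_ON_...=off" >> $(CONFIG_ROOT)/optionsfw/settings` lines only take effect on a fresh build; upgraded systems keep their existing optionsfw/settings without these keys, and the diffstat contains no update script that adds them. Because the init script tests for the literal string `on`, a missing key behaves as off, which is the safe direction, but the web UI will show no selection until the admin saves the page once; an update script appending the four lines closes that gap.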
> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> new file mode 100644
> index 000000000..54fdfc685
> --- /dev/null
> +++ b/src/initscripts/system/dnsntp
> @@ -0,0 +1,43 @@
> +#!/bin/sh
> +########################################################################
> +# Begin $rc_base/init.d/dnsntp
> +#
> +# Description : dnsntp init script for DNS/NTP rules only
> +#
> +########################################################################
> +
> +# flush chain
> +iptables -t nat -F DNS_NTP_REDIRECT
> +
> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> +
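Review bot: `iptables -t nat -F DNS_NTP_REDIRECT` assumes the chain already exists, but it is only created in iptables_init() of the firewall init script; running /etc/rc.d/init.d/dnsntp on a box whose firewall was started before this patch was installed, or calling it standalone, makes the flush and every following -A fail, and dnsntpctrl discards the error. Creating the chain when it is missing (`iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null; iptables -t nat -F DNS_NTP_REDIRECT`) makes the script idempotent; the PREROUTING jump still has to come from the firewall script.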

The 'well-behaving' request destinations should be DNS1_GREEN, 
DNS2_GREEN, DNS1_BLUE, DNS2_BLUE ( stored in /var/ipfire/dhcp/settings 
and set in the dhcp.cgi ).
If they are defined and distributed by DHCP or set by another mechanism.
Is GREEN_ADDRESS / BLUE_ADDRESS the desired destination otherwise?

> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
> +fi
> +
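Review bot: the RETURN rules only exempt requests addressed to ${GREEN_ADDRESS} / ${BLUE_ADDRESS}, while the DNS servers the DHCP server hands out are DNS1_GREEN/DNS2_GREEN (and the BLUE equivalents) from /var/ipfire/dhcp/settings; when those point anywhere but the firewall, every compliant client is REDIRECTed to IPFire instead of reaching the server it was told to use. Read dhcp/settings with readhash as well and add one RETURN per configured server before the catch-all REDIRECT. Two smaller points: the script is `#!/bin/sh` but uses `==` inside `[ ]`, which is a bashism (use `=`), and the commit message should say that only plain port-53 DNS is captured; a client that talks DNS over TLS (853) or HTTPS (443) to an outside resolver is untouched by these rules.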

See above.

Regards,
Bernhard

> +# Force NTP REDIRECTs on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
> +fi
> +
> +# End $rc_base/init.d/dnsntp
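Review bot: the comment above the NTP_FORCE_ON_BLUE block reads `Force DNS REDIRECTs on BLUE (udp, 123)` but the rules are for NTP. More importantly, redirecting port 123 to the firewall only helps if IPFire's own NTP server is set to answer clients (the 'ntp must be enabled to have clients' string in this series' lang hunks refers to that switch); with the server off, clients that previously synced against an external server get no reply at all, which is worse than before. Either tie the NTP rules to that setting or document the dependency next to the option.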
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 1e558ee86..047946a86 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -218,7 +218,7 @@ iptables_init() {
>   	iptables -A INPUT -j LOCATIONBLOCK
>   	iptables -A FORWARD -j LOCATIONBLOCK
>   
> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>   	iptables -N IPSECINPUT
>   	iptables -N IPSECFORWARD
>   	iptables -N IPSECOUTPUT
> @@ -242,6 +242,10 @@ iptables_init() {
>   	iptables -N WIRELESSFORWARD
>   	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
>   
> +	# Redirecting DNS and NTP requests
> +	iptables -t nat -N DNS_NTP_REDIRECT
> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> +
>   	# OpenVPN
>   	iptables -N OVPNINPUT
>   	iptables -A INPUT -j OVPNINPUT
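Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` appends, so the chain is consulted after every PREROUTING jump iptables_init() has already added by this point and before the ones added later; whether that places it before or after the chains that hold port forwards and custom NAT rules is not visible in this hunk, and it decides who wins when a user already has a DNAT or REDIRECT for port 53. Since the commit message says the chain exists to avoid collisions with custom rules, state the intended position explicitly in the comment (or use `-I` if it must come first).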
> @@ -320,6 +324,9 @@ iptables_init() {
>   	# run captivectrl
>   	/usr/local/bin/captivectrl
>   
> +	# run dnsntpctrl
> +	/usr/local/bin/dnsntpctrl
> +
>   	# POLICY CHAIN
>   	iptables -N POLICYIN
>   	iptables -A INPUT -j POLICYIN
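Review bot: iptables_init() already runs as root, so it could call /etc/rc.d/init.d/dnsntp directly instead of going through the setuid wrapper; that also keeps the script's error output in the boot log instead of sending it to /dev/null. Going through dnsntpctrl does match how captivectrl is invoked two lines above, so this is a consistency choice either way.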
> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> index 7c3ef7529..229d122d6 100644
> --- a/src/misc-progs/Makefile
> +++ b/src/misc-progs/Makefile
> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
>   	wirelessctrl getipstat qosctrl \
>   	redctrl syslogdctrl extrahdctrl sambactrl \
>   	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> -	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
> +	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
>   	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
>   	captivectrl
>   
> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> new file mode 100644
> index 000000000..f2a3b89e3
> --- /dev/null
> +++ b/src/misc-progs/dnsntpctrl.c
> @@ -0,0 +1,19 @@
> +/* This file is part of the IPFire Firewall.
> + *
> + * This program is distributed under the terms of the GNU General Public
> + * Licence.  See the file COPYING for details.
> + *
> + */
> +
> +#include <stdlib.h>
> +#include "setuid.h"
> +
> +int main(void)
> +{
> +	if (!(initsetuid()))
> +		exit(1);
> +
> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> +
> +	return 0;
> +}
>
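Review bot: `return 0` ignores the result of safe_system(), so a failing dnsntp script still exits 0 and the caller in optionsfw.cgi cannot tell; return the status instead (`return safe_system("/etc/rc.d/init.d/dnsntp");`) and leave any redirection to the caller. The `>/dev/null 2>&1` inside the command string duplicates what optionsfw.cgi already does at its call site and hides iptables errors from both the CGI and the boot log. On the 'Flaw/ToDo' in the commit message: a no-argument setuid wrapper around a fixed script path is the right minimal shape for a SUID_PROGS entry reachable from the web UI, so there is no need to merge the two files.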
  
Matthias Fischer June 6, 2021, 5:35 p.m. UTC | #2
Hi,

On 06.06.2021 10:59, Bernhard Bitsch wrote:
> Hi,
> 
> thanks for implementing this idea.

I tried my best, but when reading further I realized that I've missed
something... See below.

[Sorry for the noise, but I thought it would be the best to keep this
unshortened.]

> Am 04.06.2021 um 14:17 schrieb Matthias Fischer:
>> There was not much feedback on the list, so I send this now. This is V4 - open for
>> discussion, opinions or (perhaps ;-) ) changes:
>> 
>> Originally triggered by:
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>> 
>> Discussion:
>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>> 
>> Could fix(?):
>> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
>> 
>> Changelog since V3:
>> 
>> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>>    values are read from '/var/ipfire/ethernet/settings', thanks
>>    to "someone" for the hint (sorry, I didn't find the author)! ;-)
>> 
>> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
>> 
>> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>>    handled through RETURN rules, others through REDIRECT.
>> 
>> Background (cited from BB, 06.03.2021):
>> "Concerning performance, we want to minimize the rule set to the amount
>> really necessary. On the other hand, it may be quicker to do just
>> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
>> to IPFire) should be nearly 100%. DNS and NTP servers are published
>> by DHCP or should be configured in the static case."
>> 
> 
> Sorry, I did not realize that this 'well-behaving' must be defined more 
> exactly. See beyond.

Yep. No problem. Now I know what you meant.
And again, "see beyond"... ;-)

>> I made it that way. Statistics during the last 62 days show that this
>> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
>> everyone could take a look.
>> 
> 
> That's my experience with the rules located in firewall.local, too.
> 
>> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
>> 
>> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
>> '# WIRELESS chains'
>> 
>> Summary and functionality:
>>    These patches are controlled through "Firewall Options". They add new
>>    firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>    They activate/deactivate appropriate RETURN and REDIRECT rules through
>>    a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>>    ('/etc/rc.d/init.d/dnsntp').
>> 
>>    Default of all new rules is OFF (set in 'lfs/configroot').
>>    If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>    servers specified in IPFire.
>> 
>>    Flaw/ToDo:
>>    To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>    init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>>    In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>    capabilities, perhaps "someone" else knows how to program this.
>> 
>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>    The corresponding interface options - including 'Masquerade ...' - are only visible if
>>    the respective interface actually exists.
>>    E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>>    for 'DNS/NTP on BLUE' or logging options for BLUE available.
>>    Added text colors for better readability.
>>    Separated logging options per interface.
>> 
>> No reboot required:
>>    Rules can be switched ON/OFF without rebooting IPFire.
>>    Changes immediately take effect after clicking 'Save'.
>> 
>> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
>>    Fixed a 'trafic' typo.
>>    To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
>>    chain: 'DNS_NTP_REDIRECT'.
>>    This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
>> 
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>>   config/rootfiles/common/misc-progs |  1 +
>>   html/cgi-bin/optionsfw.cgi         | 90 ++++++++++++++++++++++++------
>>   langs/de/cgi-bin/de.pl             | 15 +++--
>>   langs/en/cgi-bin/en.pl             | 15 +++--
>>   lfs/configroot                     |  6 +-
>>   src/initscripts/system/dnsntp      | 43 ++++++++++++++
>>   src/initscripts/system/firewall    |  9 ++-
>>   src/misc-progs/Makefile            |  2 +-
>>   src/misc-progs/dnsntpctrl.c        | 19 +++++++
>>   9 files changed, 171 insertions(+), 29 deletions(-)
>>   create mode 100644 src/initscripts/system/dnsntp
>>   create mode 100644 src/misc-progs/dnsntpctrl.c
>> 
>> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
>> index d6594b3f8..4bcb94812 100644
>> --- a/config/rootfiles/common/misc-progs
>> +++ b/config/rootfiles/common/misc-progs
>> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
>>   usr/local/bin/collectdctrl
>>   usr/local/bin/ddnsctrl
>>   usr/local/bin/dhcpctrl
>> +usr/local/bin/dnsntpctrl
>>   usr/local/bin/extrahdctrl
>>   usr/local/bin/fireinfoctrl
>>   usr/local/bin/firewallctrl
>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> index 321642e82..2059a03b3 100644
>> --- a/html/cgi-bin/optionsfw.cgi
>> +++ b/html/cgi-bin/optionsfw.cgi
>> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>   		$errormessage .= $Lang::tr{'new optionsfw later'};
>>   		&General::writehash($filename, \%settings);             # Save good settings
>>   		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>   	}else{
>>   		if ($settings{'POLICY'} ne ''){
>>   			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
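
Review bot: the result of system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); is discarded, just like that of the firewallctrl call above it, so a failure in the new script leaves the page reporting the settings as saved while the rule set did not change; check the return value (system(...) == 0 or $errormessage .= ...) so the user sees it. The same pair of calls is repeated in the else branch of the next hunk; one call after the if/else would avoid the duplication.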
>> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
>>   		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>   		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
>>   		system("/usr/local/bin/firewallctrl");
>> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
>>   	}
>>   	&General::readhash($filename, \%settings);             # Load good settings
>>   }
>> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>>   $selected{'MASQUERADE_BLUE'}{'off'} = '';
>>   $selected{'MASQUERADE_BLUE'}{'on'} = '';
>>   $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
>> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
>> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
>>   
>>   &Header::openbox('100%', 'center',);
>>   print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
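
Review bot: $checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"; assumes the key is present in /var/ipfire/optionsfw/settings, but the defaults in this series are only written by lfs/configroot, which builds a fresh configuration root, and the diffstat shows no update script adding the four keys to existing installations. On an upgraded system the value is undefined, neither radio button is pre-selected, and with warnings enabled Perl logs an uninitialized-value warning. Defaulting in the CGI before this block ($settings{'DNS_FORCE_ON_GREEN'} //= 'off'; and the same for the other three keys) keeps the display consistent with the init script, which treats anything other than 'on' as off.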
>> @@ -189,13 +203,44 @@ END
>>   END
>>   	}
>>   
>> -	print <<END
>> +print <<END;
>> +	<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'></tr>
>> +		<tr>&nbsp;</tr>
>> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
>> +		</tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +		<table width='95%' cellspacing='0'>
>> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> +		<tr>&nbsp;</tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
>> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> +			</td>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>>   	</table>
>>   
>> -	<br>
>> +	<br />
>>   
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
>>   <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
>>   																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>   <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
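
Review bot: the table markup in the new GREEN block is not well formed: <tr bgcolor='$color{'color20'}'></tr> is an empty row, <tr>&nbsp;</tr> puts text directly inside a row, and the heading <td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td> that follows is closed by a </tr> that has no opening <tr>. The BLUE block opens a second <table width='95%' cellspacing='0'> and a bare <tr> that are never closed (the stray </td> and </tr> before its END do not match them), while the </table> after the last heredoc closes only one table. The one-line form the BLUE heading already uses, <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>, is the pattern to apply to the GREEN heading too, and the BLUE rows belong in the same table rather than a new one. Style: print <<END; at the top of the hunk lost the tab indent of the surrounding block.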
>> @@ -206,21 +251,30 @@ END
>>   																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
>>   <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
>>   																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>> +END
>> +
>> +	if (&Header::blue_used()) {
>> +		print <<END;
>> +	</table>
>> +
>> +	<br />
>> +
>> +		<table width='95%' cellspacing='0'>
>> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
>> +			<tr>
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
>>   																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
>>   																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br/>
>> +			</tr>
>> +END
>> +	}
>> +
>> +	print <<END;
>> +	</table>
>> +
>> +	<br />
>>   
>> -<table width='95%' cellspacing='0'>
>> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
>> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
>> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
>> -</table>
>> -<br>
>>   <table width='95%' cellspacing='0'>
>>   <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
>>   <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
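
Review bot: the bare <tr> after the 'fw logging blue' heading wraps the two DROPWIRELESS rows and is closed by the </tr> before END, which nests rows inside a row; drop both lines, as the rows are complete on their own. The heading change from 'fw logging' to 'fw logging red' also relabels DROPNEWNOTSYN, DROPINPUT, DROPOUTGOING and DROPPORTSCAN as RED options, although nothing in the diff shows them to be RED-specific; if they apply to every interface the neutral label is the accurate one, and otherwise the now unused 'fw logging' key should be removed from both language files.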
>> @@ -252,7 +306,7 @@ END
>>   
>>   <br />
>>   <table width='100%' cellspacing='0'>
>> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>   <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>>   </form></td></tr>
>>   </table>
>> @@ -278,7 +332,7 @@ print <<END;
>>   	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
>>   END
>>   	print "</tr></table></form>";
>> -	print"<br><br>";
>> +	print"<br /><br />";
>>   	print <<END;
>>   	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
>>   	<table width='100%' border='0'>
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 0bc579cd2..51e65b903 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -835,6 +835,8 @@
>>   'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
>>   'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
>>   'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
>> +'dns force on blue' => 'Erzwinge lokale DNS-Server',
>> +'dns force on green' => 'Erzwinge lokale DNS-Server',
>>   'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
>>   'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
>>   'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
>> @@ -1101,9 +1103,12 @@
>>   'from email server' => 'Von E-Mail-Server',
>>   'from email user' => 'Von E-Mail-Benutzer',
>>   'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
>> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
>> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
>>   'fw default drop' => 'Firewallrichtlinie',
>> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
>>   'fw logging' => 'Firewallprotokollierung',
>> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
>> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
>>   'fw settings' => 'Firewalleinstellungen',
>>   'fw settings color' => 'Farben in Regeltabelle anzeigen',
>>   'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
>> @@ -1643,9 +1648,9 @@
>>   'map to guest' => 'Map to Guest',
>>   'march' => 'März',
>>   'marked' => 'Markiert',
>> -'masquerade blue' => 'NAT auf BLAU',
>> -'masquerade green' => 'NAT auf GRÜN',
>> -'masquerade orange' => 'NAT auf ORANGE',
>> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
>> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
>> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
>>   'masquerading' => 'Masquerading/NAT',
>>   'masquerading disabled' => 'NAT ausgeschaltet',
>>   'masquerading enabled' => 'NAT eingeschaltet',
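
Review bot: 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>' has a space before '=' that the other two entries and the English counterpart do not have; make the three lines uniform. More generally, repeating the colour codes inside every translation string means each language file must be kept in sync with the next; keeping only the words in de.pl/en.pl and adding the <font> markup in optionsfw.cgi would avoid that.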
>> @@ -1813,6 +1818,8 @@
>>   'november' => 'November',
>>   'ntp common settings' => 'Allgemeine Einstellungen',
>>   'ntp configuration' => 'Zeitserverkonfiguration',
>> +'ntp force on blue' => 'Erzwinge lokale NTP-Server',
>> +'ntp force on green' => 'Erzwinge lokale NTP-Server',
>>   'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
>>   'ntp server' => 'NTP-Server',
>>   'ntp sync' => 'Synchronisation',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index 1c69b3798..390b2d026 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -858,6 +858,8 @@
>>   'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
>>   'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
>>   'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
>> +'dns force on blue' => 'Force DNS to use local DNS servers',
>> +'dns force on green' => 'Force DNS to use local DNS servers',
>>   'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
>>   'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
>>   'dns header' => 'Assign DNS server addresses only for DHCP on red0',
>> @@ -1128,9 +1130,12 @@
>>   'from email server' => 'From Email server',
>>   'from email user' => 'From e-mail user',
>>   'from warn email bad' => 'From e-mail address is not valid',
>> -'fw blue' => 'Firewall options for BLUE interface',
>> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
>>   'fw default drop' => 'Firewall policy',
>> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
>>   'fw logging' => 'Firewall logging',
>> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
>> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
>>   'fw settings' => 'Firewall settings',
>>   'fw settings color' => 'Show colors in ruletable',
>>   'fw settings dropdown' => 'Show all networks on rulecreation site',
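
Review bot: 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface' capitalizes 'Interface' mid-sentence where the replaced string had 'interface'; keep the lower case in the BLUE and GREEN entries. The unchanged 'fw logging' key is no longer referenced by optionsfw.cgi after this series (it uses 'fw logging red' and 'fw logging blue'); remove it here and in de.pl unless another page still uses it.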
>> @@ -1675,9 +1680,9 @@
>>   'map to guest' => 'Map to Guest',
>>   'march' => 'March',
>>   'marked' => 'Marked',
>> -'masquerade blue' => 'Masquerade BLUE',
>> -'masquerade green' => 'Masquerade GREEN',
>> -'masquerade orange' => 'Masquerade ORANGE',
>> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
>> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
>> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
>>   'masquerading' => 'Masquerading',
>>   'masquerading disabled' => 'Masquerading disabled',
>>   'masquerading enabled' => 'Masquerading enabled',
>> @@ -1847,6 +1852,8 @@
>>   'november' => 'November',
>>   'ntp common settings' => 'Common settings',
>>   'ntp configuration' => 'NTP Configuration',
>> +'ntp force on blue' => 'Force NTP to use local NTP servers',
>> +'ntp force on green' => 'Force NTP to use local NTP servers',
>>   'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
>>   'ntp server' => 'NTP Server',
>>   'ntp sync' => 'Synchronization',
>> diff --git a/lfs/configroot b/lfs/configroot
>> index c528bd6d9..6cc376ff0 100644
>> --- a/lfs/configroot
>> +++ b/lfs/configroot
>> @@ -1,7 +1,7 @@
>>   ###############################################################################
>>   #                                                                             #
>>   # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
>>   #                                                                             #
>>   # This program is free software: you can redistribute it and/or modify        #
>>   # it under the terms of the GNU General Public License as published by        #
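
Review bot: the copyright line goes backwards, from 'Copyright (C) 2007-2021' to 'Copyright (C) 2007-2018', which suggests the patch was generated against an outdated checkout of lfs/configroot; drop this hunk so the header keeps the current year.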
>> @@ -129,6 +129,10 @@ $(TARGET) :
>>   	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>   	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>>   	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
>>   	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>   	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
>>   	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>> new file mode 100644
>> index 000000000..54fdfc685
>> --- /dev/null
>> +++ b/src/initscripts/system/dnsntp
>> @@ -0,0 +1,43 @@
>> +#!/bin/sh
>> +########################################################################
>> +# Begin $rc_base/init.d/dnsntp
>> +#
>> +# Description : dnsntp init script for DNS/NTP rules only
>> +#
>> +########################################################################
>> +
>> +# flush chain
>> +iptables -t nat -F DNS_NTP_REDIRECT
>> +
>> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> +
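
Review bot: the file lives in init.d and its header calls it an init script, but it accepts no start/stop/reload argument and runs its body unconditionally, unlike the other scripts there that dispatch on "$1"; a case "${1}" in start|reload) ... ;; esac wrapper would make it behave like its neighbours. 'iptables -t nat -F DNS_NTP_REDIRECT' also runs before anything checks that the chain exists (it is created in the firewall init script), so running this script on its own before the firewall has started prints an error and carries on, and no failing iptables call later in the script aborts it; check the result of the flush and stop there if the chain is missing.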
> 
> The 'well-behaving' request destinations should be DNS1_GREEN, 
> DNS2_GREEN, DNS1_BLUE, DNS2_BLUE ( stored in /var/ipfire/dhcp/settings 
> and set in the dhcp.cgi ).
> If they are defined and distributed by DHCP or set by other mechanism.

Ok, here we are.
Oops!
"DNS1_..." and "DNS2_..." entries. What/where are these? You've got me!

But now I'm a bit puzzled. Perhaps I need some hints again.

Because until now I completely ignored DNS1_GREEN, DNS2_... etc. from
DHCP. They existed in my installation(s) - but DHCP didn't play a role
in my considerations. Never. I always used the local IPFire addresses
(GREEN/BLUE). Nothing else. The addresses for "GREEN_ADDRESS" (Ethernet
settings), "DNS1_GREEN" and "NTP1_GREEN" (dhcp settings) were always the
same. Of course, this also applied to BLUE.

BTW, what would be the sense of distributing different DNS1/DNS2 entries
through DHCP vs. the DoT entries under "domain name system" (e.g.)?

What I don't understand - call it "I'm thick at the moment...":
Through the current GUIs it would be possible to choose and distribute
(e.g.) 8.8.8.8 as "DNS1" or "DNS2" through DHCP, while the "Domain Name
System" page contains totally different (or ISP servers). Are there any
circumstances where this would be useful or needed? And which could
these be?

> Is GREEN_ADDRESS / BLUE_ADDRESS the desired destination otherwise?

Yes. That was my only intention in the first place.
I wanted to keep it simple.
I wanted to make sure that my clients only use the specific *local* DNS
servers running on GREEN / BLUE. And I didn't realize the possibility to
enter completely different servers (through DHCP).
That's why I ignored DHCP and chose the GREEN and BLUE interface
(ethernet) addresses. I never thought of writing other addresses than
the local IPFire GREEN/BLUE addresses in the first required DHCP fields
for GREEN / BLUE. My fault(?). Hm.

Regarding 'forcing dns':
You can of course always turn these OFF if they don't correspond with
your wanted installation and use other DNS1 / DNS2 entries. ;-)

Last question(s):
If I got you right it would make more sense or be better to change the
RETURN rules to use the DHCP values from "$DNS1/2_GREEN/BLUE"!?

And what would be the best way to integrate *both* possible DNS entries
in the initscript? Regarding DoT, are these two really needed anymore?
At the moment, I'm using nine through DoT...

First needed change in 'dnsntpctrl' => evaluate DHCP settings. Add:
...
eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
...

New:
iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${DNS1_GREEN} -p udp -m udp --dport domain -j RETURN

And then?

I must think this over...it's been a long week... ;-)

Regards,
Matthias

>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>> +fi
>> +
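
Review bot: [ "$DNS_FORCE_ON_GREEN" == "on" ] uses the bash-only '==' operator under a #!/bin/sh shebang; POSIX test defines '=', so write [ "$DNS_FORCE_ON_GREEN" = "on" ] (same for the BLUE and NTP blocks). The address variables are expanded unquoted: if BLUE_ADDRESS is empty, for instance when BLUE was removed after the option had been switched on, '-d ${BLUE_ADDRESS}' makes iptables read '-p' as the destination, the RETURN rule is rejected, and the catch-all REDIRECT after it still loads. Quote the expansions and guard each interface block with [ -n "$BLUE_ADDRESS" ]. The comments say '(udp, tcp, 53)' while the rules use the service name 'domain'; keep them in sync. Whether GREEN_ADDRESS alone is the right RETURN destination, or DNS1_GREEN/DNS2_GREEN from dhcp/settings must be covered as well, is the open question in this thread and should be settled before the next version.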
> 
> See above.
> 
> Regards,
> Bernhard
> 
>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
>> +fi
>> +
>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
>> +fi
>> +
>> +# End $rc_base/init.d/dnsntp
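
Review bot: the comment above the BLUE NTP block reads '# Force DNS REDIRECTs on BLUE (udp, 123)' while the rules match '--dport ntp'; change it to '# Force NTP REDIRECTs on BLUE (udp, 123)'. The '==' and quoting remarks on the DNS blocks apply to these two blocks as well.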
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 1e558ee86..047946a86 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -218,7 +218,7 @@ iptables_init() {
>>   	iptables -A INPUT -j LOCATIONBLOCK
>>   	iptables -A FORWARD -j LOCATIONBLOCK
>>   
>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>   	iptables -N IPSECINPUT
>>   	iptables -N IPSECFORWARD
>>   	iptables -N IPSECOUTPUT
>> @@ -242,6 +242,10 @@ iptables_init() {
>>   	iptables -N WIRELESSFORWARD
>>   	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
>>   
>> +	# Redirecting DNS and NTP requests
>> +	iptables -t nat -N DNS_NTP_REDIRECT
>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>> +
>>   	# OpenVPN
>>   	iptables -N OVPNINPUT
>>   	iptables -A INPUT -j OVPNINPUT
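
Review bot: 'iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT' appends the jump, so its position in nat PREROUTING depends on what iptables_init has already added at this point (the commit message says the block was moved behind the WIRELESS chains). Since REDIRECT is a terminating target, any nat PREROUTING rule appended later that would DNAT port 53 or 123 traffic from GREEN or BLUE will not see those packets while the option is on; state that precedence in the commit message or in the option's help text so that users with such port forwards know why they stop matching.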
>> @@ -320,6 +324,9 @@ iptables_init() {
>>   	# run captivectrl
>>   	/usr/local/bin/captivectrl
>>   
>> +	# run dnsntpctrl
>> +	/usr/local/bin/dnsntpctrl
>> +
>>   	# POLICY CHAIN
>>   	iptables -N POLICYIN
>>   	iptables -A INPUT -j POLICYIN
>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>> index 7c3ef7529..229d122d6 100644
>> --- a/src/misc-progs/Makefile
>> +++ b/src/misc-progs/Makefile
>> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>   	wirelessctrl getipstat qosctrl \
>>   	redctrl syslogdctrl extrahdctrl sambactrl \
>>   	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>> -	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
>> +	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
>>   	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
>>   	captivectrl
>>   
>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>> new file mode 100644
>> index 000000000..f2a3b89e3
>> --- /dev/null
>> +++ b/src/misc-progs/dnsntpctrl.c
>> @@ -0,0 +1,19 @@
>> +/* This file is part of the IPFire Firewall.
>> + *
>> + * This program is distributed under the terms of the GNU General Public
>> + * Licence.  See the file COPYING for details.
>> + *
>> + */
>> +
>> +#include <stdlib.h>
>> +#include "setuid.h"
>> +
>> +int main(void)
>> +{
>> +	if (!(initsetuid()))
>> +		exit(1);
>> +
>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>> +
>> +	return 0;
>> +}
>> 
>
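
To make the point about several 'well-behaving' destinations concrete, here is an added example that is not part of Matthias's patch or of IPFire itself: a POSIX sh dry run that prints the DNS_NTP_REDIRECT rules one interface would get when the RETURN destinations are the interface address plus the DHCP DNS1/DNS2 entries, with empty settings skipped and duplicates collapsed. The variable names follow the settings files the patch reads (ethernet/settings and dhcp/settings); the addresses and the emit_rules / green_dns_rules helpers are constructed for the example.

```shell
#!/bin/sh
# Added example (not the patch's code): print the DNS_NTP_REDIRECT rules for
# one interface instead of loading them, so the rule logic can be checked
# without root or iptables. Variable names follow /var/ipfire/ethernet/settings
# (GREEN_DEV, GREEN_ADDRESS) and /var/ipfire/dhcp/settings (DNS1_GREEN,
# DNS2_GREEN); all values below are constructed.

# Print one RETURN rule per distinct, non-empty "well-behaving" destination,
# then the catch-all REDIRECT for everything else on that port.
#   $1 interface device, $2 protocol (udp|tcp), $3 service (domain|ntp),
#   remaining arguments: candidate destination addresses (may be empty or repeated)
emit_rules() {
    dev=$1; proto=$2; svc=$3
    shift 3
    seen=" "
    for addr in "$@"; do
        # an unset setting must not reach the command line, where "-d" would
        # swallow the next token and the RETURN rule would be rejected
        [ -n "$addr" ] || continue
        # DNS1_GREEN is usually the interface address itself: emit it once
        case "$seen" in *" $addr "*) continue ;; esac
        seen="$seen$addr "
        printf 'iptables -t nat -A DNS_NTP_REDIRECT -i %s -d %s -p %s -m %s --dport %s -j RETURN\n' \
            "$dev" "$addr" "$proto" "$proto" "$svc"
    done
    printf 'iptables -t nat -A DNS_NTP_REDIRECT -i %s -p %s -m %s --dport %s -j REDIRECT\n' \
        "$dev" "$proto" "$proto" "$svc"
}

# GREEN DNS rules from the settings variables, honouring the DNS_FORCE_ON_GREEN
# switch with the POSIX "=" comparison (the patch's script uses bash's "==").
green_dns_rules() {
    if [ "$DNS_FORCE_ON_GREEN" = "on" ]; then
        emit_rules "$GREEN_DEV" udp domain "$GREEN_ADDRESS" "$DNS1_GREEN" "$DNS2_GREEN"
        emit_rules "$GREEN_DEV" tcp domain "$GREEN_ADDRESS" "$DNS1_GREEN" "$DNS2_GREEN"
    fi
}

# Constructed sample values: DNS1_GREEN equals the interface address (the common
# case), DNS2_GREEN is a second resolver, so two RETURN rules result per protocol.
GREEN_DEV=green0
GREEN_ADDRESS=192.168.1.1
DNS1_GREEN=192.168.1.1
DNS2_GREEN=192.168.1.2
DNS_FORCE_ON_GREEN=on

green_dns_rules
```

With the sample values this prints six rules (two RETURNs and one REDIRECT per protocol); setting DNS2_GREEN equal to GREEN_ADDRESS or leaving it empty reduces that to four, and an unset address never reaches an iptables command line.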
  
Bernhard Bitsch June 7, 2021, 3:31 p.m. UTC | #3
Hi,

sorry if I made you go crazy. ;)

My comment aimed to discuss the selection of the correct redirect 
address. See my further comments below(;)).
I fear forcing requests to the right address is a bit more complex than 
it looked at the first approach.

On 06.06.2021 at 19:35, Matthias Fischer wrote:
> Hi,
> 
> On 06.06.2021 10:59, Bernhard Bitsch wrote:
>> Hi,
>>
>> thanks for implementing this idea.
> 
> I tried my best, but when reading further I realized that I've missed
> something... See below.
> 
> [Sorry for the noise, but I thought it would be the best to keep this
> unshortened.]
>>> On 04.06.2021 at 14:17, Matthias Fischer wrote:
>>> There was not much feedback on the list, so I send this now. This is V4 - open for
>>> discussion, opinions or (perhaps ;-) ) changes:
>>>
>>> Originally triggered by:
>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>
>>> Discussion:
>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>
>>> Could fix(?):
>>> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
>>>
>>> Changelog since V3:
>>>
>>> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>>>     values are read from '/var/ipfire/ethernet/settings', thanks
>>>     to "someone" for the hint (sorry, I didn't find the author)! ;-)
>>>
>>> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
>>>
>>> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>>>     handled through RETURN rules, others through REDIRECT.
>>>
>>> Background (cited from BB, 06.03.2021):
>>> "Concerning performance, we want to minimize the rule set to the amount
>>> really necessary. On the other hand, it may be quicker to do just
>>> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
>>> to IPFire) should be nearly 100%. DNS and NTP servers are published
>>> by DHCP or should be configured in the static case."
>>>
>>
>> Sorry, I did not realize that this 'well-behaving' must be defined more
>> exactly. See beyond.
> 
> Yep. No problem. Now I know what you meant.
> And again, "see beyond"... ;-)
Further comments follow below ;-)
> 
>>> I made it that way. Statistics during the last 62 days show that this
>>> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
>>> everyone could take a look.
>>>
>>
>> That's my experience with the rules located in firewall.local, too.
>>
>>> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
>>>
>>> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
>>> '# WIRELESS chains'
>>>
>>> Summary and functionality:
>>>     These patches are controlled through "Firewall Options". They add new
>>>     firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>>     They activate/deactivate appropriate RETURN and REDIRECT rules through
>>>     a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>>>     ('/etc/rc.d/init.d/dnsntp').
>>>
>>>     Default of all new rules is OFF (set in 'lfs/configroot').
>>>     If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>>     servers specified in IPFire.
>>>
>>>     Flaw/ToDo:
>>>     To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>>     init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>>>     In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>>     capabilities, perhaps "someone" else knows how to program this.
>>>
>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>>     The corresponding interface options - including 'Masquerade ...' - are only visible if
>>>     the respective interface actually exists.
>>>     E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>>>     for 'DNS/NTP on BLUE' or logging options for BLUE available.
>>>     Added text colors for better readability.
>>>     Separated logging options per interface.
>>>
>>> No reboot required:
>>>     Rules can be switched ON/OFF without rebooting IPFire.
>>>     Changes immediately take effect after clicking 'Save'.
>>>
>>> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
>>>     Fixed a 'trafic' typo.
>>>     To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
>>>     chain: 'DNS_NTP_REDIRECT'.
>>>     This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
>>>
[cutting off parts of the main patch for discussion]
>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>> new file mode 100644
>>> index 000000000..54fdfc685
>>> --- /dev/null
>>> +++ b/src/initscripts/system/dnsntp
>>> @@ -0,0 +1,43 @@
>>> +#!/bin/sh
>>> +########################################################################
>>> +# Begin $rc_base/init.d/dnsntp
>>> +#
>>> +# Description : dnsntp init script for DNS/NTP rules only
>>> +#
>>> +########################################################################
>>> +
>>> +# flush chain
>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>> +
>>> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>> +
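Review bot: the unconditional `iptables -t nat -F DNS_NTP_REDIRECT` at the top assumes the chain already exists; it is only created by iptables_init in the firewall initscript, so running dnsntp (or dnsntpctrl) on its own before that has happened prints an error and every `-A DNS_NTP_REDIRECT` that follows fails as well. Either create the chain when it is missing (`iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null` before the flush) or exit early if it does not exist, so a failed flush does not go unnoticed.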
>>
>> The 'well-behaving' request destinations should be DNS1_GREEN,
>> DNS2_GREEN, DNS1_BLUE, DNS2_BLUE ( stored in /var/ipfire/dhcp/settings
>> and set in the dhcp.cgi ).
>> If they are defined and distributed by DHCP or set by another mechanism.
> 
> Ok, here we are.
> Oops!
> "DNS1_..." and "DNS2_..." entries. What/where are these? You've got me!
> 

I think we have two kinds of DNS/NTP servers to be forced.
- IPFire includes these servers, which should be used.
- The DHCP server can ( should? ) distribute these addresses. The WUI, 
on the other hand, allows the specification of some other addresses, 
which should be located in the local networks. That is my interpretation 
of these fields.

> But now I'm a bit puzzled. Perhaps I need some hints again.
> 
> Because until now I completely ignored DNS1_GREEN, DNS2_... etc. from
> DHCP. They existed in my installation(s) - but DHCP didn't play a role
> in my considerations. Never. I always used the local IPFire addresses
> (GREEN/BLUE). Nothing else. The addresses for "GREEN_ADDRESS" (Ethernet
> settings), "DNS1_GREEN" and "NTP1_GREEN" (dhcp settings) were always the
> same. Of course, this also applied to BLUE.
> 

That's also my config. Therefore I didn't think about this before. ;)

> BTW, what would be the sense of distributing different DNS1/DNS2 entries
> through DHCP vs. the DOT entries under "domain name system" (e.g.)?
> 

DOT under 'domain name system' is a definition for the sources of name 
information of unbound.

> What I don't understand - call it "I'm thick at the moment...":
> Through the current GUIs it would be possible to choose and distribute
> (e.g.) 8.8.8.8 as "DNS1" or "DNS2" through DHCP, while the "Domain Name
> System" page contains totally different (or ISP servers). Are there any
> circumstances where this would be useful or needed? And which could
> these be?
> 

I don't think it is useful/legal to define DNS servers outside the local 
networks. Defining DNS servers in DHCP other than IPFire makes only 
sense when these use IPFire.

>> Is GREEN_ADDRESS / BLUE_ADDRESS the desired destination otherwise?
> 
> Yes. That was my only intention in the first place.
> I wanted to keep it simple.
> I wanted to make sure that my clients only use the specific *local* DNS
> servers running on GREEN / BLUE. And I didn't realize the possibility to
> enter completely different servers (through DHCP).
> That's why I ignored DHCP and chose the GREEN and BLUE interface
> (ethernet) addresses. I never thought of writing other addresses than
> the local IPFire GREEN/BLUE addresses in the first required DHCP fields
> for GREEN / BLUE. My fault(?). Hm.
> 

This was my first thought also.

> Regarding 'forcing dns':
> You can of course always turn these OFF if they don't correspond with
> your wanted installation and use other DNS1 / DNS2 entries. ;-)
> 
> Last question(s):
> If I got you right it would make more sense or be better to change the
> RETURN rules to use the DHCP values from "$DNS1/2_GREEN/BLUE"!?
> 
> And what would be the best way to integrate *both* possible DNS entries
> in the initscript? Regarding DoT, are these two really needed anymore?
> At the moment, I'm using nine through DoT...
> 
> First needed change in 'dnsntpctrl' => evaluate DHCP settings. Add:
> ...
> eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
> ...
> 
> New:
> iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${DNS1_GREEN} -p
> udp -m udp --dport domain -j RETURN
> 
> And then?
> 
> I must think this over...it's been a long week... ;-)
> 
> Regards,
> Matthias
> 

I must think this over, also.
Especially about DNS traffic.
If I define a configuration with a dedicated DNS server A in my GREEN 
net, which itself questions the IPFire DNS server, and inform all 
'normal' clients in GREEN to use A via DHCP, are these DNS requests 
received by IPFire? If this isn't possible by design, our first simple 
implementation of 'forcing' ( redirecting to GREEN_ADDRESS/BLUE_ADDRESS ) 
is right.

Could someone else look at this?

Regards,
Bernhard

[ rest of patch ]
>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>>> +fi
>>> +
>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>>> +fi
>>> +
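Review bot: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` (and the same test in the BLUE block) uses the bash-only `==` operator under `#!/bin/sh`; it only works where /bin/sh is bash, and under a POSIX sh such as dash `[` rejects it with "unexpected operator", the block is skipped and the forcing silently stays off. Use `=`. The RETURN rules also only exempt queries addressed to `${GREEN_ADDRESS}`, which is the point Bernhard raises above: a client that follows a DHCP-published DNS1_GREEN/DNS2_GREEN different from the interface address is redirected instead of returned, so either add a RETURN per configured DHCP server or document that the interface address is the only accepted destination. Finally, the commit message says the rules "REDIRECT all DNS ... requests", but only `--dport domain` (53) is matched; DoT, which Matthias mentions using, is not touched, and the description should say so.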
>>
>> See above.
>>
>> Regards,
>> Bernhard
>>
>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
>>> +fi
>>> +
>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
>>> +fi
>>> +
>>> +# End $rc_base/init.d/dnsntp
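Review bot: the header comment on the second block, `# Force DNS REDIRECTs on BLUE (udp, 123)`, is a copy-paste leftover; the block handles NTP on BLUE (`NTP_FORCE_ON_BLUE`, `--dport ntp`), so it should read `# Force NTP REDIRECTs on BLUE (udp, 123)`. The `==` portability issue from the DNS blocks applies to both NTP tests as well.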
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>> index 1e558ee86..047946a86 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -218,7 +218,7 @@ iptables_init() {
>>>    	iptables -A INPUT -j LOCATIONBLOCK
>>>    	iptables -A FORWARD -j LOCATIONBLOCK
>>>    
>>> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>    	iptables -N IPSECINPUT
>>>    	iptables -N IPSECFORWARD
>>>    	iptables -N IPSECOUTPUT
>>> @@ -242,6 +242,10 @@ iptables_init() {
>>>    	iptables -N WIRELESSFORWARD
>>>    	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
>>>    
>>> +	# Redirecting DNS and NTP requests
>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>> +
>>>    	# OpenVPN
>>>    	iptables -N OVPNINPUT
>>>    	iptables -A INPUT -j OVPNINPUT
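Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` appends the jump at whatever position nat PREROUTING has reached at this point of iptables_init; the hunk does not show the other PREROUTING jumps (the commit message mentions the existing CUSTOM chains), so whether a custom PREROUTING rule can still pre-empt the redirect, or is itself pre-empted by it, is not visible here. Please state the intended ordering in the comment above the two lines, since "to avoid collisions with existing CUSTOM rules" depends on it.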
>>> @@ -320,6 +324,9 @@ iptables_init() {
>>>    	# run captivectrl
>>>    	/usr/local/bin/captivectrl
>>>    
>>> +	# run dnsntpctrl
>>> +	/usr/local/bin/dnsntpctrl
>>> +
>>>    	# POLICY CHAIN
>>>    	iptables -N POLICYIN
>>>    	iptables -A INPUT -j POLICYIN
>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>> index 7c3ef7529..229d122d6 100644
>>> --- a/src/misc-progs/Makefile
>>> +++ b/src/misc-progs/Makefile
>>> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>>    	wirelessctrl getipstat qosctrl \
>>>    	redctrl syslogdctrl extrahdctrl sambactrl \
>>>    	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>> -	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
>>> +	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
>>>    	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
>>>    	captivectrl
>>>    
>>> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>> new file mode 100644
>>> index 000000000..f2a3b89e3
>>> --- /dev/null
>>> +++ b/src/misc-progs/dnsntpctrl.c
>>> @@ -0,0 +1,19 @@
>>> +/* This file is part of the IPFire Firewall.
>>> + *
>>> + * This program is distributed under the terms of the GNU General Public
>>> + * Licence.  See the file COPYING for details.
>>> + *
>>> + */
>>> +
>>> +#include <stdlib.h>
>>> +#include "setuid.h"
>>> +
>>> +int main(void)
>>> +{
>>> +	if (!(initsetuid()))
>>> +		exit(1);
>>> +
>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>> +
>>> +	return 0;
>>> +}
>>>
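Review bot: `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1")` discards the init script's output and `main` returns 0 unconditionally, so neither optionsfw.cgi (which calls this after 'Save') nor the firewall initscript can tell whether the iptables rules were actually installed. Return the status of `safe_system()` instead of the constant 0 and let the caller decide what to log; keeping the redirect of stdout/stderr is fine once the exit status is propagated.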
>>
>
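The approach Matthias sketches above ("First needed change ... And then?"), RETURN rules for every DNS/NTP server a client may legitimately use and one REDIRECT for everything else on that port, as an added example that is not part of this patch series or of IPFire's own scripts. It generates the iptables command lines instead of executing them, so the resulting rule set can be inspected (or piped into `sh` on the firewall) without touching the nat table. The function names are hypothetical, and the interface names, addresses and DHCP values in the demo at the bottom are constructed; in a real script they would come from `eval $(/usr/local/bin/readhash ...)` of the ethernet, dhcp and optionsfw settings files, as in the patch.

```shell
#!/bin/sh
# Added example, not IPFire code: build the DNS_NTP_REDIRECT rules for one
# interface from a list of "well-behaving" destinations. Everything sent to
# one of those servers is RETURNed untouched, anything else on the port is
# REDIRECTed to the firewall itself. Rules are printed, not executed.

# collect_servers ADDR... : drop empty entries (e.g. an unset DNS2_GREEN) and
# duplicates (GREEN_ADDRESS is usually also DNS1_GREEN), keeping the order.
collect_servers() {
    out=""
    for s in "$@"; do
        if [ -n "$s" ]; then
            case " $out " in
                *" $s "*) ;;                       # already listed
                *) out="${out:+$out }$s" ;;
            esac
        fi
    done
    echo "$out"
}

# force_rules DEV SERVICE "PROTO..." "SERVER..." : one RETURN per server and
# protocol, then the catch-all REDIRECT for that protocol. SERVICE is the
# /etc/services name used by the patch (domain or ntp).
force_rules() {
    dev="$1"; svc="$2"; protos="$3"; servers="$4"
    for proto in $protos; do
        for srv in $servers; do
            echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -d $srv -p $proto -m $proto --dport $svc -j RETURN"
        done
        echo "iptables -t nat -A DNS_NTP_REDIRECT -i $dev -p $proto -m $proto --dport $svc -j REDIRECT"
    done
}

# Demo with constructed settings values (hypothetical network; in the patch
# these come from /var/ipfire/ethernet/settings, /var/ipfire/dhcp/settings
# and /var/ipfire/optionsfw/settings via readhash).
GREEN_DEV=green0
GREEN_ADDRESS=192.168.1.1
DNS1_GREEN=192.168.1.1        # same as the interface address, as in Matthias' setup
DNS2_GREEN=192.168.1.53       # a second local resolver published by DHCP
NTP1_GREEN=192.168.1.1
NTP2_GREEN=""                 # unset in the constructed config
DNS_FORCE_ON_GREEN=on
NTP_FORCE_ON_GREEN=on

echo "iptables -t nat -F DNS_NTP_REDIRECT"
if [ "$DNS_FORCE_ON_GREEN" = "on" ]; then        # '=' is POSIX, '==' is not
    force_rules "$GREEN_DEV" domain "udp tcp" \
        "$(collect_servers "$GREEN_ADDRESS" "$DNS1_GREEN" "$DNS2_GREEN")"
fi
if [ "$NTP_FORCE_ON_GREEN" = "on" ]; then
    force_rules "$GREEN_DEV" ntp udp \
        "$(collect_servers "$GREEN_ADDRESS" "$NTP1_GREEN" "$NTP2_GREEN")"
fi
```

With the constructed values the script prints the flush, two RETURN lines and one REDIRECT line per DNS protocol (udp, tcp) and one RETURN plus one REDIRECT for NTP; the duplicate 192.168.1.1 and the empty NTP2_GREEN produce no extra rules. Because every RETURN precedes the REDIRECT for its protocol, a query to a listed server is never rewritten, which is the ordering the patch relies on.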
  
Michael Tremer June 10, 2021, 9:16 a.m. UTC | #4
Hello,

> On 4 Jun 2021, at 13:17, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> 
> There was not much feedback on the list, so I send this now. This is V4 - open for
> discussion, opinions or (perhaps ;-) ) changes:
> 
> Originally triggered by:
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
> 
> Discussion:
> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> 
> Could fix(?):
> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
> 
> Changelog since V3:
> 
> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>  values are read from '/var/ipfire/ethernet/settings', thanks
>  to "someone" for the hint (sorry, I didn't find the author)! ;-)
> 
> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
> 
> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>  handled through RETURN rules, others through REDIRECT.
> 
> Background (cited from BB, 06.03.2021):
> "Concerning performance, we want to minimize the rule set to the amount
> really necessary. On the other hand, it may be quicker to do just
> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
> to IPFire) should be nearly 100%. DNS and NTP servers are published
> by DHCP or should be configured in the static case."
> 
> I made it that way. Statistics during the last 62 days show that this
> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
> everyone could take a look.
> 
> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
> 
> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
> '# WIRELESS chains'
> 
> Summary and functionality:
>  These patches are controlled through "Firewall Options". They add new
>  firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>  They activate/deactivate appropriate RETURN and REDIRECT rules through
>  a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>  ('/etc/rc.d/init.d/dnsntp').
> 
>  Default of all new rules is OFF (set in 'lfs/configroot').
>  If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>  servers specified in IPFire.
> 
>  Flaw/ToDo:
>  To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>  init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>  In fact I wanted to merge these two files in *one* C file, but this was beyond my
>  capabilities, perhaps "someone" else knows how to program this.
> 
> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>  The corresponding interface options - including 'Masquerade ...' - are only visible if
>  the respective interface actually exists.
>  E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>  for 'DNS/NTP on BLUE' or logging options for BLUE available.
>  Added text colors for better readability.
>  Separated logging options per interface.
> 
> No reboot required:
>  Rules can be switched ON/OFF without rebooting IPFire.
>  Changes immediately take effect after clicking 'Save'.
> 
> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
>  Fixed a 'trafic' typo.
>  To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
>  chain: 'DNS_NTP_REDIRECT'.
>  This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> config/rootfiles/common/misc-progs |  1 +
> html/cgi-bin/optionsfw.cgi         | 90 ++++++++++++++++++++++++------
> langs/de/cgi-bin/de.pl             | 15 +++--
> langs/en/cgi-bin/en.pl             | 15 +++--
> lfs/configroot                     |  6 +-
> src/initscripts/system/dnsntp      | 43 ++++++++++++++
> src/initscripts/system/firewall    |  9 ++-
> src/misc-progs/Makefile            |  2 +-
> src/misc-progs/dnsntpctrl.c        | 19 +++++++
> 9 files changed, 171 insertions(+), 29 deletions(-)
> create mode 100644 src/initscripts/system/dnsntp
> create mode 100644 src/misc-progs/dnsntpctrl.c
> 
> diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
> index d6594b3f8..4bcb94812 100644
> --- a/config/rootfiles/common/misc-progs
> +++ b/config/rootfiles/common/misc-progs
> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
> usr/local/bin/collectdctrl
> usr/local/bin/ddnsctrl
> usr/local/bin/dhcpctrl
> +usr/local/bin/dnsntpctrl
> usr/local/bin/extrahdctrl
> usr/local/bin/fireinfoctrl
> usr/local/bin/firewallctrl
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index 321642e82..2059a03b3 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> 		$errormessage .= $Lang::tr{'new optionsfw later'};
> 		&General::writehash($filename, \%settings);             # Save good settings
> 		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> 	}else{
> 		if ($settings{'POLICY'} ne ''){
> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> 		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> 	}

Isn’t calling dnsntpctrl redundant here? It is already being called in the firewall initscript.

> 	&General::readhash($filename, \%settings);             # Load good settings
> }
> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
> $selected{'MASQUERADE_BLUE'}{'off'} = '';
> $selected{'MASQUERADE_BLUE'}{'on'} = '';
> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
> +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
> 
> &Header::openbox('100%', 'center',);
> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
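Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}}` and the three lookups below it assume the new keys are present in `/var/ipfire/optionsfw/settings`; lfs/configroot only seeds them on a fresh build, so on an upgraded installation `$settings{...}` is undef, the lookup uses an empty key, neither radio button is pre-selected and the error log gets an "uninitialized value" warning. Default the four values to 'off' before this block when they are missing, or add them to the settings file in the core update.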
> @@ -189,13 +203,44 @@ END
> END
> 	}
> 
> -	print <<END
> +print <<END;
> +	<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'></tr>
> +		<tr>&nbsp;</tr>
> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> +		</tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +		<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> +		<tr>&nbsp;</tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
> +																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> +																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> +																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> +			</td>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> 	</table>
> 
> -	<br>
> +	<br />
> 
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
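Review bot: the new GREEN table markup is not well-formed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` puts text directly inside a row, and the `<td colspan='2' ...>` heading cell that follows has no opening `<tr>`; the BLUE block then opens a second `<table width='95%' cellspacing='0'>` while the GREEN table is still open, adds a bare `<tr>` before its first real row and a stray `</td></tr>` after the last one, and the single `</table>` in the next heredoc closes only one of the two tables when blue is in use. Mirror the existing logging table: one `<tr bgcolor=...><td colspan='2'>heading</td></tr>` per section, close `</table>` inside the `blue_used()` branch before opening the BLUE one, and drop the empty `<tr>`/`</td></tr>` lines.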
> @@ -206,21 +251,30 @@ END
> 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
> 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +	</table>
> +
> +	<br />
> +
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br/>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> +	</table>
> +
> +	<br />
> 
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
> -																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
> -																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br>
> <table width='95%' cellspacing='0'>
> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
> <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
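Review bot: in the BLUE logging table a bare `<tr>` is opened before the first `<tr><td ...>` row and a matching `</tr>` is emitted after the last one, leaving an empty, unclosed row wrapped around the two real rows; remove both lines. The table-closing logic itself is right: with `blue_used()` true the RED table is closed inside the branch and the final heredoc closes the BLUE one, otherwise the final heredoc closes the RED table.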
> @@ -252,7 +306,7 @@ END
> 
> <br />
> <table width='100%' cellspacing='0'>
> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> </form></td></tr>
> </table>
> @@ -278,7 +332,7 @@ print <<END;
> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
> END
> 	print "</tr></table></form>";
> -	print"<br><br>";
> +	print"<br /><br />";
> 	print <<END;
> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> 	<table width='100%' border='0'>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 0bc579cd2..51e65b903 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -835,6 +835,8 @@
> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
> 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
> 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
> +'dns force on blue' => 'Erzwinge lokale DNS-Server',
> +'dns force on green' => 'Erzwinge lokale DNS-Server',
> 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
> 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
> 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
> @@ -1101,9 +1103,12 @@
> 'from email server' => 'Von E-Mail-Server',
> 'from email user' => 'Von E-Mail-Benutzer',
> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
> 'fw default drop' => 'Firewallrichtlinie',
> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
> 'fw logging' => 'Firewallprotokollierung',
> +'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
> +'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
> 'fw settings' => 'Firewalleinstellungen',
> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
> @@ -1643,9 +1648,9 @@
> 'map to guest' => 'Map to Guest',
> 'march' => 'März',
> 'marked' => 'Markiert',
> -'masquerade blue' => 'NAT auf BLAU',
> -'masquerade green' => 'NAT auf GRÜN',
> -'masquerade orange' => 'NAT auf ORANGE',
> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
> 'masquerading' => 'Masquerading/NAT',
> 'masquerading disabled' => 'NAT ausgeschaltet',
> 'masquerading enabled' => 'NAT eingeschaltet',
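Review bot: `'masquerade orange'` has a space before the attribute's equals sign (`color =\'#FF9933\'`), unlike its two siblings and the en.pl version; browsers tolerate it, but it should be `color=\'#FF9933\'`. More generally these strings, and `'fw blue'`/`'fw green'`/`'fw logging blue'`/`'fw logging red'` in the hunk above, now embed presentational `<font>` markup in the translation files; if the colours are wanted, a class on the `<td>` in optionsfw.cgi keeps the language strings plain text and avoids repeating the colour codes per language.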
> @@ -1813,6 +1818,8 @@
> 'november' => 'November',
> 'ntp common settings' => 'Allgemeine Einstellungen',
> 'ntp configuration' => 'Zeitserverkonfiguration',
> +'ntp force on blue' => 'Erzwinge lokale NTP-Server',
> +'ntp force on green' => 'Erzwinge lokale NTP-Server',
> 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
> 'ntp server' => 'NTP-Server',
> 'ntp sync' => 'Synchronisation',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 1c69b3798..390b2d026 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -858,6 +858,8 @@
> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
> 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
> 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
> +'dns force on blue' => 'Force DNS to use local DNS servers',
> +'dns force on green' => 'Force DNS to use local DNS servers',
> 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
> 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
> 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
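Review bot: `'dns force on blue'` and `'dns force on green'` carry the identical text "Force DNS to use local DNS servers", which reads oddly (DNS does not use DNS servers, the clients do); "Force clients to use the local DNS server" would be clearer, and since the two keys never differ a single key could serve both the GREEN and the BLUE section, with the interface named by the section heading.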
> @@ -1128,9 +1130,12 @@
> 'from email server' => 'From Email server',
> 'from email user' => 'From e-mail user',
> 'from warn email bad' => 'From e-mail address is not valid',
> -'fw blue' => 'Firewall options for BLUE interface',
> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
> 'fw default drop' => 'Firewall policy',
> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
> 'fw logging' => 'Firewall logging',
> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
> 'fw settings' => 'Firewall settings',
> 'fw settings color' => 'Show colors in ruletable',
> 'fw settings dropdown' => 'Show all networks on rulecreation site',
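Review bot: `'fw blue'` and `'fw green'` capitalise "Interface" while the replaced string and the rest of en.pl use lower-case "interface"; keep "interface". The `<font>`-markup-in-translation remark made for de.pl applies to these four strings as well.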
> @@ -1675,9 +1680,9 @@
> 'map to guest' => 'Map to Guest',
> 'march' => 'March',
> 'marked' => 'Marked',
> -'masquerade blue' => 'Masquerade BLUE',
> -'masquerade green' => 'Masquerade GREEN',
> -'masquerade orange' => 'Masquerade ORANGE',
> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
> 'masquerading' => 'Masquerading',
> 'masquerading disabled' => 'Masquerading disabled',
> 'masquerading enabled' => 'Masquerading enabled',
> @@ -1847,6 +1852,8 @@
> 'november' => 'November',
> 'ntp common settings' => 'Common settings',
> 'ntp configuration' => 'NTP Configuration',
> +'ntp force on blue' => 'Force NTP to use local NTP servers',
> +'ntp force on green' => 'Force NTP to use local NTP servers',
> 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
> 'ntp server' => 'NTP Server',
> 'ntp sync' => 'Synchronization',
> diff --git a/lfs/configroot b/lfs/configroot
> index c528bd6d9..6cc376ff0 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -1,7 +1,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
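Review bot: this hunk changes the copyright line from `2007-2021` back to `2007-2018`, which is unrelated to the series and a step backwards (most likely the patch was produced against an older tree); drop it so only the four `echo ... >> $(CONFIG_ROOT)/optionsfw/settings` lines of the next hunk remain in lfs/configroot.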
> @@ -129,6 +129,10 @@ $(TARGET) :
> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
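Review bot: the keys seeded here are named `DNS_FORCE_ON_GREEN` / `NTP_FORCE_ON_BLUE` etc., while the cover letter describes them as `[DNS/NTP]_FORCED_ON_[INTERFACE]`; align the description with the code. Note also that configroot only seeds fresh installs: existing systems will not have these keys until an update script appends them, which is harmless here only because the init script treats an unset variable the same as `off`.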
> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> new file mode 100644
> index 000000000..54fdfc685
> --- /dev/null
> +++ b/src/initscripts/system/dnsntp
> @@ -0,0 +1,43 @@
> +#!/bin/sh
> +########################################################################
> +# Begin $rc_base/init.d/dnsntp
> +#
> +# Description : dnsntp init script for DNS/NTP rules only
> +#
> +########################################################################
> +
> +# flush chain
> +iptables -t nat -F DNS_NTP_REDIRECT
> +
> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> +
> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
> +fi
> +
> +# Force NTP REDIRECTs on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
> +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
> +fi
> +
> +# End $rc_base/init.d/dnsntp
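Review bot: `[ "$DNS_FORCE_ON_GREEN" == "on" ]` uses the bash-only `==` under a `#!/bin/sh` shebang; use `=` so the script also runs under a POSIX sh. The comment before the last block reads `Force DNS REDIRECTs on BLUE (udp, 123)` but the rules are the NTP ones. `${BLUE_DEV}` and `${BLUE_ADDRESS}` are expanded unquoted, so if the option is ever `on` on a system without BLUE (the GUI hides the switch, but the settings file can be edited by hand) iptables is called with `-i -d` and fails; a `[ -n "$BLUE_DEV" ]` guard inside each `if` is cheap insurance. Finally, the `-F DNS_NTP_REDIRECT` at the top assumes the chain already exists, so running the script before `iptables_init` has created it only prints an error.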
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 1e558ee86..047946a86 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -218,7 +218,7 @@ iptables_init() {
> 	iptables -A INPUT -j LOCATIONBLOCK
> 	iptables -A FORWARD -j LOCATIONBLOCK
> 
> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> 	iptables -N IPSECINPUT
> 	iptables -N IPSECFORWARD
> 	iptables -N IPSECOUTPUT
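Review bot: the `trafic` to `traffic` comment fix is unrelated to the feature; split it into its own commit so it can be merged on its own and the feature diff stays focused.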
> @@ -242,6 +242,10 @@ iptables_init() {
> 	iptables -N WIRELESSFORWARD
> 	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
> 
> +	# Redirecting DNS and NTP requests
> +	iptables -t nat -N DNS_NTP_REDIRECT
> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> +
> 	# OpenVPN
> 	iptables -N OVPNINPUT
> 	iptables -A INPUT -j OVPNINPUT
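Review bot: the jump into `DNS_NTP_REDIRECT` is appended to the nat PREROUTING chain at the point where the filter-table WIRELESS chains are set up, so its position relative to the other nat PREROUTING jumps (custom prerouting, captive portal, later NAT rules) should be stated in the commit message: the first chain to issue a REDIRECT wins and a later chain cannot undo it. It is also worth documenting that PREROUTING only sees packets routed through IPFire: a client on GREEN that queries a resolver on the same GREEN segment never reaches this chain, which bears on the question raised later in the thread about a dedicated DNS server inside the local network.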
> @@ -320,6 +324,9 @@ iptables_init() {
> 	# run captivectrl
> 	/usr/local/bin/captivectrl
> 
> +	# run dnsntpctrl
> +	/usr/local/bin/dnsntpctrl
> +
> 	# POLICY CHAIN
> 	iptables -N POLICYIN
> 	iptables -A INPUT -j POLICYIN
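Review bot: `iptables_init` already runs as root, so calling the setuid wrapper `/usr/local/bin/dnsntpctrl` here is exactly the detour the cover letter calls unnecessary; invoke `/etc/rc.d/init.d/dnsntp` directly from the init script and reserve `dnsntpctrl` for the CGI, where the privilege switch is actually needed. The wrapper also discards the script's stdout and stderr, so an iptables error during boot is lost.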
> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> index 7c3ef7529..229d122d6 100644
> --- a/src/misc-progs/Makefile
> +++ b/src/misc-progs/Makefile
> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
> 	wirelessctrl getipstat qosctrl \
> 	redctrl syslogdctrl extrahdctrl sambactrl \
> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> -	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
> +	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
> 	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
> 	captivectrl
> 
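Review bot: adding `dnsntpctrl` to `SUID_PROGS` makes it a setuid-root binary callable by the web-server user; that matches the other ctrl helpers, and since the program takes no arguments the exposed surface is small. Check that the binary is also added to the rootfile/install list (not visible in this diff) so it ships with the update.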
> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> new file mode 100644
> index 000000000..f2a3b89e3
> --- /dev/null
> +++ b/src/misc-progs/dnsntpctrl.c
> @@ -0,0 +1,19 @@
> +/* This file is part of the IPFire Firewall.
> + *
> + * This program is distributed under the terms of the GNU General Public
> + * Licence.  See the file COPYING for details.
> + *
> + */
> +
> +#include <stdlib.h>
> +#include "setuid.h"
> +
> +int main(void)
> +{
> +	if (!(initsetuid()))
> +		exit(1);
> +
> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> +
> +	return 0;
> +}
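Review bot: the return value of `safe_system()` is ignored and the script's output goes to `/dev/null`, so a failing iptables rule still leaves the CGI reporting success; propagate the script's exit status (`return safe_system(...) != 0;` or similar) so the caller can surface the error. Keeping the hard-coded absolute path and accepting no arguments is the right choice for a setuid helper.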
> -- 
> 2.18.0
>
  
Michael Tremer June 10, 2021, 9:21 a.m. UTC | #5
Hello,

I understand the thought, but I consider this a different problem.

There are two scenarios:

A) IPFire is the DNS server for the network. The new rules can then be enabled and will force any DNS query being responded to by IPFire.

B) The user is using different DNS servers in their DHCP configuration. In that case, we cannot redirect at all, because that only works for one destination and not multiple (at least not with iptables rules).

But in B), you can create simple firewall rules and block DNS with an exception of those DNS servers that you want to allow.

I suppose this is always the problem by having these “shortcuts” that make things easy for the user. They do, but only in a very specific scenario. If we would extend this now, it would get more and more complicated and then the whole simplicity of the feature would be thrown out of the window.

Also, please don’t use 8.8.8.8 :)

-Michael

> On 7 Jun 2021, at 16:31, Bernhard Bitsch <bbitsch@ipfire.org> wrote:
> 
> Hi,
> 
> sorry if I made you go crazy. ;)
> 
> My comment aimed to discuss the selection of the correct redirect address. See my further comments below(;)).
> I fear forcing requests to the right address is a bit more complex than it looked at the first approach.
> 
> On 06.06.2021 at 19:35, Matthias Fischer wrote:
>> Hi,
>> On 06.06.2021 10:59, Bernhard Bitsch wrote:
>>> Hi,
>>> 
>>> thanks for implementing this idea.
>> I tried my best, but when reading further I realized that I've missed
>> something... See below.
>> [Sorry for the noise, but I thought it would be the best to keep this
>> unshortened.]
>>>> On 04.06.2021 at 14:17, Matthias Fischer wrote:
>>>> There was not much feedback on the list, so I send this now. This is V4 - open for
>>>> discussion, opinions or (perhaps ;-) ) changes:
>>>> 
>>>> Originally triggered by:
>>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>> 
>>>> Discussion:
>>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>> 
>>>> Could fix(?):
>>>> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
>>>> 
>>>> Changelog since V3:
>>>> 
>>>> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>>>>    values are read from '/var/ipfire/ethernet/settings', thanks
>>>>    to "someone" for the hint (sorry, I didn't find the author)! ;-)
>>>> 
>>>> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
>>>> 
>>>> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>>>>    handled through RETURN rules, others through REDIRECT.
>>>> 
>>>> Background (cited from BB, 06.03.2021):
>>>> "Concerning performance, we want to minimize the rule set to the amount
>>>> really necessary. On the other hand, it may be quicker to do just
>>>> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
>>>> to IPFire) should be nearly 100%. DNS and NTP servers are published
>>>> by DHCP or should be configured in the static case."
>>>> 
>>> 
>>> Sorry, I did not realize that this 'well-behaving' must be defined more
>>> exactly. See beyond.
>> Yep. No problem. Now I know what you meant.
>> And again, "see beyond"... ;-)
> Further comments follow below ;-)
>>>> I made it that way. Statistics during the last 62 days show that this
>>>> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
>>>> everyone could take a look.
>>>> 
>>> 
>>> That's my experience with the rules located in firewall.local, too.
>>> 
>>>> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
>>>> 
>>>> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
>>>> '# WIRELESS chains'
>>>> 
>>>> Summary and functionality:
>>>>    These patches are controlled through "Firewall Options". They add new
>>>>    firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>>>    They activate/deactivate appropriate RETURN and REDIRECT rules through
>>>>    a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>>>>    ('/etc/rc.d/init.d/dnsntp').
>>>> 
>>>>    Default of all new rules is OFF (set in 'lfs/configroot').
>>>>    If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>>>    servers specified in IPFire.
>>>> 
>>>>    Flaw/ToDo:
>>>>    To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>>>    init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>>>>    In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>>>    capabilities, perhaps "someone" else knows how to program this.
>>>> 
>>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>>>    The corresponding interface options - including 'Masquerade ...' - are only visible if
>>>>    the respective interface actually exists.
>>>>    E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>>>>    for 'DNS/NTP on BLUE' or logging options for BLUE available.
>>>>    Added text colors for better readability.
>>>>    Separated logging options per interface.
>>>> 
>>>> No reboot required:
>>>>    Rules can be switched ON/OFF without rebooting IPFire.
>>>>    Changes immediately take effect after clicking 'Save'.
>>>> 
>>>> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
>>>>    Fixed a 'trafic' typo.
>>>>    To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
>>>>    chain: 'DNS_NTP_REDIRECT'.
>>>>    This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
>>>> 
> [cutting off parts of the main patch for discussion]
>>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>>> new file mode 100644
>>>> index 000000000..54fdfc685
>>>> --- /dev/null
>>>> +++ b/src/initscripts/system/dnsntp
>>>> @@ -0,0 +1,43 @@
>>>> +#!/bin/sh
>>>> +########################################################################
>>>> +# Begin $rc_base/init.d/dnsntp
>>>> +#
>>>> +# Description : dnsntp init script for DNS/NTP rules only
>>>> +#
>>>> +########################################################################
>>>> +
>>>> +# flush chain
>>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>>> +
>>>> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>>> +
>>> 
>>> The 'well-behaving' request destinations should be DNS1_GREEN,
>>> DNS2_GREEN, DNS1_BLUE, DNS2_BLUE ( stored in /var/ipfire/dhcp/settings
>>> and set in the dhcp.cgi ).
>>> If they are defined and distributed by DHCP or set by another mechanism.
>> Ok, here we are.
>> Ups!
>> "DNS1_..." and "DNS2_..." entries. What/where are these? You've got me!
> 
> I think we have two kinds of DNS/NTP servers to be forced.
> - IPFire includes these servers, which should be used.
> - The DHCP server can ( should? ) distribute these addresses. The WUI allows on the other hand the specification of some other addresses, which should be located in the local networks. That is my interpretation of these fields.
> 
>> But now I'm a bit puzzled. Perhaps I need some hints again.
>> Because until now I completely ignored DNS1_GREEN, DNS2_... etc. from
>> DHCP. They existed in my installation(s) - but DHCP didn't play a role
>> in my considerations. Never. I always used the local IPFire addresses
>> (GREEN/BLUE). Nothing else. The addresses for "GREEN_ADDRESS" (Ethernet
>> settings), "DNS1_GREEN" and "NTP1_GREEN" (dhcp settings) were always the
>> same. Of course, this also applied to BLUE.
> 
> That's also my config. Therefore I didn't think about this before. ;)
> 
>> BTW, what would be the sense of distributing different DNS1/DNS2 entries
>> through DHCP vs. the DOT entries under "domain name system" (e.g.)?
> 
> DOT under 'domain name system' is a definition for the sources of name information of unbound.
> 
>> What I don't understand - call it "I'm thick at the moment...":
>> Through the current GUIs it would be possible to choose and distribute
>> (e.g.) 8.8.8.8 as "DNS1" or "DNS2" through DHCP, while the "Domain Name
>> System" page contains totally different (or ISP servers). Are there any
>> circumstances where this would be useful or needed? And which could
>> these be?
> 
> I don't think it is useful/legal to define DNS servers outside the local networks. Defining DNS servers in DHCP other than IPFire makes only sense when these use IPFire.
> 
>>> Is GREEN_ADDRESS / BLUE_ADDRESS the desired destination otherwise?
>> Yes. That was my only intention in the first place.
>> I wanted to keep it simple.
>> I wanted to make sure that my clients only use the specific *local* DNS
>> servers running on GREEN / BLUE. And I didn't realize the possibility to
>> enter completely different servers (through DHCP).
>> That's why I ignored DHCP and chose the GREEN and BLUE interface
>> (ethernet) addresses. I never thought of writing other addresses than
>> the local IPFire GREEN/BLUE addresses in the first required DHCP fields
>> for GREEN / BLUE. My fault(?). Hm.
> 
> This was my first thought also.
> 
>> Regarding 'forcing dns':
>> You can of course always turn these OFF if they don't correspond with
>> your wanted installation and use other DNS1 / DNS2 entries. ;-)
>> Last question(s):
>> If I got you right it would make more sense or be better to change the
>> RETURN rules to use the DHCP values from "$DNS1/2_GREEN/BLUE"!?
>> And what would be the best way to integrate *both* possible DNS entries
>> in the initscript? Regarding DoT, are these two really needed anymore?
>> At the moment, I'm using nine through DoT...
>> First needed change in 'dnsntpctrl' => evaluate DHCP settings. Add:
>> ...
>> eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
>> ...
>> New:
>> iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${DNS1_GREEN} -p
>> udp -m udp --dport domain -j RETURN
>> And then?
>> I must think this over... it's been a long week... ;-)
>> Regards,
>> Matthias
> 
> I must think this over, also.
> Especially about DNS traffic.
> If I define a configuration with a dedicated DNS server A in my GREEN net, which itself queries the IPFire DNS server, and inform all 'normal' clients in GREEN to use A via DHCP, are these DNS requests received by IPFire? If this isn't possible by design, our first simple implementation of 'forcing' ( redirecting to GREEN_ADDRESS/BLUE_ADDRESS ) is right.
> 
> Could someone else look at this?
> 
> Regard,
> Bernhard
> 
> [ rest of patch ]
>>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>>>> +fi
>>>> +
>>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>>>> +fi
>>>> +
>>> 
>>> See above.
>>> 
>>> Regards,
>>> Bernhard
>>> 
>>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
>>>> +fi
>>>> +
>>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
>>>> +fi
>>>> +
>>>> +# End $rc_base/init.d/dnsntp
>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>> index 1e558ee86..047946a86 100644
>>>> --- a/src/initscripts/system/firewall
>>>> +++ b/src/initscripts/system/firewall
>>>> @@ -218,7 +218,7 @@ iptables_init() {
>>>>   	iptables -A INPUT -j LOCATIONBLOCK
>>>>   	iptables -A FORWARD -j LOCATIONBLOCK
>>>>   -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>>   	iptables -N IPSECINPUT
>>>>   	iptables -N IPSECFORWARD
>>>>   	iptables -N IPSECOUTPUT
>>>> @@ -242,6 +242,10 @@ iptables_init() {
>>>>   	iptables -N WIRELESSFORWARD
>>>>   	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
>>>>   +	# Redirecting DNS and NTP requests
>>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>>> +
>>>>   	# OpenVPN
>>>>   	iptables -N OVPNINPUT
>>>>   	iptables -A INPUT -j OVPNINPUT
>>>> @@ -320,6 +324,9 @@ iptables_init() {
>>>>   	# run captivectrl
>>>>   	/usr/local/bin/captivectrl
>>>>   +	# run dnsntpctrl
>>>> +	/usr/local/bin/dnsntpctrl
>>>> +
>>>>   	# POLICY CHAIN
>>>>   	iptables -N POLICYIN
>>>>   	iptables -A INPUT -j POLICYIN
>>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>>> index 7c3ef7529..229d122d6 100644
>>>> --- a/src/misc-progs/Makefile
>>>> +++ b/src/misc-progs/Makefile
>>>> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>>>   	wirelessctrl getipstat qosctrl \
>>>>   	redctrl syslogdctrl extrahdctrl sambactrl \
>>>>   	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>>> -	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
>>>> +	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
>>>>   	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
>>>>   	captivectrl
>>>>   diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>>> new file mode 100644
>>>> index 000000000..f2a3b89e3
>>>> --- /dev/null
>>>> +++ b/src/misc-progs/dnsntpctrl.c
>>>> @@ -0,0 +1,19 @@
>>>> +/* This file is part of the IPFire Firewall.
>>>> + *
>>>> + * This program is distributed under the terms of the GNU General Public
>>>> + * Licence.  See the file COPYING for details.
>>>> + *
>>>> + */
>>>> +
>>>> +#include <stdlib.h>
>>>> +#include "setuid.h"
>>>> +
>>>> +int main(void)
>>>> +{
>>>> +	if (!(initsetuid()))
>>>> +		exit(1);
>>>> +
>>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>>> +
>>>> +	return 0;
>>>> +}
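Scenario B from the message above (clients are handed resolvers other than IPFire, so REDIRECT cannot work) is the egress-filtering case Michael describes: allow DNS only to an explicit list of resolvers and block the rest. The script below is an added example written for this page; it is not code from the patch or from the IPFire tree. The chain name `DNS_EGRESS`, the interface `green0` and the resolver addresses `192.0.2.53` / `192.0.2.54` are constructed placeholders. `IPTABLES` defaults to a dry run that prints the commands so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the patch or the IPFire tree): "scenario B" egress
# filtering for DNS. Instead of redirecting, DNS is permitted only to an
# explicit list of resolvers; everything else on port 53 is logged and
# rejected. IPTABLES defaults to a dry run that prints the commands; run with
# IPTABLES=iptables as root to apply them for real.

IPTABLES="${IPTABLES:-echo iptables}"
CHAIN="${CHAIN:-DNS_EGRESS}"      # hypothetical chain name, an assumption

# Emit the rules for one interface.
# $1 = inbound interface (e.g. green0); remaining args = permitted resolvers.
dns_egress_rules() {
    iface="$1"; shift
    if [ $# -eq 0 ]; then
        echo "dns_egress_rules: no resolvers given for $iface" >&2
        return 1
    fi

    # Well-behaving traffic: DNS to a permitted resolver leaves the chain.
    for srv in "$@"; do
        for proto in udp tcp; do
            $IPTABLES -A "$CHAIN" -i "$iface" -d "$srv" -p "$proto" --dport domain -j RETURN
        done
    done

    # Everything else on port 53 is logged (rate limited so a misconfigured
    # client cannot flood the log) and rejected, so the client fails fast
    # instead of waiting for a timeout.
    for proto in udp tcp; do
        $IPTABLES -A "$CHAIN" -i "$iface" -p "$proto" --dport domain \
            -m limit --limit 10/min -j LOG --log-prefix "DNS_EGRESS_BLOCK: "
        $IPTABLES -A "$CHAIN" -i "$iface" -p "$proto" --dport domain -j REJECT
    done
}

# Create the chain, hook it into FORWARD for new connections (the same
# conntrack pattern the firewall init script uses), and populate it.
# Usage: dns_egress_setup green0 192.0.2.53 192.0.2.54
dns_egress_setup() {
    $IPTABLES -N "$CHAIN"
    $IPTABLES -A FORWARD -m conntrack --ctstate NEW -j "$CHAIN"
    dns_egress_rules "$@"
}

# Constructed sample invocation (placeholder interface and resolver addresses).
dns_egress_setup green0 192.0.2.53 192.0.2.54
```

The chain sits in FORWARD, so it only covers traffic that is routed through IPFire, exactly like the REDIRECT chain in the patch; queries to a resolver on the same local segment never pass the firewall, and queries answered by IPFire itself arrive in INPUT, where the existing rules already apply. Adding the IPFire zone address to the permitted list keeps scenario A working alongside scenario B.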
  
Bernhard Bitsch June 10, 2021, 11:01 a.m. UTC | #6
Hello,

agreed ;).
My thoughts were somehow too theoretical.

On 10.06.2021 at 11:21, Michael Tremer wrote:
> Hello,
> 
> I understand the thought, but I consider this a different problem.
> 
> There are two scenarios:
> 
> A) IPFire is the DNS server for the network. The new rules can then be enabled and will force any DNS query being responded to by IPFire.
> 
> B) The user is using different DNS servers in their DHCP configuration. In that case, we cannot redirect at all, because that only works for one destination and not multiple (at least not with iptables rules).
> 
> But in B), you can create simple firewall rules and block DNS with an exception of those DNS servers that you want to allow.
> 

Thanks for clarifying this.
I suppose to state this in the announcement of the first core update 
containing the forcing functionality:
The 'Forcing DNS/NTP' rules can only handle scenario A. ( Are the 
default entries in DHCP config the IPFire address? )
Scenario B must be handled by extra rules.
This should be found in wiki also, I'm willing to support this.

> I suppose this is always the problem by having these “shortcuts” that make things easy for the user. They do, but only in a very specific scenario. If we would extend this now, it would get more and more complicated and then the whole simplicity of the feature would be thrown out of the window.
> 

Wise words. ;)

-Bernhard

> Also, please don’t use 8.8.8.8 :)
> 
> -Michael
> 
>> On 7 Jun 2021, at 16:31, Bernhard Bitsch <bbitsch@ipfire.org> wrote:
>>
>> Hi,
>>
>> sorry if I made you go crazy. ;)
>>
>> My comment aimed to discuss the selection of the correct redirect address. See my further comments below(;)).
>> I fear forcing requests to the right address is a bit more complex than it looked at the first approach.
>>
>> On 06.06.2021 at 19:35, Matthias Fischer wrote:
>>> Hi,
>>> On 06.06.2021 10:59, Bernhard Bitsch wrote:
>>>> Hi,
>>>>
>>>> thanks for implementing this idea.
>>> I tried my best, but when reading further I realized that I've missed
>>> something... See below.
>>> [Sorry for the noise, but I thought it would be the best to keep this
>>> unshortened.]
>>>>> On 04.06.2021 at 14:17, Matthias Fischer wrote:
>>>>> There was not much feedback on the list, so I send this now. This is V4 - open for
>>>>> discussion, opinions or (perhaps ;-) ) changes:
>>>>>
>>>>> Originally triggered by:
>>>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>>>
>>>>> Discussion:
>>>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>>>
>>>>> Could fix(?):
>>>>> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
>>>>>
>>>>> Changelog since V3:
>>>>>
>>>>> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>>>>>     values are read from '/var/ipfire/ethernet/settings', thanks
>>>>>     to "someone" for the hint (sorry, I didn't find the author)! ;-)
>>>>>
>>>>> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
>>>>>
>>>>> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>>>>>     handled through RETURN rules, others through REDIRECT.
>>>>>
>>>>> Background (cited from BB, 06.03.2021):
>>>>> "Concerning performance, we want to minimize the rule set to the amount
>>>>> really necessary. On the other hand, it may be quicker to do just
>>>>> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
>>>>> to IPFire) should be nearly 100%. DNS and NTP servers are published
>>>>> by DHCP or should be configured in the static case."
>>>>>
>>>>
>>>> Sorry, I did not realize that this 'well-behaving' must be defined more
>>>> exactly. See beyond.
>>> Yep. No problem. Now I know what you meant.
>>> And again, "see beyond"... ;-)
>> Further comments follow below ;-)
>>>>> I made it that way. Statistics during the last 62 days show that this
>>>>> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
>>>>> everyone could take a look.
>>>>>
>>>>
>>>> That's my experience with the rules located in firewall.local, too.
>>>>
>>>>> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
>>>>>
>>>>> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
>>>>> '# WIRELESS chains'
>>>>>
>>>>> Summary and functionality:
>>>>>     These patches are controlled through "Firewall Options". They add new
>>>>>     firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>>>>     They activate/deactivate appropriate RETURN and REDIRECT rules through
>>>>>     a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>>>>>     ('/etc/rc.d/init.d/dnsntp').
>>>>>
>>>>>     Default of all new rules is OFF (set in 'lfs/configroot').
>>>>>     If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>>>>     servers specified in IPFire.
>>>>>
>>>>>     Flaw/ToDo:
>>>>>     To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>>>>     init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>>>>>     In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>>>>     capabilities, perhaps "someone" else knows how to program this.
>>>>>
>>>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>>>>     The corresponding interface options - including 'Masquerade ...' - are only visible if
>>>>>     the respective interface actually exists.
>>>>>     E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>>>>>     for 'DNS/NTP on BLUE' or logging options for BLUE available.
>>>>>     Added text colors for better readability.
>>>>>     Separated logging options per interface.
>>>>>
>>>>> No reboot required:
>>>>>     Rules can be switched ON/OFF without rebooting IPFire.
>>>>>     Changes immediately take effect after clicking 'Save'.
>>>>>
>>>>> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
>>>>>     Fixed a 'trafic' typo.
>>>>>     To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
>>>>>     chain: 'DNS_NTP_REDIRECT'.
>>>>>     This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
>>>>>
>> [cutting off parts of the main patch for discussion]
>>>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>>>> new file mode 100644
>>>>> index 000000000..54fdfc685
>>>>> --- /dev/null
>>>>> +++ b/src/initscripts/system/dnsntp
>>>>> @@ -0,0 +1,43 @@
>>>>> +#!/bin/sh
>>>>> +########################################################################
>>>>> +# Begin $rc_base/init.d/dnsntp
>>>>> +#
>>>>> +# Description : dnsntp init script for DNS/NTP rules only
>>>>> +#
>>>>> +########################################################################
>>>>> +
>>>>> +# flush chain
>>>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>>>> +
>>>>> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>>>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>>>> +
>>>>
>>>> The 'well-behaving' request destinations should be DNS1_GREEN,
>>>> DNS2_GREEN, DNS1_BLUE, DNS2_BLUE ( stored in /var/ipfire/dhcp/settings
>>>> and set in the dhcp.cgi ).
>>>> If they are defined and distributed by DHCP or set by another mechanism.
>>> Ok, here we are.
>>> Ups!
>>> "DNS1_..." and "DNS2_..." entries. What/where are these? You've got me!
>>
>> I think we have two kinds of DNS/NTP servers to be forced.
>> - IPFire includes these servers, which should be used.
>> - The DHCP server can ( should? ) distribute these addresses. The WUI allows on the other hand the specification of some other addresses, which should be located in the local networks. That is my interpretation of these fields.
>>
>>> But now I'm a bit puzzled. Perhaps I need some hints again.
>>> Because until now I completely ignored DNS1_GREEN, DNS2_... etc. from
>>> DHCP. They existed in my installation(s) - but DHCP didn't play a role
>>> in my considerations. Never. I always used the local IPFire addresses
>>> (GREEN/BLUE). Nothing else. The addresses for "GREEN_ADDRESS" (Ethernet
>>> settings), "DNS1_GREEN" and "NTP1_GREEN" (dhcp settings) were always the
>>> same. Of course, this also applied to BLUE.
>>
>> That's also my config. Therefore I didn't think about this before. ;)
>>
>>> BTW, what would be the sense of distributing different DNS1/DNS2 entries
>>> through DHCP vs. the DOT entries under "domain name system" (e.g.)?
>>
>> DOT under 'domain name system' is a definition for the sources of name information of unbound.
>>
>>> What I don't understand - call it "I'm thick at the moment...":
>>> Through the current GUIs it would be possible to choose and distribute
>>> (e.g.) 8.8.8.8 as "DNS1" or "DNS2" through DHCP, while the "Domain Name
>>> System" page contains totally different (or ISP servers). Are there any
>>> circumstances where this would be useful or needed? And which could
>>> these be?
>>
>> I don't think it is useful/legal to define DNS servers outside the local networks. Defining DNS servers in DHCP other than IPFire makes only sense when these use IPFire.
>>
>>>> Is GREEN_ADDRESS / BLUE_ADDRESS the desired destination otherwise?
>>> Yes. That was my only intention in the first place.
>>> I wanted to keep it simple.
>>> I wanted to make sure that my clients only use the specific *local* DNS
>>> servers running on GREEN / BLUE. And I didn't realize the possibility to
>>> enter completely different servers (through DHCP).
>>> That's why I ignored DHCP and chose the GREEN and BLUE interface
>>> (ethernet) addresses. I never thought of writing other addresses than
>>> the local IPFire GREEN/BLUE addresses in the first required DHCP fields
>>> for GREEN / BLUE. My fault(?). Hm.
>>
>> This was my first thought also.
>>
>>> Regarding 'forcing dns':
>>> You can of course always turn these OFF if they don't correspond with
>>> your wanted installation and use other DNS1 / DNS2 entries. ;-)
>>> Last question(s):
>>> If I got you right it would make more sense or be better to change the
>>> RETURN rules to use the DHCP values from "$DNS1/2_GREEN/BLUE"!?
>>> And what would be the best way to integrate *both* possible DNS entries
>>> in the initscript? Regarding DoT, are these two really needed anymore?
>>> At the moment, I'm using nine through DoT...
>>> First needed change in 'dnsntpctrl' => evaluate DHCP settings. Add:
>>> ...
>>> eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
>>> ...
>>> New:
>>> iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${DNS1_GREEN} -p
>>> udp -m udp --dport domain -j RETURN
>>> And then?
>>> I must think this over... it's been a long week... ;-)
>>> Regards,
>>> Matthias
>>
>> I must think this over, also.
>> Especially about DNS traffic.
>> If I define a configuration with a dedicated DNS server A in my GREEN net, which itself queries the IPFire DNS server, and inform all 'normal' clients in GREEN to use A via DHCP, are these DNS requests received by IPFire? If this isn't possible by design, our first simple implementation of 'forcing' ( redirecting to GREEN_ADDRESS/BLUE_ADDRESS ) is right.
>>
>> Could someone else look at this?
>>
>> Regard,
>> Bernhard
>>
>> [ rest of patch ]
>>>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>>>>> +fi
>>>>> +
>>>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>>>>> +fi
>>>>> +
>>>>
>>>> See above.
>>>>
>>>> Regards,
>>>> Bernhard
>>>>
>>>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
>>>>> +fi
>>>>> +
>>>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
>>>>> +fi
>>>>> +
>>>>> +# End $rc_base/init.d/dnsntp
>>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>>> index 1e558ee86..047946a86 100644
>>>>> --- a/src/initscripts/system/firewall
>>>>> +++ b/src/initscripts/system/firewall
>>>>> @@ -218,7 +218,7 @@ iptables_init() {
>>>>>    	iptables -A INPUT -j LOCATIONBLOCK
>>>>>    	iptables -A FORWARD -j LOCATIONBLOCK
>>>>>    -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>>>    	iptables -N IPSECINPUT
>>>>>    	iptables -N IPSECFORWARD
>>>>>    	iptables -N IPSECOUTPUT
>>>>> @@ -242,6 +242,10 @@ iptables_init() {
>>>>>    	iptables -N WIRELESSFORWARD
>>>>>    	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
>>>>>    +	# Redirecting DNS and NTP requests
>>>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>>>> +
>>>>>    	# OpenVPN
>>>>>    	iptables -N OVPNINPUT
>>>>>    	iptables -A INPUT -j OVPNINPUT
>>>>> @@ -320,6 +324,9 @@ iptables_init() {
>>>>>    	# run captivectrl
>>>>>    	/usr/local/bin/captivectrl
>>>>>    +	# run dnsntpctrl
>>>>> +	/usr/local/bin/dnsntpctrl
>>>>> +
>>>>>    	# POLICY CHAIN
>>>>>    	iptables -N POLICYIN
>>>>>    	iptables -A INPUT -j POLICYIN
>>>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>>>> index 7c3ef7529..229d122d6 100644
>>>>> --- a/src/misc-progs/Makefile
>>>>> +++ b/src/misc-progs/Makefile
>>>>> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>>>>    	wirelessctrl getipstat qosctrl \
>>>>>    	redctrl syslogdctrl extrahdctrl sambactrl \
>>>>>    	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>>>> -	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
>>>>> +	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
>>>>>    	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
>>>>>    	captivectrl
>>>>>    diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>>>> new file mode 100644
>>>>> index 000000000..f2a3b89e3
>>>>> --- /dev/null
>>>>> +++ b/src/misc-progs/dnsntpctrl.c
>>>>> @@ -0,0 +1,19 @@
>>>>> +/* This file is part of the IPFire Firewall.
>>>>> + *
>>>>> + * This program is distributed under the terms of the GNU General Public
>>>>> + * Licence.  See the file COPYING for details.
>>>>> + *
>>>>> + */
>>>>> +
>>>>> +#include <stdlib.h>
>>>>> +#include "setuid.h"
>>>>> +
>>>>> +int main(void)
>>>>> +{
>>>>> +	if (!(initsetuid()))
>>>>> +		exit(1);
>>>>> +
>>>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>>>> +
>>>>> +	return 0;
>>>>> +}
>
  
Michael Tremer June 10, 2021, 11:21 a.m. UTC | #7
Hello,

> On 10 Jun 2021, at 12:01, Bernhard Bitsch <bbitsch@ipfire.org> wrote:
> 
> Hello,
> 
> agreed ;).
> My thoughts were somehow too theoretical.
> 
> Am 10.06.2021 um 11:21 schrieb Michael Tremer:
>> Hello,
>> I understand the thought, but I consider this a different problem.
>> There are two scenarios:
>> A) IPFire is the DNS server for the network. The new rules can then be enabled and will force any DNS query being responded to by IPFire.
>> B) The user is using different DNS servers in their DHCP configuration. In that case, we cannot redirect at all, because that only works for one destination and not multiple (at least not with iptables rules).
>> But in B), you can create simple firewall rules and block DNS with an exception of those DNS servers that you want to allow.
> 
> Thanks for clarifying this.
> I propose to state this in the announcement of the first core update containing the forcing functionality:
> The 'Forcing DNS/NTP' rules can only handle scenario A. ( Are the default entries in DHCP config the IPFire address? )
> Scenario B must be handled by extra rules.
> This should be found in wiki also, I'm willing to support this.
> 
>> I suppose this is always the problem by having these “shortcuts” that make things easy for the user. They do, but only in a very specific scenario. If we would extend this now, it would get more and more complicated and then the whole simplicity of the feature would be thrown out of the window.
> 
> Wise words. ;)

I try to say wise things every now and then :)

> 
> -Bernhard
> 
>> Also, please don’t use 8.8.8.8 :)
>> -Michael
>>> On 7 Jun 2021, at 16:31, Bernhard Bitsch <bbitsch@ipfire.org> wrote:
>>> 
>>> Hi,
>>> 
>>> sorry if I made you go crazy. ;)
>>> 
>>> My comment aimed to discuss the selection of the correct redirect address. See my further comments below. ;)
>>> I fear forcing requests to the right address is a bit more complex than it looked at the first approach.
>>> 
>>> Am 06.06.2021 um 19:35 schrieb Matthias Fischer:
>>>> Hi,
>>>> On 06.06.2021 10:59, Bernhard Bitsch wrote:
>>>>> Hi,
>>>>> 
>>>>> thanks for implementing this idea.
>>>> I tried my best, but when reading further I realized that I've missed
>>>> something... See below.
>>>> [Sorry for the noise, but I thought it would be the best to keep this
>>>> unshortened.]
>>>>>> Am 04.06.2021 um 14:17 schrieb Matthias Fischer:
>>>>>> There was not much feedback on the list, so I send this now. This is V4 - open for
>>>>>> discussion, opinions or (perhaps ;-) ) changes:
>>>>>> 
>>>>>> Originally triggered by:
>>>>>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>>>>> 
>>>>>> Discussion:
>>>>>> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
>>>>>> 
>>>>>> Could fix(?):
>>>>>> https://bugzilla.ipfire.org/show_bug.cgi?id=11168
>>>>>> 
>>>>>> Changelog since V3:
>>>>>> 
>>>>>> - Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these
>>>>>>    values are read from '/var/ipfire/ethernet/settings', thanks
>>>>>>    to "someone" for the hint (sorry, I didn't find the author)! ;-)
>>>>>> 
>>>>>> - Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).
>>>>>> 
>>>>>> - As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now
>>>>>>    handled through RETURN rules, others through REDIRECT.
>>>>>> 
>>>>>> Background (cited from BB, 06.03.2021):
>>>>>> "Concerning performance, we want to minimize the rule set to the amount
>>>>>> really necessary. On the other hand, it may be quicker to do just
>>>>>> a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct
>>>>>> to IPFire) should be nearly 100%. DNS and NTP servers are published
>>>>>> by DHCP or should be configured in the static case."
>>>>>> 
>>>>> 
>>>>> Sorry, I did not realize that this 'well-behaving' must be defined more
>>>>> exactly. See beyond.
>>>> Yep. No problem. Now I know what you meant.
>>>> And again, "see beyond"... ;-)
>>> Further comments follow below ;-)
>>>>>> I made it that way. Statistics during the last 62 days show that this
>>>>>> worked as intended. IMHO. I've sent a screenshot to the list (the other day) so
>>>>>> everyone could take a look.
>>>>>> 
>>>>> 
>>>>> That's my experience with the rules located in firewall.local, too.
>>>>> 
>>>>>> - Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.
>>>>>> 
>>>>>> - Moved creation of the iptable rules in '/etc/init.d/firewall' behind
>>>>>> '# WIRELESS chains'
>>>>>> 
>>>>>> Summary and functionality:
>>>>>>    These patches are controlled through "Firewall Options". They add new
>>>>>>    firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
>>>>>>    They activate/deactivate appropriate RETURN and REDIRECT rules through
>>>>>>    a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file
>>>>>>    ('/etc/rc.d/init.d/dnsntp').
>>>>>> 
>>>>>>    Default of all new rules is OFF (set in 'lfs/configroot').
>>>>>>    If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
>>>>>>    servers specified in IPFire.
>>>>>> 
>>>>>>    Flaw/ToDo:
>>>>>>    To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual
>>>>>>    init file, 'dnsntp'. As I see it, this is actually an unnecessary detour.
>>>>>>    In fact I wanted to merge these two files in *one* C file, but this was beyond my
>>>>>>    capabilities, perhaps "someone" else knows how to program this.
>>>>>> 
>>>>>> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
>>>>>>    The corresponding interface options - including 'Masquerade ...' - are only visible if
>>>>>>    the respective interface actually exists.
>>>>>>    E.g.: if BLUE interface doesn't exist, there are no ON/OFF switches
>>>>>>    for 'DNS/NTP on BLUE' or logging options for BLUE available.
>>>>>>    Added text colors for better readability.
>>>>>>    Separated logging options per interface.
>>>>>> 
>>>>>> No reboot required:
>>>>>>    Rules can be switched ON/OFF without rebooting IPFire.
>>>>>>    Changes immediately take effect after clicking 'Save'.
>>>>>> 
>>>>>> Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':
>>>>>>    Fixed a 'trafic' typo.
>>>>>>    To avoid collisions with existing CUSTOM rules, I added a new PREROUTING
>>>>>>    chain: 'DNS_NTP_REDIRECT'.
>>>>>>    This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
>>>>>> 
>>> [cutting off parts of the main patch for discussion]
>>>>>> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
>>>>>> new file mode 100644
>>>>>> index 000000000..54fdfc685
>>>>>> --- /dev/null
>>>>>> +++ b/src/initscripts/system/dnsntp
>>>>>> @@ -0,0 +1,43 @@
>>>>>> +#!/bin/sh
>>>>>> +########################################################################
>>>>>> +# Begin $rc_base/init.d/dnsntp
>>>>>> +#
>>>>>> +# Description : dnsntp init script for DNS/NTP rules only
>>>>>> +#
>>>>>> +########################################################################
>>>>>> +
>>>>>> +# flush chain
>>>>>> +iptables -t nat -F DNS_NTP_REDIRECT
>>>>>> +
>>>>>> +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>>>>>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>>>>> +
>>>>> 
>>>>> The 'well-behaving' request destinations should be DNS1_GREEN,
>>>>> DNS2_GREEN, DNS1_BLUE, DNS2_BLUE ( stored in /var/ipfire/dhcp/settings
>>>>> and set in the dhcp.cgi ).
>>>>> If they are defined and distributed by DHCP or set by another mechanism.
>>>> Ok, here we are.
>>>> Oops!
>>>> "DNS1_..." and "DNS2_..." entries. What/where are these? You've got me!
>>> 
>>> I think we have two kinds of DNS/NTP servers to be forced.
>>> - IPFire includes these servers, which should be used.
>>> - The DHCP server can ( should? ) distribute these addresses. The WUI allows on the other hand the specification of some other addresses, which should be located in the local networks. That is my interpretation of these fields.
>>> 
>>>> But now I'm a bit puzzled. Perhaps I need some hints again.
>>>> Because until now I completely ignored DNS1_GREEN, DNS2_... etc. from
>>>> DHCP. They existed in my installation(s) - but DHCP didn't play a role
>>>> in my considerations. Never. I always used the local IPFire addresses
>>>> (GREEN/BLUE). Nothing else. The addresses for "GREEN_ADDRESS" (Ethernet
>>>> settings), "DNS1_GREEN" and "NTP1_GREEN" (dhcp settings) were always the
>>>> same. Of course, this also applied to BLUE.
>>> 
>>> That's also my config. Therefore I didn't think about this before. ;)
>>> 
>>>> BTW, what would be the sense of distributing different DNS1/DNS2 entries
>>>> through DHCP vs. the DOT entries under "domain name system" (e.g.)?
>>> 
>>> DOT under 'domain name system' is a definition for the sources of name information of unbound.
>>> 
>>>> What I don't understand - call it "I'm thick at the moment...":
>>>> Through the current GUIs it would be possible to choose and distribute
>>>> (e.g.) 8.8.8.8 as "DNS1" or "DNS2" through DHCP, while the "Domain Name
>>>> System" page contains totally different (or ISP servers). Are there any
>>>> circumstances where this would be useful or needed? And which could
>>>> these be?
>>> 
>>> I don't think it is useful/legal to define DNS servers outside the local networks. Defining DNS servers in DHCP other than IPFire makes only sense when these use IPFire.
>>> 
>>>>> Is GREEN_ADDRESS / BLUE_ADDRESS the desired destination otherwise?
>>>> Yes. That was my only intention in the first place.
>>>> I wanted to keep it simple.
>>>> I wanted to make sure that my clients only use the specific *local* DNS
>>>> servers running on GREEN / BLUE. And I didn't realize the possibility to
>>>> enter completely different servers (through DHCP).
>>>> That's why I ignored DHCP and chose the GREEN and BLUE interface
>>>> (ethernet) addresses. I never thought of writing other addresses than
>>>> the local IPFire GREEN/BLUE addresses in the first required DHCP fields
>>>> for GREEN / BLUE. My fault(?). Hm.
>>> 
>>> This was my first thought also.
>>> 
>>>> Regarding 'forcing dns':
>>>> You can of course always turn these OFF if they don't correspond with
>>>> your wanted installation and use other DNS1 / DNS2 entries. ;-)
>>>> Last question(s):
>>>> If I got you right it would make more sense or be better to change the
>>>> RETURN rules to use the DHCP values from "$DNS1/2_GREEN/BLUE"!?
>>>> And what would be the best way to integrate *both* possible DNS entries
>>>> in the initscript? Regarding DoT, are these two really needed anymore?
>>>> At the moment, I'm using nine through DoT...
>>>> First needed change in 'dnsntpctrl' => evaluate DHCP settings. Add:
>>>> ...
>>>> eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
>>>> ...
>>>> New:
>>>> iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${DNS1_GREEN} -p udp -m udp --dport domain -j RETURN
>>>> And then?
>>>> I must think this over... it's been a long week... ;-)
>>>> Regards,
>>>> Matthias
>>> 
>>> I must think this over, also.
>>> Especially about DNS traffic.
>>> If I define a configuration with a dedicated DNS server A in my GREEN net, which itself queries the IPFire DNS server, and inform all 'normal' clients in GREEN to use A via DHCP, are these DNS requests received by IPFire? If this isn't possible by design, our first simple implementation of 'forcing' (redirecting to GREEN_ADDRESS/BLUE_ADDRESS) is right.
>>> 
>>> Could someone else look at this?
>>> 
>>> Regards,
>>> Bernhard
>>> 
>>> [ rest of patch ]
>>>>>> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
>>>>>> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>>>>>> +fi
>>>>>> +
>>>>>> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
>>>>>> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
>>>>>> +fi
>>>>>> +
>>>>> 
>>>>> See above.
>>>>> 
>>>>> Regards,
>>>>> Bernhard
>>>>> 
>>>>>> +# Force NTP REDIRECTs on GREEN (udp, 123)
>>>>>> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
>>>>>> +fi
>>>>>> +
>>>>>> +# Force DNS REDIRECTs on BLUE (udp, 123)
>>>>>> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
>>>>>> +	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
>>>>>> +fi
>>>>>> +
>>>>>> +# End $rc_base/init.d/dnsntp
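Review bot: the tests `if [ "$DNS_FORCE_ON_GREEN" == "on" ]` (and the BLUE and NTP variants) use `==`, a bash extension, while the script is declared `#!/bin/sh`; POSIX `[` only guarantees `=`, so write `[ "$DNS_FORCE_ON_GREEN" = "on" ]`. The comment `# Force DNS REDIRECTs on BLUE (udp, 123)` sits above the NTP_FORCE_ON_BLUE block and should say NTP. Since the only RETURN in each block is `-d ${GREEN_ADDRESS}` / `-d ${BLUE_ADDRESS}`, a client that DHCP points at any other resolver, including the DNS1_GREEN/DNS2_GREEN values discussed in this thread, is silently redirected to the firewall; a comment stating that the feature assumes IPFire itself is the advertised DNS/NTP server would spare the next reader the same confusion. The GREEN and BLUE blocks are copies of one pattern; a function taking device and address would halve the file.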
>>>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>>>> index 1e558ee86..047946a86 100644
>>>>>> --- a/src/initscripts/system/firewall
>>>>>> +++ b/src/initscripts/system/firewall
>>>>>> @@ -218,7 +218,7 @@ iptables_init() {
>>>>>>   	iptables -A INPUT -j LOCATIONBLOCK
>>>>>>   	iptables -A FORWARD -j LOCATIONBLOCK
>>>>>>   -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>>>> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
>>>>>>   	iptables -N IPSECINPUT
>>>>>>   	iptables -N IPSECFORWARD
>>>>>>   	iptables -N IPSECOUTPUT
>>>>>> @@ -242,6 +242,10 @@ iptables_init() {
>>>>>>   	iptables -N WIRELESSFORWARD
>>>>>>   	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
>>>>>>   +	# Redirecting DNS and NTP requests
>>>>>> +	iptables -t nat -N DNS_NTP_REDIRECT
>>>>>> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
>>>>>> +
>>>>>>   	# OpenVPN
>>>>>>   	iptables -N OVPNINPUT
>>>>>>   	iptables -A INPUT -j OVPNINPUT
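Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended with no `-i` restriction, so every packet entering nat PREROUTING from any interface traverses the new chain even when all four force options are off and the chain is empty; the `-i ${GREEN_DEV}` / `-i ${BLUE_DEV}` matches inside the chain keep this correct, but the comment `# Redirecting DNS and NTP requests` should say that the chain stays empty until dnsntpctrl populates it, so nobody looks here for the rules.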
>>>>>> @@ -320,6 +324,9 @@ iptables_init() {
>>>>>>   	# run captivectrl
>>>>>>   	/usr/local/bin/captivectrl
>>>>>>   +	# run dnsntpctrl
>>>>>> +	/usr/local/bin/dnsntpctrl
>>>>>> +
>>>>>>   	# POLICY CHAIN
>>>>>>   	iptables -N POLICYIN
>>>>>>   	iptables -A INPUT -j POLICYIN
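Review bot: this initscript already runs as root, so calling the setuid wrapper `/usr/local/bin/dnsntpctrl` only to have it exec `/etc/rc.d/init.d/dnsntp` is the detour the cover letter itself flags; invoking `/etc/rc.d/init.d/dnsntp` directly here would skip the setuid hop and, because the wrapper discards all output with `>/dev/null 2>&1`, would also keep any iptables error visible in the boot log.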
>>>>>> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
>>>>>> index 7c3ef7529..229d122d6 100644
>>>>>> --- a/src/misc-progs/Makefile
>>>>>> +++ b/src/misc-progs/Makefile
>>>>>> @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
>>>>>>   	wirelessctrl getipstat qosctrl \
>>>>>>   	redctrl syslogdctrl extrahdctrl sambactrl \
>>>>>>   	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
>>>>>> -	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
>>>>>> +	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
>>>>>>   	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
>>>>>>   	captivectrl
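Review bot: adding `dnsntpctrl` to SUID_PROGS makes it a setuid-root binary that any caller able to run it can use to reload the nat rules; that is consistent with `captivectrl` and the other entries on this list, but the program takes no arguments and silences its child, so please note in the C file that it is intentionally argument-free, as the only thing that keeps its attack surface this small.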
>>>>>>   diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
>>>>>> new file mode 100644
>>>>>> index 000000000..f2a3b89e3
>>>>>> --- /dev/null
>>>>>> +++ b/src/misc-progs/dnsntpctrl.c
>>>>>> @@ -0,0 +1,19 @@
>>>>>> +/* This file is part of the IPFire Firewall.
>>>>>> + *
>>>>>> + * This program is distributed under the terms of the GNU General Public
>>>>>> + * Licence.  See the file COPYING for details.
>>>>>> + *
>>>>>> + */
>>>>>> +
>>>>>> +#include <stdlib.h>
>>>>>> +#include "setuid.h"
>>>>>> +
>>>>>> +int main(void)
>>>>>> +{
>>>>>> +	if (!(initsetuid()))
>>>>>> +		exit(1);
>>>>>> +
>>>>>> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
>>>>>> +
>>>>>> +	return 0;
>>>>>> +}
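Review bot: `main` returns 0 regardless of what `safe_system(...)` reports, so the `system("/usr/local/bin/dnsntpctrl ...")` calls in optionsfw.cgi can never learn that loading the rules failed; propagate a failure from `safe_system` (exit non-zero when it is non-zero) instead of the constant. The `>/dev/null 2>&1` inside the command string also hides iptables diagnostics from every caller; leaving stderr alone and letting the caller decide what to do with it would make a broken rule set debuggable.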
  
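A dry-run builder for the DNS_NTP_REDIRECT chain discussed above, added here as an example and not part of the patch or of IPFire: it replaces `eval $(readhash ...)` with a validating parser, emits the RETURN-before-REDIRECT rules once per interface instead of four copied blocks, and prints the commands so the first-match ordering can be checked offline. The settings-directory layout (`ethernet` and `optionsfw` files), the sample values, the `make_sample_settings` helper and the assumption that BLUE_DEV is only set when BLUE is configured are all constructed for this example.

```shell
#!/bin/sh
# Added example, not IPFire code: dry-run builder for the DNS_NTP_REDIRECT
# chain. It prints the iptables commands instead of running them, so the
# first-match ordering (RETURN for the firewall's own address, then the
# catch-all REDIRECT) can be inspected without a live firewall.

# Validating replacement for "eval $(/usr/local/bin/readhash file)": only
# KEY=value lines with an identifier key and a value made of address,
# interface-name or on/off characters are assigned, so a damaged or
# tampered settings file cannot inject shell commands into the script.
load_settings() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *=*) ;; *) continue ;; esac        # comments, blanks
        key=${line%%=*}
        value=${line#*=}
        case "$key" in ''|*[!A-Z0-9_]*) continue ;; esac   # not an identifier
        case "$value" in *[!A-Za-z0-9_.:-]*) continue ;; esac  # metacharacters
        eval "$key=\$value"
    done < "$1"
}

# Rules for one interface in first-match order: a request already sent to
# the firewall itself is RETURNed untouched, anything else on that port is
# REDIRECTed to the same port on the firewall. POSIX "[" compares with "=".
emit_interface_rules() {
    dev=$1 addr=$2 dns=$3 ntp=$4
    if [ "$dns" = "on" ]; then
        for proto in udp tcp; do
            printf 'iptables -t nat -A DNS_NTP_REDIRECT -i %s -d %s -p %s -m %s --dport domain -j RETURN\n' "$dev" "$addr" "$proto" "$proto"
            printf 'iptables -t nat -A DNS_NTP_REDIRECT -i %s -p %s -m %s --dport domain -j REDIRECT\n' "$dev" "$proto" "$proto"
        done
    fi
    if [ "$ntp" = "on" ]; then
        printf 'iptables -t nat -A DNS_NTP_REDIRECT -i %s -d %s -p udp -m udp --dport ntp -j RETURN\n' "$dev" "$addr"
        printf 'iptables -t nat -A DNS_NTP_REDIRECT -i %s -p udp -m udp --dport ntp -j REDIRECT\n' "$dev"
    fi
}

# Print the complete rule set for a directory holding "ethernet" and
# "optionsfw" settings files (constructed layout; IPFire keeps them under
# /var/ipfire). Pipe the output to sh to apply it. Returns 1 and emits
# nothing if the GREEN values are missing, so an empty variable cannot
# produce a truncated iptables command.
build_dns_ntp_rules() {
    GREEN_DEV= GREEN_ADDRESS= BLUE_DEV= BLUE_ADDRESS=
    DNS_FORCE_ON_GREEN=off NTP_FORCE_ON_GREEN=off   # defaults when the
    DNS_FORCE_ON_BLUE=off NTP_FORCE_ON_BLUE=off     # keys are absent
    load_settings "$1/ethernet"
    load_settings "$1/optionsfw"
    if [ -z "$GREEN_DEV" ] || [ -z "$GREEN_ADDRESS" ]; then
        echo "GREEN_DEV or GREEN_ADDRESS missing in $1/ethernet" >&2
        return 1
    fi
    printf 'iptables -t nat -F DNS_NTP_REDIRECT\n'
    emit_interface_rules "$GREEN_DEV" "$GREEN_ADDRESS" "$DNS_FORCE_ON_GREEN" "$NTP_FORCE_ON_GREEN"
    # BLUE_DEV is assumed to be set only when a BLUE interface is configured.
    if [ -n "$BLUE_DEV" ] && [ -n "$BLUE_ADDRESS" ]; then
        emit_interface_rules "$BLUE_DEV" "$BLUE_ADDRESS" "$DNS_FORCE_ON_BLUE" "$NTP_FORCE_ON_BLUE"
    fi
}

# Constructed sample settings in a temporary directory (not real IPFire
# data); the last optionsfw line is deliberately malformed to show that
# load_settings skips it instead of overriding GREEN_ADDRESS.
make_sample_settings() {
    dir=$(mktemp -d)
    cat > "$dir/ethernet" <<'EOF'
GREEN_DEV=green0
GREEN_ADDRESS=192.168.1.1
BLUE_DEV=blue0
BLUE_ADDRESS=192.168.2.1
EOF
    cat > "$dir/optionsfw" <<'EOF'
# firewall options (constructed)
DNS_FORCE_ON_GREEN=on
NTP_FORCE_ON_GREEN=on
DNS_FORCE_ON_BLUE=on
NTP_FORCE_ON_BLUE=off
GREEN_ADDRESS=10.0.0.1 trailing garbage
EOF
    printf '%s\n' "$dir"
}

# Run with "--demo" to print the rule set for the sample settings.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_settings)
    build_dns_ntp_rules "$d"
    rm -rf "$d"
fi
```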

Patch

diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
index d6594b3f8..4bcb94812 100644
--- a/config/rootfiles/common/misc-progs
+++ b/config/rootfiles/common/misc-progs
@@ -5,6 +5,7 @@  usr/local/bin/captivectrl
 usr/local/bin/collectdctrl
 usr/local/bin/ddnsctrl
 usr/local/bin/dhcpctrl
+usr/local/bin/dnsntpctrl
 usr/local/bin/extrahdctrl
 usr/local/bin/fireinfoctrl
 usr/local/bin/firewallctrl
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 321642e82..2059a03b3 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -50,6 +50,7 @@  if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 		$errormessage .= $Lang::tr{'new optionsfw later'};
 		&General::writehash($filename, \%settings);             # Save good settings
 		system("/usr/local/bin/firewallctrl");
+		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
 	}else{
 		if ($settings{'POLICY'} ne ''){
 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
@@ -65,6 +66,7 @@  if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
 		system("/usr/local/bin/firewallctrl");
+		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
 	}
 	&General::readhash($filename, \%settings);             # Load good settings
 }
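Review bot: both the `if` and the `else` branch now end with the identical pair `system("/usr/local/bin/firewallctrl");` / `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");`; hoisting the dnsntpctrl call (together with the existing firewallctrl call) to just after the closing brace of the if/else removes the duplication and leaves one place to check its exit status.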
@@ -140,6 +142,18 @@  $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
 $selected{'MASQUERADE_BLUE'}{'off'} = '';
 $selected{'MASQUERADE_BLUE'}{'on'} = '';
 $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
+$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
 
 &Header::openbox('100%', 'center',);
 print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
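Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"` indexes the hash with the raw setting; on an installation whose optionsfw/settings predates this patch the key is undefined, so neither radio button is preselected and the page shows an empty choice for an option the cover letter says defaults to OFF via lfs/configroot. Default the four values before building `%checked`, e.g. `$settings{'DNS_FORCE_ON_GREEN'} = 'off' unless defined $settings{'DNS_FORCE_ON_GREEN'};`, or add them to the update script.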
@@ -189,13 +203,44 @@  END
 END
 	}
 
-	print <<END
+print <<END;
+	<table width='95%' cellspacing='0'>
+		<tr bgcolor='$color{'color20'}'></tr>
+		<tr>&nbsp;</tr>
+			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
+		</tr>
+		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
+																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
+																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+END
+
+	if (&Header::blue_used()) {
+		print <<END;
+		<table width='95%' cellspacing='0'>
+		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+		<tr>&nbsp;</tr>
+			<tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
+																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
+																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			</td>
+			</tr>
+END
+	}
+
+	print <<END;
 	</table>
 
-	<br>
+	<br />
 
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
+		<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging red'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
 																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
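Review bot: the GREEN header block is malformed HTML: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` puts text directly inside a row, and the following `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` has no enclosing `<tr>` before its `</tr>`; the BLUE block a few lines down shows the intended form, `<tr bgcolor='...'><td colspan='2' align='left'><b>...</b></td></tr>`. The `<table width='95%' cellspacing='0'>` opened for GREEN is never closed when `&Header::blue_used()` is true, because the BLUE branch opens a second `<table>` and the single `</table>` after the branch closes only that one; print `</table>` before the BLUE table. The bare `<tr>` above the BLUE rows and the trailing `</td>` / `</tr>` after the samba row are stray as well.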
@@ -206,21 +251,30 @@  END
 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
+END
+
+	if (&Header::blue_used()) {
+		print <<END;
+	</table>
+
+	<br />
+
+		<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging blue'}</b></td></tr>
+			<tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
+			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br/>
+			</tr>
+END
+	}
+
+	print <<END;
+	</table>
+
+	<br />
 
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
-																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
-																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
 <table width='95%' cellspacing='0'>
 <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
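Review bot: in the BLUE logging block a bare `<tr>` is printed before the DROPWIRELESSINPUT row and a matching `</tr>` after the DROPWIRELESSFORWARD row, wrapping two complete rows inside a third; drop both. The rest of the restructuring holds up: when blue is not used, the RED logging table opened above is closed by the unconditional `</table>` that follows the branch.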
@@ -252,7 +306,7 @@  END
 
 <br />
 <table width='100%' cellspacing='0'>
-<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
 <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
 </form></td></tr>
 </table>
@@ -278,7 +332,7 @@  print <<END;
 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
 END
 	print "</tr></table></form>";
-	print"<br><br>";
+	print"<br /><br />";
 	print <<END;
 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	<table width='100%' border='0'>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 0bc579cd2..51e65b903 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -835,6 +835,8 @@ 
 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
+'dns force on blue' => 'Erzwinge lokale DNS-Server',
+'dns force on green' => 'Erzwinge lokale DNS-Server',
 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
@@ -1101,9 +1103,12 @@ 
 'from email server' => 'Von E-Mail-Server',
 'from email user' => 'Von E-Mail-Benutzer',
 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
-'fw blue' => 'Firewalloptionen für das Blaue Interface',
+'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> Interface',
 'fw default drop' => 'Firewallrichtlinie',
+'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface',
 'fw logging' => 'Firewallprotokollierung',
+'fw logging blue' => 'Firewallprotokollierung (<font color=\'#0000FF\'>BLAU</font>)',
+'fw logging red' => 'Firewallprotokollierung (<font color=\'#993333\'>ROT</font>)',
 'fw settings' => 'Firewalleinstellungen',
 'fw settings color' => 'Farben in Regeltabelle anzeigen',
 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
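Review bot: `'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> Interface'` (and the `fw blue`, `fw logging blue` and `fw logging red` entries) moves presentation markup into the translation strings, so every language file must now carry the same colour codes and the obsolete `<font>` element, and translators have to get the quote escaping right; keep the strings plain and apply the colour in optionsfw.cgi around `$Lang::tr{'fw green'}`.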
@@ -1643,9 +1648,9 @@ 
 'map to guest' => 'Map to Guest',
 'march' => 'März',
 'marked' => 'Markiert',
-'masquerade blue' => 'NAT auf BLAU',
-'masquerade green' => 'NAT auf GRÜN',
-'masquerade orange' => 'NAT auf ORANGE',
+'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
+'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
+'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
 'masquerading' => 'Masquerading/NAT',
 'masquerading disabled' => 'NAT ausgeschaltet',
 'masquerading enabled' => 'NAT eingeschaltet',
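Review bot: The 'masquerade orange' line has `<font color =\'#FF9933\'>` with a space before `=`, unlike the BLUE and GREEN lines above it and the corresponding en.pl entry; it still renders, but please make the three lines consistent. As with the previous hunk, these masquerade label changes are cosmetic and unrelated to DNS/NTP forcing.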
@@ -1813,6 +1818,8 @@ 
 'november' => 'November',
 'ntp common settings' => 'Allgemeine Einstellungen',
 'ntp configuration' => 'Zeitserverkonfiguration',
+'ntp force on blue' => 'Erzwinge lokale NTP-Server',
+'ntp force on green' => 'Erzwinge lokale NTP-Server',
 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
 'ntp server' => 'NTP-Server',
 'ntp sync' => 'Synchronisation',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 1c69b3798..390b2d026 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -858,6 +858,8 @@ 
 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
+'dns force on blue' => 'Force DNS to use local DNS servers',
+'dns force on green' => 'Force DNS to use local DNS servers',
 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
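Review bot: The two new strings are identical, so unless the GUI is meant to show different text on the GREEN and BLUE sections one key would do; if two keys are intended, the wording "Force DNS to use local DNS servers" reads oddly, since it is the clients on the interface that are forced (e.g. "Force clients to use the local DNS server").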
@@ -1128,9 +1130,12 @@ 
 'from email server' => 'From Email server',
 'from email user' => 'From e-mail user',
 'from warn email bad' => 'From e-mail address is not valid',
-'fw blue' => 'Firewall options for BLUE interface',
+'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
 'fw default drop' => 'Firewall policy',
+'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> Interface',
 'fw logging' => 'Firewall logging',
+'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
+'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
 'fw settings' => 'Firewall settings',
 'fw settings color' => 'Show colors in ruletable',
 'fw settings dropdown' => 'Show all networks on rulecreation site',
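Review bot: The rewritten 'fw blue' string changes "interface" to "Interface" (and 'fw green' follows suit), which introduces inconsistent capitalisation compared with the original lower-case form and with 'fw logging'; keep "interface" lower-case. The `<font color>` markup here has the same remarks as for de.pl: unrelated cosmetic change, deprecated tag.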
@@ -1675,9 +1680,9 @@ 
 'map to guest' => 'Map to Guest',
 'march' => 'March',
 'marked' => 'Marked',
-'masquerade blue' => 'Masquerade BLUE',
-'masquerade green' => 'Masquerade GREEN',
-'masquerade orange' => 'Masquerade ORANGE',
+'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
+'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
+'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
 'masquerading' => 'Masquerading',
 'masquerading disabled' => 'Masquerading disabled',
 'masquerading enabled' => 'Masquerading enabled',
@@ -1847,6 +1852,8 @@ 
 'november' => 'November',
 'ntp common settings' => 'Common settings',
 'ntp configuration' => 'NTP Configuration',
+'ntp force on blue' => 'Force NTP to use local NTP servers',
+'ntp force on green' => 'Force NTP to use local NTP servers',
 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
 'ntp server' => 'NTP Server',
 'ntp sync' => 'Synchronization',
diff --git a/lfs/configroot b/lfs/configroot
index c528bd6d9..6cc376ff0 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
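Review bot: This hunk changes the copyright line from "2007-2021" back to "2007-2018", which looks like an accidental regression from rebasing on an older tree rather than an intended change; please drop this hunk.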
@@ -129,6 +129,10 @@  $(TARGET) :
 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
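Review bot: Defaulting all four keys to "off" is the right conservative choice, but lfs/configroot only applies to fresh installations; existing systems will not have `DNS_FORCE_ON_*`/`NTP_FORCE_ON_*` in /var/ipfire/optionsfw/settings unless the update script appends them. The init script treats an unset variable as off (it only acts on the literal "on"), so the firewall side is safe, but the CGI should also cope with an undefined value so the checkboxes show a defined state.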
diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
new file mode 100644
index 000000000..54fdfc685
--- /dev/null
+++ b/src/initscripts/system/dnsntp
@@ -0,0 +1,43 @@ 
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/dnsntp
+#
+# Description : dnsntp init script for DNS/NTP rules only
+#
+########################################################################
+
+# flush chain
+iptables -t nat -F DNS_NTP_REDIRECT
+
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT
+fi
+
+# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT
+fi
+
+# Force NTP REDIRECTs on GREEN (udp, 123)
+if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT
+fi
+
+# Force DNS REDIRECTs on BLUE (udp, 123)
+if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN
+	iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT
+fi
+
+# End $rc_base/init.d/dnsntp
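Review bot: The script is `#!/bin/sh` but uses `==` inside `[ ]`, which is a bash extension; POSIX `test` only defines `=`, so either use `=` or change the shebang to bash. The comment above the last block reads "Force DNS REDIRECTs on BLUE (udp, 123)" but the rules are NTP rules. There is no guard that `${BLUE_DEV}`/`${BLUE_ADDRESS}` are non-empty: on a system without a BLUE interface but with `NTP_FORCE_ON_BLUE=on` (or a stale setting), `-i` would receive an empty argument and iptables would fail; wrapping each block in a check like `[ -n "${BLUE_DEV}" ]` avoids that. The initial `iptables -t nat -F DNS_NTP_REDIRECT` assumes the chain was already created by the firewall init script, so running dnsntp on its own before that fails; a comment stating this dependency, or an `iptables -t nat -N DNS_NTP_REDIRECT 2>/dev/null` before the flush, would make the script self-contained. Finally, only port 53 (udp/tcp) and udp 123 are matched, so clients that use DNS over HTTPS or DNS over TLS are not affected; that is acceptable for this feature, but the option label or documentation should not give the impression that all name resolution is forced through the firewall.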
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 1e558ee86..047946a86 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -218,7 +218,7 @@  iptables_init() {
 	iptables -A INPUT -j LOCATIONBLOCK
 	iptables -A FORWARD -j LOCATIONBLOCK
 
-	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
+	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
 	iptables -N IPSECINPUT
 	iptables -N IPSECFORWARD
 	iptables -N IPSECOUTPUT
@@ -242,6 +242,10 @@  iptables_init() {
 	iptables -N WIRELESSFORWARD
 	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
 
+	# Redirecting DNS and NTP requests
+	iptables -t nat -N DNS_NTP_REDIRECT
+	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
+
 	# OpenVPN
 	iptables -N OVPNINPUT
 	iptables -A INPUT -j OVPNINPUT
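Review bot: The jump from nat PREROUTING into DNS_NTP_REDIRECT is inserted unconditionally, so every incoming packet traverses the (possibly empty) chain even when all four force options are off; the cost is negligible, but a short comment that the chain is populated by /etc/init.d/dnsntp (and that the script relies on the chain existing) would make the coupling between the two files explicit for the next reader.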
@@ -320,6 +324,9 @@  iptables_init() {
 	# run captivectrl
 	/usr/local/bin/captivectrl
 
+	# run dnsntpctrl
+	/usr/local/bin/dnsntpctrl
+
 	# POLICY CHAIN
 	iptables -N POLICYIN
 	iptables -A INPUT -j POLICYIN
diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
index 7c3ef7529..229d122d6 100644
--- a/src/misc-progs/Makefile
+++ b/src/misc-progs/Makefile
@@ -30,7 +30,7 @@  SUID_PROGS = squidctrl sshctrl ipfirereboot \
 	wirelessctrl getipstat qosctrl \
 	redctrl syslogdctrl extrahdctrl sambactrl \
 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
-	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
+	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \
 	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
 	captivectrl
 
diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
new file mode 100644
index 000000000..f2a3b89e3
--- /dev/null
+++ b/src/misc-progs/dnsntpctrl.c
@@ -0,0 +1,19 @@ 
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence.  See the file COPYING for details.
+ *
+ */
+
+#include <stdlib.h>
+#include "setuid.h"
+
+int main(void)
+{
+	if (!(initsetuid()))
+		exit(1);
+
+	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
+
+	return 0;
+}
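Review bot: The return value of `safe_system()` is discarded, so neither the firewall init script nor the CGI that calls dnsntpctrl can tell whether the rules were installed; returning its status (`return safe_system(...);`) costs nothing and is more useful. The redundant parentheses in `if (!(initsetuid()))` can be simplified to `if (!initsetuid())`. On the security side the wrapper is fine: it takes no arguments and runs a fixed absolute path, which is what a setuid-root helper in SUID_PROGS should look like. The header comment lacks the copyright year and author line that the other files in this patch carry.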