From patchwork Sun Dec 27 12:30:19 2020
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 3764
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH 1/2] optionsfw.cgi: Forcing DNS and NTP requests to use only local servers on GREEN/BLUE
Date: Sun, 27 Dec 2020 13:30:19 +0100
Message-Id: <20201227123020.4556-1-matthias.fischer@ipfire.org>

Originally triggered by: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512

Current discussion: https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888

Screenshots: => https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888/38

Summary and functionality:

These new firewall options add [DNS/NTP]_FORCED_ON_[INTERFACE] options to '/var/ipfire/optionsfw/settings'. They activate/deactivate appropriate REDIRECT rules in '/etc/rc.d/init.d/firewall'. The default of the new rules is OFF. If set to ON, they try to REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP servers specified in IPFire.

Changed visibility (GUI):

The corresponding interface options are only visible if the respective interface does actually exist. If the BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE' or BLUE logging options available.

No reboot required:

Rules can be switched ON/OFF without rebooting IPFire by choosing a new 'Save And Restart' button. Restarting is done with the help of a new binary: 'optionsfwctrl', which can also be used in a console session to restart/reload all firewall rules. For 'optionsfwctrl.c', see the other patch #2. I used 'unboundctrl.c' as a template.

Changes to '/etc/rc.d/init.d/firewall':

I used REDIRECT rules and placed them just behind the CAPTIVE_PORTAL_CHAIN, as Michael mentioned on the list.
All rules are tested for prior existence to avoid setting multiple REDIRECTs. I used code like 'if ! iptables -t nat -C...' or 'if iptables -t nat -C...' ("Check for the existence of a rule") for these queries. Testing was ok - if just *one* rule is manually deleted, only the *missing* rule will be created through the next 'Save And Restart' - I found no duplicates. ON/OFF switches worked as expected. Testing with DNSSEC was also successful.

Other changes:

Language strings, 'lfs/configroot' and 'update.sh' for the Core update were altered accordingly.

Signed-off-by: Matthias Fischer
---
config/rootfiles/core/154/update.sh | 10 +++
html/cgi-bin/optionsfw.cgi | 101 ++++++++++++++++++++++++----
langs/de/cgi-bin/de.pl | 6 ++
langs/en/cgi-bin/en.pl | 6 ++
lfs/configroot | 4 ++
src/initscripts/system/firewall | 71 +++++++++++++++++++
6 files changed, 184 insertions(+), 14 deletions(-)

diff --git a/config/rootfiles/core/154/update.sh b/config/rootfiles/core/154/update.sh index 37348e0df..62bee565c 100644 --- a/config/rootfiles/core/154/update.sh +++ b/config/rootfiles/core/154/update.sh @@ -31,6 +31,16 @@ for (( i=1; i<=$core; i++ )); do rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire done +# Add default lines for new firewall options +optionsfw_file="/var/ipfire/optionsfw/settings" + + echo "FORCE_DNS_ON_GREEN=off" >> ${optionsfw_file} + echo "FORCE_DNS_ON_BLUE=off" >> ${optionsfw_file} + echo "FORCE_NTP_ON_GREEN=off" >> ${optionsfw_file} + echo "FORCE_NTP_ON_BLUE=off" >> ${optionsfw_file} + +unset optionsfw_file + # Remove files # Stop services diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 47aba59cb..8771a85ba 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi 
@@ -69,6 +69,31 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { &General::readhash($filename, \%settings); # Load good settings } +if ($settings{'ACTION'} eq $Lang::tr{'fw settings save and restart'}) { + if ($settings{'defpol'} ne '1'){ + &General::writehash($filename, \%settings); # Save good settings + system("/usr/local/bin/firewallctrl"); + system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1"); + }else{ + if ($settings{'POLICY'} ne ''){ + $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; + } + if ($settings{'POLICY1'} ne ''){ + $fwdfwsettings{'POLICY1'} = $settings{'POLICY1'}; + } + my $MODE = $fwdfwsettings{'POLICY'}; + my $MODE1 = $fwdfwsettings{'POLICY1'}; + %fwdfwsettings = (); + $fwdfwsettings{'POLICY'} = "$MODE"; + $fwdfwsettings{'POLICY1'} = "$MODE1"; + &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings); + &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); + system("/usr/local/bin/firewallctrl"); + system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1"); + } + &General::readhash($filename, \%settings); # Load good settings +} + &Header::openpage($Lang::tr{'options fw'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); &General::readhash($filename, \%settings); 
@@ -158,6 +183,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele $selected{'MASQUERADE_BLUE'}{'off'} = ''; $selected{'MASQUERADE_BLUE'}{'on'} = ''; $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = ''; +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = ''; +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"; +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = ''; +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = ''; +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'"; +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = ''; +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = ''; +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'"; +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = ''; +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = ''; +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'"; &Header::openbox('100%', 'center',); print "
"; @@ -207,7 +244,38 @@ END END } - print < + +   + $Lang::tr{'fw green'} + + $Lang::tr{'dns force on green'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'ntp force on green'}$Lang::tr{'on'} / + $Lang::tr{'off'} +END + + if (&Header::blue_used()) { + print < + $Lang::tr{'fw blue'} +   + + $Lang::tr{'dns force on blue'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'drop proxy'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'drop samba'}$Lang::tr{'on'} / + $Lang::tr{'off'} + + +END + } + + print <
@@ -224,21 +292,25 @@ END $Lang::tr{'off'} $Lang::tr{'drop portscan'}$Lang::tr{'on'} / $Lang::tr{'off'} -$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / +END + + if (&Header::blue_used()) { + print < + + $Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / $Lang::tr{'off'} -$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / + $Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / $Lang::tr{'off'} - -
+ +END + } + + print < + +
- - - - -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / - $Lang::tr{'off'}
-
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / @@ -323,7 +395,8 @@ END
- + +
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 87181c184..74f8d0f41 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -836,6 +836,8 @@ 'dns error 0' => 'Die IP Adresse vom primären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene sekundären DNS Server Adresse ist jedoch gültig.
', 'dns error 01' => 'Die eingegebene IP Adresse des primären wie auch des sekundären DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', 'dns error 1' => 'Die IP Adresse vom sekundären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene primäre DNS Server Adresse ist jedoch gültig.', +'dns force on blue' => 'Erzwinge lokale DNS-Server auf BLAU', +'dns force on green' => 'Erzwinge lokale DNS-Server auf GRÜN', 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', @@ -1104,12 +1106,14 @@ 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig', 'fw blue' => 'Firewalloptionen für das Blaue Interface', 'fw default drop' => 'Firewallrichtlinie', +'fw green' => 'Firewalloptionen für das Grüne Interface', 'fw logging' => 'Firewallprotokollierung', 'fw settings' => 'Firewalleinstellungen', 'fw settings color' => 'Farben in Regeltabelle anzeigen', 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen', 'fw settings ruletable' => 'Leere Regeltabellen anzeigen', +'fw settings save and restart' => 'Speichern und Neustart', 'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)', 'fwdfw DROP' => 'Verwerfen (DROP)', 'fwdfw MODE1' => 'Alle Pakete verwerfen', @@ -1814,6 +1818,8 @@ 'november' => 'November', 'ntp common settings' => 'Allgemeine Einstellungen', 'ntp configuration' => 'Zeitserverkonfiguration', +'ntp force on blue' => 'Erzwinge lokale NTP-Server auf BLAU', +'ntp force on green' => 'Erzwinge lokale NTP-Server auf GRÜN', 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.', 'ntp server' => 'NTP-Server', 'ntp sync' => 'Synchronisation', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 625c6899f..252af7536 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -859,6 +859,8 @@ 'dns error 0' => 'The IP address of the primary DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid.', 'dns error 01' => 'The entered IP address of the primary and secondary DNS server are not valid, please check your entries!', 'dns error 1' => 'The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary DNS server address is valid.', +'dns force on green' => 'Force DNS to use local DNS servers on GREEN', +'dns force on blue' => 'Force DNS to use local DNS servers on BLUE', 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', 'dns header' => 'Assign DNS server addresses only for DHCP on red0', @@ -1130,12 +1132,14 @@ 'from warn email bad' => 'From e-mail address is not valid', 'fw blue' => 'Firewall options for BLUE interface', 'fw default drop' => 'Firewall policy', +'fw green' => 'Firewall options for GREEN interface', 'fw logging' => 'Firewall logging', 'fw settings' => 'Firewall settings', 'fw settings color' => 'Show colors in ruletable', 'fw settings dropdown' => 'Show all networks on rulecreation site', 'fw settings remark' => 'Show remarks in ruletable', 'fw settings ruletable' => 'Show empty ruletables', +'fw settings save and restart' => 'Save and Restart', 'fwdfw ACCEPT' => 'ACCEPT', 'fwdfw DROP' => 'DROP', 'fwdfw MODE1' => 'Drop all packets', @@ -1844,6 +1848,8 @@ 'november' => 'November', 'ntp common settings' => 'Common settings', 'ntp configuration' => 'NTP Configuration', +'ntp force on green' => 'Force NTP to use local NTP servers on GREEN', +'ntp force on blue' => 'Force NTP to use local NTP servers on BLUE', 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.', 'ntp server' => 'NTP Server', 'ntp sync' => 'Synchronization', diff --git a/lfs/configroot b/lfs/configroot index a37c2c401..2d8a5de46 100644 --- a/lfs/configroot +++ b/lfs/configroot 
@@ -129,6 +129,10 @@ $(TARGET) : echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FORCE_DNS_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FORCE_DNS_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FORCE_NTP_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FORCE_NTP_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 65f1c979b..4e02bd3d9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -246,6 +246,77 @@ iptables_init() { iptables -A ${i} -j CAPTIVE_PORTAL done +# Force DNS REDIRECT on GREEN (udp, tcp, 53) +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT + fi + + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT + fi + +else + + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1 + fi + + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1 + fi +fi + +# Force DNS REDIRECT on BLUE (udp, tcp, 53) +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT + fi + + if ! 
iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT + fi + +else + + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1 + fi + + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1 + fi + +fi + +# Force NTP REDIRECT on GREEN (udp, 123) +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT + fi + +else + + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1 + fi + +fi + +# Force DNS REDIRECT on BLUE (udp, 123) +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then + if ! 
iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT + fi + +else + + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1 + fi + +fi + # Accept everything connected for i in INPUT FORWARD OUTPUT; do iptables -A ${i} -j CONNTRACK
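Review bot: in the update.sh hunk, the default keys written to /var/ipfire/optionsfw/settings (FORCE_DNS_ON_GREEN, FORCE_DNS_ON_BLUE, FORCE_NTP_ON_GREEN, FORCE_NTP_ON_BLUE) do not match the keys the rest of the patch reads: optionsfw.cgi builds its checked hash from DNS_FORCE_ON_GREEN, DNS_FORCE_ON_BLUE, NTP_FORCE_ON_GREEN and NTP_FORCE_ON_BLUE, and the firewall initscript tests "$DNS_FORCE_ON_GREEN" == "on". The four appended lines are therefore never consumed; the keys that are consulted only come into existence once an administrator saves the page, and until then the rules stay off because an empty value is not "on", not because of the written default. Pick one naming scheme (the commit message uses a third, [DNS/NTP]_FORCED_ON_[INTERFACE]) and use it in update.sh, lfs/configroot, the CGI and the initscript.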
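Review bot: in the first optionsfw.cgi hunk, the new 'fw settings save and restart' branch duplicates the entire existing save branch (the defpol test, the POLICY/POLICY1 juggling, writehash and readhash) and differs only in the two system() calls at the end; reduce it to the existing save path plus a flag such as `my $restart = ($settings{'ACTION'} eq $Lang::tr{'fw settings save and restart'});` and run the helper afterwards when the flag is set, so future changes to the save logic are not made twice. Also, `system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1")` discards the exit status, so a failed firewall restart is invisible to the administrator; check the return value and report it through $errormessage. Both firewallctrl and optionsfwctrl restart are invoked back to back; if firewallctrl already re-runs the firewall initscript, the second call is redundant, so document why both are needed.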
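Review bot: in the en.pl hunks the new entries are inserted out of alphabetical order ('dns force on green' before 'dns force on blue', 'ntp force on green' before 'ntp force on blue'), while the de.pl hunks and the surrounding context lines ('dns error 1' < 'dns force ...' < 'dns forward disable dnssec') keep the sorted order; swap the two pairs in en.pl.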
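Review bot: the lfs/configroot hunk has the same key-name mismatch as update.sh: FORCE_DNS_ON_*/FORCE_NTP_ON_* are written here, but the CGI and the initscript read DNS_FORCE_ON_*/NTP_FORCE_ON_*, so fresh installs carry four unused keys and no defaults for the keys actually consulted; align the names with the CGI and initscript.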
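Review bot: in the src/initscripts/system/firewall hunk the commit message says the rules sit "just behind the CAPTIVE_PORTAL_CHAIN", but they are appended to the CUSTOMPREROUTING chain, so their position relative to the captive-portal jump is decided by where PREROUTING jumps to CUSTOMPREROUTING, which this hunk does not show; state the intended ordering, or give the generated rules a chain of their own so they do not intermingle with administrator-managed custom rules. The comment above the last block, `# Force DNS REDIRECT on BLUE (udp, 123)`, describes the NTP rule and should say NTP. The eight near-identical check/add/delete blocks would collapse into one helper taking state, interface, protocol and port, which also removes the risk of the copy-and-paste slips this kind of duplication invites. green0 and blue0 are hard-coded; if the script already has the interface device names in variables, use those. `[ "$DNS_FORCE_ON_GREEN" == "on" ]` relies on the bash extension, `=` is the portable form. A caveat worth adding to the help text: only port 53 is redirected, so a client that speaks DNS over TLS (853) or DNS over HTTPS (443) is not covered by these rules.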
From patchwork Sun Dec 27 12:30:20 2020
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 3765
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH 2/2] New binary: optionsfwctrl - needed for new firewall DNS/NTP options
Date: Sun, 27 Dec 2020 13:30:20 +0100
Message-Id: <20201227123020.4556-2-matthias.fischer@ipfire.org>
In-Reply-To: <20201227123020.4556-1-matthias.fischer@ipfire.org>
References: <20201227123020.4556-1-matthias.fischer@ipfire.org>

Signed-off-by: Matthias Fischer
---
config/rootfiles/common/misc-progs | 1 +
src/misc-progs/Makefile | 2 +-
src/misc-progs/optionsfwctrl.c | 36 ++++++++++++++++++++++++++++++
3 files changed, 38 insertions(+), 1 deletion(-)
create mode 100644 src/misc-progs/optionsfwctrl.c

diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index c48a474b2..9d928ec72 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -18,6 +18,7 @@ usr/local/bin/launch-ether-wake usr/local/bin/logwatch #usr/local/bin/mpfirectrl usr/local/bin/openvpnctrl +usr/local/bin/optionsfwctrl usr/local/bin/pakfire usr/local/bin/qosctrl usr/local/bin/rebuildhosts diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index bea54e773..9d8afcb3f 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -26,7 +26,7 @@ PROGS = iowrap SUID_PROGS = squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl suricatactrl \ applejuicectrl rebuildhosts backupctrl collectdctrl \ - logwatch wioscan wiohelper openvpnctrl firewallctrl \ + logwatch wioscan wiohelper openvpnctrl firewallctrl optionsfwctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ 
diff --git a/src/misc-progs/optionsfwctrl.c b/src/misc-progs/optionsfwctrl.c new file mode 100644 index 000000000..f66b10983 --- /dev/null +++ b/src/misc-progs/optionsfwctrl.c @@ -0,0 +1,36 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include +#include +#include +#include +#include +#include +#include "setuid.h" + +int main(int argc, char *argv[]) { + + if (!(initsetuid())) + exit(1); + + if (argc < 2) { + fprintf(stderr, "\nNo argument given.\n\noptionsfwctrl restart|reload\n\n"); + exit(1); + } + + if (strcmp(argv[1], "restart") == 0) { + safe_system("/etc/rc.d/init.d/firewall restart"); + } else if (strcmp(argv[1], "reload") == 0) { + safe_system("/etc/rc.d/init.d/firewall reload"); + } else { + fprintf(stderr, "\nBad argument given.\n\noptionsfwctrl restart|reload\n\n"); + exit(1); + } + + return 0; +}
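Review bot: in the Makefile hunk, adding optionsfwctrl to SUID_PROGS installs a second setuid-root binary whose only function is to run the firewall initscript with restart or reload, while firewallctrl, already in the same list and already called by the CGI immediately before optionsfwctrl in patch 1, is the existing setuid wrapper for the firewall. Extending firewallctrl with a restart/reload argument keeps the privileged surface smaller than another setuid helper; if a separate binary is really needed, say why in the commit message, which is currently empty apart from the subject.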
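Review bot: in the optionsfwctrl.c hunk, the result of safe_system() is discarded in both branches, so a failing `/etc/rc.d/init.d/firewall restart` still exits 0 and the CGI, which already discards the helper's output, has no way to notice that the new rules were not applied; return the status instead, e.g. `return safe_system("/etc/rc.d/init.d/firewall restart");`, and let the caller report non-zero. The argument handling is sound for a setuid helper: initsetuid() runs first, argc is checked before argv[1] is touched, and argv[1] is only compared against fixed strings, so no user-controlled data reaches the shell. Both restart and reload are accepted, but the CGI only ever calls restart; document when reload is the right choice for the console use the patch 1 message mentions.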