
List:       ipfire-development
Subject:    Re: [PATCH] (V3) Forcing DNS/NTP
From:       Jon Murphy <jcmurphy26 () gmail ! com>
Date:       2021-03-29 21:34:26
Message-ID: 00500BDB-1B84-4DAE-B8D1-547700FDB395 () gmail ! com

Hello!  Hope everyone is healthy!

I am just curious if this was approved by the Developers?

Jon

> On Mar 5, 2021, at 1:40 PM, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> 
> Originally triggered by:
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>  
> Current discussion:
> https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888
> 
> Summary and functionality:
> These patches are controlled through "Firewall Options". They add new
> firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'.
> They activate/deactivate appropriate REDIRECT rules through a new ctrl file
> ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp').
> Default of all new rules is OFF (set in 'lfs/configroot').
> If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
> servers specified in IPFire. GUI links to DNS and NTP options were added to make
> this more transparent.
> 
> Flaw/ToDo:
> To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the
> actual init file, 'dnsntp'. This is actually an unnecessary detour.
> In fact I wanted to merge these two files in *one* C file, but this was beyond my
> capabilities, perhaps "someone" else knows how to program this.
> 
> Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:
> The corresponding interface options - including 'Masquerade ...' - are only visible
> if the respective interface actually exists.
> If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE'
> or logging options for BLUE available (e.g.).
> Added text colors for better readability and links to DNS and NTP GUI.
> Separated logging options per interface.
> 
> No reboot required:
> Rules can be switched ON/OFF without rebooting IPFire.
> Changes immediately take effect after clicking 'Save'.
> 
> Changes to '/etc/rc.d/init.d/firewall':
> To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING
> chain: DNS_NTP_REDIRECT.
> This chain is flushed by the init file before the desired settings are applied.
> Corrected a 'trafic' typo.
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> config/rootfiles/common/aarch64/initscripts  |  1 +
> config/rootfiles/common/armv5tel/initscripts |  1 +
> config/rootfiles/common/i586/initscripts     |  1 +
> config/rootfiles/common/misc-progs           |  1 +
> config/rootfiles/common/x86_64/initscripts   |  1 +
> html/cgi-bin/optionsfw.cgi                   | 92 ++++++++++++++++----
> langs/de/cgi-bin/de.pl                       | 15 +++-
> langs/en/cgi-bin/en.pl                       | 15 +++-
> lfs/configroot                               |  4 +
> src/initscripts/system/dnsntp                | 36 ++++++++
> src/initscripts/system/firewall              |  9 +-
> src/misc-progs/Makefile                      |  2 +-
> src/misc-progs/dnsntpctrl.c                  | 19 ++++
> 13 files changed, 168 insertions(+), 29 deletions(-)
> create mode 100644 src/initscripts/system/dnsntp
> create mode 100644 src/misc-progs/dnsntpctrl.c
> 
> diff --git a/config/rootfiles/common/aarch64/initscripts \
> b/config/rootfiles/common/aarch64/initscripts index 800005966..f38a3a294 100644
> --- a/config/rootfiles/common/aarch64/initscripts
> +++ b/config/rootfiles/common/aarch64/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/armv5tel/initscripts \
> b/config/rootfiles/common/armv5tel/initscripts index 800005966..f38a3a294 100644
> --- a/config/rootfiles/common/armv5tel/initscripts
> +++ b/config/rootfiles/common/armv5tel/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/i586/initscripts \
> b/config/rootfiles/common/i586/initscripts index 18c5a897a..a3a2b47f7 100644
> --- a/config/rootfiles/common/i586/initscripts
> +++ b/config/rootfiles/common/i586/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/config/rootfiles/common/misc-progs \
> b/config/rootfiles/common/misc-progs index d6594b3f8..4bcb94812 100644
> --- a/config/rootfiles/common/misc-progs
> +++ b/config/rootfiles/common/misc-progs
> @@ -5,6 +5,7 @@ usr/local/bin/captivectrl
> usr/local/bin/collectdctrl
> usr/local/bin/ddnsctrl
> usr/local/bin/dhcpctrl
> +usr/local/bin/dnsntpctrl
> usr/local/bin/extrahdctrl
> usr/local/bin/fireinfoctrl
> usr/local/bin/firewallctrl
> diff --git a/config/rootfiles/common/x86_64/initscripts \
> b/config/rootfiles/common/x86_64/initscripts index 18c5a897a..a3a2b47f7 100644
> --- a/config/rootfiles/common/x86_64/initscripts
> +++ b/config/rootfiles/common/x86_64/initscripts
> @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd
> etc/rc.d/init.d/console
> etc/rc.d/init.d/dhcp
> etc/rc.d/init.d/dhcrelay
> +etc/rc.d/init.d/dnsntp
> etc/rc.d/init.d/fcron
> etc/rc.d/init.d/fireinfo
> etc/rc.d/init.d/firewall
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index 321642e82..3fc707e8b 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2014-2020  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> 		$errormessage .= $Lang::tr{'new optionsfw later'};
> 		&General::writehash($filename, \%settings);             # Save good settings
> 		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> 	}else{
> 		if ($settings{'POLICY'} ne ''){
> 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
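Review bot: the exit status of `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` is discarded and both stdout and stderr go to /dev/null, so if the REDIRECT rules fail to load (for example because the DNS_NTP_REDIRECT chain does not exist yet) the admin sees a successful save and nothing else. Check the return value and append a message to $errormessage on failure, the way the branch above already does for 'new optionsfw later'.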
> @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
> 		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> 		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
> 		system("/usr/local/bin/firewallctrl");
> +		system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");
> 	}
> 	&General::readhash($filename, \%settings);             # Load good settings
> }
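Review bot: this is the second identical `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");`, one per branch of the save handler, each placed right after the firewallctrl call. Since both branches run firewallctrl and then dnsntpctrl back to back, move the pair into one helper (or let the firewall restart path run the rules) so the two call sites cannot drift apart.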
> @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} \
> = 'selected="sele $selected{'MASQUERADE_BLUE'}{'off'} = '';
> $selected{'MASQUERADE_BLUE'}{'on'} = '';
> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = \
> "checked='checked'"; +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = \
> "checked='checked'"; +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = \
> "checked='checked'"; +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
> +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = \
> "checked='checked'"; 
> &Header::openbox('100%', 'center',);
> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
> @@ -189,13 +203,44 @@ END
> END
> 	}
> 
> -	print <<END
> +print <<END;
> +	<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'></tr>
> +		<tr>&nbsp;</tr>
> +			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
> +		</tr>
> +		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' \
> value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/ +																						<input \
> type='radio' name='DNS_FORCE_ON_GREEN' value='off' \
> $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr> +		<tr><td \
> align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' \
> value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/ +																						<input \
> type='radio' name='NTP_FORCE_ON_GREEN' value='off' \
> $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr> +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +		<table width='95%' cellspacing='0'>
> +		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw \
> blue'}</b></td></tr> +		<tr>&nbsp;</tr>
> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' \
> value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/ +																						<input \
> type='radio' name='DNS_FORCE_ON_BLUE' value='off' \
> $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr> +			<tr><td \
> align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' \
> value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/ +																						<input \
> type='radio' name='NTP_FORCE_ON_BLUE' value='off' \
> $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr> +			<tr><td \
> align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' \
> $checked{'DROPPROXY'}{'on'} />/ +																						<input type='radio' \
> name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> \
> $Lang::tr{'off'}</td></tr> +			<tr><td align='left' width='60%'>$Lang::tr{'drop \
> samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' \
> value='on' $checked{'DROPSAMBA'}{'on'} />/ +																						<input \
> type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> \
> $Lang::tr{'off'}</td></tr> +			</td>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> 	</table>
> 
> -	<br>
> +	<br />
> 
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw \
> logging'}</b></td></tr> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw \
> logging red'}</b></td></tr> <tr><td align='left' width='60%'>$Lang::tr{'drop \
> newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' \
>                 name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
> 																						<input type='radio' name='DROPNEWNOTSYN' value='off' \
> $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr> <tr><td align='left' \
> width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input \
> type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/ @@ -206,21 \
>                 +251,30 @@ END
> 																						<input type='radio' name='DROPOUTGOING' value='off' \
> $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr> <tr><td align='left' \
> width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input \
>                 type='radio' name='DROPPORTSCAN' value='on' \
>                 $checked{'DROPPORTSCAN'}{'on'} />/
> 																						<input type='radio' name='DROPPORTSCAN' value='off' \
>                 $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' \
> value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/ +END
> +
> +	if (&Header::blue_used()) {
> +		print <<END;
> +	</table>
> +
> +	<br />
> +
> +		<table width='95%' cellspacing='0'>
> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw \
> logging blue'}</b></td></tr> +			<tr>
> +			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' \
>                 value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
> 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' \
>                 $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' \
> value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/ +			<tr><td align='left' \
> width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} \
> <input type='radio' name='DROPWIRELESSFORWARD' value='on' \
>                 $checked{'DROPWIRELESSFORWARD'}{'on'} />/
> 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' \
>                 $checked{'DROPWIRELESSFORWARD'}{'off'} /> \
>                 $Lang::tr{'off'}</td></tr>
> -</table>
> -<br/>
> +			</tr>
> +END
> +	}
> +
> +	print <<END;
> +	</table>
> +
> +	<br />
> 
> -<table width='95%' cellspacing='0'>
> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw \
>                 blue'}</b></td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' \
>                 $checked{'DROPPROXY'}{'on'} />/
> -																						<input type='radio' name='DROPPROXY' value='off' \
>                 $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td \
> align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' \
>                 $checked{'DROPSAMBA'}{'on'} />/
> -																						<input type='radio' name='DROPSAMBA' value='off' \
>                 $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
> -</table>
> -<br>
> <table width='95%' cellspacing='0'>
> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw \
> settings'}</b></td></tr> <tr><td align='left' width='60%'>$Lang::tr{'fw settings \
> color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' \
> value='on' $checked{'SHOWCOLORS'}{'on'} />/ @@ -252,7 +306,7 @@ END
> 
> <br />
> <table width='100%' cellspacing='0'>
> -<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> +<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> </form></td></tr>
> </table>
> @@ -278,7 +332,7 @@ print <<END;
> 	    <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input \
> type='hidden' name='defpol' value='1'></td> END
> 	print "</tr></table></form>";
> -	print"<br><br>";
> +	print"<br /><br />";
> 	print <<END;
> 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
> 	<table width='100%' border='0'>
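Review bot: the table markup added for the GREEN and BLUE option blocks is not well-formed. The colored heading row is emitted empty (`<tr bgcolor='$color{'color20'}'></tr>`), the next `<tr>&nbsp;</tr>` places text directly inside a row, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` cell sits outside any `<tr>`. In the BLUE block a second `<table width='95%' cellspacing='0'>` is opened without closing the first, and a bare `<tr>` is opened that is only closed by the trailing `</td></tr>`; the same bare `<tr>` appears in the 'fw logging blue' block. Browsers will mostly repair this, but the GREEN heading loses its background color. Put each heading cell inside its colored row, drop the `&nbsp;` rows, and close every table before the next one is opened.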
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 6a8133807..d6bb234fa 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -836,6 +836,8 @@
> 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist \
> nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene \
> <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />', 'dns \
> error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch \
> des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen \
> Sie Ihre Eingaben!', 'dns error 1' => 'Die IP Adresse vom \
> <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie \
> Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist \
> jedoch gültig.', +'dns force on blue' => 'Erzwinge <a \
> href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf BLAU', +'dns force on green' => \
> 'Erzwinge <a href=\'/cgi-bin/dns.cgi\'>lokale DNS-Server</a> auf GRÜN', 'dns \
> forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', 'dns forwarding \
> dnssec disabled notice' => '(DNSSEC deaktiviert)', 'dns header' => 'DNS Server \
> Adressen zuweisen nur mit DHCP an red0', @@ -1102,9 +1104,12 @@
> 'from email server' => 'Von E-Mail-Server',
> 'from email user' => 'Von E-Mail-Benutzer',
> 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
> -'fw blue' => 'Firewalloptionen für das Blaue Interface',
> +'fw blue' => 'Firewalloptionen für das <font color=\'#0000FF\'>BLAUE</font> \
> Interface', 'fw default drop' => 'Firewallrichtlinie',
> +'fw green' => 'Firewalloptionen für das <font color=\'#339933\'>GRÜNE</font> \
> Interface', 'fw logging' => 'Firewallprotokollierung',
> +'fw logging blue' => 'Firewallprotokollierung (<font \
> color=\'#0000FF\'>BLAU</font>)', +'fw logging red' => 'Firewallprotokollierung \
> (<font color=\'#993333\'>ROT</font>)', 'fw settings' => 'Firewalleinstellungen',
> 'fw settings color' => 'Farben in Regeltabelle anzeigen',
> 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
> @@ -1644,9 +1649,9 @@
> 'map to guest' => 'Map to Guest',
> 'march' => 'März',
> 'marked' => 'Markiert',
> -'masquerade blue' => 'NAT auf BLAU',
> -'masquerade green' => 'NAT auf GRÜN',
> -'masquerade orange' => 'NAT auf ORANGE',
> +'masquerade blue' => 'NAT auf <b><font color=\'#0000FF\'>BLAU</font></b>',
> +'masquerade green' => 'NAT auf <b><font color=\'#339933\'>GRÜN</font></b>',
> +'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',
> 'masquerading' => 'Masquerading/NAT',
> 'masquerading disabled' => 'NAT ausgeschaltet',
> 'masquerading enabled' => 'NAT eingeschaltet',
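Review bot: `'masquerade orange' => 'NAT auf <b><font color =\'#FF9933\'>ORANGE</font></b>',` has a stray space before `=` that the en.pl counterpart does not; harmless to browsers but inconsistent. More generally, the same hex colors are now hard-coded in eight translation strings across two language files, so consider keeping the color markup in the CGI and only the interface name in the language files.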
> @@ -1814,6 +1819,8 @@
> 'november' => 'November',
> 'ntp common settings' => 'Allgemeine Einstellungen',
> 'ntp configuration' => 'Zeitserverkonfiguration',
> +'ntp force on blue' => 'Erzwinge <a href=\'/cgi-bin/time.cgi\'>lokale \
> NTP-Server</a> auf BLAU', +'ntp force on green' => 'Erzwinge <a \
> href=\'/cgi-bin/time.cgi\'>lokale NTP-Server</a> auf GRÜN', 'ntp must be enabled \
> to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert \
> sein.', 'ntp server' => 'NTP-Server',
> 'ntp sync' => 'Synchronisation',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 8f7e0c2cf..474612025 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -859,6 +859,8 @@
> 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not \
> valid, please check your entries!<br />The entered <strong>secondary</strong> DNS \
> server address is valid.', 'dns error 01' => 'The entered IP address of the \
> <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, \
> please check your entries!', 'dns error 1' => 'The IP address of the \
> <strong>secondary</strong> DNS server is not valid, please check your entries!<br \
> />The entered <strong>primary</strong> DNS server address is valid.', +'dns force \
> on blue' => 'Force DNS to use <a href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on \
> BLUE', +'dns force on green' => 'Force DNS to use <a \
> href=\'/cgi-bin/dns.cgi\'>local DNS servers</a> on GREEN', 'dns forward disable \
> dnssec' => 'Disable DNSSEC (dangerous)', 'dns forwarding dnssec disabled notice' => \
> '(DNSSEC disabled)', 'dns header' => 'Assign DNS server addresses only for DHCP on \
> red0', @@ -1128,9 +1130,12 @@
> 'from email server' => 'From Email server',
> 'from email user' => 'From e-mail user',
> 'from warn email bad' => 'From e-mail address is not valid',
> -'fw blue' => 'Firewall options for BLUE interface',
> +'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',
> 'fw default drop' => 'Firewall policy',
> +'fw green' => 'Firewall options for <font color=\'#339933\'>GREEN</font> \
> Interface', 'fw logging' => 'Firewall logging',
> +'fw logging blue' => 'Firewall logging (<font color=\'#0000FF\'>BLUE</font>)',
> +'fw logging red' => 'Firewall logging (<font color=\'#993333\'>RED</font>)',
> 'fw settings' => 'Firewall settings',
> 'fw settings color' => 'Show colors in ruletable',
> 'fw settings dropdown' => 'Show all networks on rulecreation site',
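Review bot: `'fw blue' => 'Firewall options for <font color=\'#0000FF\'>BLUE</font> Interface',` changes the original lowercase "interface" to "Interface", and the new 'fw green' string does the same, while the neighbouring 'fw logging' strings stay lowercase; keep the original casing for consistency.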
> @@ -1672,9 +1677,9 @@
> 'map to guest' => 'Map to Guest',
> 'march' => 'March',
> 'marked' => 'Marked',
> -'masquerade blue' => 'Masquerade BLUE',
> -'masquerade green' => 'Masquerade GREEN',
> -'masquerade orange' => 'Masquerade ORANGE',
> +'masquerade blue' => 'Masquerade <b><font color=\'#0000FF\'>BLUE</font></b>',
> +'masquerade green' => 'Masquerade <b><font color=\'#339933\'>GREEN</font></b>',
> +'masquerade orange' => 'Masquerade <b><font color=\'#FF9933\'>ORANGE</font></b>',
> 'masquerading' => 'Masquerading',
> 'masquerading disabled' => 'Masquerading disabled',
> 'masquerading enabled' => 'Masquerading enabled',
> @@ -1844,6 +1849,8 @@
> 'november' => 'November',
> 'ntp common settings' => 'Common settings',
> 'ntp configuration' => 'NTP Configuration',
> +'ntp force on blue' => 'Force NTP to use <a href=\'/cgi-bin/time.cgi\'>local NTP \
> servers</a> on BLUE', +'ntp force on green' => 'Force NTP to use <a \
> href=\'/cgi-bin/time.cgi\'>local NTP servers</a> on GREEN', 'ntp must be enabled to \
> have clients' => 'NTP must be enabled to have clients.', 'ntp server' => 'NTP \
> Server', 'ntp sync' => 'Synchronization',
> diff --git a/lfs/configroot b/lfs/configroot
> index a3e474d70..622793b35 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -129,6 +129,10 @@ $(TARGET) :
> 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "DNS_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> +	echo  "NTP_FORCE_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
> 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
> 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
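Review bot: the four `DNS_FORCE_ON_*`/`NTP_FORCE_ON_*` defaults are written only here, into the configroot of a fresh install; the diffstat shows no core update script adding them to an existing /var/ipfire/optionsfw/settings. On upgraded systems the keys are therefore absent: the init script's `"$DNS_FORCE_ON_GREEN" == "on"` test correctly leaves the rules off, but in optionsfw.cgi `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}}` is keyed by an undefined value, so neither radio button is selected until the admin saves the page once. Either ship an update step that appends the four lines, or default an undefined value to 'off' in the CGI.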
> diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp
> new file mode 100644
> index 000000000..2eafa9d20
> --- /dev/null
> +++ b/src/initscripts/system/dnsntp
> @@ -0,0 +1,36 @@
> +#!/bin/sh
> +########################################################################
> +# Begin $rc_base/init.d/dnsntp
> +#
> +# Description : dnsntp init script for DNS/NTP rules only
> +#
> +########################################################################
> +
> +# flush chain
> +iptables -t nat -F DNS_NTP_REDIRECT
> +
> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> +
> +# Force DNS REDIRECTs on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j \
> REDIRECT +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 \
> -j REDIRECT +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> +fi
> +
> +# Force NTP REDIRECTs on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j \
> REDIRECT +fi
> +
> +# Force DNS REDIRECTs on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> +	iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j \
> REDIRECT +fi
> +
> +# End $rc_base/init.d/dnsntp
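Review bot: the interfaces are hard-coded as `-i green0` and `-i blue0`, while the firewall init script this plugs into works with the GREEN_DEV setting (see its '-i GREEN_DEV' comment below); read the device names from the same settings so the rules follow the configured NIC. Two smaller points: the script is `#!/bin/sh` but the tests use `==` (`if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then`), which is a bash extension, so use `=`; and the comment above the BLUE NTP block reads `# Force DNS REDIRECTs on BLUE (udp, 123)` although the rule is for NTP. Finally, the commit message says all DNS requests are redirected, but only destination port 53 is matched, so DNS carried on other ports or inside TLS/HTTPS is untouched; state that in the option's help text so admins do not assume it is covered.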
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 65f1c979b..43ae74113 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -169,6 +169,10 @@ iptables_init() {
> 	# Fix for braindead ISPs
> 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> 
> +	# DNS / NTP REDIRECT
> +	iptables -t nat -N DNS_NTP_REDIRECT
> +	iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT
> +
> 	# CUSTOM chains, can be used by the users themselves
> 	iptables -N CUSTOMINPUT
> 	iptables -A INPUT -j CUSTOMINPUT
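Review bot: `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` is appended just before the CUSTOM chains are created in the following context lines, so the new chain is evaluated ahead of any user PREROUTING rules. The commit message gives avoiding collisions with CUSTOM rules as the reason for the separate chain, yet with forcing on, a user's own port 53/123 rules in PREROUTING are never reached. If custom rules should take precedence, add the jump after the custom chains; otherwise document the precedence in the option's description.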
> @@ -281,7 +285,7 @@ iptables_init() {
> 	iptables -A INPUT -j LOCATIONBLOCK
> 	iptables -A FORWARD -j LOCATIONBLOCK
> 
> -	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> +	# traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
> 	iptables -N IPSECINPUT
> 	iptables -N IPSECFORWARD
> 	iptables -N IPSECOUTPUT
> @@ -389,6 +393,9 @@ iptables_init() {
> 	# run captivectrl
> 	/usr/local/bin/captivectrl
> 
> +	# run dnsntpctrl
> +	/usr/local/bin/dnsntpctrl
> +
> 	# POLICY CHAIN
> 	iptables -N POLICYIN
> 	iptables -A INPUT -j POLICYIN
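Review bot: iptables_init already runs as root, so calling the setuid wrapper `/usr/local/bin/dnsntpctrl` here, which in turn runs /etc/rc.d/init.d/dnsntp, is the detour the commit message acknowledges; call `/etc/rc.d/init.d/dnsntp` directly from this init script and keep dnsntpctrl for the CGI only. Note also that dnsntp starts with `iptables -t nat -F DNS_NTP_REDIRECT`, so it depends on the chain created earlier in this function; running it from here is fine, but a manual run of dnsntp before the firewall has started will fail on the flush.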
> diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
> index 7c3ef7529..6f2733ef0 100644
> --- a/src/misc-progs/Makefile
> +++ b/src/misc-progs/Makefile
> @@ -26,7 +26,7 @@ PROGS = iowrap
> SUID_PROGS = squidctrl sshctrl ipfirereboot \
> 	ipsecctrl timectrl dhcpctrl suricatactrl \
> 	rebuildhosts backupctrl collectdctrl \
> -	logwatch wioscan wiohelper openvpnctrl firewallctrl \
> +	logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \
> 	wirelessctrl getipstat qosctrl \
> 	redctrl syslogdctrl extrahdctrl sambactrl \
> 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
> diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c
> new file mode 100644
> index 000000000..f2a3b89e3
> --- /dev/null
> +++ b/src/misc-progs/dnsntpctrl.c
> @@ -0,0 +1,19 @@
> +/* This file is part of the IPFire Firewall.
> + *
> + * This program is distributed under the terms of the GNU General Public
> + * Licence.  See the file COPYING for details.
> + *
> + */
> +
> +#include <stdlib.h>
> +#include "setuid.h"
> +
> +int main(void)
> +{
> +	if (!(initsetuid()))
> +		exit(1);
> +
> +	safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");
> +
> +	return 0;
> +}
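Review bot: the return value of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");` is ignored and `main` always returns 0, so a failed rule load is reported as success to both the CGI and the firewall init; return the command's exit status instead. Since this binary is setuid root (added to SUID_PROGS in the Makefile) and reachable from the web UI, and the script it runs does `eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)`, optionsfw.cgi should validate the four new keys to exactly 'on' or 'off' before writehash; the CGI hunks shown save %settings without an added check for them.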
> -- 
> 2.18.0
> 


