diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files index b03a86ed7..94704cf6c 100644 --- a/config/rootfiles/core/107/filelists/files +++ b/config/rootfiles/core/107/filelists/files @@ -1,5 +1,8 @@ etc/system-release etc/issue +etc/unbound/unbound.conf +etc/rc.d/init.d/unbound +etc/rc.d/init.d/ntp srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/traffic.cgi var/ipfire/langs diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/update.sh index b8987b05c..276dae526 100644 --- a/config/rootfiles/core/107/update.sh +++ b/config/rootfiles/core/107/update.sh @@ -138,6 +138,7 @@ esac tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / # Remove some old files +rm -f /etc/unbound/interfaces.conf # update linker config ldconfig @@ -177,6 +178,9 @@ if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then /etc/init.d/ipsec start fi +# Restart unbound to activate configuration changes +/etc/init.d/unbound restart + # Delete old QoS enabled indicator rm -f /var/ipfire/qos/enable diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 5193dd931..3f724d8f7 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -62,21 +62,15 @@ server: use-caps-for-id: no # Listen on all interfaces + interface-automatic: yes interface: 0.0.0.0 - # Deny access from everywhere - access-control: 0.0.0.0/0 refuse - - # Allow access from localhost - access-control: 127.0.0.0/8 allow + # Allow access from everywhere + access-control: 0.0.0.0/0 allow # Bootstrap root servers root-hints: "/etc/unbound/root.hints" - # IPFire interface configuration - include: "/etc/unbound/interfaces.conf" - interface-automatic: no - # Include DHCP leases include: "/etc/unbound/dhcp-leases.conf" diff --git a/lfs/guardian b/lfs/guardian index c016f0427..d3634195e 100644 --- a/lfs/guardian +++ b/lfs/guardian 
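Review bot: In config/unbound/unbound.conf, `access-control: 0.0.0.0/0 allow` together with `interface-automatic: yes` and `interface: 0.0.0.0` leaves the resolver with no ACL of its own, so recursion for arbitrary clients is prevented only by whatever packet filtering sits in front of port 53. The removed lines refused everything except 127.0.0.0/8 and the GREEN/BLUE networks written to interfaces.conf, and update.sh in this same commit deletes that file and restarts unbound, so upgraded systems lose that layer as soon as the update runs. If the firewall is meant to be the sole control, the comment should say so, e.g. `# Client access is restricted by the firewall rules for port 53, not by unbound`. Otherwise keeping `access-control: 0.0.0.0/0 refuse` with explicit allows for the internal networks preserves defence in depth against the box answering as an open resolver.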
@@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = guardian -PAK_VER = 11 +PAK_VER = 13 DEPS = "perl-inotify2 perl-Net-IP" diff --git a/src/initscripts/init.d/ntp b/src/initscripts/init.d/ntp index d411ba18d..079392790 100644 --- a/src/initscripts/init.d/ntp +++ b/src/initscripts/init.d/ntp @@ -27,6 +27,14 @@ case "$1" in fi if [ -e /var/ipfire/red/active ]; then boot_mesg "" + + host ping.ipfire.org > /dev/null 2>&1 + if [ "${?}" != "0" ]; then + boot_mesg "DNS not work ... init with ntp.ipfire.org at 81.3.27.46 ..." + loadproc /usr/local/bin/settime 81.3.27.46 + boot_mesg "Setting time on boot..." + fi + loadproc /usr/local/bin/settime $(cat /var/ipfire/time/settime.conf) else boot_mesg " ERROR! Not online!" diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index 4e424775e..01a560d40 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -12,6 +12,7 @@ TEST_DOMAIN="ipfire.org" # This domain will never validate TEST_DOMAIN_FAIL="dnssec-failed.org" +INSECURE_ZONES= USE_FORWARDERS=1 # Cache any local zones for 60 seconds 
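Review bot: In src/initscripts/init.d/ntp the fallback `loadproc /usr/local/bin/settime 81.3.27.46` hard-codes the address of ntp.ipfire.org in the init script, so a renumbering of that host silently breaks the bootstrap path and the address can only be changed by shipping a new script. The fallback presumably exists because DNSSEC validation needs a sane clock before names resolve, which means the clock that validation depends on is set from a single source fixed by a literal in code. Consider reading the fallback address from a setting beside /var/ipfire/time/settime.conf and adding a comment that explains why the fallback is needed. The check itself reads more directly as `if ! host ping.ipfire.org > /dev/null 2>&1; then`. The enclosing `case` branch starts and ends outside the hunk.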
@@ -147,37 +148,38 @@ update_hosts() { done < /var/ipfire/main/hosts } -write_interfaces_conf() { - ( - config_header - - # 1.1.1.1 is reserved for unused green - if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then - echo "# allow access from GREEN" - echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow" - fi - - if [ -n "${BLUE_ADDRESS}" ]; then - echo "# allow access from BLUE" - echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow" - fi - ) > /etc/unbound/interfaces.conf -} - write_forward_conf() { ( config_header + local insecure_zones="${INSECURE_ZONES}" + local enabled zone server remark while IFS="," read -r enabled zone server remark; do # Line must be enabled. [ "${enabled}" = "on" ] || continue + # Zones that end with .local are commonly used for internal + # zones and therefore not signed + case "${zone}" in + *.local) + insecure_zones="${insecure_zones} ${zone}" + ;; + esac + echo "forward-zone:" echo " name: ${zone}" echo " forward-addr: ${server}" echo done < /var/ipfire/dnsforward/config + + if [ -n "${insecure_zones}" ]; then + echo "server:" + + for zone in ${insecure_zones}; do + echo " domain-insecure: ${zone}" + done + fi ) > /etc/unbound/forward.conf } @@ -333,7 +335,6 @@ case "$1" in # Update configuration files write_tuning_conf - write_interfaces_conf write_forward_conf boot_mesg "Starting Unbound DNS Proxy..." diff --git a/src/paks/guardian/install.sh b/src/paks/guardian/install.sh new file mode 100644 index 000000000..88caf5387 --- /dev/null +++ b/src/paks/guardian/install.sh 
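Review bot: In write_forward_conf (src/initscripts/init.d/unbound), `for zone in ${insecure_zones}` relies on unquoted expansion, so a zone name from /var/ipfire/dnsforward/config that contains whitespace or glob characters is split or pathname-expanded before it is written as `domain-insecure:`; `${zone}` and `${server}` are likewise echoed into forward.conf without validation. Since `domain-insecure` switches DNSSEC validation off for the named zone, malformed names are worth rejecting before use, e.g. `case "${zone}" in *[!A-Za-z0-9._-]*) continue ;; esac` right after the `enabled` check. The `*.local` pattern is also case-sensitive, so a zone entered as `corp.LOCAL` (constructed example) would be forwarded but still validated. A short comment on `INSECURE_ZONES=` stating that it is a space-separated list of zones exempt from validation would help the next reader.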
@@ -0,0 +1,28 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007-2016 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+extract_files
+/usr/local/bin/update-lang-cache
+restore_backup ${NAME}
+start_service --background ${NAME}
diff --git a/src/paks/guardian/uninstall.sh b/src/paks/guardian/uninstall.sh
new file mode 100644
index 000000000..334a6f0bb
--- /dev/null
+++ b/src/paks/guardian/uninstall.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007-2016 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+stop_service ${NAME}
+make_backup ${NAME}
+remove_files
+/usr/local/bin/update-lang-cache
+exit 0
diff --git a/src/paks/guardian/update.sh b/src/paks/guardian/update.sh
new file mode 100644
index 000000000..4bec42b53
--- /dev/null
+++ b/src/paks/guardian/update.sh
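Review bot: In src/paks/guardian/uninstall.sh the script ends with an unconditional `exit 0` and checks none of the helper calls, so `remove_files` runs even if `make_backup ${NAME}` failed, and the caller is still told the uninstall succeeded. Because update.sh in this commit is uninstall followed by install, a failed backup would presumably lose the guardian configuration on update. `make_backup "${NAME}" || exit 1` before `remove_files` would stop that, assuming the helper in functions.sh returns non-zero on failure (not visible here). `${NAME}` should also be quoted here and in install.sh.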
@@ -0,0 +1,26 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007-2016 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+./uninstall.sh
+./install.sh
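Review bot: In src/paks/guardian/update.sh, `./uninstall.sh` and `./install.sh` are resolved against the current working directory, so the script runs the intended files only when its caller has already changed into the unpacked package directory. Since package scripts presumably run as root, resolving them from the script's own location is safer, e.g. `dir=$(dirname "$0")` followed by `"${dir}/uninstall.sh" && "${dir}/install.sh"`. A one-line comment stating that an update is deliberately an uninstall (with backup) followed by a fresh install would also document the reliance on make_backup/restore_backup.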