From f8aa041f1a957f782c47c441c6b403e65707dd85 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 2 Nov 2016 15:42:40 +0000 Subject: [PATCH 1/9] unbound: Fix for DNS forwarding of .local zones These are traditionally used for Windows domains and should not be used for that. However if they are used like this, DNSSEC validation cannot be used. Signed-off-by: Michael Tremer --- config/rootfiles/core/107/filelists/files | 1 + src/initscripts/init.d/unbound | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files index b03a86ed7..1dc0a350d 100644 --- a/config/rootfiles/core/107/filelists/files +++ b/config/rootfiles/core/107/filelists/files @@ -1,5 +1,6 @@ etc/system-release etc/issue +etc/rc.d/init.d/unbound srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/traffic.cgi var/ipfire/langs diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index 4e424775e..a7952fc1c 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -168,16 +168,34 @@ write_forward_conf() { ( config_header + local insecure_zones + local enabled zone server remark while IFS="," read -r enabled zone server remark; do # Line must be enabled. [ "${enabled}" = "on" ] || continue + # Zones that end with .local are commonly used for internal + # zones and therefore not signed + case "${zone}" in + *.local) + insecure_zones="${insecure_zones} ${zone}" + ;; + esac + echo "forward-zone:" echo " name: ${zone}" echo " forward-addr: ${server}" echo done < /var/ipfire/dnsforward/config + + if [ -n "${insecure_zones}" ]; then + echo "server:" + + for zone in ${insecure_zones}; do + echo " domain-insecure: ${zone}" + done + fi ) > /etc/unbound/forward.conf } From a6dcc5bb77760d887f1bee7271590b78437b85f4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 2 Nov 2016 15:42:40 +0000 Subject: [PATCH 2/9] unbound: Fix for DNS forwarding of .local zones These are traditionally used for Windows domains and should not be used for that. However if they are used like this, DNSSEC validation cannot be used. Signed-off-by: Michael Tremer --- config/rootfiles/core/107/filelists/files | 1 + src/initscripts/init.d/unbound | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files index b03a86ed7..1dc0a350d 100644 --- a/config/rootfiles/core/107/filelists/files +++ b/config/rootfiles/core/107/filelists/files @@ -1,5 +1,6 @@ etc/system-release etc/issue +etc/rc.d/init.d/unbound srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/traffic.cgi var/ipfire/langs diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index 4e424775e..a7952fc1c 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -168,16 +168,34 @@ write_forward_conf() { ( config_header + local insecure_zones + local enabled zone server remark while IFS="," read -r enabled zone server remark; do # Line must be enabled. [ "${enabled}" = "on" ] || continue + # Zones that end with .local are commonly used for internal + # zones and therefore not signed + case "${zone}" in + *.local) + insecure_zones="${insecure_zones} ${zone}" + ;; + esac + echo "forward-zone:" echo " name: ${zone}" echo " forward-addr: ${server}" echo done < /var/ipfire/dnsforward/config + + if [ -n "${insecure_zones}" ]; then + echo "server:" + + for zone in ${insecure_zones}; do + echo " domain-insecure: ${zone}" + done + fi ) > /etc/unbound/forward.conf } From f8571e07beed5b753cf1485d4ace6f09d4ffe882 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Wed, 2 Nov 2016 20:26:58 +0100 Subject: [PATCH 3/9] guardian: add languange cache regeneration at (un)install Signed-off-by: Arne Fitzenreiter --- lfs/guardian | 2 +- src/paks/guardian/install.sh | 28 ++++++++++++++++++++++++++++ src/paks/guardian/uninstall.sh | 28 ++++++++++++++++++++++++++++ src/paks/guardian/update.sh | 26 ++++++++++++++++++++++++++ 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 src/paks/guardian/install.sh create mode 100644 src/paks/guardian/uninstall.sh create mode 100644 src/paks/guardian/update.sh diff --git a/lfs/guardian b/lfs/guardian index c016f0427..448e4c273 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = guardian -PAK_VER = 11 +PAK_VER = 12 DEPS = "perl-inotify2 perl-Net-IP" diff --git a/src/paks/guardian/install.sh b/src/paks/guardian/install.sh new file mode 100644 index 000000000..32c44ff71 --- /dev/null +++ b/src/paks/guardian/install.sh @@ -0,0 +1,28 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007-2016 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +extract_files +update-lang-cache +restore_backup ${NAME} +start_service --background ${NAME} diff --git a/src/paks/guardian/uninstall.sh b/src/paks/guardian/uninstall.sh new file mode 100644 index 000000000..02d4b9802 --- /dev/null +++ b/src/paks/guardian/uninstall.sh @@ -0,0 +1,28 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007-2016 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +stop_service ${NAME} +make_backup ${NAME} +remove_files +update-lang-cache diff --git a/src/paks/guardian/update.sh b/src/paks/guardian/update.sh new file mode 100644 index 000000000..4bec42b53 --- /dev/null +++ b/src/paks/guardian/update.sh @@ -0,0 +1,26 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007-2016 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +./uninstall.sh +./install.sh From 2872f345b07eeef2ab9897ac26f06add6f92101e Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Thu, 3 Nov 2016 06:51:49 +0100 Subject: [PATCH 4/9] guardian: add path to update-lang-cache Signed-off-by: Arne Fitzenreiter --- lfs/guardian | 2 +- src/paks/guardian/install.sh | 2 +- src/paks/guardian/uninstall.sh | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lfs/guardian b/lfs/guardian index 448e4c273..d3634195e 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = guardian -PAK_VER = 12 +PAK_VER = 13 DEPS = "perl-inotify2 perl-Net-IP" diff --git a/src/paks/guardian/install.sh b/src/paks/guardian/install.sh index 32c44ff71..88caf5387 100644 --- a/src/paks/guardian/install.sh +++ b/src/paks/guardian/install.sh @@ -23,6 +23,6 @@ # . /opt/pakfire/lib/functions.sh extract_files -update-lang-cache +/usr/local/bin/update-lang-cache restore_backup ${NAME} start_service --background ${NAME} diff --git a/src/paks/guardian/uninstall.sh b/src/paks/guardian/uninstall.sh index 02d4b9802..334a6f0bb 100644 --- a/src/paks/guardian/uninstall.sh +++ b/src/paks/guardian/uninstall.sh @@ -25,4 +25,5 @@ stop_service ${NAME} make_backup ${NAME} remove_files -update-lang-cache +/usr/local/bin/update-lang-cache +exit 0 From 3ddad158cd5fd4a311812bdcd52a46cbb9ca4866 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 4 Nov 2016 17:00:24 +0000 Subject: [PATCH 5/9] unbound: Allow recursion from everywhere Users use the IPFire DNS service from VPNs and other routed networks. Signed-off-by: Michael Tremer --- config/rootfiles/core/107/update.sh | 1 + config/unbound/unbound.conf | 12 +++--------- src/initscripts/init.d/unbound | 18 ------------------ 3 files changed, 4 insertions(+), 27 deletions(-) diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/update.sh index b8987b05c..dd6b33e2f 100644 --- a/config/rootfiles/core/107/update.sh +++ b/config/rootfiles/core/107/update.sh @@ -138,6 +138,7 @@ esac tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / # Remove some old files +rm -f /etc/unbound/interfaces.conf # update linker config ldconfig diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 5193dd931..a6cdc4d94 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -62,21 +62,15 @@ server: use-caps-for-id: no # Listen on all interfaces + interface-automatic: no interface: 0.0.0.0 - # Deny access from everywhere - access-control: 0.0.0.0/0 refuse - - # Allow access from localhost - access-control: 127.0.0.0/8 allow + # Allow access from everywhere + access-control: 0.0.0.0/0 allow # Bootstrap root servers root-hints: "/etc/unbound/root.hints" - # IPFire interface configuration - include: "/etc/unbound/interfaces.conf" - interface-automatic: no - # Include DHCP leases include: "/etc/unbound/dhcp-leases.conf" diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index a7952fc1c..68c15aa40 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -147,23 +147,6 @@ update_hosts() { done < /var/ipfire/main/hosts } -write_interfaces_conf() { - ( - config_header - - # 1.1.1.1 is reserved for unused green - if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then - echo "# allow access from GREEN" - echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow" - fi - - if [ -n "${BLUE_ADDRESS}" ]; then - echo "# allow access from BLUE" - echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow" - fi - ) > /etc/unbound/interfaces.conf -} - write_forward_conf() { ( config_header @@ -351,7 +334,6 @@ case "$1" in # Update configuration files write_tuning_conf - write_interfaces_conf write_forward_conf boot_mesg "Starting Unbound DNS Proxy..." From 7ebc0a16e23b438fb79e981be0fda612cf17fdcb Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 4 Nov 2016 17:43:05 +0000 Subject: [PATCH 6/9] unbound: Allow list of INSECURE_ZONES being set in sysconfig A list of DNS zones can be given for which DNSSEC validation will be disabled. Signed-off-by: Michael Tremer --- src/initscripts/init.d/unbound | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index 68c15aa40..01a560d40 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -12,6 +12,7 @@ TEST_DOMAIN="ipfire.org" # This domain will never validate TEST_DOMAIN_FAIL="dnssec-failed.org" +INSECURE_ZONES= USE_FORWARDERS=1 # Cache any local zones for 60 seconds @@ -151,7 +152,7 @@ write_forward_conf() { ( config_header - local insecure_zones + local insecure_zones="${INSECURE_ZONES}" local enabled zone server remark while IFS="," read -r enabled zone server remark; do From 08fc1aa43b293dccf211b8f961a6d1b7606ed352 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 4 Nov 2016 17:46:24 +0000 Subject: [PATCH 7/9] core107: Restart unbound to activate configuration changes Signed-off-by: Michael Tremer --- config/rootfiles/core/107/filelists/files | 1 + config/rootfiles/core/107/update.sh | 3 +++ 2 files changed, 4 insertions(+) diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files index 1dc0a350d..226f45b6d 100644 --- a/config/rootfiles/core/107/filelists/files +++ b/config/rootfiles/core/107/filelists/files @@ -1,5 +1,6 @@ etc/system-release etc/issue +etc/unbound/unbound.conf etc/rc.d/init.d/unbound srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/traffic.cgi diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/update.sh index dd6b33e2f..276dae526 100644 --- a/config/rootfiles/core/107/update.sh +++ b/config/rootfiles/core/107/update.sh @@ -178,6 +178,9 @@ if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then /etc/init.d/ipsec start fi +# Restart unbound to activate configuration changes +/etc/init.d/unbound restart + # Delete old QoS enabled indicator rm -f /var/ipfire/qos/enable From d4af85f252c5e1573f548377ea97928adf07c4d0 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 4 Nov 2016 18:23:25 +0000 Subject: [PATCH 8/9] unbound: Send out replies from where they came in Signed-off-by: Michael Tremer --- config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index a6cdc4d94..3f724d8f7 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -62,7 +62,7 @@ server: use-caps-for-id: no # Listen on all interfaces - interface-automatic: no + interface-automatic: yes interface: 0.0.0.0 # Allow access from everywhere From 2d646e983864558cbf50a0e2150b080a70976d8b Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Fri, 4 Nov 2016 19:31:07 +0100 Subject: [PATCH 9/9] ntp: init with hardcoded ip if dns not work DNSSec need the correct time to validate the zones so we need a workaround to init the time without dns. Signed-off-by: Arne Fitzenreiter --- config/rootfiles/core/107/filelists/files | 1 + src/initscripts/init.d/ntp | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files index 226f45b6d..94704cf6c 100644 --- a/config/rootfiles/core/107/filelists/files +++ b/config/rootfiles/core/107/filelists/files @@ -2,6 +2,7 @@ etc/system-release etc/issue etc/unbound/unbound.conf etc/rc.d/init.d/unbound +etc/rc.d/init.d/ntp srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/traffic.cgi var/ipfire/langs diff --git a/src/initscripts/init.d/ntp b/src/initscripts/init.d/ntp index d411ba18d..079392790 100644 --- a/src/initscripts/init.d/ntp +++ b/src/initscripts/init.d/ntp @@ -27,6 +27,14 @@ case "$1" in fi if [ -e /var/ipfire/red/active ]; then boot_mesg "" + + host ping.ipfire.org > /dev/null 2>&1 + if [ "${?}" != "0" ]; then + boot_mesg "DNS not work ... init with ntp.ipfire.org at 81.3.27.46 ..." + loadproc /usr/local/bin/settime 81.3.27.46 + boot_mesg "Setting time on boot..." + fi + loadproc /usr/local/bin/settime $(cat /var/ipfire/time/settime.conf) else boot_mesg " ERROR! Not online!"