authorBill Nottingham <notting@redhat.com>2001-02-06 22:27:25 +0000
committerBill Nottingham <notting@redhat.com>2001-02-06 22:27:25 +0000
commit32d629933257051980054822fc9a92cc5462cfc6 (patch)
treef660d6e62c5ef0ca44fafb538828d8e9d5f15857
parent85814c076ce47f2d7ea16c6d41d3ce51be32206a (diff)
modify the firewall to allow any (new) DNS servers through on ifup
-rw-r--r--sysconfig.txt2
-rwxr-xr-xsysconfig/network-scripts/ifup17
-rwxr-xr-xsysconfig/network-scripts/ifup-post30
3 files changed, 40 insertions, 9 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index d77206c8..ca46ad02 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -363,6 +363,8 @@ Files in /etc/sysconfig/network-scripts/
DNS{1,2}=<ipaddress>
provide DNS addresses that are dropped into the resolv.conf
file if PEERDNS is not set to "no".
+ FIREWALL_MODS=yes|no
+ modify firewall to attempt to allow DNS through. Defaults to 'yes'.
If BOOTPROTO is not "none", then the only other item that
must be set is the DEVICE item; all the rest will be determined
diff --git a/sysconfig/network-scripts/ifup b/sysconfig/network-scripts/ifup
index e64ba822..b661f5bf 100755
--- a/sysconfig/network-scripts/ifup
+++ b/sysconfig/network-scripts/ifup
@@ -93,6 +93,13 @@ if [ -n "${MACADDR}" ]; then
ifconfig ${DEVICE} hw ether ${MACADDR}
fi
+# Is there a firewall running, and does it look like one we configured?
+FWACTIVE=
+if [ -f /etc/sysconfig/ipchains -a "ipchains -L input -n 2>&1 | awk 'END { print NR }'" -gt 1 ]; then
+ FWACTIVE=1
+ export FWACTIVE
+fi
+
if [ -n "${DYNCONFIG}" ]; then
PUMPARGS=
DHCPCDARGS=
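Review bot: As shown here, the FWACTIVE test compares a literal string with `-gt`, because the `ipchains -L input -n ... | awk ...` pipeline is wrapped in plain double quotes rather than a command substitution. `[` then rejects the non-integer operand and the branch is never taken, so FWACTIVE stays empty and none of the DNS rules added elsewhere in this commit are applied. If a substitution was intended, the operand would be `"$(ipchains -L input -n 2>/dev/null | awk 'END { print NR }')" -gt 1`. Sending stderr to /dev/null instead of `2>&1` also keeps a multi-line error message from being counted as an active rule set. A short comment saying why more than one line of output means a configured firewall would help the next reader.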
@@ -110,14 +117,24 @@ if [ -n "${DYNCONFIG}" ]; then
fi
echo -n $"Determining IP information for ${DEVICE}..."
+ # DHCP clients need DNS to be available, and we don't know
+ # what DNS server they're using until they are done.
+ FWHACK=
+ if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
+ ipchains -I input -s 0/0 53 -p udp -j ACCEPT
+ FWHACK=1
+ fi
+
if [ -x /sbin/pump ] && /sbin/pump ${PUMPARGS} -i ${DEVICE} ; then
echo $" done."
elif [ -x /sbin/dhcpcd ] && /sbin/dhcpcd ${DHCPCDARGS} ${DEVICE} ; then
echo $" done."
else
echo $" failed."
+ [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -p udp -j ACCEPT
exit 1
fi
+ [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -p udp -j ACCEPT
else
if [ -z "${IPADDR}" ]; then
# enable device without IP, useful for e.g. PPPoE
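Review bot: The temporary rule `ipchains -I input -s 0/0 53 -p udp -j ACCEPT` accepts UDP from any host to any local port on any interface as long as the source port is 53, and the sender chooses the source port, so the input chain's UDP filtering is effectively open for the duration of the DHCP exchange. It would be tighter to bind the rule to the interface being brought up and to the unprivileged destination ports where resolver replies normally arrive, e.g. `ipchains -I input -i ${DEVICE} -s 0/0 53 -d 0/0 1024:65535 -p udp -j ACCEPT && FWHACK=1`, with both `-D` lines changed to match. Setting FWHACK only when the insert succeeds keeps the later `-D` from removing an identical rule the administrator had already configured. The rule also stays in place if the script is interrupted between the insert and the delete; a `trap` that runs the `-D` would cover that. The enclosing `if [ -n "${DYNCONFIG}" ]` block starts before this hunk and continues past it.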
diff --git a/sysconfig/network-scripts/ifup-post b/sysconfig/network-scripts/ifup-post
index d99b2111..9ea7ffbe 100755
--- a/sysconfig/network-scripts/ifup-post
+++ b/sysconfig/network-scripts/ifup-post
@@ -21,15 +21,6 @@ fi
/etc/sysconfig/network-scripts/ifup-routes ${DEVICE}
-# don't set hostname on ppp/slip connections
-if [ "$2" = "boot" -a -n "$NEEDHOSTNAME" -a "${DEVICE}" != lo -a "${DEVICETYPE}" != "ppp" -a "${DEVICETYPE}" != "slip" ]; then
- IPADDR=`LANG= LC_ALL= ifconfig ${DEVICE} | grep 'inet addr' |
- awk -F: '{ print $2 } ' | awk '{ print $1 }'`
- eval `/bin/ipcalc --silent --hostname ${IPADDR}`
- if [ "$?" = "0" ]; then
- set_hostname $HOSTNAME
- fi
-fi
if [ "$PEERDNS" != "no" -o -n "$RESOLV_MODS" -a "$RESOLV_MODS" != "no" ]; then
[ -n "$MS_DNS1" ] && DNS1=$MS_DNS1
@@ -89,6 +80,27 @@ if [ "$PEERDNS" != "no" -o -n "$RESOLV_MODS" -a "$RESOLV_MODS" != "no" ]; then
fi
fi
+if [ "$FIREWALL_MODS" != "no" -a -n "$FWACTIVE" ]; then
+ ns=`awk '/^nameserver / { print $2 }' /etc/resolv.conf`
+ if [ -n "$ns" ]; then
+ for nameserver in $ns ; do
+ if ! ipchains -L input -n | grep -q $nameserver ; then
+ ipchains -I input -s $nameserver/32 53 -p udp -j ACCEPT
+ fi
+ done
+ fi
+fi
+
+# don't set hostname on ppp/slip connections
+if [ "$2" = "boot" -a -n "$NEEDHOSTNAME" -a "${DEVICE}" != lo -a "${DEVICETYPE}" != "ppp" -a "${DEVICETYPE}" != "slip" ]; then
+ IPADDR=`LANG= LC_ALL= ifconfig ${DEVICE} | grep 'inet addr' |
+ awk -F: '{ print $2 } ' | awk '{ print $1 }'`
+ eval `/bin/ipcalc --silent --hostname ${IPADDR}`
+ if [ "$?" = "0" ]; then
+ set_hostname $HOSTNAME
+ fi
+fi
+
# Notify programs that have requested notification
do_netreport
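Review bot: In the new nameserver loop, `$nameserver` is read from /etc/resolv.conf, which the preceding PEERDNS block appears to fill from peer-supplied values, and it is passed unquoted and unvalidated to both `grep` and `ipchains`. `grep -q $nameserver` is also a regex substring match over the whole listing, so `10.0.0.1` counts as present when any rule mentions `10.0.0.10`, and the ACCEPT is then silently skipped. I would skip anything that is not made of digits and dots, `case "$nameserver" in *[!0-9.]*) continue ;; esac`, and match literally with `grep -qwF -- "$nameserver"`. Nothing in this diff removes these rules again, so they look likely to accumulate as DNS servers change; worth confirming against the ifdown path.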