From 32d629933257051980054822fc9a92cc5462cfc6 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Tue, 6 Feb 2001 22:27:25 +0000
Subject: modify the firewall to allow any (new) DNS servers through on ifup

---
 sysconfig.txt                       |  2 ++
 sysconfig/network-scripts/ifup      | 17 +++++++++++++++++
 sysconfig/network-scripts/ifup-post | 30 +++++++++++++++++++++---------
 3 files changed, 40 insertions(+), 9 deletions(-)

diff --git a/sysconfig.txt b/sysconfig.txt
index d77206c8..ca46ad02 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -363,6 +363,8 @@ Files in /etc/sysconfig/network-scripts/
     DNS{1,2}=
       provide DNS addresses that are dropped into the resolv.conf
       file if PEERDNS is not set to "no".
+    FIREWALL_MODS=yes|no
+      modify firewall to attempt to allow DNS through. Defaults to 'yes'.
 
   If BOOTPROTO is not "none", then the only other item that must be set
   is the DEVICE item; all the rest will be determined
diff --git a/sysconfig/network-scripts/ifup b/sysconfig/network-scripts/ifup
index e64ba822..b661f5bf 100755
--- a/sysconfig/network-scripts/ifup
+++ b/sysconfig/network-scripts/ifup
@@ -93,6 +93,13 @@ if [ -n "${MACADDR}" ]; then
     ifconfig ${DEVICE} hw ether ${MACADDR}
 fi
 
+# Is there a firewall running, and does it look like one we configured?
+FWACTIVE=
+if [ -f /etc/sysconfig/ipchains -a "ipchains -L input -n 2>&1 | awk 'END { print NR }'" -gt 1 ]; then
+    FWACTIVE=1
+    export FWACTIVE
+fi
+
 if [ -n "${DYNCONFIG}" ]; then
     PUMPARGS=
     DHCPCDARGS=
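Review bot: As rendered here, the new FWACTIVE test wraps the `ipchains -L input -n 2>&1 | awk 'END { print NR }'` pipeline in plain double quotes with no `$(...)` or backticks, so `[` compares a literal string against 1 with `-gt`, reports an integer-expression error, and leaves FWACTIVE unset on every boot; everything this variable gates in ifup and ifup-post would then never run. Unless the command substitution was lost in rendering, the line should be `if [ -f /etc/sysconfig/ipchains ] && [ "$(ipchains -L input -n 2>&1 | awk 'END { print NR }')" -gt 1 ]; then`. Separately, `2>&1` means that when the ipchains binary is missing or the kernel module is not loaded, any multi-line error text is counted as rules and can mark a non-existent firewall as active; counting only stdout (`2>/dev/null`) makes a broken tool read as "no firewall" instead.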
@@ -110,14 +117,24 @@ if [ -n "${DYNCONFIG}" ]; then
     fi
 
     echo -n $"Determining IP information for ${DEVICE}..."
+    # DHCP clients need DNS to be available, and we don't know
+    # what DNS server they're using until they are done.
+    FWHACK=
+    if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
+        ipchains -I input -s 0/0 53 -p udp -j ACCEPT
+        FWHACK=1
+    fi
+
     if [ -x /sbin/pump ] && /sbin/pump ${PUMPARGS} -i ${DEVICE} ; then
         echo $" done."
     elif [ -x /sbin/dhcpcd ] && /sbin/dhcpcd ${DHCPCDARGS} ${DEVICE} ; then
         echo $" done."
     else
         echo $" failed."
+        [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -p udp -j ACCEPT
         exit 1
     fi
+    [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -p udp -j ACCEPT
 else
     if [ -z "${IPADDR}" ]; then
         # enable device without IP, useful for e.g. PPPoE
diff --git a/sysconfig/network-scripts/ifup-post b/sysconfig/network-scripts/ifup-post
index d99b2111..9ea7ffbe 100755
--- a/sysconfig/network-scripts/ifup-post
+++ b/sysconfig/network-scripts/ifup-post
@@ -21,15 +21,6 @@ fi
 
 /etc/sysconfig/network-scripts/ifup-routes ${DEVICE}
 
-# don't set hostname on ppp/slip connections
-if [ "$2" = "boot" -a -n "$NEEDHOSTNAME" -a "${DEVICE}" != lo -a "${DEVICETYPE}" != "ppp" -a "${DEVICETYPE}" != "slip" ]; then
-    IPADDR=`LANG= LC_ALL= ifconfig ${DEVICE} | grep 'inet addr' |
-            awk -F: '{ print $2 } ' | awk '{ print $1 }'`
-    eval `/bin/ipcalc --silent --hostname ${IPADDR}`
-    if [ "$?" = "0" ]; then
-        set_hostname $HOSTNAME
-    fi
-fi
 
 if [ "$PEERDNS" != "no" -o -n "$RESOLV_MODS" -a "$RESOLV_MODS" != "no" ]; then
     [ -n "$MS_DNS1" ] && DNS1=$MS_DNS1
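Review bot: The temporary rule `ipchains -I input -s 0/0 53 -p udp -j ACCEPT` accepts every UDP datagram whose source port is 53, from any host on any interface, for as long as the DHCP client runs; a source port is chosen by the sender, so during that window anything that sets sport 53 walks past the firewall, and since ipchains is stateless the narrowest the hole can be made is the interface being configured plus unprivileged destination ports. The rule is also removed only on the two normal exits, so a `pump`/`dhcpcd` that hangs and is then signalled leaves the hole in the chain permanently, and the rule text is spelled out three times, so the `-I` and its `-D` can drift apart. I would build the rule once, narrow it, and delete it from a trap as well as on the normal paths; the enclosing `if [ -n "${DYNCONFIG}" ]` block begins before and ends after this hunk.

```shell
    echo -n $"Determining IP information for ${DEVICE}..."
    # DHCP clients need DNS to be available, and we don't know
    # what DNS server they're using until they are done.  Source port 53 is
    # attacker-chosen, so keep the hole as narrow as stateless ipchains allows
    # (this interface, replies to unprivileged ports) and never let it outlive
    # the DHCP run, even if we are interrupted.
    FWHACK=
    fw_unhack() {
        [ -n "$FWHACK" ] && ipchains -D $FWRULE
        FWHACK=
    }
    if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
        FWRULE="input -i ${DEVICE} -p udp -s 0/0 53 -d 0/0 1024: -j ACCEPT"
        ipchains -I $FWRULE
        FWHACK=1
        trap 'fw_unhack; exit 1' HUP INT TERM
        trap fw_unhack EXIT
    fi

    # … unchanged: pump / dhcpcd invocation and its "done" branches …
        echo $" failed."
        fw_unhack
        exit 1
    fi
    fw_unhack
```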
@@ -89,6 +80,27 @@ if [ "$PEERDNS" != "no" -o -n "$RESOLV_MODS" -a "$RESOLV_MODS" != "no" ]; then
     fi
 fi
 
+if [ "$FIREWALL_MODS" != "no" -a -n "$FWACTIVE" ]; then
+    ns=`awk '/^nameserver / { print $2 }' /etc/resolv.conf`
+    if [ -n "$ns" ]; then
+        for nameserver in $ns ; do
+            if ! ipchains -L input -n | grep -q $nameserver ; then
+                ipchains -I input -s $nameserver/32 53 -p udp -j ACCEPT
+            fi
+        done
+    fi
+fi
+
+# don't set hostname on ppp/slip connections
+if [ "$2" = "boot" -a -n "$NEEDHOSTNAME" -a "${DEVICE}" != lo -a "${DEVICETYPE}" != "ppp" -a "${DEVICETYPE}" != "slip" ]; then
+    IPADDR=`LANG= LC_ALL= ifconfig ${DEVICE} | grep 'inet addr' |
+            awk -F: '{ print $2 } ' | awk '{ print $1 }'`
+    eval `/bin/ipcalc --silent --hostname ${IPADDR}`
+    if [ "$?" = "0" ]; then
+        set_hostname $HOSTNAME
+    fi
+fi
+
 # Notify programs that have requested notification
 do_netreport
 
-- 
cgit v1.2.1
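Review bot: The presence check `grep -q $nameserver` treats the dotted address as a regular expression and matches it anywhere in the `ipchains -L` listing, so an existing rule for 10.0.0.10 or 110.0.0.1, or the address appearing in a destination column, satisfies the test for 10.0.0.1 and the accept rule for the real nameserver is silently never added; make it a fixed, whole-word match, `if ! ipchains -L input -n | grep -qwF -- "$nameserver" ; then`. The rules this loop inserts are also permanent — nothing in this hunk removes them when the interface goes down or when resolv.conf later points elsewhere — so the input chain accumulates one source-port-53 hole per nameserver ever seen; a comment stating that, or a matching `-D` in ifdown-post, would stop the next reader from assuming they are transient like the one in ifup. Since `$nameserver` comes straight from /etc/resolv.conf and `/32` is appended blindly, a non-IPv4 entry such as `::1` is handed to ipchains as-is; it will presumably just fail, but a `case` filter for a dotted quad before the insert would make that explicit rather than incidental.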