Last night I ran into a problem where one of my MacBooks could not obtain
an IP address from the DHCP server... it would use a self-assigned IP address.
After some investigation I stumbled upon the reason, which prompts me to
write here.

The laptop in question must at some time have attempted to log in to the
astlinux admin console with the wrong password a number of times, and
adaptive-ban triggered. I deliberately reproduced this today...

Sep 15 12:34:03 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
Sep 15 12:34:07 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
Sep 15 12:34:25 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
Sep 15 12:34:27 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
Sep 15 12:34:30 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
Sep 15 12:34:31 pbx user.info firewall: adaptive-ban: Banned IPv4 Host: 192.168.17.171 Filter Type: lighttpd

Then in the status page I see the following. Note the whitelist as well as
the banned host.

Banned Hosts:
==============================
192.168.17.171
------------------------------
Whitelisted Hosts:
==============================
192.168.17.0/24
------------------------------

Now if the MacBook has already got an IP address and just "renews" the IP,
then everything is fine...

Sep 15 12:35:10 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 12:35:10 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13
Sep 15 12:35:56 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 12:35:56 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13

However, if the MacBook has not already got an IP address (it thinks it is
on a new network, whatever) then rather than requesting renewal of the
current IP, it seeks a new one with a DHCPDISCOVER... and it fails.

Sep 15 09:39:52 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1 SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=62695 SEQ=0
Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:39:59 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:39:59 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:40:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:40:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:40:16 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:40:16 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:40:27 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:40:27 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:40:33 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:40:33 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:40:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:40:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:40:50 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:40:50 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:41:58 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1 SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28247 SEQ=0
Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:42:02 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:42:02 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:42:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:42:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:42:15 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:42:15 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:42:24 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:42:24 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:42:30 pbx user.info firewall: ** Restarting Arno's Iptables Firewall v2.0.1d **
Sep 15 09:42:32 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1 SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28189 SEQ=0
Sep 15 09:42:35 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:42:35 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37

However, if I configure the MacBook to use a manual IP address but with
DHCP to discover the gateway, DNS, etc., then it works...

Sep 14 23:09:21 pbx daemon.info dnsmasq-dhcp[8578]: DHCPINFORM(br1) 192.168.17.30 70:56:81:ba:5f:37
Sep 14 23:09:21 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.30 70:56:81:ba:5f:37
Sep 14 23:09:45 pbx daemon.info dnsmasq-dhcp[8578]: DHCPINFORM(br1) 192.168.17.30 70:56:81:ba:5f:37
Sep 14 23:09:45 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.30 70:56:81:ba:5f:37

If I remove 192.168.17.171 from the banned hosts list and restart the
firewall, then it works.

Sep 15 09:42:41 pbx user.info firewall: ** All firewall rules applied **
Sep 15 09:42:41 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:42:41 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:42:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:42:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13

Any suggestions what is going on and why the whitelist is not working?

Thanks
David
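
An added example, not part of the original post or of AstLinux: a log check for the two symptoms reported above, a banned host that sits inside a whitelisted network and a DHCP client that keeps receiving DHCPOFFER for a banned address without ever reaching DHCPACK. The sample log is constructed in the format quoted in the post (lines unwrapped), and the function names and the three-offer threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample in the syslog format quoted in the post (lines unwrapped).
SAMPLE_LOG = """\
Sep 15 09:30:02 pbx user.info firewall: adaptive-ban: Banned IPv4 Host: 192.168.17.171 Filter Type: lighttpd
Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:39:59 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:39:59 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:40:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
Sep 15 09:40:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
Sep 15 09:41:10 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1) 192.168.17.30 00:11:22:33:44:55
Sep 15 09:41:10 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.30 00:11:22:33:44:55 laptop2
"""
WHITELIST = ["192.168.17.0/24"]  # as shown on the status page in the post

BAN_RE = re.compile(r"adaptive-ban: Banned IPv4 Host: (\S+)")
DHCP_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (DHCP[A-Z]+)\(\S+\) (?:(\d+\.\d+\.\d+\.\d+) )?([0-9a-f:]{17})")

def banned_hosts(log):
    """IPv4 addresses that adaptive-ban reported as banned in the log."""
    return {ipaddress.ip_address(m.group(1)) for m in BAN_RE.finditer(log)}

def banned_but_whitelisted(log, whitelist):
    """Banned addresses that fall inside a whitelisted network."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    return sorted(str(ip) for ip in banned_hosts(log) if any(ip in n for n in nets))

def stalled_offers(log, min_offers=3):
    """Return {mac: (ip, offers)} for clients offered a lease repeatedly with no DHCPACK."""
    pending = {}
    for m in DHCP_RE.finditer(log):
        kind, ip, mac = m.groups()
        if kind == "DHCPOFFER":
            pending[mac] = (ip, pending.get(mac, (ip, 0))[1] + 1)
        elif kind == "DHCPACK":
            pending.pop(mac, None)  # handshake completed, reset the counter
    return {mac: v for mac, v in pending.items() if v[1] >= min_offers}

def correlate(log):
    """Stalled DHCP clients whose offered address appears in the ban messages."""
    banned = {str(ip) for ip in banned_hosts(log)}
    return {mac: ip for mac, (ip, _) in stalled_offers(log).items() if ip in banned}

if __name__ == "__main__":
    print("banned inside whitelist:", banned_but_whitelisted(SAMPLE_LOG, WHITELIST))
    print("stalled DHCP on banned address:", correlate(SAMPLE_LOG))
```

The check does not track unban events, so run it over the log window since the last firewall restart.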