Hello Enrico,
if it's something you really need then you can ask for sponsored
development and we can take care of this.
Or you can open an issue on GitHub and explain what you would like to
have, and when we have time we can check it.
Regards
Fabrice
On 2019-02-28 at 03:20, Enrico Becchetti wrote:
Hello Fabrice,
it's important because the endpoints do not always connect to the
servers that belong to other networks.
Sometimes a notebook and a desktop must reach another endpoint for some
reason.
So to do that it is extremely useful to have a name like
"macbook.wired.local" that can be resolved
from PFDNS. This issue is quite easy and this feature can improve your
product, so I invite the PF team
to think it over.
Thanks again.
Enrico
On 28/02/2019 00:51, Durand fabrice wrote:
Hello Enrico,
maybe a stupid question, but why is it important to be able to resolve
macbook.wired.local?
Technically it could be possible to have this zone managed by pfdns,
but it needs some code to do that.
This is not really complicated to code because we know the
IP; it can be a sort of DB lookup.
Regards
Fabrice
On 2019-02-26 at 11:40, Enrico Becchetti wrote:
On 25/02/2019 21:52, Durand fabrice wrote:
On 2019-02-25 at 15:16, Enrico wrote:
Hello Fabrice,
at last I understood that it can be DHCP that determines the
frequency of endpoint scans.
Anyway, even now I still have an unknown problem, because I wanted
to assign IP addresses for
very long periods of time (6 months and more) in order to create a
sort of static IP.
Keep in mind that at the moment the endpoint is constantly being
scanned, at each
network access, even if the lease time hasn't been exceeded yet.
You can raise the scan violation with a grace period of x weeks.
I also have problems with the resolution of local names when using PFDNS.
From what I can see in the logs, the local host names aren't even
considered and all the requests
are forwarded to the official DNS servers of my network. These
DNS servers fail to resolve
because they don't know anything about the PF-managed local zones.
Can you explain more, I am not sure I understand the issue.
Hi Fabrice, please... if you have other "minutes" for this case...
let me know. Thanks!!!
pfsrv is the PacketFence server, inline mode.
[root@pfsrv logs]# more /etc/NetworkManager/conf.d/99-no-dns.conf
[main]
dns=none
[root@pfsrv logs]# more /etc/resolv.conf
# Generated by NetworkManager
nameserver 193.205.222.2
nameserver 193.205.222.100
profile.conf
...
[PF-CABLED]
locale=
device_registration=default
filter=vlan:25
dot1x_recompute_role_from_portal=0
description=PF-CABLED
scans=OpenVAS
sources=RADIUS-AAI
autoregister=enabled
.....
networks.conf:
[10.25.0.0]
dns=193.205.222.2
split_network=disabled
dhcp_start=10.25.0.10
gateway=10.25.0.1
domain-name=wired.local
nat_enabled=enabled
named=enabled
dhcp_max_lease_time=31536000
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.25.255.246
type=inlinel2
netmask=255.255.0.0
dhcp_default_lease_time=31536000
....
Two nodes are connected in DHCP client mode, so both of them have
PFSRV (10.25.0.1) as gateway and DNS, but nslookup, or ping, from
one to the other
fails. The same behaviour from the PF server:
[root@pfsrv logs]# ping macbook.wired.local
ping: macbook.wired.local: Name or service not known
PFDNS.LOG:
... pfsrv pfdns: 10.25.198.96 - [26/Feb/2019:16:01:57 +0100] "A IN
macbook.wired.local. udp 37 false 512" NXDOMAIN qr,rd,ra 113 9.846755ms
As you can see, hostname resolution from PFSRV reaches my official DNS
server and it fails because the private zone
"wired.local" is managed only by PacketFence.
LOG of Official DNS:
16:19:09.352341 IP pfsrv.pg.infn.it.36289 > dns1.pg.infn.it.domain:
52285+ A? macbook.wired.local. (37)
Other information from the web GUI (node list; the GUI links are dropped):

Status      Online/Offline  MAC Address        Computer Name  Owner                IP Address     Tenant   Device Class        Role
registered  unknown         ac:87:a3:12:81:47  becchetti-nb   becchett             10.25.198.96   default  Operating System    default
registered  unknown         00:16:cb:86:4f:d1  macbook        [email protected]  10.25.223.133  default  Mac OS X or macOS   default
[root@pfsrv conf]# more pfdns.conf
.:54 {
    logger {
        level INFO
        processname pfdns
    }
    [% domain %]
    proxy . /etc/resolv.conf
}
# all other domains are subject to interception
:53 {
    logger {
        level INFO
        processname pfdns
    }
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
    [% domain %]
    [% inline %]
    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}
pf.conf:
[interface eth0.25]
enforcement=inlinel2
ip=10.25.0.1
type=internal
mask=255.255.0.0
Regards
Fabrice
To sum it up, I think I'll have to rethink the whole project, by
using the VLAN enforcement mode
instead of the inline one, and maybe submit it to this mailing list to
check whether it is feasible.
Thanks a lot again.
Best Regards
Enrico
On 25/02/19 18:57, Durand fabrice via PacketFence-users wrote:
Hello Enrico,
the after-registration scan needs to be triggered by something, and in your
case it can be a DHCP packet.
So let's say your lease time is 1 week, then the scan will be
triggered each week.
Or you can add the violation by script:
pfcmd violation add 00:11:22:33:44:55 1100007
Regards
Fabrice
On 2019-02-25 at 09:16, Enrico Becchetti via PacketFence-users
wrote:
Dear All,
I made some tests using OpenVAS and now I would like to ask if
it is possible to configure
the frequency with which the endpoints are checked.
From the web GUI I can only choose when to scan: pre-registration,
during or after registration.
How do I choose how often to run this scan on the same client?
Thanks a lot.
Best regards
Enrico
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
_______________________________________________________________________
Enrico Becchetti Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica 06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchetti<at>pg.infn.it
______________________________________________________________________
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
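The "DB lookup" Fabrice describes and the NXDOMAIN symptom in the pfdns.log excerpt above, as an added example (not PacketFence's own pfdns code): it parses pfdns log lines in the format shown in the thread, flags A queries for the inline zone that came back NXDOMAIN, and shows what a lookup against the node table would answer instead. The zone name and the two nodes come from the thread; the sample log lines are constructed.

```python
import re

# Zone and node table (hostname -> IP) taken from this thread; constructed
# for this example, not read from the PacketFence database.
INLINE_ZONE = "wired.local"
NODES = {"macbook": "10.25.223.133", "becchetti-nb": "10.25.198.96"}

# Matches the pfdns log format shown in the thread, e.g.
# pfdns: 10.25.198.96 - [26/Feb/2019:16:01:57 +0100] "A IN macbook.wired.local. udp 37 false 512" NXDOMAIN ...
LOG_RE = re.compile(
    r'pfdns: (?P<client>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<qtype>\S+) IN (?P<qname>\S+) \S+ \d+ \S+ \d+" (?P<rcode>\S+)'
)


def in_zone(qname, zone=INLINE_ZONE):
    """True when the query name (with or without trailing dot) is inside the zone."""
    return qname.rstrip(".").lower().endswith("." + zone)


def local_answer(qname, nodes=NODES, zone=INLINE_ZONE):
    """Zone-aware lookup: ('A', ip) from the node table, ('NXDOMAIN', None)
    for an unknown name inside the zone, ('FORWARD', None) for anything else
    (hand the query to the upstream resolver from /etc/resolv.conf)."""
    name = qname.rstrip(".").lower()
    if not in_zone(name, zone):
        return ("FORWARD", None)
    host = name[: -(len(zone) + 1)]  # strip ".wired.local"
    ip = nodes.get(host)
    return ("A", ip) if ip else ("NXDOMAIN", None)


def leaked_zone_queries(log_lines, zone=INLINE_ZONE):
    """Detection check: (client, qname) for A queries inside the inline zone
    that pfdns answered NXDOMAIN, i.e. the zone was forwarded upstream."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["qtype"] == "A" and m["rcode"] == "NXDOMAIN" and in_zone(m["qname"], zone):
            found.append((m["client"], m["qname"].rstrip(".")))
    return found


# Constructed sample lines modelled on the thread's pfdns.log excerpt.
SAMPLE_LOG = [
    'Feb 26 16:01:57 pfsrv pfdns: 10.25.198.96 - [26/Feb/2019:16:01:57 +0100] '
    '"A IN macbook.wired.local. udp 37 false 512" NXDOMAIN qr,rd,ra 113 9.846755ms',
    'Feb 26 16:02:03 pfsrv pfdns: 10.25.198.96 - [26/Feb/2019:16:02:03 +0100] '
    '"A IN www.example.com. udp 33 false 512" NOERROR qr,rd,ra 49 12.1ms',
]

if __name__ == "__main__":
    for client, name in leaked_zone_queries(SAMPLE_LOG):
        print(client, "asked for", name, "-> node table says", local_answer(name))
```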