On Thu, 17 Sep 2009 09:40:56 -0600 Lonnie Olson <[email protected]> wrote:
> On Wed, Sep 16, 2009 at 4:21 PM, Charles Curley
> <[email protected]> wrote:
> > I use Ubuntu 9.04 and virt-manager-0.6.1-1ubuntu4--i386 to run
> > virtual machines using kvm and ubuntu 9.10 alpha 5 and finix 93. I
> > have both virtual machines running nicely, with one exception. If I
> > have firestarter's firewall running, the VMs cannot get DHCP
> > offers. I can run "dhclient eth0" manually, and see the dhcp
> > discover packets logged to the console. If I then remove all the
> > firewalling (ctl-p in the firestarter GUI), the VM immediately gets
> > an offer. Internet connection sharing is enabled. I have tried
> > adding a rule to admit packets on the two DHCP ports for network
> > 255.255.255.0/24, but that has not worked.
> >
> > I use firestarter on other machines on my network, two of which are
> > DHCP servers for the network. The main difference between those and
> > the VMs is that they operate DHCP over eth0, and the VMs use a
> > virtual network. The host sees that network on device virbr0.

I should clarify: there is a firewall only on the dhcp server/host
machine. The VMs are wide open:

r...@test2kkalpha5:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
r...@test2kkalpha5:~#

>
> DHCP Offer packets come from the DHCP server, not from the broadcast
> address. It is best to simply allow all traffic going out on port
> udp/67, and all traffic coming in on port udp/68.

Firestarter by default allows anything out unless you prohibit it, and
I have left it that way.

>
> I'm not sure how firestarter works, but if you must specify a source
> IP/network, it should be "any", "all", or 0.0.0.0/0. You could use
> your local network for the overly conservative, or only the DHCP
> server itself for the ultra paranoid that like to do unnecessary
> maintenance and troubleshooting.

:-)

I changed it to allow ports 67 and 68 in from everywhere, and saw no
change.

I set up the following command line so I could run dhclient, see what
it was doing and capture the results:

# dhclient eth0 2>&1 | tee dhclient3.txt

Here is a run where I had the firewall on, and shut it down after the
second DHCPREQUEST, before the DHCPDISCOVER:

r...@test2kkalpha5:~# cat dhclient3.txt
There is already a pid file /var/run/dhclient.pid with pid 4083
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth0/54:52:00:15:66:01
Sending on   LPF/eth0/54:52:00:15:66:01
Sending on   Socket/fallback
DHCPREQUEST of 192.168.122.230 on eth0 to 255.255.255.255 port 67
DHCPREQUEST of 192.168.122.230 on eth0 to 255.255.255.255 port 67
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
DHCPOFFER of 192.168.122.230 from 192.168.122.1
DHCPREQUEST of 192.168.122.230 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.122.230 from 192.168.122.1
bound to 192.168.122.230 -- renewal in 1442 seconds.
r...@test2kkalpha5:~#

So I believe that in spite of allowing ports 67 and 68 from anywhere,
the firewall ignored the first DHCPREQUEST. Checking the log shows
that, yes, it is being dropped, e.g.:

Sep 17 12:29:35 dzur kernel: [89162.641098] Unknown InputIN=virbr0 OUT= PHYSIN=vnet0 MAC=ff:ff:ff:ff:ff:ff:54:52:00:15:66:01:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308

Note that the MAC addresses agree.

So, just for the halibut, and since I'm not an iptables guru, I've
attached a dump from the host/dhcp server.

Have I found a bug in firestarter? Or maybe in the bridge code?

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
r...@dzur:/var/log# iptables -L
Chain INPUT (policy DROP)
target     prot opt source                    destination
ACCEPT     tcp  --  chaffee.localdomain       anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  chaffee.localdomain       anywhere
ACCEPT     tcp  --  dragon.localdomain        anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  dragon.localdomain        anywhere
ACCEPT     all  --  anywhere                  anywhere
ACCEPT     icmp --  anywhere                  anywhere            icmp echo-request limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere                  anywhere            icmp echo-reply limit: avg 1/sec burst 5
ACCEPT     udp  --  anywhere                  anywhere            udp dpt:33434
LSI        icmp --  anywhere                  anywhere
DROP       all  --  anywhere                  255.255.255.255
DROP       all  --  anywhere                  192.168.1.255
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere                  BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255           anywhere
DROP       all  --  anywhere                  0.0.0.0
DROP       all  --  anywhere                  anywhere            state INVALID
LSI        all  -f  anywhere                  anywhere            limit: avg 10/min burst 5
INBOUND    all  --  anywhere                  anywhere
INBOUND    all  --  anywhere                  192.168.122.1
INBOUND    all  --  anywhere                  dzur.localdomain
INBOUND    all  --  anywhere                  192.168.122.255
LOG_FILTER all  --  anywhere                  anywhere
LOG        all  --  anywhere                  anywhere            LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source                    destination
ACCEPT     icmp --  anywhere                  anywhere            icmp echo-request limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere                  anywhere            icmp echo-reply limit: avg 1/sec burst 5
ACCEPT     udp  --  anywhere                  anywhere            udp dpt:33434
LSI        icmp --  anywhere                  anywhere
TCPMSS     tcp  --  anywhere                  anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
OUTBOUND   all  --  anywhere                  anywhere
ACCEPT     tcp  --  anywhere                  192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere                  192.168.122.0/24    state RELATED,ESTABLISHED
LOG_FILTER all  --  anywhere                  anywhere
LOG        all  --  anywhere                  anywhere            LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source                    destination
ACCEPT     tcp  --  dzur.localdomain          chaffee.localdomain tcp dpt:domain
ACCEPT     udp  --  dzur.localdomain          chaffee.localdomain udp dpt:domain
ACCEPT     tcp  --  dzur.localdomain          dragon.localdomain  tcp dpt:domain
ACCEPT     udp  --  dzur.localdomain          dragon.localdomain  udp dpt:domain
ACCEPT     all  --  anywhere                  anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere                  BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255           anywhere
DROP       all  --  anywhere                  0.0.0.0
DROP       all  --  anywhere                  anywhere            state INVALID
OUTBOUND   all  --  anywhere                  anywhere
OUTBOUND   all  --  anywhere                  anywhere
LOG_FILTER all  --  anywhere                  anywhere
LOG        all  --  anywhere                  anywhere            LOG level info prefix `Unknown Output'

Chain INBOUND (4 references)
target     prot opt source                    destination
ACCEPT     tcp  --  anywhere                  anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere                  anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  dragon.localdomain        anywhere            tcp dpt:ssh
ACCEPT     udp  --  dragon.localdomain        anywhere            udp dpt:ssh
ACCEPT     tcp  --  dragonland.localdomain    anywhere            tcp dpt:ssh
ACCEPT     udp  --  dragonland.localdomain    anywhere            udp dpt:ssh
ACCEPT     tcp  --  192.168.1.0/24            anywhere            tcp dpt:www
ACCEPT     udp  --  192.168.1.0/24            anywhere            udp dpt:www
ACCEPT     tcp  --  192.168.122.0/24          anywhere            tcp dpt:www
ACCEPT     udp  --  192.168.122.0/24          anywhere            udp dpt:www
ACCEPT     tcp  --  192.168.1.0/24            anywhere            tcp dpt:3551
ACCEPT     udp  --  192.168.1.0/24            anywhere            udp dpt:3551
ACCEPT     tcp  --  192.168.122.0/24          anywhere            tcp dpt:domain
ACCEPT     udp  --  192.168.122.0/24          anywhere            udp dpt:domain
ACCEPT     tcp  --  192.168.122.0/24          anywhere            tcp dpts:bootps:bootpc
ACCEPT     udp  --  192.168.122.0/24          anywhere            udp dpts:bootps:bootpc
ACCEPT     tcp  --  192.168.1.0/24            anywhere            tcp dpt:ipp
ACCEPT     udp  --  192.168.1.0/24            anywhere            udp dpt:ipp
ACCEPT     tcp  --  192.168.122.0/24          anywhere            tcp dpt:ipp
ACCEPT     udp  --  192.168.122.0/24          anywhere            udp dpt:ipp
ACCEPT     tcp  --  192.168.1.0/24            anywhere            tcp dpt:smtp
ACCEPT     udp  --  192.168.1.0/24            anywhere            udp dpt:25
ACCEPT     tcp  --  192.168.1.0/24            anywhere            tcp dpt:3551
ACCEPT     udp  --  192.168.1.0/24            anywhere            udp dpt:3551
ACCEPT     tcp  --  192.168.122.0/24          anywhere            tcp dpts:netbios-ns:netbios-ssn
ACCEPT     udp  --  192.168.122.0/24          anywhere            udp dpts:netbios-ns:netbios-ssn
ACCEPT     tcp  --  192.168.122.0/24          anywhere            tcp dpt:microsoft-ds
ACCEPT     udp  --  192.168.122.0/24          anywhere            udp dpt:microsoft-ds
ACCEPT     tcp  --  192.168.1.0/24            anywhere            tcp dpts:netbios-ns:netbios-ssn
ACCEPT     udp  --  192.168.1.0/24            anywhere            udp dpts:netbios-ns:netbios-ssn
ACCEPT     tcp  --  192.168.1.0/24            anywhere            tcp dpt:microsoft-ds
ACCEPT     udp  --  192.168.1.0/24            anywhere            udp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere                  anywhere            tcp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere                  anywhere            udp dpts:bootps:bootpc
LSI        all  --  anywhere                  anywhere

Chain LOG_FILTER (5 references)
target     prot opt source                    destination

Chain LSI (4 references)
target     prot opt source                    destination
LOG_FILTER all  --  anywhere                  anywhere
LOG        tcp  --  anywhere                  anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       tcp  --  anywhere                  anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere                  anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       tcp  --  anywhere                  anywhere            tcp flags:FIN,SYN,RST,ACK/RST
LOG        icmp --  anywhere                  anywhere            icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       icmp --  anywhere                  anywhere            icmp echo-request
LOG        all  --  anywhere                  anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP       all  --  anywhere                  anywhere

Chain LSO (0 references)
target     prot opt source                    destination
LOG_FILTER all  --  anywhere                  anywhere
LOG        all  --  anywhere                  anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT     all  --  anywhere                  anywhere            reject-with icmp-port-unreachable

Chain OUTBOUND (3 references)
target     prot opt source                    destination
ACCEPT     icmp --  anywhere                  anywhere
ACCEPT     tcp  --  anywhere                  anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere                  anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere                  anywhere
r...@dzur:/var/log#
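An added example, not part of the thread: a small parser for the netfilter LOG lines Firestarter writes (the `Unknown Input` / `Inbound ` prefixes seen above) that flags dropped DHCP client broadcasts and tallies drops per ingress device and bridge port. The first sample line is the one quoted in the mail; the second and third are constructed.

```python
import re
from collections import Counter

# Constructed sample log. The first line is the one quoted in the mail; the other
# two are made up (a TCP drop logged by the LSI chain, and a non-netfilter line).
SAMPLE_LOG = """\
Sep 17 12:29:35 dzur kernel: [89162.641098] Unknown InputIN=virbr0 OUT= PHYSIN=vnet0 MAC=ff:ff:ff:ff:ff:ff:54:52:00:15:66:01:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Sep 17 12:30:01 dzur kernel: [89188.123456] Inbound IN=virbr0 OUT= PHYSIN=vnet0 MAC=52:54:00:aa:bb:cc:54:52:00:15:66:01:08:00 SRC=192.168.122.230 DST=192.168.122.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 17 12:30:05 dzur sshd[1234]: Accepted publickey for charles from 192.168.1.10
"""

# A netfilter LOG line is "<log-prefix>IN=... OUT=... KEY=VALUE ...". The prefix is
# whatever --log-prefix the rule carried; Firestarter's "Unknown Input" has no
# trailing space, which is why it runs straight into "IN=" in the quoted line.
LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # bare flags such as DF or SYN are skipped

def parse_nf_log(line):
    """Return the LOG fields as a dict, or None if this is not a netfilter LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"PREFIX": m.group("prefix").strip()}
    for key, value in KV_RE.findall("IN=" + m.group("rest")):
        if key == "LEN" and "LEN" in rec:  # second LEN is the UDP length (header + data)
            key = "PAYLOAD_LEN"
        rec[key] = value
    return rec

def is_dhcp_client_broadcast(rec):
    """DHCPDISCOVER/DHCPREQUEST as the host sees it: UDP 68 -> 67 to 255.255.255.255."""
    return (rec.get("PROTO") == "UDP" and rec.get("SPT") == "68"
            and rec.get("DPT") == "67" and rec.get("DST") == "255.255.255.255")

def dropped_dhcp_broadcasts(text):
    """Records of DHCP client broadcasts that reached a LOG rule, i.e. were not accepted."""
    return [r for r in map(parse_nf_log, text.splitlines()) if r and is_dhcp_client_broadcast(r)]

def summarize_by_ingress(text):
    """Count logged packets by (prefix, ingress device, bridge port, proto, dport)."""
    counts = Counter()
    for rec in filter(None, map(parse_nf_log, text.splitlines())):
        counts[(rec["PREFIX"], rec.get("IN"), rec.get("PHYSIN"),
                rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    for rec in dropped_dhcp_broadcasts(SAMPLE_LOG):
        print("DHCP broadcast dropped on %s (port %s) from %s" % (rec["IN"], rec["PHYSIN"], rec["MAC"]))
    for key, n in summarize_by_ingress(SAMPLE_LOG).items():
        print(n, key)
```

Since `iptables -L` without `-v` hides interface matches, the per-(IN, PHYSIN) counts are what tell you which chain the dropped traffic fell through on.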
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
