Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-07 Thread Archimede Pitagorico
Thanks for your comments.

> Um, please don't post HTML to mailing lists. 
It is the evil web-mail I use, which uses HTML by default; no fancy formatting.


> And here's another problem: be careful with filtering in the raw
> table. Filtering should be done in the filter table (which, go
> figure, may be why they named it "filter".)

I was just following some online examples of firewalls, for instance
the one on the arch wiki:
https://wiki.archlinux.org/index.php/Simple_stateful_firewall
which states:
This can be done with netfilter instead if statistics (and better logging) are 
desired:
# iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP

Anyway, rpfilter can only be used in the raw table, I think.

By the way, filtering in iptables seems not exactly identical to rp_filter in 
sysctl.
The one in iptables blocks messages from 0.0.0.0 to 255.255.255.255. Sysctl 
doesn't.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
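As an added illustration (not code from the thread, from dnsmasq or from the Arch wiki), here is a small Python model of the raw-table PREROUTING chain discussed above: it shows why "rpfilter --invert -j DROP" eats a client's DHCPDISCOVER (0.0.0.0 to 255.255.255.255), how a narrow exemption placed ahead of that rule lets DHCP through without loosening the reverse-path check for other sources, and the sysctl rp_filter behaviour the poster reports. The routing table, the sample packets and the exemption rule are constructed assumptions, and the reverse-path check is a simplification of what the kernel does.

```python
import ipaddress
from collections import namedtuple

# src/dst addresses, protocol, ports, and the interface the packet arrived on.
Packet = namedtuple("Packet", "src dst proto sport dport iif")

# Constructed routing table for a host like the poster's: 192.168.69.0/24 on "lan".
ROUTES = [(ipaddress.ip_network("192.168.69.0/24"), "lan")]

def reverse_path_ok(pkt):
    # Simplified rpfilter match: is there a route back to pkt.src via pkt.iif?
    # 0.0.0.0 matches no route, so a DHCPDISCOVER fails this check.
    src = ipaddress.ip_address(pkt.src)
    return any(src in net and dev == pkt.iif for net, dev in ROUTES)

def sysctl_rp_filter_ok(pkt):
    # net.ipv4.conf.*.rp_filter as the thread reports it: the
    # 0.0.0.0 -> 255.255.255.255 case is let through, otherwise the same check.
    if pkt.src == "0.0.0.0" and pkt.dst == "255.255.255.255":
        return True
    return reverse_path_ok(pkt)

def dhcp_discover_like(pkt):
    # Narrow exemption (an assumption, not a rule quoted in the thread): only the
    # unconfigured-client case, UDP 68 -> 67 from 0.0.0.0 to the limited broadcast.
    return (pkt.proto == "udp" and pkt.sport == 68 and pkt.dport == 67
            and pkt.src == "0.0.0.0" and pkt.dst == "255.255.255.255")

# A chain is an ordered list of (match, verdict); first match wins, as in iptables.
ORIGINAL_CHAIN = [(lambda p: not reverse_path_ok(p), "DROP")]
FIXED_CHAIN = [(dhcp_discover_like, "ACCEPT"),  # the exemption must precede the DROP
               (lambda p: not reverse_path_ok(p), "DROP")]

def verdict(chain, pkt, policy="ACCEPT"):
    for match, action in chain:
        if match(pkt):
            return action
    return policy

# Constructed sample packets.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67, "lan")
RENEW = Packet("192.168.69.40", "192.168.69.1", "udp", 68, 67, "lan")  # unicast renew
SPOOFED = Packet("10.9.8.7", "192.168.69.1", "udp", 68, 67, "lan")  # no route back via lan

if __name__ == "__main__":
    for name, pkt in [("DISCOVER", DISCOVER), ("RENEW", RENEW), ("SPOOFED", SPOOFED)]:
        print(f"{name:8} original={verdict(ORIGINAL_CHAIN, pkt):6} fixed={verdict(FIXED_CHAIN, pkt):6}"
              f" sysctl_rp_filter_ok={sysctl_rp_filter_ok(pkt)}")
```

Only the DISCOVER case changes between the two chains; a packet with a source that has no route back through "lan" is still dropped by the fixed chain.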


Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-04 Thread /dev/rob0
On Wed, Jan 04, 2017 at 06:38:30PM +0100, Archimede Pitagorico wrote:
> it was a rule in the PREROUTING chain of the raw
> table:
> 
> rpfilter --invert -j DROP
> 
> that caused messages incoming from clients to be dropped.

And here's another problem: be careful with filtering in the raw 
table.  Filtering should be done in the filter table (which, go 
figure, may be why they named it "filter".)

> 
> 
> It is easy to modify the rule to allow dhcp traffic
> through, so problem solved.
> 
> 
> 
> I have another question however about this:
> 
> ISC's dhcp server uses a lower-level
> network model than dnsmasq, and can work despite
> iptables rules to the contrary.
> 
> How can an app bypass the kernel firewall? Can you please 
> suggest a reference for me to understand better?

Well, that's overstating it a bit.

ISC dhcpd uses raw sockets, and those are (like tcpdump) seen before 
the netfilter subsystem.

But note, a complete DHCP exchange is "DORA": Discover by the client; 
Offer by the server; Request by the client; and Ack by the server.  
With dhcpd only DO are not blockable.  RA certainly are.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-04 Thread Archimede Pitagorico
That was indeed the problem. Thanks a lot!

It was a rule in the PREROUTING chain of the raw table:

rpfilter --invert -j DROP

that caused messages incoming from clients to be dropped.

It is easy to modify the rule to allow dhcp traffic through, so problem solved.

I have another question however about this:

> ISC's dhcp server uses a lower-level network model than dnsmasq, and can work despite iptables rules to the contrary.

How can an app bypass the kernel firewall? Can you please suggest a reference for me to understand better?

A.


Sent: Wednesday, January 04, 2017 at 3:15 AM
From: "Kurt H Maier" <k...@sciops.net>
To: "Archimede Pitagorico" <archimede.pitagor...@mail.com>
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

On Mon, Jan 02, 2017 at 05:50:42AM +0100, Archimede Pitagorico wrote:
> I am trying to migrate from dhcpd to dnsmasq for my home network, without
> much luck.

Make sure you don't have any iptables rules in place that would
interfere with dnsmasq. ISC's dhcp server uses a lower-level network
model than dnsmasq, and can work despite iptables rules to the contrary.
Check for rules that are dropping packets with sources or destinations
like 0.0.0.0 or 255.255.255.255.


khm





Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-03 Thread Kurt H Maier
On Mon, Jan 02, 2017 at 05:50:42AM +0100, Archimede Pitagorico wrote:
> I am trying to migrate from dhcpd to dnsmasq for my home network, without
> much luck.

Make sure you don't have any iptables rules in place that would
interfere with dnsmasq.  ISC's dhcp server uses a lower-level network
model than dnsmasq, and can work despite iptables rules to the contrary.
Check for rules that are dropping packets with sources or destinations
like 0.0.0.0 or 255.255.255.255.

khm



[Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-01 Thread Archimede Pitagorico
I am trying to migrate from dhcpd to dnsmasq for my home network, without much luck.

I use the following simple configuration file:

port=0

interface=lan
bind-interfaces

dhcp-authoritative
dhcp-range=192.168.69.32,192.168.69.95,2h
dhcp-option=option:router,192.168.69.1
dhcp-option=option:dns-server,192.168.69.1

log-dhcp

My lan interface is configured as follows:

6: lan:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:c0:ca:89:35:9c brd ff:ff:ff:ff:ff:ff
    inet 192.168.69.1/24 scope global lan
       valid_lft forever preferred_lft forever
    inet 192.168.69.2/24 scope global secondary lan
       valid_lft forever preferred_lft forever
    inet6 fc00::c0a8:4502/120 scope global
       valid_lft forever preferred_lft forever
    inet6 fc00::c0a8:4501/120 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::7c2b:c1ff:fec3:674d/64 scope link
       valid_lft forever preferred_lft forever

In the log, when I start dnsmasq, I can see:

Jan 02 11:25:11 archimede systemd[1]: Starting A lightweight DHCP and caching DNS server: dhcp...
Jan 02 11:25:11 archimede dnsmasq[8253]: dnsmasq: syntax check OK.
Jan 02 11:25:11 archimede systemd[1]: Started A lightweight DHCP and caching DNS server: dhcp.
Jan 02 11:25:11 archimede dnsmasq[8255]: started, version 2.76 DNS disabled
Jan 02 11:25:11 archimede dnsmasq[8255]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conn
Jan 02 11:25:11 archimede dnsmasq-dhcp[8255]: DHCP, IP range 192.168.69.32 -- 192.168.69.95, lease time 2h
Jan 02 11:25:11 archimede dnsmasq-dhcp[8255]: DHCP, sockets bound exclusively to interface lan

and netstat shows dnsmasq listening on UDP 0.0.0.0 port 67.

However it does not work. Using tcpdump, I can see incoming dhcp lease requests from clients, but there is no server response. I know the tcpdump command I am using is correct, because if I switch back to dhcpcd, I can see both dhcp client requests and server replies.

What did I miss? Thanks
