Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-07 Thread Archimede Pitagorico
Thanks for your comments.

> Um, please don't post HTML to mailing lists. 
It is the evil web-mail I use, which uses HTML by default, no fancy formatting.


> And here's another problem: be careful with filtering in the raw
> table. Filtering should be done in the filter table (which, go
> figure, may be why they named it "filter".)

I was just following some online examples of firewalls, for instance
the one on the arch wiki:
https://wiki.archlinux.org/index.php/Simple_stateful_firewall
which states:
This can be done with netfilter instead if statistics (and better logging) are 
desired:
# iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP

Anyway, rpfilter can only be used in the raw table, I think.

By the way, filtering in iptables seems not exactly identical to rp_filter in 
sysctl.
The one in iptables blocks messages from 0.0.0.0 to 255.255.255.255. Sysctl 
doesn't.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-04 Thread /dev/rob0
On Wed, Jan 04, 2017 at 06:38:30PM +0100, Archimede Pitagorico wrote:
> it was a rule in the PREROUTING chain of the raw
> table:
> 
> rpfilter --invert -j DROP
> 
> that caused messages incoming from clients to be dropped.

And here's another problem: be careful with filtering in the raw 
table.  Filtering should be done in the filter table (which, go 
figure, may be why they named it "filter".)

>
> It is easy to modify the rule to allow dhcp traffic
> through, so problem solved.
>
> I have another question however about this:
>
> ISC's dhcp server uses a lower-level
> network model than dnsmasq, and can work despite
> iptables rules to the contrary.
>
> How can an app bypass the kernel firewall? Can you please
> suggest a reference for me to understand better?

Well, that's overstating it a bit.

ISC dhcpd uses raw sockets, and those are (like tcpdump) seen before 
the netfilter subsystem.

But note, a complete DHCP exchange is "DORA": Discover by the client; 
Offer by the server; Request by the client; and Ack by the server.  
With dhcpd only DO are not blockable.  RA certainly are.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-04 Thread Archimede Pitagorico
That was indeed the problem. Thanks a lot!

it was a rule in the PREROUTING chain of the raw table:

rpfilter --invert -j DROP

that caused messages incoming from clients to be dropped.

It is easy to modify the rule to allow dhcp traffic through, so problem solved.

I have another question however about this:

> ISC's dhcp server uses a lower-level network model than dnsmasq, and can work despite iptables rules to the contrary.

How can an app bypass the kernel firewall? Can you please suggest a reference for me to understand better?

A.


Sent: Wednesday, January 04, 2017 at 3:15 AM
From: "Kurt H Maier" <k...@sciops.net>
To: "Archimede Pitagorico" <archimede.pitagor...@mail.com>
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

On Mon, Jan 02, 2017 at 05:50:42AM +0100, Archimede Pitagorico wrote:
> I am trying to migrate from dhcpd to dnsmasq for my home network, without
> much luck.

Make sure you don't have any iptables rules in place that would
interfere with dnsmasq. ISC's dhcp server uses a lower-level network
model than dnsmasq, and can work despite iptables rules to the contrary.
Check for rules that are dropping packets with sources or destinations
like 0.0.0.0 or 255.255.255.255.


khm





Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-03 Thread Kurt H Maier
On Mon, Jan 02, 2017 at 05:50:42AM +0100, Archimede Pitagorico wrote:
>I am trying to migrate from dhcpd to dnsmasq for my home network, without
>much luck.

Make sure you don't have any iptables rules in place that would
interfere with dnsmasq.  ISC's dhcp server uses a lower-level network
model than dnsmasq, and can work despite iptables rules to the contrary.
Check for rules that are dropping packets with sources or destinations
like 0.0.0.0 or 255.255.255.255.
   
   
khm
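
The check suggested in the message above, combined with the raw-table rpfilter rule identified later in the thread, can be run over `iptables-save` output. This is an added example, not code from the thread or from dnsmasq: a simplified audit whose sample ruleset, interface name `lan0` and function names are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lan0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -s 0.0.0.0/32 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
COMMIT
"""
DROPPING = {"DROP", "REJECT"}
UNSPEC = {"0.0.0.0", "0.0.0.0/32"}
BCAST = {"255.255.255.255", "255.255.255.255/32"}

def opt(tok, *names):
    """Value following the first of the given option names, or None."""
    return next((tok[i + 1] for i, t in enumerate(tok[:-1]) if t in names), None)

def audit(ruleset):
    """Return (table, chain, rule) for rules that could drop a DHCP DISCOVER."""
    findings, table, exempt = [], None, set()
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        chain, target, key = tok[1], opt(tok, "-j"), (table, tok[1])
        # An earlier ACCEPT for UDP port 67 ends this chain's traversal for DHCP.
        # Simplification (assumption): interface limits and "!" negation are ignored.
        if target == "ACCEPT" and opt(tok, "-p") == "udp" and opt(tok, "--dport") == "67":
            exempt.add(key)
        if target not in DROPPING or key in exempt:
            continue
        src, dst = opt(tok, "-s", "--source"), opt(tok, "-d", "--destination")
        if ("rpfilter" in tok and "--invert" in tok) or src in UNSPEC or dst in BCAST:
            findings.append((table, chain, line))
    return findings

if __name__ == "__main__":
    for table, chain, rule in audit(SAMPLE):
        print(f"{table}/{chain}: {rule}")
```

On a live host, the text passed to `audit()` would be the output of `iptables-save`; on the constructed sample it reports only the raw-table rpfilter rule, because the filter-table drops sit behind an ACCEPT for UDP port 67.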
