[Dnsmasq-discuss] dnsmasq ignores DHCPDISCOVER
Rainer Dorsch
rdorsch at web.de
Sun Dec 30 23:58:06 GMT 2007
Am Sonntag, 30. Dezember 2007 schrieb Simon Kelley:
> Rainer Dorsch wrote:
> > Am Sonntag, 30. Dezember 2007 schrieben Sie:
> >
> >
> > Thanks for the quick reply. Which broadcasts do you think are dropped?
> > The incoming dhcpdiscover requests or the outgoing response?
>
> dhcpdiscover. If they were getting through, you would see them logged by
> dnsmasq. The responses are not (normally) broadcasts.
>
> > I use shorewall to configure the firewall on the nslu2 (running dnsmasq)
> > and it should not have any ports blocked to the local net and visa versa
> > (iptables output at the end of the mail):
> >
> >
> > #Basically defines loc (192.168.1.*) and net (internet)
> > rd at nslu2:~$ grep -E -v '^#' /etc/shorewall/interfaces
> > net ppp0 detect
> > dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
> > loc eth0 detect tcpflags,detectnets,nosmurfs
> > rd at nslu2:~$
> >
> > # Defines the firewall fw
> > rd at nslu2:~$ grep -E -v '^#' /etc/shorewall/zones
> > fw firewall
> > net ipv4
> > loc ipv4
> > rd at nslu2:~$
> >
> > # does not block anything between FW and loc
> > rd at nslu2:~$ grep -E '(loc|all)' /etc/shorewall/policy|grep FW|grep -v -E
> > '^#' loc $FW ACCEPT
> > $FW all ACCEPT
> > rd at nslu2:~$
> >
> > The whole config translates into a lengthy set of iptables (which I am
> > not very familar to read directly):
> >
> > http://bokomoko.de/~rd/iptables.out
> >
> > Rainer
>
> I'm not a great firewall expert, and the raw iptables is very difficult
> to read, but there's a reference at the end of this:
> http://leaf.sourceforge.net/doc/buci-dnsmasq.html which looks like it
> might be the answer.
Thanks again for the quick reply.
That rule does not solve my problem, but stopping shorewall makes the dhcp
server in dnsmasq working.
Although I tried for a while, I do not understand at all, why shorewall drops
the packet. I cannot even make shorewall logging the rejected or dropped
broadcst packets (although it does so for packets coming from the internet).
When I log all packets, I see the broadcast (?) packets though:
Dec 31 00:27:22 nslu2 kernel: Shorewall:mangle:PREROUTING:IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:60:79:f8:ba:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 31 00:27:22 nslu2 kernel: Shorewall:nat:PREROUTING:IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:60:79:f8:ba:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 31 00:27:22 nslu2 kernel: Shorewall:mangle:INPUT:IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:60:79:f8:ba:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 31 00:27:22 nslu2 kernel: Shorewall:filter:INPUT:IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:60:79:f8:ba:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Now I found the root cause:
loc eth0 detect tcpflags,nosmurfs,detectnets
needs to become
loc eth0 detect tcpflags,nosmurfs
From the description it does additional filtering and maybe filters out the
SRC 0.0.0.0 (?):
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only
those
# hosts routed through the interface.
Thanks,
Rainer
--
Rainer Dorsch
Lärchenstr. 6
D-72135 Dettenhausen
07157-734133
email: rdorsch at web.de
jabber: rdorsch at jabber.org
GPG Fingerprint: 5966 C54C 2B3C 42CC 1F4F 8F59 E3A8 C538 7519 141E
Full GPG key: http://pgp.mit.edu/
More information about the Dnsmasq-discuss
mailing list