[Dnsmasq-discuss] dnsmasq/ntp/shorewall conundrum: can't make clients query locally ...

Jim Alles kb3tbx at gmail.com
Sat Feb 28 22:39:03 GMT 2015


Your DHCP range is not what is required: a pair of start and stop IP addresses,
like 10.10.0.2, 10.10.255.254.

- look at syslog and see what dnsmasq is complaining about.

On Sat, Feb 28, 2015 at 11:53 AM, Johannes Graumann
<johannes_graumann at web.de> wrote:
> Hello,
>
> I'm running a debian firewall that uses dnsmasq to provide dhcp to the local
> subnets, firewalls using shorewall and has ntpd running to locally serve time
> as well.
>
> The relevant (according to me) config options look as follows:
> 1) /etc/dnsmasq.conf
> bogus-priv
> interface=eth1
> interface=eth2
> domain=<MYDOMAIN>
> dhcp-range=10.10.0.0,255.255.0.0,static
> # One of many hosts
> dhcp-host=f0:da:f3:c4:59:b7,68:d8:19:ab:b3:c9,onemachine,10.10.1.2,2h
> dhcp-option=42,10.10.1.1
>
> 2) /etc/shorewall/rules
> # Accept pwln network access to $FW as ntp server
> NTP(ACCEPT)     pwln            $FW
>
> 3) /etc/ntp.conf
> driftfile /var/lib/ntp/ntp.drift
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> server 0.debian.pool.ntp.org iburst
> server 1.debian.pool.ntp.org iburst
> server 2.debian.pool.ntp.org iburst
> server 3.debian.pool.ntp.org iburst
> restrict default nopeer nomodify notrap noquery
> restrict 127.0.0.1
> restrict 10.10.0.0 mask 255.255.0.0
>
> Despite all this, my logs get flooded with things like this:
>> Feb 28 18:02:52 morannon kernel: [241886.597125]
>> Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0
>> MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70
>> DST=194.27.44.55 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=4016 DF PROTO=UDP
>> SPT=50658 DPT=123 LEN=56
>
> Which I interpret as 10.10.1.70 NOT heeding the NTP proposal (supposedly)
> served by dnsmasq and trying to get time from outside (destination port
> (DPT) 123 = NTP).
>
> What may be going on? Anything obvious I'm screwing up?
>
> Sincerely, Joh
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
