[Dnsmasq-discuss] dnsmasq/ntp/shorewall conundrum: can't make clients query locally ...

Johannes Graumann johannes_graumann at web.de
Mon Mar 2 14:39:39 GMT 2015


Not correct. From the default file:

# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
dhcp-range=10.10.0.0,255.255.0.0,static

Works here.

Joh

Jim Alles wrote:

> Your DHCP range is not what is required: a pair of start and stop IP
> addresses, like 10.10.0.2, 10.10.255.254
> 
> - look at syslog and see what dnsmasq is complaining about.
> 
> On Sat, Feb 28, 2015 at 11:53 AM, Johannes Graumann
> <johannes_graumann at web.de> wrote:
>> Hello,
>>
>> I'm running a debian firewall that uses dnsmasq to provide dhcp to the
>> local subnets, firewalls using shorewall and has ntpd running to locally
>> serve time as well.
>>
>> The relevant (according to me) config options look as follows:
>> 1) /etc/dnsmasq.conf
>> bogus-priv
>> interface=eth1
>> interface=eth2
>> domain=<MYDOMAIN>
>> dhcp-range=10.10.0.0,255.255.0.0,static
>> # One of many hosts
>> dhcp-host=f0:da:f3:c4:59:b7,68:d8:19:ab:b3:c9,onemachine,10.10.1.2,2h
>> dhcp-option=42,10.10.1.1
>>
>> 2) /etc/shorewall/rules
>> # Accept pwln network access to $FW as ntp server
>> NTP(ACCEPT)     pwln            $FW
>>
>> 3) /etc/ntp.conf
>> driftfile /var/lib/ntp/ntp.drift
>> statistics loopstats peerstats clockstats
>> filegen loopstats file loopstats type day enable
>> filegen peerstats file peerstats type day enable
>> filegen clockstats file clockstats type day enable
>> server 0.debian.pool.ntp.org iburst
>> server 1.debian.pool.ntp.org iburst
>> server 2.debian.pool.ntp.org iburst
>> server 3.debian.pool.ntp.org iburst
>> restrict default nopeer nomodify notrap noquery
>> restrict 127.0.0.1
>> restrict 10.10.0.0 mask 255.255.0.0
>>
>> Despite all this, my logs get flooded with things like this:
>>> Feb 28 18:02:52 morannon kernel: [241886.597125]
>>> Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0
>>> MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70
>>> DST=194.27.44.55 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=4016 DF PROTO=UDP
>>> SPT=50658 DPT=123 LEN=56
>>
>> Which I interpret as 10.10.1.70 NOT heeding the NTP proposal (supposedly)
>> served by dnsmasq and trying to get time from outside (destination port
>> (DPT) 123 = NTP).
>>
>> What may be going on? Anything obvious I'm screwing up?
>>
>> Sincerely, Joh
>>
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
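The log lines quoted in the thread can be turned into a small check for exactly the symptom Joh describes: hosts on the 10.10.0.0/16 range that send UDP/123 to anything other than the NTP server handed out via dhcp-option=42. This is an added example, not code from the thread or from dnsmasq/Shorewall; the sample log is constructed from the quoted line plus invented entries, and the subnet and NTP address are taken from the quoted configuration.

```python
import ipaddress
import re
from collections import Counter

# Shorewall (netfilter) log lines carry key=value fields after a "Shorewall:<chain>:<action>:" prefix.
SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

LOCAL_NET = ipaddress.ip_network("10.10.0.0/16")  # subnet from the quoted dhcp-range
LOCAL_NTP = ipaddress.ip_address("10.10.1.1")     # NTP server from the quoted dhcp-option=42

# Constructed sample: first line is the one quoted in the thread (unwrapped); the rest are invented.
SAMPLE_LOG = [
    "Feb 28 18:02:52 morannon kernel: [241886.597125] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 "
    "MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70 DST=194.27.44.55 LEN=76 TOS=0x10 "
    "PREC=0x00 TTL=63 ID=4016 DF PROTO=UDP SPT=50658 DPT=123 LEN=56",
    "Feb 28 18:03:10 morannon kernel: [241904.101010] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 "
    "SRC=10.10.1.70 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=50659 DPT=123 LEN=56",
    "Feb 28 18:03:11 morannon kernel: [241905.202020] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 "
    "SRC=10.10.2.5 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=40001 DPT=123 LEN=56",
    "Feb 28 18:03:12 morannon kernel: [241906.303030] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 "
    "SRC=10.10.2.5 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=40002 DPT=53 LEN=40",   # DNS, not NTP
    "Feb 28 18:03:13 morannon sshd[1234]: Accepted publickey for joh from 10.10.1.2",  # not Shorewall
]

def parse_shorewall_line(line):
    """Return the key=value fields of a Shorewall log line as a dict, or None if it is not one."""
    m = SHOREWALL_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))  # a repeated key (LEN) keeps its last value
    fields["chain"] = m.group("chain")
    fields["action"] = m.group("action")
    return fields

def stray_ntp_clients(lines, local_net=LOCAL_NET, local_ntp=LOCAL_NTP):
    """Count, per local source host, UDP/123 packets aimed at any server other than the local one."""
    hits = Counter()
    for line in lines:
        f = parse_shorewall_line(line)
        if not f or f.get("PROTO") != "UDP" or f.get("DPT") != "123":
            continue
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        if src in local_net and dst != local_ntp:
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, n in sorted(stray_ntp_clients(SAMPLE_LOG).items()):
        print(f"{host}: {n} NTP request(s) to non-local servers")
```

A host that shows up here with a steady count is either not renewing its lease (so it never received option 42) or has a statically configured NTP server, which is the distinction the syslog check suggested in the thread helps settle.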
