[Dnsmasq-discuss] dnsmasq/ntp/shorewall conundrum: can't make clients query locally ...

Jim Alles kb3tbx at gmail.com
Mon Mar 2 16:19:30 GMT 2015


Aha, I learned something today.

I have not seen the static use-case, myself.

I used the manpage (only) for reference. That syntax is not mentioned there.

The manpage is also not clear as to what is valid for ipv4 vs ipv6 with
regard to ',static'.

I must defer to an expert at this point, sorry for the noise!

Regards,

Jim A.

On Mon, Mar 2, 2015 at 9:39 AM, Johannes Graumann <johannes_graumann at web.de>
wrote:

> Not correct. From the default file:
>
> # Specify a subnet which can't be used for dynamic address allocation,
> # is available for hosts with matching --dhcp-host lines. Note that
> # dhcp-host declarations will be ignored unless there is a dhcp-range
> # of some type for the subnet in question.
> # In this case the netmask is implied (it comes from the network
> # configuration on the machine running dnsmasq); it is possible to give
> # an explicit netmask instead.
> dhcp-range=10.10.0.0,255.255.0.0,static
>
> Works here.
>
> Joh
>
> Jim Alles wrote:
>
> > Your DHCP range is not what is required: a pair of start and stop IP
> > addresses, like 10.10.0.2, 10.10.255.254
> >
> > - look at syslog and see what dnsmasq is complaining about.
> >
> > On Sat, Feb 28, 2015 at 11:53 AM, Johannes Graumann
> > <johannes_graumann at web.de> wrote:
> >> Hello,
> >>
> >> I'm running a debian firewall that uses dnsmasq to provide dhcp to the
> >> local subnets, firewalls using shorewall and has ntpd running to locally
> >> serve time as well.
> >>
> >> The relevant (according to me) config options look as follows:
> >> 1) /etc/dnsmasq.conf
> >> bogus-priv
> >> interface=eth1
> >> interface=eth2
> >> domain=<MYDOMAIN>
> >> dhcp-range=10.10.0.0,255.255.0.0,static
> >> # One of many hosts
> >> dhcp-host=f0:da:f3:c4:59:b7,68:d8:19:ab:b3:c9,onemachine,10.10.1.2,2h
> >> dhcp-option=42,10.10.1.1
> >>
> >> 2) /etc/shorewall/rules
> >> # Accept pwln network access to $FW as ntp server
> >> NTP(ACCEPT)     pwln            $FW
> >>
> >> 3) /etc/ntp.conf
> >> driftfile /var/lib/ntp/ntp.drift
> >> statistics loopstats peerstats clockstats
> >> filegen loopstats file loopstats type day enable
> >> filegen peerstats file peerstats type day enable
> >> filegen clockstats file clockstats type day enable
> >> server 0.debian.pool.ntp.org iburst
> >> server 1.debian.pool.ntp.org iburst
> >> server 2.debian.pool.ntp.org iburst
> >> server 3.debian.pool.ntp.org iburst
> >> restrict default nopeer nomodify notrap noquery
> >> restrict 127.0.0.1
> >> restrict 10.10.0.0 mask 255.255.0.0
> >>
> >> Despite all this, my logs get flooded with things like this:
> >>> Feb 28 18:02:52 morannon kernel: [241886.597125]
> >>> Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0
> >>> MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70
> >>> DST=194.27.44.55 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=4016 DF PROTO=UDP
> >>> SPT=50658 DPT=123 LEN=56
> >>
> >> Which I interpret as 10.10.1.70 NOT heeding the NTP proposal (supposedly)
> >> served by dnsmasq and trying to get time from outside (destination port
> >> (DPT) 123 = NTP).
> >>
> >> What may be going on? Anything obvious I'm screwing up?
> >>
> >> Sincerely, Joh
> >>
> >>
> >>
> >> _______________________________________________
> >> Dnsmasq-discuss mailing list
> >> Dnsmasq-discuss at lists.thekelleys.org.uk
> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
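The Shorewall REJECT line Joh quotes is the useful evidence in this thread: it shows a LAN host sending UDP/123 straight to the internet instead of to the NTP server handed out with dhcp-option=42. The script below, an added example that is not part of any message in the thread, parses netfilter/Shorewall log lines and lists which LAN hosts are trying to reach external NTP servers, so the problem can be traced to specific clients. The LAN prefix (10.10.0.0/16) and the local NTP address (10.10.1.1) are assumptions taken from the posted configuration; the sample log lines are constructed, modelled on the one quoted above, and use RFC 5737 documentation addresses for the extra external destinations.

```python
"""Find LAN hosts that send NTP (UDP/123) to addresses outside the LAN,
based on Shorewall/netfilter kernel log lines.

Added example for this thread, not code from dnsmasq, Shorewall or the poster.
"""
import ipaddress
import re
from collections import defaultdict

# Assumptions taken from the configuration posted in the thread.
LAN = ipaddress.ip_network("10.10.0.0/16")       # dhcp-range=10.10.0.0,255.255.0.0,static
LOCAL_NTP = ipaddress.ip_address("10.10.1.1")    # dhcp-option=42,10.10.1.1
NTP_PORT = 123

# Shorewall log prefix is "Shorewall:<chain>:<action>:" followed by KEY=VALUE fields.
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):")
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log. The first line mirrors the REJECT entry quoted in the
# thread; the others are invented to exercise the filter.
SAMPLE_LOG = [
    "Feb 28 18:02:52 morannon kernel: [241886.597125] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 "
    "MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70 DST=194.27.44.55 LEN=76 "
    "TOS=0x10 PREC=0x00 TTL=63 ID=4016 DF PROTO=UDP SPT=50658 DPT=123 LEN=56",
    # same host, second external NTP server (documentation address)
    "Feb 28 18:03:01 morannon kernel: [241895.100000] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 "
    "MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70 DST=192.0.2.10 LEN=76 "
    "TOS=0x10 PREC=0x00 TTL=63 ID=4017 DF PROTO=UDP SPT=50658 DPT=123 LEN=56",
    # outbound DNS from the same host: not NTP, must be ignored
    "Feb 28 18:03:02 morannon kernel: [241896.200000] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 "
    "MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70 DST=192.0.2.53 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=4018 DF PROTO=UDP SPT=40000 DPT=53 LEN=40",
    # a well-behaved host talking to the local NTP server: must be ignored
    "Feb 28 18:03:03 morannon kernel: [241897.300000] Shorewall:pwln2fw:ACCEPT:IN=eth1 OUT= "
    "MAC=00:0d:b9:1a:85:b4:00:00:24:d0:62:de:08:00 SRC=10.10.1.80 DST=10.10.1.1 LEN=76 "
    "TOS=0x10 PREC=0x00 TTL=64 ID=4019 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
    # unrelated syslog line
    "Feb 28 18:03:05 morannon dnsmasq-dhcp[1234]: DHCPACK(eth1) 10.10.1.2 f0:da:f3:c4:59:b7 onemachine",
]


def parse_line(line):
    """Return a dict of fields for a Shorewall log line, or None for other lines.

    LEN= appears twice (IP header, then UDP header); the later value wins.
    Bare flags such as DF carry no '=' and are not captured.
    """
    m = _PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    rec.update(_FIELD.findall(line[m.end():]))
    return rec


def is_external_ntp(rec):
    """True when a LAN source sends UDP to port 123 at an address outside the LAN."""
    try:
        src = ipaddress.ip_address(rec.get("SRC", ""))
        dst = ipaddress.ip_address(rec.get("DST", ""))
    except ValueError:
        return False
    return (rec.get("PROTO") == "UDP"
            and rec.get("DPT") == str(NTP_PORT)
            and src in LAN
            and dst not in LAN)


def ntp_offenders(lines):
    """Map each offending LAN source address to the external NTP servers it tried."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_external_ntp(rec):
            hits[rec["SRC"]].add(rec["DST"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    import sys
    # Run stand-alone on the constructed sample, or pipe a kernel log into it.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for src, dsts in sorted(ntp_offenders(source).items()):
        print(f"{src} -> external NTP: {', '.join(dsts)} (expected {LOCAL_NTP})")
```

Usage: `python3 ntp_leaks.py < /var/log/kern.log`. Note what a hit does and does not prove: the REJECT line shows the firewall is doing its job, not that dnsmasq failed to send option 42. Most NTP clients do not read the DHCP-supplied NTP server unless the client side is explicitly set up to do so, so the output above points at the hosts whose client configuration needs checking. If changing every client is impractical, a Shorewall DNAT rule redirecting UDP/123 from the LAN to $FW is the usual firewall-side alternative.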