problem s BINDem / dhclient

[Miroslav Lachman]

Miroslav Lachman wrote on 2019/04/28 23:34:
> Dan Lukes wrote on 2019/04/28 22:36:

>> No a firewall propousti jen ty prvni pakety ...

> Ale v logu se mi zase objevilo dhclient[40538]: send_packet: Permission 
> denied.
> 
> Takze co by melo byt povoleno?

Zda se, ze uz jsem na to prisel, i kdyz moc nerozumim tomu, proc prvni 
ziskani IP adresy projde a prodlouzeni lease ne.

V pf.conf mam tabulku "reserved":

table <reserved> { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 
127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 
224.0.0.0/3 }

a ta se dale pouziva v pravidlu pro blokovani techto siti na vnejsim 
interface, protoze tam takove adresy zpravidla nemaji co delat:

## Deny all non routable trafic on external interface
block log quick on $ext_if inet from <reserved> to any
block log quick on $ext_if inet from any to <reserved>

Jenze z /var/db/dhclient.leases.bge0 jsem se docetl, ze DHCP server ma 
adresu 10.128.129.89:

   option dhcp-server-identifier 10.128.129.89;

Tuhle IP jsem tedy vyloucil z tabulky reserved:

table <reserved> { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 
127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 
224.0.0.0/3, !10.128.129.89 }

A zpravy "send_packet: Permission denied" uz se v logu nevyskytujou.

Takze na zaver jen otazka do plena - tusite nekdo, jestli UPC DHCP 
server ma vzdy adresu 10.128.129.89, nebo se jich pouziva vice ruznych, 
podle subnetu atd.? (i kdyz ma DHCP server adresu 10.x.x.x, stroj 
dostava verejnou adresu, ale mohou to byt ruzne subnety, 62.24.x.x, 
84.x.x.x atd.)

Mirek