From: hume.spamfilter on 16 Jan 2010 12:36

Richard B. Gilbert <rgilbert88(a)comcast.net> wrote:
> Do you really NEED ipfilter? My router, by default, will not allow any
> incoming packet to pass unless it is a response to outgoing traffic.

Pretty much anyone using Solaris in any form of server role isn't going to find that feasible.

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
From: Chris Ridd on 16 Jan 2010 12:49

On 2010-01-16 17:33:32 +0000, hume.spamfilter(a)bofh.ca said:
> Jeroen Scheerder <js(a)xs4all.nl> wrote:
>> suspected that. So I ran DHCP in debug mode, with a screen session
>> containing a tcpdump writing all UDP 67, 68 packets to a file.
>
> I missed that bit. Regardless, it might be worthwhile to try adding an
> explicit allow rule, just to see any difference. Also, you could add a
> "log" keyword to the block-in-all rule to see if IPfilter is aware that
> it's blocking DHCP (and why).

How long does ipfilter keep state for connection tracking? Has it changed?

--
Chris
From: Jeroen Scheerder on 16 Jan 2010 13:34

<hume.spamfilter(a)bofh.ca> wrote:
> > suspected that. So I ran DHCP in debug mode, with a screen session
> > containing a tcpdump writing all UDP 67, 68 packets to a file.
>
> I missed that bit. Regardless, it might be worthwhile to try adding an
> explicit allow rule, just to see any difference. Also, you could add a
> "log" keyword to the block-in-all rule to see if IPfilter is aware that
> it's blocking DHCP (and why).

Sure, if it looked as if DHCP was blocked. However, I have evidence to the contrary; I've been running dhcpagent in debug mode and logging its output, which shows valid lease extensions and renewals.
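The two checks quoted above (an explicit DHCP pass rule, and "log" on the catch-all block rule), as an added example that is not part of the thread: it writes an ipf.conf fragment and counts what ipmon reported as blocked DHCP traffic. The interface name bge0, the ipmon line layout, and the log lines themselves are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Shows an explicit (stateless) pass rule
# for DHCP, a logged catch-all block rule, and a helper that counts blocked
# DHCP packets in ipmon output. Assumptions: interface bge0 and the ipmon
# line layout sketched below.

# Write an ipf.conf fragment to the file named in $1.
write_ipf_rules() {
    cat > "$1" <<'EOF'
# DHCP is passed without "keep state" on purpose: a reply to a broadcast
# DISCOVER/REQUEST does not match state created by the outgoing packet.
pass out quick on bge0 proto udp from any port = 68 to any port = 67
pass in  quick on bge0 proto udp from any port = 67 to any port = 68
# Everything else inbound is dropped and logged; read the log with ipmon.
block in log all
EOF
}

# Constructed ipmon output (not real log data) in the assumed layout:
#   date time iface @group:rule action src,port -> dst,port PR proto len ...
write_sample_ipmon_log() {
    cat > "$1" <<'EOF'
16/01/2010 12:36:01.000001 bge0 @0:3 b 192.0.2.1,67 -> 255.255.255.255,68 PR udp len 20 328 IN broadcast
16/01/2010 12:36:01.000002 bge0 @0:3 b 192.0.2.9,53 -> 192.0.2.50,40123 PR udp len 20 88 IN
16/01/2010 12:36:02.000003 bge0 @0:2 p 192.0.2.1,67 -> 192.0.2.50,68 PR udp len 20 328 IN
16/01/2010 12:36:03.000004 bge0 @0:3 b 198.51.100.7,2345 -> 192.0.2.50,22 PR tcp len 20 60 -S IN
16/01/2010 12:36:04.000005 bge0 @0:3 b 192.0.2.1,67 -> 192.0.2.50,68 PR udp len 20 300 IN
EOF
}

# Count log lines whose action is "b" (blocked) and whose UDP port is 67/68.
# A non-zero count means the block rule, not the DHCP exchange, is the suspect.
count_blocked_dhcp() {
    awk '$5 == "b" && $10 == "udp" {
            split($6, s, ","); split($8, d, ",")
            if (s[2] == "67" || s[2] == "68" || d[2] == "67" || d[2] == "68") n++
         }
         END { print n + 0 }' "$1"
}

# Stand-alone run: build the sample log and report the count (prints 2).
tmp=${TMPDIR:-/tmp}/ipmon.sample.$$
write_sample_ipmon_log "$tmp"
count_blocked_dhcp "$tmp"
rm -f "$tmp"
```

Load the fragment with `ipf -Fa -f <file>` and feed `ipmon` output to `count_blocked_dhcp`; if the awk fields do not line up with your ipmon version's output, adjust the field numbers first.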
From: Jeroen Scheerder on 16 Jan 2010 13:34

Richard B. Gilbert <rgilbert88(a)comcast.net> wrote:
> Do you really NEED ipfilter? My router, by default, will not allow any
> incoming packet to pass unless it is a response to outgoing traffic.
> It's simple, relatively cheap, and it works! (LinkSys BEFR81)

No, I don't really need it. This is a very hardened installation, and I do maintain software and am very cautious (up to the point of full-blown paranoia) in service configurations. My paranoia also makes me want to block ports I'm not listening on anyway, and drop traffic I'm sure not to need on ports I might be listening on.

FWIW, this system is quite near the Internet backbone. Fully routed, with a full 100mbit Internet link - and nothing in between except layer 3 routing. No NAT. No ACLs. Nothing.
From: Jeroen Scheerder on 16 Jan 2010 13:37

Canuck57 <Canuck57(a)nospam.com> wrote:
> Could be the DHCP network. Did they change the lease times? Add more
> PCs to cause it to recycle IPs? If the DHCP server is changing the IP,
> some rules will fail.

Nope, that's not it. And my dhcpagent debug logs show operational DHCP.

> My big question here is why not give it a fixed IP?

That's a decision of those running the network, who want to be free to renumber or subnet differently at any point in time, without notice - at which point anything on it should retain functionality without administrative action (which would be quite hard anyway, for after a network change there will be no access until reconfiguration).