Date:      Thu, 29 Mar 2007 20:00:01 -0700
From:      David Benfell <benfell@parts-unknown.org>
To:        freebsd-questions@freebsd.org
Subject:   dhcpd assigns address, but DNS resolvers and ping fail
Message-ID:  <20070330030001.GA38549@parts-unknown.org>


--mvpLiMfbWzRoNl4x
Content-Type: multipart/mixed; boundary="uQr8t48UFsdbeI+V"
Content-Disposition: inline


--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello all,

Another in my mysterious problems list...

pf.conf is set up to allow icmp anywhere.  And dhcpd offers a
plausible IP address and gateway that the client (tested under
both Linux and Windows) accepts.

The client doesn't get the DNS resolver information and can't
ping anywhere, even by raw IP address, even to the router.  The
router also fails to ping the client.

This is FreeBSD stable, updated about a week ago.  dhcpd.conf
and pf.conf files are attached.

Any ideas?  Thanks!
-- 
David Benfell, LCP
benfell@parts-unknown.org
---
Resume available at http://www.parts-unknown.org/
NOTE: I sign all messages with GnuPG (0DD1D1E3).

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pf.conf"
Content-Transfer-Encoding: quoted-printable

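#	$OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#
# NOTE(review): this copy was recovered from a quoted-printable mail
# attachment ("=3D" decoded back to "=", soft line breaks rejoined).
# Network macros below are written with their host bits cleared; pfctl
# masks them anyway, so no rule changes meaning.

# Macros: define common values, so they can be referenced and changed easily.

# -- Interfaces ---------------------------------------------------------------
#ext_if="ext0"	# replace with actual external interface name i.e., dc0
ext_if="xl0"		# Internet side; NATed traffic leaves as $external_addr
#int_if="int0"	# replace with actual internal interface name i.e., dc1
int_if="dc0"		# internal LAN ($internal_net)
dmz_if="sf3"		# DMZ ($dmz_net)
voip_cfg_if="sf1"	# link to the VoIP adapter
pub_if="sf0"		# "public" segment; the filter rules treat it like $ext_if
local_if="lo0"		# not referenced by any rule (lo0 is spelled out literally)
#lupin_if="sf1"

# -- Addresses and networks ---------------------------------------------------
#internal_net="10.1.1.1/8"
internal_net="192.168.18.0/24"
external_addr="66.93.170.242"
internal_addr="192.168.18.1"
routable_subnet="66.93.170.240/28"	# not referenced by any rule below
dmz_net="192.168.19.0/24"
dmz_addr="192.168.19.242"
voip_cfg="192.168.102.1"		# not referenced by any rule below
voip_local="192.168.102.2"		# same value as the nat target on $voip_cfg_if
mta_ad = "192.168.19.242"		# only used by a commented-out rdr
mta_pt = "25"
# DHCP client pool (see dhcpd.conf).  Nothing in this file names the
# interface the pool sits on or the gateway dhcpd advertises (192.168.20.1).
# If 192.168.20.1 is not configured on the interface those clients attach
# to, they cannot ARP for their gateway and nothing above layer 2 works,
# whatever the rules below say -- TODO confirm with ifconfig.
dhcp_net="192.168.20.0/24"
#lupin_net="192.168.100.0/24"
public_admin_net="192.168.17.0/24"	# not referenced by any rule below
starshine="216.240.40.160/27"		# only used by the commented-out macro below

# Sources allowed to ssh to any host via $ext_if, and to reach
# 192.168.18.20 ports 515/631 (see the filter rules).
# WARNING(review): 64.0.0.0/4 spans 64.0.0.0-79.255.255.255, roughly 1/16
# of the IPv4 address space -- far larger than anything "Local".  Confirm
# the prefix length; if this is meant to be the ISP's allocation, list the
# ISP's actual prefixes instead.
#allowed_nets="{ $starshine, $dmz_net, $internal_net }"
trusted_external="{ 12.22.55.0/24, 64.0.0.0/4, 134.154.0.0/16, 216.240.40.160/27 }"
#                   Doubletree     Local        CSU Hayward     starshine.org

# -- Hosts: *_ext are routable, *_int/*_dmz the private side of a binat ------
earth_ext="66.93.170.243"
earth_dmz="192.168.19.243"
earth_int="192.168.18.43"		# only used by a commented-out rdr
dnscache="192.168.19.4"
kindling_ext="66.93.170.244"
kindling_int="192.168.19.244"
home_ext="66.93.170.245"
home_int="192.168.18.44"
raven_ext="66.93.170.246"
raven_int="192.168.18.45"
lair_ext="66.93.170.247"
lair_int="192.168.18.46"
thunder_ext="66.93.170.248"
thunder_int="192.168.18.47"
voip_ext="66.93.170.254"		# not referenced by any rule below
#lupin_ext="66.93.170.254"

# -- Groups -------------------------------------------------------------------
# None of the host groups below are referenced by any rule in this file;
# kept for future use.  (A missing comma before the continuation in
# auth_local was harmless -- pf lists accept whitespace -- but is added for
# consistency.)
non_routable="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }"
macintoshes="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int }"
linux_pcs="{ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int, $raven_ext, $raven_int }"
auth_local="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int, \
	$earth_ext, $earth_dmz, $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int, $raven_ext, $raven_int }"
#lupin_router="192.168.100.1"
#lupin_net="192.168.100.0/24"
dmz_services="port { 4, http, ftp-data, ftp, domain, ntp }"	# not referenced by any rule below
# Shorthand used throughout the filter rules: expands a rule to both protocols.
tcp_udp="proto { tcp, udp }"
in_out="{ in, out }"		# not referenced by any rule below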

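# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
# (The only live table, <spamd>, is declared in the translation section next
# to the rules that reference it.)

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 30, frag 10 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
# Blocked packets are dropped silently rather than answered with a TCP RST
# or ICMP unreachable.  Debugging note: from a client's point of view a
# blocked packet and an unreachable host look the same (timeout), so "ping
# fails" alone does not say whether pf is involved -- check pflog.
set block-policy drop
#set block-policy return
#set require-order yes

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in from any to any
# Reassemble fragments on every interface before the filter rules see them,
# so the port-based rules below always match on complete headers.
scrub in all

# Queueing: rule-based bandwidth control.  (All disabled.)
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#altq on $ext_if bandwidth 1.5Mb cbq queue { dflt, tor }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%
#queue dflt bandwidth 85% cbq(default) priority 3
#queue tor bandwidth 15% priority 1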

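# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#
# Translation is first match, so order within this section matters.

# spamd-setup puts addresses to be redirected into table <spamd>.
# Declared here, ahead of the first rule that references it.
table <spamd> persist

# Never translate loopback traffic.
no rdr on { lo0, lo1 } from any to any

# Hand SMTP from listed spammers to spamd on 127.0.0.1:8025.
# The interface-less rule also covers $ext_if, so the $ext_if-specific one
# is redundant; kept as-is because it is harmless.
rdr on $ext_if proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# block SMTP from Hotmail and other spammer networks (same spamd target)
# hotmail.com
rdr on $ext_if proto tcp from 65.54.0.0/16 to any port smtp -> 127.0.0.1 port 8025
rdr on $ext_if proto tcp from 64.4.0.0/16 to any port smtp -> 127.0.0.1 port 8025
# prod-infinitum.com.mx
rdr on $ext_if proto tcp from 201.153.0.0/16 to any port smtp -> 127.0.0.1 port 8025
# voyager.net
rdr on $ext_if proto tcp from 216.93.66.0/24 to any port smtp -> 127.0.0.1 port 8025
#rdr on $ext_if proto tcp from any to any port smtp -> $mta_ad port $mta_pt

# FTP: send FTP control connections from the inside to the local proxy.
# NOTE(review): with no "port" on the right-hand side the connection lands on
# 127.0.0.1:21, not on the 8021 the disabled ftp-proxy rule further down
# uses.  This only works if something listens on 127.0.0.1:21 -- confirm,
# otherwise append "port 8021".
rdr on { $int_if,$pub_if } proto tcp from any to any port ftp -> 127.0.0.1

# Static 1:1 mappings.  binat takes precedence over nat whatever the order.
#nat on $ext_if from $internal_net to any -> ($ext_if)
#binat on $ext_if from $earth_dmz to any -> $earth_ext
binat on $dmz_if from $earth_dmz to any -> $internal_addr
binat on $ext_if from $home_int to any -> $home_ext
binat on $ext_if from $raven_int to any -> $raven_ext
binat on $ext_if from $lair_int to any -> $lair_ext
binat on $ext_if from $thunder_int to any -> $thunder_ext
#binat on $ext_if from $lupin_router to any -> 66.93.170.253

# Everything else from the private nets leaves $ext_if as $external_addr.
nat on $ext_if from $internal_net to any -> $external_addr
nat on $ext_if from $dhcp_net to any -> $external_addr
# (was the literal 192.168.102.2; $voip_local holds the same value)
nat on $voip_cfg_if from $internal_net to any -> $voip_local
nat on $dmz_if from $dhcp_net to any -> $dmz_addr
#nat on $ext_if from $lupin_net to any -> $lupin_ext

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr NTP for the GPS time source to the internal network.  Hopefully, this way,
# the time source will answer.
#rdr on $dmz_if $tcp_udp from any to 192.168.18.10/32 port ntp -> $earth_int

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# redirect connections from spammers to spamd, all legitimate
# connections will not be redirected
#rdr on $ext_if inet proto tcp \
#from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025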

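# Filtering: last match wins unless a rule says "quick".  pf's default policy
# is pass, and the only blanket block below is "block in on { $ext_if,
# $pub_if }", so $int_if, $dmz_if and $voip_cfg_if accept whatever no rule
# explicitly blocks.

# block IPv6
block in quick inet6 all

# Loopback first.  antispoof expands to "block in from <iface addr>" rules
# with no interface, which also match on lo0 (see the caveat in pf.conf(5)),
# so the loopback pass must come before antispoof to be effective.  In the
# previous order it came after the quick antispoof and never saw those packets.
pass in log quick on lo0 from any to any
antispoof log quick for { $ext_if, $pub_if }

# enable authpf rules
anchor "authpf/*"

# Connections redirected to spamd are filtered on the interface they arrived
# on, with the translated destination 127.0.0.1:8025 -- they never cross lo0,
# so the old "on lo0" version of this rule could not match them.  Today they
# are admitted anyway by the port>1023 rule below; this rule keeps them
# working if that one is ever tightened.
pass in log quick on { $ext_if, $pub_if } inet proto tcp \
	from <spamd> to 127.0.0.1 port 8025 keep state

#allow SMTP, DNS, ICMP
#pass in log quick on $int_if inet proto tcp from any to any port { smtp, domain } flags S/SA synproxy state
pass in log quick on $int_if inet proto tcp from any to any port { smtp, domain } keep state
pass in log quick on $int_if inet proto udp from any to any port domain
# All ICMP types, every interface, both directions, no state.  Apart from
# antispoof above, pf never drops ICMP with this in place, so a failing ping
# is a layer 2/3 problem, not a filter problem.
# NOTE(review): once debugging is done, consider narrowing the inbound side
# on { $ext_if, $pub_if } to "icmp-type echoreq keep state"; error types are
# then admitted only for existing states.
pass log quick proto icmp all

#block the outside world unless...
# Not quick: any later matching pass rule overrides it.
block in log on { $ext_if, $pub_if } all

#allow access to the outside world unless...
pass out log on { $ext_if, $pub_if } all

# protect VOIP configuration
#pass out log quick on $voip_cfg_if proto tcp from $internal_net to any flags S/SA synproxy state
pass out log quick on $voip_cfg_if proto tcp from $internal_net to any keep state

#allow ssh, printing from trusted networks
#pass log quick on $ext_if proto tcp from $trusted_external to any port ssh flags S/SA synproxy state
pass log quick on $ext_if proto tcp from $trusted_external to any port ssh keep state
#pass log quick on { $int_if, $dmz_if, $pub_if } proto tcp from any to any port { ssh, 515, 631 } flags S/SA synproxy state
pass log quick on { $int_if, $dmz_if, $pub_if } proto tcp from any to any port { ssh, 515, 631 } keep state
# NOTE(review): 192.168.18.20 is private and no translation in this file maps
# an external address onto it, so a packet with this destination should not
# arrive on $ext_if.  Dead rule unless a mapping lives elsewhere -- confirm.
#pass in log quick on $ext_if proto tcp from $trusted_external to 192.168.18.20 port { 515, 631 } flags S/SA synproxy state
pass in log quick on $ext_if proto tcp from $trusted_external to 192.168.18.20 port { 515, 631 } keep state

#allow NFS within site
# The service names used below resolve through /etc/services entries like:
#sunrpc		111/tcp	   rpcbind	#SUN Remote Procedure Call
#sunrpc		111/udp	   rpcbind	#SUN Remote Procedure Call
#nfsd-status	1110/tcp   #Cluster status info
#nfsd-keepalive	1110/udp   #Client status info
#nfsd		2049/tcp   nfs		# NFS server daemon
#nfsd		2049/udp   nfs		# NFS server daemon
block log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port { rpcbind, nfsd-status, nfsd-keepalive, nfsd }
pass log quick inet $tcp_udp from any to any port { rpcbind, nfsd-status, nfsd-keepalive, nfsd } keep state

# Port blacklists.  These only matter because the "port>1023" rule further
# down admits everything else from the outside.
#block ports used by W32.Blaster.Worm, per Speakeasy alert 12 Aug 2003
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 134 >< 140
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 445
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 593
#block ports recommended by CERT
block in log quick on { $ext_if, $pub_if } inet proto udp from any to any port 69
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port 87
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 111
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port 511 >< 516
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port 540
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 2000
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 2049
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 5999 >< 6064
#block ports recommended by Felix von Leitner
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 5000
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 1025

#LDAP stuff
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port ldap
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port ldaps
#pass in log quick on $int_if inet $tcp_udp from any to any port ldap
#pass in log quick on $int_if inet $tcp_udp from any to any port ldaps

#allow non-privileged ports anywhere
# WARNING(review): no interface and no direction, so this admits inbound TCP
# and UDP from the Internet on $ext_if/$pub_if to every port above 1023 on
# this host and on every binat'd machine, with only the blacklists above in
# front of it.  That inverts the "block in on $ext_if" policy.  Internal and
# DMZ clients do not need it: the "allow Internet access here" rule below
# already passes their traffic, and Tor and ftp-proxy have their own rules.
# Left unchanged here; strongly consider deleting it, or at least binding it
# to "in on { $int_if, $dmz_if }".
#pass log quick $tcp_udp from any to any port>1023 flags S/SA synproxy state
pass log quick $tcp_udp from any to any port>1023 keep state

#allow Tor services to router
# (Currently shadowed by the quick port>1023 rule above; becomes the rule
# that actually admits Tor if that one is removed.)
#pass  in $tcp_udp from any to { $external_addr, $internal_addr } port { 9001, 9030 } flags S/SA synproxy state
pass in $tcp_udp from any to { $external_addr, $internal_addr } port { 9001, 9030 } keep state

#allow FTP to ftp-proxy (active-mode data connections back to the proxy)
#pass in on $ext_if inet proto tcp from port ftp-data to 127.0.0.1 user proxy flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port ftp-data to 127.0.0.1 user proxy keep state

#allow internal access to and from DMZ
#pass  in log quick $tcp_udp from { $internal_net, $dmz_net } to { $internal_net, $dmz_net } flags S/SA synproxy state
pass in log quick $tcp_udp from { $internal_net, $dmz_net } to { $internal_net, $dmz_net } keep state
#pass out log quick $tcp_udp from { $internal_net, $dmz_net } to { $internal_net, $dmz_net } flags S/SA synproxy state
pass out log quick $tcp_udp from { $internal_net, $dmz_net } to { $internal_net, $dmz_net } keep state

#allow Internet access here
# This is also what lets the DHCP pool out: TCP/UDP sourced from $dhcp_net
# arriving on $pub_if (or $int_if/$dmz_if) is passed with state.
#pass in log quick on { $dmz_if, $int_if, $pub_if } $tcp_udp from { $internal_net, $dmz_net, $dhcp_net } to any flags S/SA synproxy state
pass in log quick on { $dmz_if, $int_if, $pub_if } $tcp_udp from { $internal_net, $dmz_net, $dhcp_net } to any keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state queue dflt

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers queue dflt
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing queue dflt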

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="dhcpd.conf"

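#	$OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# NOTE(review): "ddns-update-style" is ISC dhcpd 3.x syntax, so despite the
# OpenBSD header this file is consumed by the ISC server.
#
# Header summary corrected to match the statements below:
# Network:		192.168.20.0/255.255.255.0 (client pool), sharing a wire
#			with 192.168.17.0/255.255.255.0 (server side)
# Domain name:		cybernude.org
# Name servers:		192.168.18.31, 192.168.19.130, 64.81.79.2, 216.231.41.2
# Default router:	192.168.20.1 for the pool; 192.168.17.1 for 192.168.17.0/24
# Addresses:		192.168.20.2 - 192.168.20.254
#

# Global parameters (moved up from the end of the file; scope is unchanged).
# "ad-hoc" sends unauthenticated dynamic DNS updates derived from the client
# hostname and is marked deprecated in dhcpd.conf(5) for 3.x.  Unless DNS
# updates from leases are actually wanted, "none" is the safer setting --
# TODO confirm before changing.
ddns-update-style ad-hoc;

# Two subnets on one physical segment.  dhcpd serves a shared-network only
# on an interface whose own address lies in one of its subnets -- presumably
# 192.168.17.1 here.  Clients get 192.168.20.x with router 192.168.20.1, so
# 192.168.20.1 must also be configured on that interface (ifconfig alias).
# If it is not, clients cannot ARP for their gateway and the server has no
# route back to 192.168.20.0/24 -- which matches "cannot ping in either
# direction, even the router".  TODO confirm with ifconfig and netstat -rn.
shared-network LOCAL-NET {
	option  domain-name "cybernude.org";
	# Shared-network scope: inherited by both subnets below.  Two RFC1918
	# resolvers first, two public ones as fallback.  If clients that take a
	# lease from this pool still report no resolvers, verify the offer came
	# from this server (dhcpd -d, or tcpdump port 67) rather than another
	# DHCP server on the same wire.
	option  domain-name-servers 192.168.18.31, 192.168.19.130, 64.81.79.2, 216.231.41.2;

	# Server-side subnet; no range, so no leases are handed out from it.
	subnet 192.168.17.0 netmask 255.255.255.0 {
		option routers 192.168.17.1;
	}
	# Client pool.
	subnet 192.168.20.0 netmask 255.255.255.0 {
		option routers 192.168.20.1;
		range 192.168.20.2 192.168.20.254;
	}
}

# The lines below are resolv.conf(5) syntax, not dhcpd.conf; kept only as a
# record of the resolvers in use.
#domain cybernude.org
#nameserver 192.168.19.130
#nameserver 192.168.18.31
#nameserver 64.81.79.2
#nameserver 216.231.41.2

# Disabled second segment.
#shared-network LUPIN {
	#option  domain-name "cybernude.org";
	#option  domain-name-servers 192.168.18.31;

	#subnet 192.168.100.0 netmask 255.255.255.0 {
		#option routers 192.168.100.1;
		#range 192.168.100.100 192.168.100.200;
	#}
#}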

--uQr8t48UFsdbeI+V--

--mvpLiMfbWzRoNl4x
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQFGDH0xUd+dMw3R0eMRAsxKAKCK8GdnHfgwov+L0vCLOJmT62U21wCfemZ7
SdO/Aam8vZG8zT5nbXYVHaM=
=ySOu
-----END PGP SIGNATURE-----

--mvpLiMfbWzRoNl4x--


