dnsmasq DHCP server with nwfilter

2024-08-30 Thread Kai

Hello,

I'm trying to set up a nwfilter ruleset where the client should only be 
able to answer incoming requests and pings. The outbound traffic (LAN 
and Internet) shouldn't be working.


I've got the rules as mentioned below (I moved all filterref inside for 
debugging):


  89daa6f3-0300-439d-bbba-4d298b4420f2


When the guest already has a proper IP address, this seems to work at 
first sight: the client can't talk to the internet anymore, but is 
reachable for TCP and UDP requests.


However, I can't get DHCP working. I'm using the integrated dnsmasq 
service for DHCP.

It works again when I remove the last DROP rule taking care of the rest.


I looked inside tcpdump / Wireshark for the corresponding interface 
(virbr4). With the DHCP port rules enabled I can see that DHCP requests 
go out to 255.255.255.255.
I also activated dnsmasq logging for the virbr4 instance. Here, I don't 
get any DHCP logs.
Without the last DROP rule, I can see clients getting an IP address. I 
currently have no idea where to look "in between", as dnsmasq is 
listening on virbr4.


My expectation for DHCP was for ports 67 <-> 68 to be open, as in the 
nwfilter 'allow-dhcp'.

Am I missing something here?

Thank you!
Kai


Re: dnsmasq DHCP server with nwfilter

2024-08-30 Thread Kai
I had the allow-dhcp rule included by filterref in previous tries. I 
tried to get an overview into one file for testing.


From what I understood from the documentation, the root chain takes every 
rule and includes chains like IPv4 into it.
So bringing it into root is not as efficient, because the IPv4 chain 
only concerns IPv4 packets, while the root chain sees every packet.

Did I get this right?

Without the drop rule, I can track the flow in Wireshark:
0.0.0.0 -> 255.255.255.255 UDP 68->67 Discover
10.16.136.9 -> 255.255.255.255 UDP 67->68 Offer
0.0.0.0 -> 255.255.255.255 UDP 68->67 Request
10.16.136.9 -> 255.255.255.255 UDP 67->68 ACK

Couldn't see anything that shouldn't be captured by the 'allow-dhcp' rule.


On 30.08.24 at 12:20, Daniel P. Berrangé wrote:

On Fri, Aug 30, 2024 at 11:47:15AM +0200, Kai wrote:

Hello,

I'm trying to set up a nwfilter ruleset where the client should only be
able to answer incoming requests and pings. The outbound traffic (LAN and
Internet) shouldn't be working.

I've got the rules as mentioned below (I moved all filterref inside for
debugging):

   89daa6f3-0300-439d-bbba-4d298b4420f2

snip



My expectation for DHCP was for ports 67 <-> 68 to be open, as in the nwfilter
'allow-dhcp'.
Am I missing something here?

You've got a subtle difference - the 'allow-dhcp' filter is adding
rules to the 'ipv4' chain, while you're adding rules to the 'root'
chain, which might make a difference.

Rather than duplicating rules for port 67/68, you could just reference it:

With regards,
Daniel
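A filter written the way Daniel suggests, referencing libvirt's stock 'allow-dhcp' filter instead of copying its 67/68 rules; this is an added example, not the XML from this thread or from libvirt, and the filter name 'answer-only', the priorities and the stateful tcp/udp/icmp rules are assumptions (only 'allow-dhcp', its 'ipv4' chain and the 67/68 ports come from the thread).

```xml
<!-- Added example. 'answer-only' is a constructed name; no <uuid> is given
     so libvirt generates one on define. -->
<filter name='answer-only' chain='root'>
  <!-- Reference libvirt's stock filter rather than duplicating its
       68->67 / 67->68 rules. allow-dhcp lives in the 'ipv4' chain, so its
       accepts are evaluated when root hands IPv4 traffic to that chain. -->
  <filterref filter='allow-dhcp'/>

  <!-- Let the guest answer incoming TCP connections: new flows in,
       only the established replies back out. (Assumed rules.) -->
  <rule action='accept' direction='in' priority='100'>
    <tcp state='NEW,ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='100'>
    <tcp state='ESTABLISHED'/>
  </rule>

  <!-- Same pattern for UDP request/response pairs. -->
  <rule action='accept' direction='in' priority='110'>
    <udp state='NEW,ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='110'>
    <udp state='ESTABLISHED'/>
  </rule>

  <!-- Answer pings: echo request (type 8) in, echo reply (type 0) out. -->
  <rule action='accept' direction='in' priority='120'>
    <icmp type='8'/>
  </rule>
  <rule action='accept' direction='out' priority='120'>
    <icmp type='0'/>
  </rule>

  <!-- Everything else, either direction, is dropped. A high priority value
       keeps this rule after the accepts above (lower values run first). -->
  <rule action='drop' direction='inout' priority='1000'/>
</filter>
```

Define it with `virsh nwfilter-define answer-only.xml` and reference it from the guest's interface with `<filterref filter='answer-only'/>`; on the host, `iptables -S` / `ebtables -L` then show whether the 67/68 accepts land before or after the drop.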