Miroslav Lachman wrote on 2019/04/28 23:34:
Dan Lukes wrote on 2019/04/28 22:36:

And the firewall only lets the first packets through ...

But the log again showed dhclient[40538]: send_packet: Permission denied.

So what should be allowed?

It seems I have figured it out, even though I don't quite understand why the initial IP address acquisition goes through but the lease renewal does not.

In pf.conf I have a table "reserved":

table <reserved> { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

and it is then used in a rule that blocks these networks on the external interface, because such addresses generally have no business being there:

## Deny all non routable traffic on external interface
block log quick on $ext_if inet from <reserved> to any
block log quick on $ext_if inet from any to <reserved>

But from /var/db/dhclient.leases.bge0 I learned that the DHCP server has the address 10.128.129.89:

  option dhcp-server-identifier 10.128.129.89;

So I excluded this IP from the reserved table:

table <reserved> { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, !10.128.129.89 }

And the "send_packet: Permission denied" messages no longer appear in the log.

So to close, just a question to the floor - does anyone know whether the UPC DHCP server always has the address 10.128.129.89, or whether several different ones are used, depending on the subnet etc.? (Even though the DHCP server has a 10.x.x.x address, the machine gets a public address, but these can be various subnets, 62.24.x.x, 84.x.x.x etc.)

Mirek
--
FreeBSD mailing list (users-l@freebsd.cz)
http://www.freebsd.cz/listserv/listinfo/users-l
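Added example, not from the list thread: a small Python model of the pf table semantics behind Mirek's fix. It assumes pf's documented table behaviour (the longest-prefix entry decides, and a `!` entry excludes), reproduces the two `block quick on $ext_if` rules from the post, and uses a constructed public client address (62.24.1.2) to show why a unicast lease renewal to 10.128.129.89 is blocked by the original table and passed once the server address is negated.

```python
import ipaddress

# Constructed copy of the poster's table, including the negated DHCP server entry.
RESERVED = [
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8", "0.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23", "224.0.0.0/3",
    "!10.128.129.89",
]


def parse_table(entries):
    """Turn pf-style table entries into (network, negated) pairs."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        parsed.append((net, negated))
    return parsed


def table_matches(table, addr):
    """pf semantics: the most specific (longest prefix) entry decides;
    if that entry is negated, the address is NOT in the table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def pf_verdict(table, src, dst):
    """Apply the post's two rules:
       block log quick on $ext_if inet from <reserved> to any
       block log quick on $ext_if inet from any to <reserved>
    Anything not blocked by them is treated as passing here."""
    if table_matches(table, src) or table_matches(table, dst):
        return "block"
    return "pass"


if __name__ == "__main__":
    fixed = parse_table(RESERVED)
    original = parse_table([e for e in RESERVED if not e.startswith("!")])
    # Unicast DHCP renewal from the client's public address to the server.
    print("original table:", pf_verdict(original, "62.24.1.2", "10.128.129.89"))
    print("fixed table:   ", pf_verdict(fixed, "62.24.1.2", "10.128.129.89"))
    print("other 10/8 host still blocked:", table_matches(fixed, "10.128.129.90"))
```

The negation is deliberately a single /32, so every other 10.0.0.0/8 address remains blocked on the external interface.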
