PacketFence - BTS - PacketFence |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0001271 | PacketFence | configuration | public | 2011-09-19 08:46 | 2011-10-26 14:27 |
|
| Reporter | fgaudreault | |
| Assigned To | obilodeau | |
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | duplicate | |
| Platform | | OS | | OS Version | |
| Product Version | devel | |
| Target Version | | Fixed in Version | 3.0.0 | |
| fixed in git revision | |
| fixed in mtn revision | |
|
| Summary | 0001271: IPTables rules not enough strong in registration/isolation VLAN |
| Description | Apparently, we are not sealing the registration or isolation VLAN enough. Some users are reporting that they can torrent while in registration/isolation VLAN, which is not good.
We should allow only DHCP and DNS externally, and keep the HTTP/HTTPS redirect. |
| Steps To Reproduce | |
| Additional Information | On 17/09/11 12:19 AM, Randy Chockley wrote:
> I have installed CentOS 5.7 and the latest DEVEL build to manage a
> student network. All of my switches are unmanaged, I've got 2 network
> interfaces, one in the ip range of the campus, and another in it's own
> subnet to DHCP to clients. DHCP is working, violations are working
> (some what), we have had some copyright letters sent to us, so I need to
> monitor and block p2p. When a violation is detected browsing the web is
> disabled, and redirected, but the p2p application can continue to
> download. I am not sure I have the pf.conf setup correctly because I
> have been unable to find much documentation, all has been for vlan which
> I am unable to do. My pf.conf:
>
> [general]
> domain=metro
> hostname=packetfence
> dnsservers=8.8.8.8,8.8.4.4
>
> [trapping]
> range=10.10.11.0/24 <http://10.10.11.0/24> [^]
> detection=enabled
> redirtimer=10s
>
> [database]
> pass=*******
>
> [interface eth0]
> ip=10.10.10.113
> mask=255.255.255.0
> type=management
> gateway=10.10.10.1
> authorizedips=
>
> [interface eth1]
> ip=10.10.11.1
> mask=255.255.255.0
> type=internal,monitor
> gateway=10.10.11.1
> enforcement=inline
>
> [services]
> named=disabled
> |
| Tags | No tags attached. |
| Relationships | | duplicate of | 0001269 | closed | obilodeau | iptables not starting if having more than 1 DNS server in the config - inline mode |
|
| Attached Files |  pf.conf (469) 2011-09-19 11:46
https://www.packetfence.org/bugs/file_download.php?file_id=102&type=bug
networks.conf (248) 2011-09-19 11:47
https://www.packetfence.org/bugs/file_download.php?file_id=103&type=bug |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2011-09-19 08:46 | fgaudreault | New Issue | |
| 2011-09-19 10:47 | obilodeau | Additional Information Updated | |
| 2011-09-19 10:48 | obilodeau | Note Added: 0002210 | |
| 2011-09-19 11:38 | chockrl | Note Added: 0002211 | |
| 2011-09-19 11:41 | obilodeau | Note Added: 0002212 | |
| 2011-09-19 11:46 | chockrl | File Added: pf.conf | |
| 2011-09-19 11:47 | chockrl | File Added: networks.conf | |
| 2011-09-19 11:47 | chockrl | Note Added: 0002213 | |
| 2011-09-19 13:55 | obilodeau | Note Added: 0002216 | |
| 2011-09-19 14:23 | obilodeau | Relationship added | duplicate of 0001269 |
| 2011-09-19 14:24 | obilodeau | Note Added: 0002217 | |
| 2011-09-19 14:24 | obilodeau | Status | new => resolved |
| 2011-09-19 14:24 | obilodeau | Resolution | open => duplicate |
| 2011-09-19 14:24 | obilodeau | Assigned To | => obilodeau |
| 2011-10-26 14:27 | obilodeau | Status | resolved => closed |
| 2011-10-26 14:27 | obilodeau | Fixed in Version | => 3.0.0 |
|
Notes |
|
|
|
|
Not sure about internal and monitor on the same interface plus inline enforcement... |
|
|
|
|
|
I believe I have found a work around for the issue. I have changed the pf.conf slightly from the one attached. The parameter that seems to correct the issue is general.dnsservers by entering only one ip address everything is functioning correctly. I also turned on registration, but had the same issue if two dns servers were entered and separated by a comma. I made the same change in network.conf for my DHCP server config. |
|
|
|
|
|
Reminder sent to: chockrl
Can you attach your new pf.conf and networks.conf? We are not quite sure at this point if this is a duplicate of 0001269 or not. |
|
|
|
|
|
I may have read that issue when trying to get this work. Files attached. |
|
|
|
|
I fixed 0001269. I'll try to reproduce the 'p2p still works' portion of the issue in our lab and if I can't I'll mark this as a duplicate of 0001269 which is now fixed.
Thanks for your help! |
|
|
|
|
|
confirmed as a dupe of 0001269 which is fixed |
|