PacketFence - BTS - PacketFence
View Issue Details
ID: 0001271
Project: PacketFence
Category: configuration
View Status: public
Date Submitted: 2011-09-19 08:46
Last Update: 2011-10-26 14:27
Reporter: fgaudreault
Assigned To: obilodeau
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: devel
Fixed in Version: 3.0.0
0001271: IPTables rules not strong enough in registration/isolation VLAN
Apparently, we are not sealing the registration or isolation VLAN enough. Some users are reporting that they can torrent while in registration/isolation VLAN, which is not good.

We should allow only DHCP and DNS externally, and keep the HTTP/HTTPS redirect.
On 17/09/11 12:19 AM, Randy Chockley wrote:
> I have installed CentOS 5.7 and the latest DEVEL build to manage a
> student network. All of my switches are unmanaged, I've got 2 network
> interfaces, one in the IP range of the campus, and another in its own
> subnet to DHCP to clients. DHCP is working, violations are working
> (somewhat), we have had some copyright letters sent to us, so I need to
> monitor and block p2p. When a violation is detected browsing the web is
> disabled, and redirected, but the p2p application can continue to
> download. I am not sure I have the pf.conf set up correctly because I
> have been unable to find much documentation, all has been for vlan which
> I am unable to do. My pf.conf:
>
> [general]
> domain=metro
> hostname=packetfence
> dnsservers=8.8.8.8,8.8.4.4
>
> [trapping]
> range=10.10.11.0/24
> detection=enabled
> redirtimer=10s
>
> [database]
> pass=*******
>
> [interface eth0]
> ip=10.10.10.113
> mask=255.255.255.0
> type=management
> gateway=10.10.10.1
> authorizedips=
>
> [interface eth1]
> ip=10.10.11.1
> mask=255.255.255.0
> type=internal,monitor
> gateway=10.10.11.1
> enforcement=inline
>
> [services]
> named=disabled
>
No tags attached.
Relationships
duplicate of 0001269 (closed, obilodeau): iptables not starting if having more than 1 DNS server in the config - inline mode
Attached Files
pf.conf (469) 2011-09-19 11:46
https://www.packetfence.org/bugs/file_download.php?file_id=102&type=bug
networks.conf (248) 2011-09-19 11:47
https://www.packetfence.org/bugs/file_download.php?file_id=103&type=bug
Issue History
2011-09-19 08:46  fgaudreault  New Issue
2011-09-19 10:47  obilodeau    Additional Information Updated
2011-09-19 10:48  obilodeau    Note Added: 0002210
2011-09-19 11:38  chockrl      Note Added: 0002211
2011-09-19 11:41  obilodeau    Note Added: 0002212
2011-09-19 11:46  chockrl      File Added: pf.conf
2011-09-19 11:47  chockrl      File Added: networks.conf
2011-09-19 11:47  chockrl      Note Added: 0002213
2011-09-19 13:55  obilodeau    Note Added: 0002216
2011-09-19 14:23  obilodeau    Relationship added: duplicate of 0001269
2011-09-19 14:24  obilodeau    Note Added: 0002217
2011-09-19 14:24  obilodeau    Status: new => resolved
2011-09-19 14:24  obilodeau    Resolution: open => duplicate
2011-09-19 14:24  obilodeau    Assigned To: => obilodeau
2011-10-26 14:27  obilodeau    Status: resolved => closed
2011-10-26 14:27  obilodeau    Fixed in Version: => 3.0.0

Notes
(0002210) obilodeau 2011-09-19 10:48
Not sure about internal and monitor on the same interface plus inline enforcement...
(0002211) chockrl 2011-09-19 11:38
I believe I have found a workaround for the issue. I have changed the pf.conf slightly from the one attached. The parameter that seems to correct the issue is general.dnsservers: by entering only one IP address, everything is functioning correctly. I also turned on registration, but had the same issue if two DNS servers were entered and separated by a comma. I made the same change in networks.conf for my DHCP server config.
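The two technical points of this issue are the policy the description asks for (only DHCP and DNS may leave the inline registration/isolation network, with HTTP/HTTPS redirected to the portal) and the comma-separated general.dnsservers value that this note and 0001269 show breaking the iptables start-up. The script below is an added example and is not PacketFence's own code or its real rule set: it prints the rules such a policy needs, splitting the DNS list into one rule per server, so the output can be reviewed before anything is applied. The interface name, trapping range, DNS servers and portal address are assumptions taken from the pf.conf quoted in this issue.

```shell
#!/bin/sh
# Added example, not PacketFence code: print the iptables rules an inline
# registration/isolation network would need so that only DHCP and DNS
# leave the network and client HTTP/HTTPS is redirected to the portal.
# Interface, addresses and the DNS list are assumptions modelled on the
# pf.conf quoted in this issue; nothing here is applied to the kernel.

# build_inline_rules IFACE RANGE DNSSERVERS PORTAL
#   IFACE      inline (internal) interface, e.g. eth1
#   RANGE      trapping.range, e.g. 10.10.11.0/24
#   DNSSERVERS general.dnsservers as written in pf.conf, e.g. 8.8.8.8,8.8.4.4
#   PORTAL     address clients are redirected to, e.g. 10.10.11.1
build_inline_rules() {
    iface=$1
    range=$2
    dnslist=$3
    portal=$4

    # Split the comma-separated value into one address per positional
    # parameter. Passing "8.8.8.8,8.8.4.4" unsplit to -d is not a valid
    # iptables destination, so every rule referencing it fails to load and
    # the whole rule set does not start (the failure mode of 0001269).
    old_ifs=$IFS
    IFS=', '
    set -- $dnslist
    IFS=$old_ifs

    # Redirect every web connection from the trapped range to the portal.
    echo "iptables -t nat -A PREROUTING -i $iface -s $range -p tcp --dport 80 -j DNAT --to-destination $portal:80"
    echo "iptables -t nat -A PREROUTING -i $iface -s $range -p tcp --dport 443 -j DNAT --to-destination $portal:443"

    # Traffic addressed to the PacketFence box itself: DHCP and the portal.
    echo "iptables -A INPUT -i $iface -p udp --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -i $iface -s $range -d $portal -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A INPUT -i $iface -s $range -d $portal -p tcp --dport 443 -j ACCEPT"

    # Traffic leaving the network: one pair of rules per DNS server, nothing else.
    for dns; do
        echo "iptables -A FORWARD -i $iface -s $range -d $dns -p udp --dport 53 -j ACCEPT"
        echo "iptables -A FORWARD -i $iface -s $range -d $dns -p tcp --dport 53 -j ACCEPT"
    done
    echo "iptables -A FORWARD -o $iface -d $range -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $range -j MASQUERADE"

    # Everything else from the trapped range, p2p included, is logged then dropped.
    echo "iptables -A FORWARD -i $iface -s $range -j LOG --log-prefix 'pf-inline-drop: '"
    echo "iptables -A FORWARD -i $iface -s $range -j DROP"
}

# Count the DNS ACCEPT rules in the generated set (two per server: udp and tcp).
count_dns_rules() {
    build_inline_rules "$@" | grep -c -e '--dport 53 -j ACCEPT'
}

# Usage with the values from the quoted pf.conf (trapping.range and
# general.dnsservers); the rules are printed for review, not applied.
build_inline_rules eth1 10.10.11.0/24 8.8.8.8,8.8.4.4 10.10.11.1
```

Because the list is split before any rule is built, `8.8.8.8,8.8.4.4` and `8.8.8.8, 8.8.4.4` both yield two accepted resolvers, and a single address yields one; the trailing LOG/DROP pair is what makes "browsing is redirected but the p2p client keeps downloading" impossible for a client that is still in the trapped range.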
(0002212) obilodeau 2011-09-19 11:41
Reminder sent to: chockrl

Can you attach your new pf.conf and networks.conf? We are not quite sure at this point if this is a duplicate of 0001269 or not.
(0002213) chockrl 2011-09-19 11:47
I may have read that issue when trying to get this to work. Files attached.
(0002216) obilodeau 2011-09-19 13:55
I fixed 0001269. I'll try to reproduce the 'p2p still works' portion of the issue in our lab and if I can't I'll mark this as a duplicate of 0001269 which is now fixed.

Thanks for your help!
(0002217) obilodeau 2011-09-19 14:24
Confirmed as a dupe of 0001269, which is fixed.