PacketFence - BTS - PacketFence
0001374 | PacketFence | core | public | 2012-02-03 14:34 | 2012-04-18 10:00
0001374: Inline mode should work as VLAN mode regarding DNS blackholing
Inline mode, as currently implemented, can be improved regarding DNS blackholing.

Right now you choose in configuration, either:
a) you use the portal in an IP-based way, and you provide a valid external DNS in
b) you use the portal with DNS but you might provide a valid internal DNS and add an FQDN to PacketFence's IP inline interface

It's more trouble to configure, but it also causes problems because IP-based can't use an SSL-based portal, and because of that configurable difference we have two different portal Apache configs.

Injecting a DNAT rule to refer to the local DNS on an inline network when the user is unreg (or in violation) would fix that problem: when DNAT'ed, DNS blackholing makes the redirection dance happen again; otherwise, if not DNAT'ed, DNS goes to the real DNS, which should work.

Potential problem: named might not like to answer the DNAT'ed request, or the client might refuse the reply from another IP (remember this is UDP... thus rewriting source IP might be in order).

Once fixed don't forget to:
- drop the parameter regarding ip or dns based portal redirect from pf.conf
- drop apache config duplication
- update documentation accordingly
No tags attached.
related to 0001387 | closed | obilodeau | iptables forward filter customization
related to 0001423 | resolved | fgaudreault | Weird behavior with DNS and connection tracking in inline enforcement
Issue History
2012-02-03 14:34 | obilodeau | New Issue
2012-02-03 14:34 | obilodeau | Status | new => assigned
2012-02-03 14:34 | obilodeau | Assigned To | => dwuelfrath
2012-02-29 10:53 | obilodeau | Category | feature => core
2012-02-29 11:10 | obilodeau | Relationship added | related to 0001387
2012-04-12 13:13 | dwuelfrath | Status | assigned => resolved
2012-04-12 13:13 | dwuelfrath | Resolution | open => fixed
2012-04-12 13:13 | dwuelfrath | Fixed in Version | => trunk
2012-04-16 11:24 | obilodeau | Relationship added | related to 0001423
2012-04-18 09:49 | obilodeau | Target Version | => 3.3.0
2012-04-18 09:50 | obilodeau | Fixed in Version | trunk => 3.3.0
2012-04-18 09:59 | obilodeau | Note Added: 0002660
2012-04-18 10:00 | obilodeau | Status | resolved => closed

2012-04-18 09:59   
Fix released in 3.3.0 last Friday.
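
The DNAT proposal in the issue description, sketched as an added example (not PacketFence's own code and not the fix that shipped in 3.3.0): a generator for the nat-table rules that send DNS from unregistered or violation clients to the local resolver. The interface name, resolver IP and fwmark values are hypothetical, and the marks are assumed to be set by a separate mangle-table rule.

```shell
#!/bin/sh
# Added example: prints an iptables-restore fragment; it never touches the live firewall.
# Hypothetical values: interface name, resolver IP, and the fwmarks that some
# other rule (mangle table) is assumed to set on unregistered/violation clients.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# dns_dnat_rules IFACE RESOLVER_IP MARK...
# Emits one DNAT rule per (mark, protocol). Marked clients have their DNS sent
# to the local blackholing resolver whatever server they asked; unmarked
# (registered) clients match nothing and reach the real DNS.
# conntrack reverses the DNAT on replies, so the client sees the answer coming
# from the server it queried, UDP included. nat rules are evaluated only on the
# first packet of a tracked flow, so an existing flow keeps its mapping.
dns_dnat_rules() {
    [ "$#" -ge 3 ] || { echo "usage: dns_dnat_rules IFACE RESOLVER_IP MARK..." >&2; return 2; }
    iface=$1; resolver_ip=$2; shift 2
    case "$iface" in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 2 ;; esac
    is_ipv4 "$resolver_ip" || { echo "bad resolver IP: $resolver_ip" >&2; return 2; }
    for mark in "$@"; do   # validate everything before emitting anything
        case "$mark" in ''|*[!0-9]*) echo "bad mark: $mark" >&2; return 2 ;; esac
    done
    echo "*nat"
    for mark in "$@"; do
        for proto in udp tcp; do
            echo "-A PREROUTING -i $iface -p $proto --dport 53 -m mark --mark $mark -j DNAT --to-destination $resolver_ip"
        done
    done
    echo "COMMIT"
}

# Constructed sample: inline interface "inline0", resolver 192.0.2.1, marks 2 and 3.
dns_dnat_rules inline0 192.0.2.1 2 3
```

Because the reverse translation is done by connection tracking, the rules only behave this way when conntrack is active for the inline interface.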