VitalPBX version 3.2.4-3
Hi,
For a long time, the voipbl ipset list supplied with VitalPBX has contained 0.0.0.0/31. This is a problem for DHCP Discover and Request traffic from the clients, because this ipset is used in the firewall to filter INPUT traffic through the INPUT_ZONES_SOURCE chain, which then sends it to the IN_drop chain that eventually DROPs the incoming DHCP packets having 0.0.0.0 as source IP.
A workaround that I use is to delete this entry from the voipbl ipset list, but it could also be left in place by adding a specific INPUT rule that would allow UDP traffic originating from 0.0.0.0/32 port 68 to 255.255.255.255 port 67, maybe in INPUT_direct or as a first entry in the INPUT_ZONES_SOURCE chain?
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1777K 540M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
727 43835 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1213 127K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
1174 124K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
1118 95450 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
56 28784 IN_drop all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] match-set voipbl src
Chain IN_drop (1 references)
pkts bytes target prot opt in out source destination
56 28784 IN_drop_log all -- * * 0.0.0.0/0 0.0.0.0/0
56 28784 IN_drop_deny all -- * * 0.0.0.0/0 0.0.0.0/0
56 28784 IN_drop_allow all -- * * 0.0.0.0/0 0.0.0.0/0
56 28784 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Best regards,
Clément
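
Added example, not part of the original post and not VitalPBX code: a check that can run before a blocklist is loaded into the voipbl set, flagging any entry that would match the 0.0.0.0 source address of DHCP Discover/Request packets. The sample `ipset save` text is constructed (only 0.0.0.0/31 comes from the post), and the function names and the loopback entry in the protected list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in `ipset save` format; only 0.0.0.0/31 comes from the post.
SAMPLE_IPSET_SAVE = """\
create voipbl hash:net family inet hashsize 1024 maxelem 65536
add voipbl 0.0.0.0/31
add voipbl 192.0.2.0/24
add voipbl 198.51.100.17
add voipbl 203.0.113.128/25
"""

# Source addresses used by legitimate local traffic that a blocklist must not cover.
# The loopback entry is an assumption added for illustration; extend as needed.
PROTECTED_SOURCES = {
    "DHCP client before lease (Discover/Request)": ipaddress.ip_address("0.0.0.0"),
    "loopback": ipaddress.ip_address("127.0.0.1"),
}

def parse_ipset_save(text, set_name):
    """Return the networks added to set_name in `ipset save` output."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "add" and parts[1] == set_name:
            # strict=False tolerates entries written with host bits set
            nets.append(ipaddress.ip_network(parts[2], strict=False))
    return nets

def find_conflicts(nets, protected=PROTECTED_SOURCES):
    """Return (entry, reason) pairs for entries that cover a protected source."""
    return [(str(net), reason)
            for net in nets
            for reason, addr in protected.items()
            if addr in net]

def safe_entries(nets, protected=PROTECTED_SOURCES):
    """Entries that can stay in the set without dropping protected sources."""
    bad = {entry for entry, _ in find_conflicts(nets, protected)}
    return [str(n) for n in nets if str(n) not in bad]

if __name__ == "__main__":
    nets = parse_ipset_save(SAMPLE_IPSET_SAVE, "voipbl")
    for entry, reason in find_conflicts(nets):
        print(f"voipbl entry {entry} matches source of: {reason}")
```

On a live system the same functions can be fed the text produced by `ipset save voipbl` instead of the constructed sample.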