Date:      Sun, 9 Jan 2005 03:34:58 +0000 (GMT)
From:      Robert Watson <rwatson@freebsd.org>
To:        Bob Hall <rjhjr@cox.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: dhclient: send_packet: Permission denied
Message-ID:  <Pine.NEB.3.96L.1050109033215.43829M-100000@fledge.watson.org>
In-Reply-To: <20050109012539.GA5042@kongemord.krig.net>

On Sat, 8 Jan 2005, Bob Hall wrote:

> I keep getting the message
>  	dhclient: send_packet: Permission denied

I believe this is actually a bug/feature in dhclient, which is trying to
send a packet from an IP address that it has a lease for, but isn't
configured on the network interface.  The IP stack says "no you don't",
which dhclient carefully reports to the user.  This would explain why you
never see a packet stopped by the firewall -- it never gets that far.
What you might want to do is run dhclient under ktrace to see which system
call causes the problem, and perhaps confirm that the system call
arguments are somewhat bogus.  All of this isn't necessarily a functional
bug, but telling the user about the error is frustrating for everyone,
because not only is it hard to interpret, but there's really nothing you
can do about it...

(I find it very annoying when error messages exist that provide no hint to
the user about what they should do, or worse, when the message is of no
value to anyone except that it is confusing!)

Robert N M Watson


>  
> I try 
>  	sockstat | grep dhclient
> and get
>  	root     dhclient   247   4  udp4   *:68                  *:*
>  	root     dhclient   247   6  dgram  -> /var/run/log
>  
> I utter
>  	psgrep dhclient
> and get
>  	root 247 0.0 1.0 1812 1284 ?? Ss 2:13PM 0:00.26 /sbin/dhclient rl0
>  
> I've tried setting up special rules in the firewall to catch the
> dhclient packets, and the firewall doesn't seem to be stopping them. The
> ipfw rules to pass the packets are
>  	allow udp from any 68 to 255.255.255.255 dst-port 67 out via rl0
>  	allow udp from any 67 to 255.255.255.255 dst-port 68 in via rl0
> "ipfw show" doesn't register any packets even when dhclient is
> complaining about not being able to send packets. 
>  
> I can get an IP address, no problem. From the messages log:
> 	dhclient: New IP Address (rl0): <ip address>
>  	dhclient: New Subnet Mask (rl0): 255.255.254.0
>  	dhclient: New Broadcast Address (rl0): <ip broadcast address>
>  	dhclient: New Routers: <ip router address>
> But even with this, I'm still getting the Permission denied message.
>  
> The only DHCP configuration I've done is in the rc.conf file:
>  	ifconfig_rl0="DHCP"
> I'm not using inetd.
> 
> This has been a problem starting with FBSD 4.4 through 4.8, and with my
> current system, 5.2.1. I'll upgrade to 5.3 in a month or so when I have
> the time, but the problem seems to occur on all versions.
> 
> I've searched the archives and Googled extensively, and I can find
> messages from other people with the same problem, but I haven't found a
> solution. 
> 
> I used tcpdump to look at the UDP traffic through the bootp ports. About
> once an hour, my host would send a UDP packet out the bootpc port to the
> bootps port at the broadcast address. I would get a reply back from my
> ISP's router with the DHCP server's IP address. Shortly before it was
> time to renew the DHCP lease, my host started sending out a boatload of
> these broadcast packets, with no response from my ISP. This stopped at
> the time the old lease listed as the renew time. The only thing I
> received from the DHCP server IP address was an echo request packet,
> which I didn't respond to. In spite of the fact that there was no
> evidence of UDP traffic between my host and the DHCP server, my DHCP
> lease was renewed and my IP address was changed. That's the first time
> my IP address has been changed when I wasn't off line.
> 
> Output from ipfw list:
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from 192.168.0.240/28 to any in via rl0
> 00500 deny ip from 68.230.190.0/23 to any in via xl0
> 00600 deny ip from any to 10.0.0.0/8 via rl0
> 00700 deny ip from any to 172.16.0.0/12 via rl0
> 00800 deny ip from any to 192.168.0.0/16 via rl0
> 00900 deny ip from any to 0.0.0.0/8 via rl0
> 01000 deny ip from any to 169.254.0.0/16 via rl0
> 01100 deny ip from any to 192.0.2.0/24 via rl0
> 01200 deny ip from any to 224.0.0.0/4 via rl0
> 01300 deny ip from any to 240.0.0.0/4 via rl0
> 01400 allow ip from any to any via xl0
> 01500 divert 8668 ip from any to any via rl0
> 01700 deny ip from 10.0.0.0/8 to any via rl0
> 01800 deny ip from 172.16.0.0/12 to any via rl0
> 01900 deny ip from 192.168.0.0/16 to any via rl0
> 02000 deny ip from 0.0.0.0/8 to any via rl0
> 02100 deny ip from 169.254.0.0/16 to any via rl0
> 02200 deny ip from 192.0.2.0/24 to any via rl0
> 02300 deny ip from 224.0.0.0/4 to any via rl0
> 02400 deny ip from 240.0.0.0/4 to any via rl0
> 02500 allow tcp from any to any established
> 02600 allow ip from any to any frag
> 02700 deny log tcp from any to any in via rl0 setup
> 02800 allow tcp from any to any setup
> 02900 allow udp from 68.230.186.138 to any dst-port 53 keep-state
> 03000 allow udp from any 123 to any dst-port 123 via rl0
> 03100 allow icmp from any to any icmptypes 3,4,8 out via rl0
> 03200 allow icmp from any to any icmptypes 0,3,4,11 in via rl0
> 03300 allow udp from any to any dst-port 33434-33523 out via rl0
> 03400 allow udp from any 68 to any dst-port 67 out via rl0
> 03500 allow udp from any 67 to any dst-port 68 in via rl0
> 03600 allow udp from any 68 to 255.255.255.255 dst-port 67 out via rl0
> 03700 allow udp from any 67 to 255.255.255.255 dst-port 68 in via rl0
> 03800 allow udp from any 68,67 to any dst-port 68,67 via rl0
> 65535 deny ip from any to any
> 
> If I set up a special deny all rule for UDP packets in IPFW (after rules
> allowing DNS, NTP, and traceroute and Windows ping), nothing triggers
> it. Nothing triggers the rules that I set up to allow the DHCP packets.
> Tcpdump doesn't show any UDP traffic between my host and the DHCP
> server. And yet dhclient is complaining that it doesn't have permission
> to send packets, and my DHCP lease is being renewed.
> 
> Can anybody explain to me what is happening?
> 
> Bob

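Robert's suggestion above is to run dhclient under ktrace and find which system call fails and with what arguments. The following is an added example, not part of the original thread or of FreeBSD's dhclient: a small Python parser that pairs kdump(1) CALL and RET records by pid and reports the calls that returned -1 with an errno, run over a constructed sample trace. The record layout ("pid comm CALL name(args)" / "pid comm RET name value errno N text") follows kdump's style but is an assumption here, and the sample values (pid 247 is borrowed from Bob's ps output; the pointer arguments are made up) are constructed, not output from the original report.

```python
import errno
import re
from collections import defaultdict

# Constructed sample of kdump(1) output (not from the original thread).
# The layout mirrors kdump's "CALL"/"RET" records; treat it as an assumption.
SAMPLE_KDUMP = """\
   247 dhclient CALL  socket(0x2,0x2,0)
   247 dhclient RET   socket 4
   247 dhclient CALL  sendto(0x4,0x8070000,0x12c,0,0xbfbfe8c0,0x10)
   247 dhclient RET   sendto -1 errno 13 Permission denied
   247 dhclient CALL  write(0x6,0x8071000,0x28)
   247 dhclient RET   write 40
   247 dhclient CALL  sendto(0x4,0x8070000,0x12c,0,0xbfbfe8c0,0x10)
   247 dhclient RET   sendto -1 errno 13 Permission denied
"""

# "<pid> <comm> CALL  <syscall>(<args>)"
CALL_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+CALL\s+(\w+)\((.*)\)\s*$')
# "<pid> <comm> RET   <syscall> <value>[ errno <num> <message>]"
RET_RE = re.compile(
    r'^\s*(\d+)\s+(\S+)\s+RET\s+(\w+)\s+(-?\d+)(?:\s+errno\s+(\d+)\s+(.*))?\s*$')


def failed_syscalls(kdump_text):
    """Pair each CALL record with the next RET record for the same pid and
    return the failed calls as (syscall, args, errno_number, errno_name)."""
    pending = {}    # pid -> (syscall, args) of the CALL still awaiting its RET
    failures = []
    for line in kdump_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            pid, _comm, name, args = m.groups()
            pending[pid] = (name, args)
            continue
        m = RET_RE.match(line)
        if not m:
            continue            # GIO, NAMI and other record types are skipped
        pid, _comm, name, retval, err, _msg = m.groups()
        call = pending.pop(pid, None)
        if int(retval) == -1 and err is not None:
            # Keep the arguments only if the CALL we saw is for the same syscall.
            args = call[1] if call and call[0] == name else ''
            num = int(err)
            failures.append((name, args, num, errno.errorcode.get(num, 'UNKNOWN')))
    return failures


def summarize(failures):
    """Count failures by (syscall, errno name) so a repeating error stands out."""
    counts = defaultdict(int)
    for name, _args, _num, code in failures:
        counts[(name, code)] += 1
    return dict(counts)


if __name__ == '__main__':
    for name, args, num, code in failed_syscalls(SAMPLE_KDUMP):
        print(f'{name}({args}) -> errno {num} {code}')
    print(summarize(SAMPLE_KDUMP and failed_syscalls(SAMPLE_KDUMP)))
```

On a real system the input would come from `ktrace -i -t c -f /tmp/dhclient.kt dhclient rl0` followed by `kdump -f /tmp/dhclient.kt`; with the sample above the parser attributes both failures to sendto(2) with EACCES and shows the descriptor and address arguments it was called with, which is the information Robert asks for before deciding whether the error is a configuration problem or a dhclient quirk.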

