Questions regarding multicast firewall hits and unbound/suricata startup

jasha · 29 July 2020 12:32

hello since i installed ipfire with all recommended settings
my ipfire ,i means network (the red network)
i means that first of all:
the iptables report ALOT about that he blocks 224.0.0.1 ip (multicast)
after dome minutes the unbound reported the he starts the init processes and after that suricata start to booting up
its very annoying

mt network looks like that

------------| lan |------------| lan |----------|
my PC—|-----------------| IPFIRE–|-------------| router–|

pmueller · 29 July 2020 13:45

Hi,

welcome to the IPFire community.

the iptables report ALOT about that he blocks 224.0.0.1 ip (multicast)

Your router is most likely sending those, perhaps for detecting multimedia applications. Those are harmless almost every case and can be safely ignored.

after dome minutes the unbound reported the he starts the init processes and after that suricata start to booting up
its very annoying

I did not get your problem. Unbound is not starting init, it’s the other way round. Could you please describe your problem more detailed?

Thanks, and best regards,
Peter Müller

jasha · 29 July 2020 17:14

here some output of my log from messeges:

sorry for the text format
but be careful in analyzing the log

this url: https://pastebin.com/LbtA4gDN

u can see when some iptables monitoring/filtering the interfaces ,the unbound,and suricata starts their init once more
for first time ,i wrote in anacron some schedule to rebuilt the network (restart)

please help

jasha · 30 July 2020 07:03

somebody can help me?

arne_f · 30 July 2020 10:30

It is normal that unbound and suricata is restarted if the DHCP client brings up the red interface.
Also an additional unbound restart is normal if the system time is not correct and corrected via ntp with an hardcoded ip. unbound need correct time for validating signatures so it cannot use dns for this.

It looks like unbound is not working in your config. (Is a DNSSec upstream server configured?)

Sometimes also suricata blocks unbound if a slow server is configured and the queue overruns.

jasha · 30 July 2020 11:14

there is no dnssec in system also the dns is pihoe .
BUT THE DISCONNECTIONS TAKE PLACE every hour

its not normal!!!

jasha · 30 July 2020 11:16

also the time in my server(smart switch) is correct

jasha · 30 July 2020 13:06

if somebody want any log files
please write it!

arne_f · 30 July 2020 14:04

Unbound will refuse all server that not use DNSSec. PiHole is incompatible as upstream DNS server for IPFire.

jon · 30 July 2020 18:41

Hello @jasha - welcome to the IPFire Community.

I wanted to let you know that all of the people that respond to IPFire Community posts are volunteers. So some issues may take a day or so for a response. I am one of those volunteers.

If quicker response is needed, I believe there is paid support available. I have not reviewed the paid support so I know little to nothing about it.

Hope that helps explain why immediate response is not available.

Jon

jasha · 30 July 2020 20:11

ok @arne_f i thing i have done with these problem. i activated dnssec in pihole
and i will follow the system logs

thanks!

pmueller · 31 July 2020 14:42

Hi,

please start new threads for different questions/issues.

Thanks, and best regards,
Peter Müller