12756 – IPS drops Unbound traffic from an IPFire located behind another IPFire

Bug 12756 - IPS drops Unbound traffic from an IPFire located behind another IPFire

Summary: IPS drops Unbound traffic from an IPFire located behind another IPFire

Status:	NEW

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	all All

Importance:	- Unknown - Major Usability
Assignee:	Assigned to nobody - feel free to grab it and work on it
QA Contact:	Arne.F

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-01-04 17:43 UTC by Peter MÃ¼ller
Modified:	2022-01-04 17:44 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Peter MÃ¼ller 2022-01-04 17:43:48 UTC

As discussed in https://wiki.ipfire.org/devel/telco/2022-01-03, I am raising a bug for investigating into this issue. It appears to have been around for a long time, particularly affecting IPFire users behind a slow internet connection, running another ("nested") IPFire behind it.

In such cases, Suricata seems to block necessary Unbound traffic after a little while (within minutes?), causing DNS not to work properly anymore on the second machine. Unfortunately, nothing is logged.

Arne is observing this in his environment.

Comment 1 Peter MÃ¼ller 2022-01-04 17:44:57 UTC

@Stefan: I vaguely remember you mentioned being able to force Suricata logging such packets/incidents. If this is correct, could you tell us what you did and/or maybe help Arne investigating on this? Thanks.