<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Well, I did a bit of research about it on google and came up with this interesting tidbit on the netfilter mailing list.<DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">On Monday 17 November 2003 4:35 pm, Chandana Bandara wrote:</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> Hi </FONT></I></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></I></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF">Mr.Antony & ALL ,</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> iptables -P INPUT DROP</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> iptables -P FORWARD DROP</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> iptables -P OUTPUT DROP.........only with those policies ,</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> should block the all incomming , outgoing from the machine ?????</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">Assuming you have flushed the rules as well, with:</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">iptables -F INPUT</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">iptables -F FORWARD</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">iptables -F OUTPUT</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">then no IP traffic will be allowed into, out of, or through, the machine.</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> This firewall running in my DHCP machne , but when a test with my DHCP</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> clients ..........those machone has taken ips. but this can't happen</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> .....isit ? if i correct where can be tbe problem ? pls ..............guide</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">></FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><I><FONT class="Apple-style-span" color="#1C1FFF"> me</FONT></I></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">It is important to bear in mind that DHCP is a protocol used for giving IP</FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">addresses to clients which don't currently have them, therefore the traffic</FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">involved in client requests and server responses will not have normal IP</FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">addresses as you might expect, simply because the (client) machines in</FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">question don't have IP addresses until the protocol is complete.</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">A quick inspection with a protocol analyser such as ethereal will easily show</FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">you what I mean here.</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">However, once the clients do have IP addresses, the above rules will</FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">certainly prevent them from communicating with, or through, the netfilter box.</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">If you want to block the ethernet traffic involved in communicating the DHCP</FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">packets in the first place you might like to investigate ebtables at</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="http://ebtables.sf.net/"><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">http://ebtables.sf.net</FONT></SPAN></FONT></A><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> instead of iptables, as this is more appropriate to</FONT></SPAN></FONT><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF"> </FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">this purpose.</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">Regards,</FONT></SPAN></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><FONT class="Apple-style-span" color="#1C1FFF"><BR></FONT></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT class="Apple-style-span" face="Courier" size="3"><SPAN class="Apple-style-span" style="font-size: 13px;"><FONT class="Apple-style-span" color="#1C1FFF">Antony.</FONT></SPAN></FONT></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>At least I feel a little safer now knowing that it's not a serious problem with my firewall. But it's also very interesting to know that IP tables won't block traffic that doesn't have an IP address yet. If I'm understanding this correctly. </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I'll have to check out etables.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Thoughts???</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Romeo</DIV><DIV><BR><DIV><DIV>On Jun 9, 2006, at 9:51 PM, Carlos Rodrigues wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I've only briefly glanced through RFC2131(*), but it does seem to</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">imply that DHCP should only use UDP (as does BOOTP).</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">However, a "netstat -ap | grep dhcpd" shows an open "raw" socket. I've</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">never tried to firewall dhcpd (but I too noticed that it works even</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">with policy drop, no ports open), so I never gave it much thought, but</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">if I'd have to guess, I'd say dhcp packets don't go through the IP</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">stack (dhcpd decodes UDP/IP on its own, maybe because some IP stacks</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">don't do anything until configured, which is a chicken-and-egg</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">problem) and, as so, are invisible to netfilter/iptables.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Is this so? I'm rather curious about this myself.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">(*) <A href="ftp://ftp.rfc-editor.org/in-notes/rfc2131.txt">ftp://ftp.rfc-editor.org/in-notes/rfc2131.txt</A></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">On 6/10/06, Romeo Theriault <<A href="mailto:romeotheriault@gmail.com">romeotheriault@gmail.com</A>> wrote:</DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Hi, I'm having a bit of an issue with dhcp while using firehol. I have</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">eth0 which servers my private lan and I have eth1 with access to the</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">internet and I'm routing the internal lan to the network. This works</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">fine. I have DHCP bound to eth0 so it can server ip's the the clients</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">on the lan. From my understanding of the firewall config I have below</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">DHCP shouldn't be allowing my clients to get a ip address, but they</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">are getting an ip address. This worries me. I would of thought that I</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">would have to type something like</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">interface eth0 dhcp</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>policy return</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>server dhcp accept</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">before my</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">interface eth0 lan</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>etc.....</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">to get dhcp to work.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">If someone could look at my config file below and tell me what I'm</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">doing wrong I would be very grateful.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Thanks.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Romeo</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "># Require release 5 of FireHOL configuration directives</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">version 5</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "># A space separated list of all the IPs on the internet, I trust</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">sshTrust="130.111.68.145 130.111.68.212"</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "># The IP address of this Linux and LAN for the rest of the world</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">public_ip="130.111.68.110"</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "># My LAN.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>interface eth0 lan</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>protection strong</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>server ident reject with tcp-reset</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>client all accept</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># Make sure the traffic coming in, comes from valid Internet IPs,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># and that is targeting my public IP</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>interface eth1 internet src not "$UNROUTABLE_IPS" dst "$public_ip"</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># Protect me from various kinds of attacks.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>protection strong</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># Public servers.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>server ssh<SPAN class="Apple-converted-space"> </SPAN>accept src "$sshTrust"</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># Make sure idents do not timeout.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>server ident reject with tcp-reset</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># This is also a workstation.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>client all accept</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># Route the LAN requests to the internet.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>router lan2internet inface eth0 outface eth1</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># Masquerading on outface.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>masquerade</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># Route all specified requests from inface to outface</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN># and their replies back.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>route http accept</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>route https accept</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>route dns accept</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">_______________________________________________</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Firehol-support mailing list</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="mailto:Firehol-support@lists.sourceforge.net">Firehol-support@lists.sourceforge.net</A></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="https://lists.sourceforge.net/lists/listinfo/firehol-support">https://lists.sourceforge.net/lists/listinfo/firehol-support</A></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">--<SPAN class="Apple-converted-space"> </SPAN></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Carlos Rodrigues</DIV> </BLOCKQUOTE></DIV><BR></DIV></BODY></HTML>