[Firehol-support] DHCP firewall issue

Carlos Rodrigues carlos.efr at mail.telepac.pt
Sat Jun 10 02:51:33 BST 2006


I've only briefly glanced through RFC2131(*), but it does seem to
imply that DHCP should only use UDP (as does BOOTP).

However, a "netstat -ap | grep dhcpd" shows an open "raw" socket. I've
never tried to firewall dhcpd (but I too noticed that it works even
with policy drop, no ports open), so I never gave it much thought, but
if I had to guess, I'd say dhcp packets don't go through the IP
stack (dhcpd decodes UDP/IP on its own, maybe because some IP stacks
don't do anything until configured, which is a chicken-and-egg
problem) and, as such, are invisible to netfilter/iptables.

Is this so? I'm rather curious about this myself.

(*) ftp://ftp.rfc-editor.org/in-notes/rfc2131.txt

On 6/10/06, Romeo Theriault <romeotheriault at gmail.com> wrote:
> Hi, I'm having a bit of an issue with dhcp while using firehol. I have
> eth0 which serves my private lan and I have eth1 with access to the
> internet and I'm routing the internal lan to the network. This works
> fine. I have DHCP bound to eth0 so it can serve IPs to the clients
> on the lan. From my understanding of the firewall config I have below
> DHCP shouldn't be allowing my clients to get an IP address, but they
> are getting an IP address. This worries me. I would have thought that I
> would have to type something like
>
> interface eth0 dhcp
>         policy return
>         server dhcp accept
>
> before my
>
> interface eth0 lan
>        etc.....
>
> to get dhcp to work.
>
> If someone could look at my config file below and tell me what I'm
> doing wrong I would be very grateful.
>
> Thanks.
>
> Romeo
>
>
> # Require release 5 of FireHOL configuration directives
> version 5
>
> # A space separated list of all the IPs on the internet, I trust
> sshTrust="130.111.68.145 130.111.68.212"
>
> # The IP address of this Linux and LAN for the rest of the world
> public_ip="130.111.68.110"
>
>
> # My LAN.
>         interface eth0 lan
>                 protection strong
>                 server ident reject with tcp-reset
>                 client all accept
>
>
>         # Make sure the traffic coming in, comes from valid Internet IPs,
>         # and that is targeting my public IP
>         interface eth1 internet src not "$UNROUTABLE_IPS" dst "$public_ip"
>                 # Protect me from various kinds of attacks.
>                 protection strong
>
>                 # Public servers.
>                 server ssh  accept src "$sshTrust"
>
>                 # Make sure idents do not timeout.
>                 server ident reject with tcp-reset
>
>                 # This is also a workstation.
>                 client all accept
>
>
>         # Route the LAN requests to the internet.
>         router lan2internet inface eth0 outface eth1
>
>                 # Masquerading on outface.
>                 masquerade
>
>                 # Route all specified requests from inface to outface
>                 # and their replies back.
>                 route http accept
>                 route https accept
>                 route dns accept
>
>


-- 
Carlos Rodrigues
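Carlos's guess above is on the right track: on Linux the "raw" socket netstat shows for dhcpd is an AF_PACKET socket, and frames sent or received on such a socket never traverse netfilter's INPUT/OUTPUT chains, so the FireHOL rules are simply not consulted. The following is an added example (not code from this thread or from FireHOL) that enumerates packet sockets from /proc/net/packet and maps each to its owning process, so an administrator can list which daemons talk past the firewall this way; the SAMPLE text is constructed, not captured from a real host.

```python
"""Enumerate AF_PACKET sockets from /proc/net/packet and map them to their owning
process; such sockets exchange frames below the IP layer, outside netfilter, which
is why dhcpd keeps serving leases under a drop policy with no ports opened."""
import os

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW", 10: "SOCK_PACKET"}  # Type column
ETH_P_ALL, ETH_P_IP = 0x0003, 0x0800                              # Proto column (hex)

def parse_proc_net_packet(text):
    """One dict per socket line; the first line of the file is the column header."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append({"type": SOCK_TYPES.get(int(f[2]), "type" + f[2]),
                        "proto": int(f[3], 16), "ifindex": int(f[4]),  # ifindex 0 = any
                        "inode": int(f[8])})
    return sockets
def socket_owners(proc_root="/proc"):
    """Map socket inode -> (pid, comm) via /proc/<pid>/fd; root sees every process."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            comm = open(os.path.join(proc_root, pid, "comm")).read().strip()
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or its fd table is not readable without root
            continue
        for link in links:
            if link.startswith("socket:["):
                owners[int(link[8:-1])] = (int(pid), comm)
    return owners
def report(sockets, owners):
    """One line per packet socket that can receive IP frames, with its owner if known."""
    out = []
    for s in sockets:
        if s["proto"] in (ETH_P_ALL, ETH_P_IP):  # ARP-only sockets etc. are skipped
            pid, comm = owners.get(s["inode"], ("?", "unknown"))
            out.append(f'{comm}[{pid}] {s["type"]} proto=0x{s["proto"]:04x} ifindex={s["ifindex"]}')
    return out
# Constructed sample in the /proc/net/packet layout (not captured from a real host).
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800 3      3    0800   2     1 0      0      12345
ffff8801 2      2    0003   0     1 0      0      12346
ffff8802 2      3    0806   2     1 0      0      12347
"""
if __name__ == "__main__":
    text = open("/proc/net/packet").read() if os.path.exists("/proc/net/packet") else SAMPLE
    print("\n".join(report(parse_proc_net_packet(text), socket_owners())))
```

Run as root on the DHCP server to see dhcpd's socket listed with its interface index; a socket with ifindex 0 sees every interface.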