Copyright © 2001, 2002, 2004, 2005, 2010 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2020/02/16
Table of Contents
Note
For most operations, DHCP software interfaces to the Linux IP stack at a level below Netfilter. Hence, Netfilter (and therefore Shorewall) cannot be used effectively to police DHCP. The “dhcp” interface option described in this article allows for Netfilter to stay out of DHCP's way for those operations that can be controlled by Netfilter and prevents unwanted logging of DHCP-related traffic by Shorewall-generated Netfilter logging rules.
Specify the “dhcp” option on each interface to be served by your server in the
/etc/shorewall/interfaces
file. This will generate rules that will allow DHCP to and from your firewall system.When starting “dhcpd”, you need to list those interfaces on the run line. On a RedHat system, this is done by modifying
/etc/sysconfig/dhcpd
.If you set 'ping-check' true in your
/etc/dhcp/dhcpd.conf
file then you will want to accept 'ping' from your firewall to the zone(s) served by the firewall's DHCP server.
Specify the “dhcp” option for this interface in the
/etc/shorewall/interfaces
file. This will generate rules that will allow DHCP to and from your firewall system.If you know that the dynamic address is always going to be in the same subnet, you can specify the subnet address in the interface's entry in the
/etc/shorewall/interfaces
file.If you don't know the subnet address in advance, you should specify “detect” for the interface's subnet address in the
/etc/shorewall/interfaces
file and start Shorewall after the interface has started.In the event that the subnet address might change while Shorewall is started, you need to arrange for a shorewall reload command to be executed when a new dynamic IP address gets assigned to the interface. Check your DHCP client's documentation.
It is a good idea to accept 'ping' on any interface that gets its IP address via DHCP. That way, if the DHCP server is configured with 'ping-check' true, you won't be blocking its 'ping' requests.
Specify the “dhcp” option for the bridge interface in the
/etc/shorewall/interfaces
file. This will generate rules that will allow DHCP to and from your firewall system as well as through the bridge.
Specify the "dhcp" option (in
/etc/shorewall/interfaces
) on the interface facing the DHCP server and on the interfaces to be relayed.Allow UDP ports 67 and 68 ("67:68") between the client zone and the server zone:
#ACTION SOURCE DEST PROTO DPORT ACCEPT ZONEA ZONEB udp 67:68 ACCEPT ZONEB ZONEA udp 67:68
Alternatively, use the DHCPfwd macro:
#ACTION SOURCE DEST PROTO DPORT DHCPfwd(ACCEPT) ZONEA ZONEB
If the server is configured with 'ping-check' true, then you must allow 'ping' from the server's zone to the zone(s) served by dhcrelay.