Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.



For most operations, DHCP software interfaces to the Linux IP stack at a level below Netfilter. Hence, Netfilter (and therefore Shorewall) cannot be used effectively to police DHCP. The dhcp interface option described in this article allows for Netfilter to stay out of DHCP's way for those operations that can be controlled by Netfilter and prevents unwanted logging of DHCP-related traffic by Shorewall-generated Netfilter logging rules.

If you want to Run a DHCP Server on your firewall

  • Specify the dhcp option on each interface to be served by your server in the /etc/shorewall/interfaces file. This will generate rules that will allow DHCP to and from your firewall system.

  • When starting dhcpd, you need to list those interfaces on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.

  • If you set 'ping-check' true in your /etc/dhcp/dhcpd.conf file then you will want to accept 'ping' from your firewall to the zone(s) served by the firewall's DHCP server.
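The first two items above tie together: every interface named on the dhcpd run line must also carry the dhcp option in /etc/shorewall/interfaces, or Shorewall's generated rules will not cover it. The following script is an added example, not code from the Shorewall documentation or project, that checks this. It assumes the RedHat-style /etc/sysconfig/dhcpd with a DHCPDARGS line, takes both file paths as arguments so it can be run against copies, and looks for a dhcp token in the OPTIONS column of either the legacy four-column layout or the ?FORMAT 2 three-column layout; the sample files it constructs when run without arguments are not real configuration.

```shell
#!/bin/sh
# Added example, not part of the Shorewall documentation or the project.
# Checks that every interface dhcpd is started on (DHCPDARGS in
# /etc/sysconfig/dhcpd, the RedHat convention the text mentions) carries
# the "dhcp" option in /etc/shorewall/interfaces.  Both paths are taken as
# arguments so the check can run against copies; without arguments it runs
# on constructed sample files.

# Print, one per line, the interface names in DHCPDARGS="eth1 eth2".
# Tokens starting with "-" are dhcpd flags (e.g. -q) and are skipped.
dhcpd_interfaces() {
    awk -F= '/^[[:space:]]*DHCPDARGS=/ {
        v = $2
        gsub(/["\047]/, "", v)                 # drop surrounding quotes
        n = split(v, tok, /[[:space:]]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] != "" && tok[i] !~ /^-/) print tok[i]
    }' "$1"
}

# Exit 0 if interfaces file $1 gives interface $2 the "dhcp" option, else 1.
# Every field after the interface name is scanned for a comma-separated
# "dhcp" token, so the legacy 4-column layout (ZONE INTERFACE BROADCAST
# OPTIONS) and the ?FORMAT 2 3-column layout (ZONE INTERFACE OPTIONS) both work.
iface_has_dhcp_option() {
    awk -v want="$2" '
        /^[[:space:]]*([#?]|$)/ { next }       # comments, ?FORMAT lines, blanks
        $2 == want {
            for (i = 3; i <= NF; i++) {
                n = split($i, opt, ",")
                for (j = 1; j <= n; j++) if (opt[j] == "dhcp") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Report every dhcpd interface lacking the option; exit 1 if any is missing.
check_dhcpd_interfaces() {
    sysconfig=$1; interfaces=$2; missing=0
    for dev in $(dhcpd_interfaces "$sysconfig"); do
        if iface_has_dhcp_option "$interfaces" "$dev"; then
            echo "ok:      $dev has the dhcp option in $interfaces"
        else
            echo "MISSING: $dev is served by dhcpd but has no dhcp option in $interfaces"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample files (not real configuration) so the script runs offline.
demo_check() {
    d=$(mktemp -d)
    printf 'DHCPDARGS="-q eth1 eth2"\n' > "$d/dhcpd"
    cat > "$d/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags
loc     eth1        detect      dhcp,routeback
dmz     eth2        detect      tcpflags
EOF
    rc=0
    check_dhcpd_interfaces "$d/dhcpd" "$d/interfaces" || rc=$?
    rm -rf "$d"
    return $rc
}

if [ "$#" -eq 2 ]; then
    check_dhcpd_interfaces "$1" "$2"
else
    demo_check || echo "(the sample deliberately leaves eth2 without the dhcp option)"
fi
```

Run it as `sh check-dhcp-ifaces.sh /etc/sysconfig/dhcpd /etc/shorewall/interfaces` before a `shorewall check`; a non-zero exit means dhcpd will be listening on an interface whose DHCP traffic Shorewall has not been told to accept (and will log as unwanted).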

If a Firewall Interface gets its IP Address via DHCP

  • Specify the dhcp option for this interface in the /etc/shorewall/interfaces file. This will generate rules that will allow DHCP to and from your firewall system.

  • If you know that the dynamic address is always going to be in the same subnet, you can specify the subnet address in the interface's entry in the /etc/shorewall/interfaces file.

  • If you don't know the subnet address in advance, you should specify detect for the interface's subnet address in the /etc/shorewall/interfaces file and start Shorewall after the interface has started.

  • In the event that the subnet address might change while Shorewall is running, you need to arrange for a shorewall reload command to be executed when a new dynamic IP address gets assigned to the interface. Check your DHCP client's documentation.

  • It is a good idea to accept 'ping' on any interface that gets its IP address via DHCP. That way, if the DHCP server is configured with 'ping-check' true, you won't be blocking its 'ping' requests.
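One way to arrange the reload described above, as an added example that is not from the Shorewall documentation or project: a dhclient exit hook. It assumes ISC dhclient, whose dhclient-script runs the files in /etc/dhcp/dhclient-exit-hooks.d/ (or /etc/dhclient-exit-hooks on other distributions) after each lease event with $reason, $interface, $old_ip_address and $new_ip_address set; the hook file name, the shorewall path and the decision to reload only when the address actually changes are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Shorewall documentation or the project.
# Install as /etc/dhcp/dhclient-exit-hooks.d/shorewall (Debian-style) or
# append to /etc/dhclient-exit-hooks.  dhclient-script sources it after every
# lease event and exports $reason, $interface, $old_ip_address and
# $new_ip_address.  Other DHCP clients have similar hooks; check their docs.

# Decide whether an event calls for a reload: exit 0 (yes) or 1 (no).
# $1 = reason, $2 = old address (may be empty), $3 = new address.
# Only events that assign an address count, and only when it differs from
# the one Shorewall was last started with; a renewal of the same address
# changes nothing a 'detect' interface depends on.
dhcp_needs_reload() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT)
            [ -n "$3" ] && [ "$2" != "$3" ] ;;
        *)
            # PREINIT, EXPIRE, RELEASE, FAIL, ...: no new address was assigned.
            return 1 ;;
    esac
}

dhclient_reload_hook() {
    if dhcp_needs_reload "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
        logger -t dhclient-shorewall \
            "$interface: address ${old_ip_address:-none} -> $new_ip_address, reloading Shorewall"
        # Recompiles the configuration (re-running 'detect') and loads it.
        # To limit this to specific interfaces, test "$interface" here first.
        /sbin/shorewall reload
    fi
}

# Only act when sourced by dhclient-script, which always sets $reason.
if [ -n "${reason:-}" ]; then
    dhclient_reload_hook
fi
```

Because the hook runs after the interface already holds its new address, the reload happens in the order the previous item requires (Shorewall started after the interface has started), and the syslog line from logger gives you an audit trail of every address change that triggered a reload.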

If you wish to pass DHCP requests and responses through a bridge

  • Specify the dhcp option for the bridge interface in the /etc/shorewall/interfaces file. This will generate rules that will allow DHCP to and from your firewall system as well as through the bridge.

Running dhcrelay on the firewall

  • Specify the "dhcp" option (in /etc/shorewall/interfaces) on the interface facing the DHCP server and on the interfaces to be relayed.

  • Allow UDP ports 67 and 68 ("67:68") between the client zone and the server zone:

    #ACTION        SOURCE        DEST        PROTO       DPORT
    ACCEPT         ZONEA         ZONEB       udp         67:68
    ACCEPT         ZONEB         ZONEA       udp         67:68

    Alternatively, use the DHCPfwd macro:

    #ACTION         SOURCE        DEST        PROTO       DPORT
    DHCPfwd(ACCEPT) ZONEA         ZONEB
    DHCPfwd(ACCEPT) ZONEB         ZONEA

  • If the server is configured with 'ping-check' true, then you must allow 'ping' from the server's zone to the zone(s) served by dhcrelay.

