1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>DHCP</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2010</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<note>
<para>For most operations, DHCP software interfaces to the Linux IP stack
at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The <quote>dhcp</quote>
interface option described in this article allows for Netfilter to stay
out of DHCP's way for those operations that can be controlled by Netfilter
and prevents unwanted logging of DHCP-related traffic by
Shorewall-generated Netfilter logging rules.</para>
</note>
<section id="Firewall">
<title>If you want to Run a DHCP Server on your firewall</title>
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option on each interface to be
served by your server in the <filename><ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink></filename>
file. This will generate rules that will allow DHCP to and from your
firewall system.</para>
</listitem>
<listitem>
<para>When starting <quote>dhcpd</quote>, you need to list those
interfaces on the run line. On a RedHat system, this is done by
modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
</listitem>
<listitem>
<para>If you set 'ping-check' true in your
<filename>/etc/dhcp/dhcpd.conf</filename> file then you will want to
<ulink url="ping.html">accept 'ping'</ulink> from your firewall to the
zone(s) served by the firewall's DHCP server.</para>
</listitem>
</itemizedlist>
</section>
<section id="Client">
<title>If a Firewall Interface gets its IP Address via DHCP</title>
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option for this interface in the
<ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file. This will generate rules that will allow DHCP to and from your
firewall system.</para>
</listitem>
<listitem>
<para>If you know that the dynamic address is always going to be in
the same subnet, you can specify the subnet address in the interface's
entry in the <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file.</para>
</listitem>
<listitem>
<para>If you don't know the subnet address in advance, you should
specify <quote>detect</quote> for the interface's subnet address in
the <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file and start Shorewall after the interface has started.</para>
</listitem>
<listitem>
<para>In the event that the subnet address might change while
Shorewall is started, you need to arrange for a <command>shorewall
reload</command> command to be executed when a new dynamic IP address
gets assigned to the interface. Check your DHCP client's
documentation.</para>
</listitem>
<listitem>
<para>It is a good idea to <ulink url="ping.html">accept
'ping'</ulink> on any interface that gets its IP address via DHCP.
That way, if the DHCP server is configured with 'ping-check' true, you
won't be blocking its 'ping' requests.</para>
</listitem>
</itemizedlist>
</section>
<section id="Bridge">
<title>If you wish to pass DHCP requests and responses through a
bridge</title>
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option for the bridge interface
in the <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file. This will generate rules that will allow DHCP to and from your
firewall system as well as through the bridge.</para>
</listitem>
</itemizedlist>
</section>
<section id="Relay">
<title>Running dhcrelay on the firewall</title>
<itemizedlist>
<listitem>
<para>Specify the "dhcp" option (in <filename><ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink></filename>)
on the interface facing the DHCP server and on the interfaces to be
relayed.</para>
</listitem>
<listitem>
<para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
the server zone:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT ZONEA ZONEB udp 67:68
ACCEPT ZONEB ZONEA udp 67:68</programlisting>
<para>Alternatively, use the DHCPfwd macro:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DHCPfwd(ACCEPT) ZONEA ZONEB</programlisting>
</listitem>
<listitem>
<para>If the server is configured with 'ping-check' true, then you
must <ulink url="ping.html">allow 'ping'</ulink> from the server's
zone to the zone(s) served by dhcrelay.</para>
</listitem>
</itemizedlist>
</section>
</article>
|