1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>DHCP</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2010</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<note>
<para>For most operations, DHCP software interfaces to the Linux IP stack
at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The <quote>dhcp</quote>
interface option described in this article allows for Netfilter to stay
out of DHCP's way for those operations that can be controlled by Netfilter
and prevents unwanted logging of DHCP-related traffic by
Shorewall-generated Netfilter logging rules.</para>
</note>
<section id="Firewall">
<title>If you want to Run a DHCP Server on your firewall</title>
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option on each interface to be
served by your server in the <filename><ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink></filename>
file. This will generate rules that will allow DHCP to and from your
firewall system.</para>
</listitem>
<listitem>
<para>When starting <quote>dhcpd</quote>, you need to list those
interfaces on the run line. On a RedHat system, this is done by
modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
</listitem>
<listitem>
<para>If you set 'ping-check' true in your
<filename>/etc/dhcp/dhcpd.conf</filename> file then you will want to
<ulink url="ping.html">accept 'ping'</ulink> from your firewall to the
zone(s) served by the firewall's DHCP server.</para>
</listitem>
</itemizedlist>
</section>
<section id="Client">
<title>If a Firewall Interface gets its IP Address via DHCP</title>
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option for this interface in the
<ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file. This will generate rules that will allow DHCP to and from your
firewall system.</para>
</listitem>
<listitem>
<para>If you know that the dynamic address is always going to be in
the same subnet, you can specify the subnet address in the interface's
entry in the <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file.</para>
</listitem>
<listitem>
<para>If you don't know the subnet address in advance, you should
specify <quote>detect</quote> for the interface's subnet address in
the <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file and start Shorewall after the interface has started.</para>
</listitem>
<listitem>
<para>In the event that the subnet address might change while
Shorewall is started, you need to arrange for a <command>shorewall
reload</command> command to be executed when a new dynamic IP address
gets assigned to the interface. Check your DHCP client's
documentation.</para>
</listitem>
<listitem>
<para>It is a good idea to <ulink url="ping.html">accept
'ping'</ulink> on any interface that gets its IP address via DHCP.
That way, if the DHCP server is configured with 'ping-check' true, you
won't be blocking its 'ping' requests.</para>
</listitem>
</itemizedlist>
</section>
<section id="Bridge">
<title>If you wish to pass DHCP requests and responses through a
bridge</title>
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option for the bridge interface
in the <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file. This will generate rules that will allow DHCP to and from your
firewall system as well as through the bridge.</para>
</listitem>
</itemizedlist>
</section>
<section id="Relay">
<title>Running dhcrelay on the firewall</title>
<itemizedlist>
<listitem>
<para>Specify the "dhcp" option (in <filename><ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink></filename>)
on the interface facing the DHCP server and on the interfaces to be
relayed.</para>
</listitem>
<listitem>
<para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
the server zone:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT ZONEA ZONEB udp 67:68
ACCEPT ZONEB ZONEA udp 67:68</programlisting>
<para>Alternatively, use the DHCPfwd macro:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DHCPfwd(ACCEPT) ZONEA ZONEB</programlisting>
</listitem>
<listitem>
<para>If the server is configured with 'ping-check' true, then you
must <ulink url="ping.html">allow 'ping'</ulink> from the server's
zone to the zone(s) served by dhcrelay.</para>
</listitem>
</itemizedlist>
</section>
</article>
|
