<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <article> <!--$Id$--> <articleinfo> <title>DHCP</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <copyright> <year>2001</year> <year>2002</year> <year>2004</year> <year>2005</year> <year>2010</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <note> <para>For most operations, DHCP software interfaces to the Linux IP stack at a level below Netfilter. Hence, Netfilter (and therefore Shorewall) cannot be used effectively to police DHCP. The <quote>dhcp</quote> interface option described in this article allows for Netfilter to stay out of DHCP's way for those operations that can be controlled by Netfilter and prevents unwanted logging of DHCP-related traffic by Shorewall-generated Netfilter logging rules.</para> </note> <section id="Firewall"> <title>If you want to Run a DHCP Server on your firewall</title> <itemizedlist> <listitem> <para>Specify the <quote>dhcp</quote> option on each interface to be served by your server in the <filename><ulink url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink></filename> file. This will generate rules that will allow DHCP to and from your firewall system.</para> </listitem> <listitem> <para>When starting <quote>dhcpd</quote>, you need to list those interfaces on the run line. On a RedHat system, this is done by modifying <filename>/etc/sysconfig/dhcpd</filename>.</para> </listitem> <listitem> <para>If you set 'ping-check' true in your <filename>/etc/shorewall/dhcpd.conf</filename> file then you will want to <ulink url="ping.htm">accept 'ping'</ulink> from your firewall to the zone(s) served by the firewall's DHCP server.</para> </listitem> </itemizedlist> </section> <section id="Client"> <title>If a Firewall Interface gets its IP Address via DHCP</title> <itemizedlist> <listitem> <para>Specify the <quote>dhcp</quote> option for this interface in the <ulink url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink> file. This will generate rules that will allow DHCP to and from your firewall system.</para> </listitem> <listitem> <para>If you know that the dynamic address is always going to be in the same subnet, you can specify the subnet address in the interface's entry in the <ulink url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink> file.</para> </listitem> <listitem> <para>If you don't know the subnet address in advance, you should specify <quote>detect</quote> for the interface's subnet address in the <ulink url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink> file and start Shorewall after the interface has started.</para> </listitem> <listitem> <para>In the event that the subnet address might change while Shorewall is started, you need to arrange for a <quote>shorewall refresh</quote> command to be executed when a new dynamic IP address gets assigned to the interface. Check your DHCP client's documentation.</para> </listitem> <listitem> <para>It is a good idea to <ulink url="ping.htm">accept 'ping'</ulink> on any interface that gets its IP address via DHCP. That way, if the DHCP server is configured with 'ping-check' true, you won't be blocking its 'ping' requests.</para> </listitem> </itemizedlist> </section> <section id="Bridge"> <title>If you wish to pass DHCP requests and responses through a bridge</title> <itemizedlist> <listitem> <para>Specify the <quote>dhcp</quote> option for the bridge interface in the <ulink url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink> file. This will generate rules that will allow DHCP to and from your firewall system as well as through the bridge.</para> </listitem> </itemizedlist> </section> <section id="Relay"> <title>Running dhcrelay on the firewall</title> <itemizedlist> <listitem> <para>Specify the "dhcp" option (in <filename><ulink url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink></filename>) on the interface facing the DHCP server and on the interfaces to be relayed.</para> </listitem> <listitem> <para>Allow UDP ports 67 and 68 ("67:68") between the client zone and the server zone:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST # PORT(S) ACCEPT ZONEA ZONEB udp 67:68 ACCEPT ZONEB ZONEA udp 67:68</programlisting> <para>Alternatively, use the DHCPfwd macro:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST # PORT(S) DHCPfwd(ACCEPT) ZONEA ZONEB</programlisting> </listitem> <listitem> <para>If the server is configured with 'ping-check' true, then you must <ulink url="ping.htm">allow 'ping'</ulink> from the server's zone to the zone(s) served by dhcrelay.</para> </listitem> </itemizedlist> </section> </article>