<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>DHCP</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2001</year>

      <year>2002</year>

      <year>2004</year>

      <year>2005</year>

      <year>2010</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <note>
    <para>For most operations, DHCP software interfaces to the Linux IP stack
    at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
    cannot be used effectively to police DHCP. The <quote>dhcp</quote>
    interface option described in this article allows for Netfilter to stay
    out of DHCP's way for those operations that can be controlled by Netfilter
    and prevents unwanted logging of DHCP-related traffic by
    Shorewall-generated Netfilter logging rules.</para>
  </note>

  <section id="Firewall">
    <title>If you want to Run a DHCP Server on your firewall</title>

    <itemizedlist>
      <listitem>
        <para>Specify the <quote>dhcp</quote> option on each interface to be
        served by your server in the <filename><ulink
        url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink></filename>
        file. This will generate rules that will allow DHCP to and from your
        firewall system.</para>
      </listitem>

      <listitem>
        <para>When starting <quote>dhcpd</quote>, you need to list those
        interfaces on the run line. On a RedHat system, this is done by
        modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
      </listitem>

      <listitem>
        <para>If you set 'ping-check' true in your
        <filename>/etc/shorewall/dhcpd.conf</filename> file then you will want
        to <ulink url="ping.htm">accept 'ping'</ulink> from your firewall to
        the zone(s) served by the firewall's DHCP server.</para>
      </listitem>
    </itemizedlist>
  </section>

  <section id="Client">
    <title>If a Firewall Interface gets its IP Address via DHCP</title>

    <itemizedlist>
      <listitem>
        <para>Specify the <quote>dhcp</quote> option for this interface in the
        <ulink
        url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
        file. This will generate rules that will allow DHCP to and from your
        firewall system.</para>
      </listitem>

      <listitem>
        <para>If you know that the dynamic address is always going to be in
        the same subnet, you can specify the subnet address in the interface's
        entry in the <ulink
        url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
        file.</para>
      </listitem>

      <listitem>
        <para>If you don't know the subnet address in advance, you should
        specify <quote>detect</quote> for the interface's subnet address in
        the <ulink
        url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
        file and start Shorewall after the interface has started.</para>
      </listitem>

      <listitem>
        <para>In the event that the subnet address might change while
        Shorewall is started, you need to arrange for a <quote>shorewall
        refresh</quote> command to be executed when a new dynamic IP address
        gets assigned to the interface. Check your DHCP client's
        documentation.</para>
      </listitem>

      <listitem>
        <para>It is a good idea to <ulink url="ping.htm">accept 'ping'</ulink>
        on any interface that gets its IP address via DHCP. That way, if the
        DHCP server is configured with 'ping-check' true, you won't be
        blocking its 'ping' requests.</para>
      </listitem>
    </itemizedlist>
  </section>

  <section id="Bridge">
    <title>If you wish to pass DHCP requests and responses through a
    bridge</title>

    <itemizedlist>
      <listitem>
        <para>Specify the <quote>dhcp</quote> option for the bridge interface
        in the <ulink
        url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
        file. This will generate rules that will allow DHCP to and from your
        firewall system as well as through the bridge.</para>
      </listitem>
    </itemizedlist>
  </section>

  <section id="Relay">
    <title>Running dhcrelay on the firewall</title>

    <itemizedlist>
      <listitem>
        <para>Specify the "dhcp" option (in <filename><ulink
        url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink></filename>)
        on the interface facing the DHCP server and on the interfaces to be
        relayed.</para>
      </listitem>

      <listitem>
        <para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
        the server zone:</para>

        <programlisting>#ACTION        SOURCE        DEST        PROTO       DEST
#                                                    PORT(S)
ACCEPT         ZONEA         ZONEB       udp         67:68
ACCEPT         ZONEB         ZONEA       udp         67:68</programlisting>

        <para>Alternatively, use the DHCPfwd macro:</para>

        <programlisting>#ACTION         SOURCE        DEST        PROTO       DEST
#                                                     PORT(S)
DHCPfwd(ACCEPT) ZONEA         ZONEB</programlisting>
      </listitem>

      <listitem>
        <para>If the server is configured with 'ping-check' true, then you
        must <ulink url="ping.htm">allow 'ping'</ulink> from the server's zone
        to the zone(s) served by dhcrelay.</para>
      </listitem>
    </itemizedlist>
  </section>
</article>