<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>DHCP</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-01-10</pubdate>

    <copyright>
      <year>2001</year>
      <year>2002</year>
      <year>2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
      A copy of the license is included in the section entitled <quote><ulink
      url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <note>
    <para>For most operations, DHCP software interfaces to the Linux IP stack
    at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
    cannot be used effectively to police DHCP. The <quote>dhcp</quote>
    interface option described in this article allows Netfilter to stay out
    of DHCP's way for those operations that Netfilter can control, and
    prevents unwanted logging of DHCP-related traffic by Shorewall-generated
    Netfilter logging rules.</para>
  </note>

  <section>
    <title>If You Want to Run a DHCP Server on Your Firewall</title>

    <itemizedlist>
      <listitem>
        <para>Specify the <quote>dhcp</quote> option on each interface to be
        served by your server in the <filename><ulink
        url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
        file. This will generate rules that allow DHCP to and from your
        firewall system.</para>
      </listitem>

      <listitem>
        <para>When starting <quote>dhcpd</quote>, you need to list those
        interfaces on its command line.
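</para>

        <para>The following script is an added example; it is not part of
        this article or of Shorewall itself. It serves two steps: this item
        (deriving the <quote>dhcpd</quote> interface list from the interfaces
        that carry the <quote>dhcp</quote> option in
        <filename>/etc/shorewall/interfaces</filename>) and the last item of
        the following section (running <quote>shorewall refresh</quote> only
        when a DHCP client actually receives a different address). It assumes
        the four-column interfaces file layout (ZONE, INTERFACE, BROADCAST,
        OPTIONS, with OPTIONS a comma-separated list), that RedHat's
        <filename>/etc/sysconfig/dhcpd</filename> passes
        <literal>DHCPDARGS</literal> to dhcpd, and that ISC dhclient's
        <literal>dhclient-script</literal> sets <literal>reason</literal>,
        <literal>old_ip_address</literal> and <literal>new_ip_address</literal>
        before sourcing an exit hook (the hook path is an assumption; check
        your client's documentation). The sample interfaces file is
        constructed for the example.</para>

        <programlisting><![CDATA[
```shell
#!/bin/sh
# Added example (not from the Shorewall documentation or project).
# Assumes the /etc/shorewall/interfaces layout: ZONE INTERFACE BROADCAST OPTIONS

# Constructed sample of /etc/shorewall/interfaces for the demo below.
SAMPLE_INTERFACES='#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,norfc1918
loc     eth1            192.168.1.255   dhcp
dmz     eth2            detect          -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# Print, one per line, every interface whose OPTIONS column contains "dhcp".
# Comments (whole-line or trailing) and short lines are skipped; the option
# must match as a whole list element so that e.g. "dhcpfoo" is not accepted.
dhcp_interfaces() {
    awk '
        { sub(/#.*/, "") }                 # strip comments
        NF < 4 { next }                    # need all four columns
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "dhcp") { print $2; break }
        }' "$1"
}

# Build the DHCPDARGS line for RedHat'"'"'s /etc/sysconfig/dhcpd (assumed
# variable name) so dhcpd listens exactly on the interfaces Shorewall
# expects DHCP traffic on.
dhcpd_args() {
    ifaces=$(dhcp_interfaces "$1" | tr '\n' ' ')
    ifaces=${ifaces% }
    printf 'DHCPDARGS="%s"\n' "$ifaces"
}

# Decide whether a dhclient event requires "shorewall refresh":
# only lease events that deliver an address, and only when it differs
# from the address we had before (a RENEW of the same lease changes nothing).
# Returns 0 (true) when a refresh is needed.
shorewall_refresh_needed() {
    reason=$1 old=$2 new=$3
    case $reason in
        BOUND|RENEW|REBIND|REBOOT) [ "$old" != "$new" ] ;;
        *) return 1 ;;
    esac
}

# Body of an ISC dhclient exit hook (e.g. /etc/dhclient-exit-hooks, path
# assumed). dhclient-script has already set $reason, $old_ip_address and
# $new_ip_address when it sources the hook. SHOREWALL can be overridden
# for testing.
dhclient_exit_hook() {
    if shorewall_refresh_needed "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
        "${SHOREWALL:-shorewall}" refresh
    fi
}

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_INTERFACES" > "$tmp"
    echo "Interfaces with the dhcp option:"
    dhcp_interfaces "$tmp"
    echo "Line for /etc/sysconfig/dhcpd:"
    dhcpd_args "$tmp"
    rm -f "$tmp"

    # Constructed lease events: reason, old address, new address ("-" = none)
    for event in "BOUND - 10.0.0.7" "RENEW 10.0.0.7 10.0.0.7" \
                 "REBIND 10.0.0.7 10.0.0.9" "EXPIRE 10.0.0.9 -"; do
        set -- $event
        old=${2#-}; new=${3#-}
        if shorewall_refresh_needed "$1" "$old" "$new"; then
            echo "$1: '$old' -> '$new': run 'shorewall refresh'"
        else
            echo "$1: '$old' -> '$new': nothing to do"
        fi
    done
}

demo
```
]]></programlisting>

        <para>Run against the real <filename>/etc/shorewall/interfaces</filename>,
        <literal>dhcpd_args</literal> gives the line to place in
        <filename>/etc/sysconfig/dhcpd</filename>; the hook part is installed by
        appending <literal>dhclient_exit_hook</literal> as the last line of the
        exit-hook file so that Shorewall's rules are refreshed only when the
        interface's address, and hence possibly its subnet, has changed.</para>

        <para>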
        On a RedHat system, this is done by modifying
        <filename>/etc/sysconfig/dhcpd</filename>.</para>
      </listitem>
    </itemizedlist>
  </section>

  <section>
    <title>If a Firewall Interface Gets its IP Address via DHCP</title>

    <itemizedlist>
      <listitem>
        <para>Specify the <quote>dhcp</quote> option for this interface in the
        <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
        file. This will generate rules that allow DHCP to and from your
        firewall system.</para>
      </listitem>

      <listitem>
        <para>If you know that the dynamic address will always be in the same
        subnet, you can specify the subnet address in the interface's entry in
        the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
        file.</para>
      </listitem>

      <listitem>
        <para>If you don't know the subnet address in advance, specify
        <quote>detect</quote> for the interface's subnet address in the
        <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
        file and start Shorewall after the interface has come up.</para>
      </listitem>

      <listitem>
        <para>If the subnet address might change while Shorewall is running,
        you need to arrange for a <quote>shorewall refresh</quote> command to
        be executed whenever a new dynamic IP address is assigned to the
        interface. Check your DHCP client's documentation.</para>
      </listitem>
    </itemizedlist>
  </section>
</article>