DHCP

Tom Eastep

2004-05-24

Copyright 2001, 2002, 2004 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

For most operations, DHCP software talks to the Linux IP stack at a level below Netfilter (the ISC client and server use packet sockets rather than ordinary UDP sockets). Hence, Netfilter (and therefore Shorewall) cannot be used effectively to police DHCP. The dhcp interface option described in this article lets Netfilter stay out of DHCP's way for those operations that Netfilter can control, and it prevents unwanted logging of DHCP-related traffic by the Netfilter logging rules that Shorewall generates.
If you want to Run a DHCP Server on your firewall

Specify the dhcp option on each interface to be served by your server in the /etc/shorewall/interfaces file. This will generate rules that allow DHCP traffic to and from your firewall system. When starting dhcpd, you need to list those interfaces on its command line so that it only serves the interfaces you intend. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
If a Firewall Interface gets its IP Address via DHCP

Specify the dhcp option for this interface in the /etc/shorewall/interfaces file. This will generate rules that allow DHCP traffic to and from your firewall system. If you know that the dynamic address is always going to be in the same subnet, you can specify that subnet address in the interface's entry in the /etc/shorewall/interfaces file. If you don't know the subnet address in advance, specify detect for the interface's subnet address in the /etc/shorewall/interfaces file and start Shorewall only after the interface has come up and obtained its lease, since detection happens at start time. If the subnet address might change while Shorewall is running, you need to arrange for a shorewall refresh command to be executed whenever a new dynamic IP address is assigned to the interface; otherwise the rules built from the detected address go stale. Check your DHCP client's documentation for how to hook lease events.
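The following is an added example for both cases above; it is not part of the original Shorewall documentation. It shows the /etc/shorewall/interfaces entries and the RedHat /etc/sysconfig/dhcpd line as comments, followed by an ISC dhclient exit hook that runs shorewall refresh only when a new lease moves the interface to a different subnet. The interface names eth0 (external, DHCP client) and eth1 (internal, served by dhcpd), the hook path /etc/dhcp/dhclient-exit-hooks, and the helper names network_of and needs_refresh are assumptions; the reason, interface, old_* and new_* variables are the ones ISC dhclient-script exports to its hooks.

```shell
#!/bin/sh
# Added example for the Shorewall DHCP page; not part of the original
# document. Interface names, the hook path and helper names are assumed.
#
# /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS):
#   net   eth0   detect   dhcp      # firewall gets its own address via DHCP
#   loc   eth1   detect   dhcp      # dhcpd serves the local LAN on eth1
#
# /etc/sysconfig/dhcpd on a RedHat system, so dhcpd listens only on eth1:
#   DHCPDARGS="eth1"
#
# Below: an ISC dhclient exit hook (/etc/dhcp/dhclient-exit-hooks, assumed
# path) that re-runs "shorewall refresh" when a new lease puts eth0 on a
# different subnet, which is when rules built from "detect" go stale.

# network_of IP NETMASK: dotted-quad network address, computed octet by
# octet. Runs in a subshell so the IFS change does not leak out.
network_of() (
    IFS=.
    set -- $1 $2          # $1..$4 = address octets, $5..$8 = mask octets
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
)

# needs_refresh REASON OLD_IP OLD_MASK NEW_IP NEW_MASK
# Succeeds (exit 0) only for lease events that assign an address, and only
# when the subnet differs from the previous lease or there was no previous
# lease. Refreshing on every address change would also be safe, just noisier.
needs_refresh() {
    case $1 in
        BOUND|RENEW|REBIND|REBOOT) ;;   # address assigned or reconfirmed
        *) return 1 ;;                  # EXPIRE, FAIL, RELEASE, ...: nothing to do
    esac
    [ -z "$2" ] && return 0              # first lease after boot: refresh
    [ "$(network_of "$2" "$3")" != "$(network_of "$4" "$5")" ]
}

# Hook entry point. dhclient-script exports reason, interface,
# old_ip_address, old_subnet_mask, new_ip_address and new_subnet_mask;
# when this file is run outside dhclient they are unset and nothing happens.
if [ -n "${reason:-}" ] && [ "${interface:-}" = "eth0" ]; then
    if needs_refresh "$reason" "${old_ip_address:-}" "${old_subnet_mask:-}" \
                     "${new_ip_address:-}" "${new_subnet_mask:-}"; then
        /sbin/shorewall refresh
    fi
fi
```

Install the hook with the interface name of your own DHCP-client interface, and make sure Shorewall itself is started after that interface has its first lease, as described above; the hook only covers subnet changes that happen later.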