From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: rules for dhcp server
Date: Tue, 20 Sep 2005 08:46:36 -0500	[thread overview]
Message-ID: <200509200846.37890.rob0@gmx.co.uk> (raw)
In-Reply-To: <a0f69e5050920053621fc6fa5@mail.gmail.com>

On Tuesday 20 September 2005 07:36, Askar wrote:
> I'm configuring a firewall on a DHCP server; I'm a bit confused about which
> port to allow on INPUT so that users (clients) get an IP from the server
>
> from /etc/services...
>
> bootps 67/tcp dhcps #Bootstrap Protocol Server
> bootps 67/udp dhcps #Bootstrap Protocol Server
> bootpc 68/tcp dhcpc #Bootstrap Protocol Client
> bootpc 68/udp dhcpc #Bootstrap Protocol Client

The server binds 67/udp, client binds 68/udp. TCP is not used.

> dhcpv6-client 546/tcp #DHCPv6 Client
> dhcpv6-client 546/udp #DHCPv6 Client
> dhcpv6-server 547/tcp #DHCPv6 Server
> dhcpv6-server 547/udp #DHCPv6 Server

I don't know about this but I bet it's also UDP-only. If you're not 
using IPv6 addressing then you do not care.

> lots of other services are running on this machine; however, I'm very
> clear about all other services, i.e. which port to allow etc.

On the server machine you must allow connections to your 67/udp from 
68/udp. Some of these (renewals) will come addressed to the IP of your 
dhcpd; others (broadcasts) will come to 255.255.255.255. The origin 
IPs for such broadcasts are 0.0.0.0.

DHCP service is generally a good thing to keep behind a firewall, IMO. 
Mine at home is running on a server which gets pass-through DNAT from 
the external router, so I had to be tricky about this. If the source 
address is not in my LAN segment I handle it as an external packet, but 
that was a problem for DHCP. I simply accept all from 255.255.255.255 
(those won't pass through the external router anyway), but if you want 
to tighten it up you could try this:

iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 \
    -p udp --sport 68 --dport 67 -j ACCEPT
> All the client machines are running MS. Therefore any other good
> suggestions will be appreciated to make the network efficient.

Get rid of all the MS machines. :)

Only bind your DHCP service to the interface[s] where you intend to 
offer DHCP.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
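To put rob0's tightened 0.0.0.0 -> 255.255.255.255 rule together with the advice to serve DHCP only on the intended interface, here is an added dry-run script (not code from the thread). The interface eth1, server address 192.168.1.1 and LAN segment 192.168.1.0/24 are assumed placeholders; IPT defaults to "echo iptables" so the script only prints the rules unless you set IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds the INPUT rules a
# DHCP server needs, restricted to the LAN interface, and drops DHCP
# traffic arriving anywhere else (e.g. via DNAT from an external router).
# IPT="echo iptables" makes this a dry run; IPT=iptables applies the rules.
IPT="${IPT:-echo iptables}"

# dhcp_server_rules LAN_IF SERVER_IP LAN_NET
# All three arguments are placeholders chosen by the caller.
dhcp_server_rules() {
    lan_if=$1
    server_ip=$2
    lan_net=$3

    # Initial DISCOVER/REQUEST: the client has no address yet, so the
    # datagram is sourced from 0.0.0.0 and sent to the limited broadcast
    # 255.255.255.255, client port 68 to server port 67.
    $IPT -A INPUT -i "$lan_if" -s 0.0.0.0 -d 255.255.255.255 \
        -p udp --sport 68 --dport 67 -j ACCEPT

    # Renewals are unicast from a leased LAN address straight to the
    # server's own IP, still 68 -> 67.
    $IPT -A INPUT -i "$lan_if" -s "$lan_net" -d "$server_ip" \
        -p udp --sport 68 --dport 67 -j ACCEPT

    # Everything else aimed at the DHCP server port is dropped, which
    # covers other interfaces and spoofed or off-segment sources.
    $IPT -A INPUT -p udp --dport 67 -j DROP
}

# Dry-run usage with the placeholder values.
dhcp_server_rules eth1 192.168.1.1 192.168.1.0/24
```

One caveat: a dhcpd that reads broadcasts through a packet socket (ISC dhcpd does on Linux) sees those frames before the INPUT chain is consulted, so for that traffic the interface binding rob0 recommends is the control that actually takes effect; the rules above still govern unicast delivery to the socket and make the intended policy explicit.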
