Date:      Mon, 27 Jan 2003 01:30:16 -0500
From:      Bill Moran <wmoran@potentialtech.com>
To:        Warren Block <wblock@wonkity.com>
Cc:        Brian McCann <bjm1287@ritvax.rit.edu>, questions@freebsd.org
Subject:   Re: IPFW and DHCPD
Message-ID:  <3E34D1F8.2050209@potentialtech.com>
References:  <000801c2c5ba$cf7845b0$1500a8c0@dogbert> <20030126215555.U2592@wonkity.com>

Warren Block wrote:
> On Sun, 26 Jan 2003, Brian McCann wrote:
> 
> 
>>You need to allow UDP ports 67&68 for full DHCP support, in both
>>directions...so....
>>
>>"ipfw add allow any 67 to any any via int out"
>>"ipfw add allow any 67 to any any via int in"
>>"ipfw add allow any 68 to any any via int out"
>>"ipfw add allow any 68 to any any via int in"
>>
>>Something like that should do it.
>>
>>Hope that helps.
> 
> 
> ipfw didn't like those rules (ipfw: invalid protocol ``any'').  I think
> it can be done easier, too:
> 
> ${fwcmd} add pass udp from any 67,68 to any via ${iif}
> 
> But I'm not seeing any counts on that rule when a notebook client tries
> for a DHCP lease, and the client never gets a lease.

This is crazy.  There is no sane way that anyone can give you rules for
this without knowing the rest of your firewall rules.  Among other things,
_where_ you place the rules in the list, and what other rules may
match DHCP traffic, are critical to the success of your firewall rules.

Considering you stated that you're not sure if your firewall or dhcpd was
problematic, I would suggest the following diag procedure.

1) Set the machine to the "open" firewall profile and attempt to get a
    DHCP addy.  If you can, then the problem is in the firewall, if you
    can't, then fix your dhcpd config before worrying about the firewall.
2) Here are the basic rules for DHCP:
    You need to allow udp traffic in/out to ports 67/68.  You need to make
    sure this includes traffic from 0.0.0.0 (this is the IP that DHCP uses
    before it has a DHCP addy) to 255.255.255.255.
3) If you have trouble, pretend to be an IP packet and trace through the
    rules to see where you get caught.  The most frustrating thing I hit
    with firewall rules is when an earlier rule inadvertently catches the
    traffic before the rule I intended.
4) If you're still having trouble, post the _entire_ ruleset to the list
    asking for help.  It's the only way anyone can expect to give you any
    real help.  Firewalls are just like that, you have to look at the whole
    thing or you can't see any of it.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
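Step 3 above, done mechanically: an added example (not from anyone in this thread) of a small first-match rule tracer in Python. It walks an ipfw-style ruleset in number order for a constructed DHCP DISCOVER (0.0.0.0:68 to 255.255.255.255:67) and a server OFFER, with an assumed anti-spoofing rule placed ahead of the DHCP rules so the DISCOVER is caught early, then shows the same ruleset with an explicit earlier rule for the unconfigured client.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """One ipfw-style rule; the lowest-numbered matching rule wins."""
    number: int
    action: str        # "allow" or "deny"
    proto: str         # "ip" matches any protocol, otherwise e.g. "udp"
    src: str           # "any" or an address/CIDR
    sports: frozenset  # empty = any source port
    dst: str
    dports: frozenset  # empty = any destination port


def _addr_ok(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt["proto"])
            and _addr_ok(rule.src, pkt["src"])
            and _addr_ok(rule.dst, pkt["dst"])
            and (not rule.sports or pkt["sport"] in rule.sports)
            and (not rule.dports or pkt["dport"] in rule.dports))


def trace(rules, pkt):
    """Return (rule number, action) of the first match, or ipfw's
    default rule 65535 (deny) if the packet falls through the whole list."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


ANY = frozenset()
# Constructed ruleset: an anti-spoofing rule sits *before* the DHCP rules.
RULESET = [
    Rule(100, "deny", "ip", "0.0.0.0/8", ANY, "any", ANY),  # also eats DISCOVER
    Rule(200, "allow", "udp", "any", frozenset({67, 68}), "any", ANY),
    Rule(210, "allow", "udp", "any", ANY, "any", frozenset({67, 68})),
]
# Same list with an explicit earlier rule for the not-yet-addressed client.
FIXED = [Rule(50, "allow", "udp", "0.0.0.0", frozenset({68}),
              "255.255.255.255", frozenset({67}))] + RULESET

# Constructed packets: the client's DISCOVER and the server's broadcast OFFER.
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68,
            "dst": "255.255.255.255", "dport": 67}
OFFER = {"proto": "udp", "src": "192.168.0.1", "sport": 67,
         "dst": "255.255.255.255", "dport": 68}

if __name__ == "__main__":
    for name, pkt in (("DISCOVER", DISCOVER), ("OFFER", OFFER)):
        print(name, "original:", trace(RULESET, pkt), "fixed:", trace(FIXED, pkt))
```

Running it shows the DISCOVER stopping at rule 100 in the original list and passing at rule 50 in the fixed one, while the OFFER is allowed by rule 200 in both.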
