On Fri, 22 Feb 2002, Steven W. Orr wrote:
> I picked up an iptables firewall and I have a question in debugging it.
> It erroneously makes reference to two variables which are not defined:
> These are BROADCAST_0 and BROADCAST_1. I'm running dhcpcd as the firewall
> prescribes. My problem is that I just don't have any idea what the intent
> is of the first four iptables commands.
Well, I haven't bothered to learn the new IPTABLES syntax yet, but I can make some educated guesses.

When a client needs to obtain information via DHCP, it sends a broadcast packet with a source port of 68 and a destination port of 67. The symbolic names are "bootpc" and "bootps" (boot protocol client and server), respectively. (DHCP was derived from an older protocol called BOOTP.) If the information the client is seeking includes its own IP address, then it uses a source address of "0.0.0.0". The server sends a reply from port 67 to port 68. If the client knew its address, the packet will be unicast to it; otherwise it will be broadcast to the whole network.

So, the firewall has to be configured to allow all those packets. This includes opening up specific ports for various addresses. You have to allow packets to be sent to the broadcast address from your host. You also have to allow your host to send and receive packets for that special address "0.0.0.0". Otherwise, you end up blocking your own DHCP requests. Things are tricky here because you generally do not know the address of your DHCP server -- or even your own address! That is, after all, the whole point of DHCP.

So, I am guessing that script expects BROADCAST_0 and BROADCAST_1 to be "0.0.0.0" and "255.255.255.255", respectively.

It is worth noting that DHCP is, by nature, insecure. You're asking the world at large who you are, and taking the word of whoever is first to answer.

I also note that the script you posted assumes you know your own IP address and your DHCP server's address. If you know all that, why are you sending DHCP queries?

> Anyone have any suggestions? I know that GNHLUG is rich with people who
> think that vi is the best firewall editor out there :-)

What we are really asserting is that there is no substitute for understanding what you are doing. This is a case in point. If you do not understand how DHCP works, you cannot configure your firewall to handle it properly.
:-)

So, in addition to saying "vi is the best firewall editor", we should also say that "/dev/null is the best canned firewall script". :-)

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization. All information is provided without warranty of any kind.   |
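The following is an added example, not part of the thread and not taken from the firewall script Steven was debugging. It models the two DHCP exchanges Ben describes (a fresh lease, where the client sends from 0.0.0.0 to 255.255.255.255 and the replies come back as broadcasts, and a renewal, which is plain unicast) and runs both against two firewall policies: one that only knows the unicast addresses, and one that adds the two "special address" rules for 0.0.0.0 and 255.255.255.255. The addresses 192.168.1.20 and 192.168.1.1 and the interface name eth0 are constructed sample values, and the `Rule` class is a deliberate simplification of iptables matching (exact address or wildcard, port or wildcard, no netmasks, no connection tracking); it is here to show which packets each rule covers, and to render each rule into the equivalent `iptables` command line.

```python
"""Model the DHCP client exchange against two candidate firewall policies.

Added example. Nothing here touches a real network: packets and rules are
plain Python objects, and the iptables commands are only rendered as text.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BOOTPS, BOOTPC = 67, 68            # server ("bootps") and client ("bootpc") UDP ports
UNSPEC = "0.0.0.0"                 # source address of a client that has no address yet
BCAST = "255.255.255.255"          # limited broadcast address
ANY = "any"                        # rule wildcard (iptables: leave -s / -d out)


@dataclass(frozen=True)
class Packet:
    label: str                     # which DHCP message this is
    chain: str                     # "OUTPUT" = leaving this host, "INPUT" = arriving
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ACCEPT rule: every field given must match, wildcards always match."""
    chain: str
    src: str = ANY
    sport: Optional[int] = None
    dst: str = ANY
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.chain == p.chain
                and self.src in (ANY, p.src)
                and self.sport in (None, p.sport)
                and self.dst in (ANY, p.dst)
                and self.dport in (None, p.dport))

    def to_iptables(self, iface: str) -> str:
        """Render as an iptables command (UDP only, since DHCP is UDP)."""
        parts = ["iptables", "-A", self.chain,
                 "-o" if self.chain == "OUTPUT" else "-i", iface, "-p", "udp"]
        if self.src != ANY:
            parts += ["-s", self.src]
        if self.sport is not None:
            parts += ["--sport", str(self.sport)]
        if self.dst != ANY:
            parts += ["-d", self.dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        return " ".join(parts + ["-j", "ACCEPT"])


def initial_lease(server_ip: str) -> List[Packet]:
    """Client has no address: it sends from 0.0.0.0 to the broadcast address
    and, since it cannot be unicast to, the server's replies are broadcast too."""
    return [
        Packet("DHCPDISCOVER", "OUTPUT", UNSPEC, BOOTPC, BCAST, BOOTPS),
        Packet("DHCPOFFER", "INPUT", server_ip, BOOTPS, BCAST, BOOTPC),
        Packet("DHCPREQUEST", "OUTPUT", UNSPEC, BOOTPC, BCAST, BOOTPS),
        Packet("DHCPACK", "INPUT", server_ip, BOOTPS, BCAST, BOOTPC),
    ]


def renewal(client_ip: str, server_ip: str) -> List[Packet]:
    """Client already holds a lease and knows its server: plain unicast."""
    return [
        Packet("DHCPREQUEST", "OUTPUT", client_ip, BOOTPC, server_ip, BOOTPS),
        Packet("DHCPACK", "INPUT", server_ip, BOOTPS, client_ip, BOOTPC),
    ]


def unicast_only_policy(client_ip: str, server_ip: str) -> List[Rule]:
    """What a script that assumes you already know both addresses allows."""
    return [
        Rule("OUTPUT", client_ip, BOOTPC, server_ip, BOOTPS),
        Rule("INPUT", server_ip, BOOTPS, client_ip, BOOTPC),
    ]


def dhcp_client_policy(client_ip: str, server_ip: str) -> List[Rule]:
    """Unicast rules plus the two special-address rules: 0.0.0.0 as our own
    source, and 255.255.255.255 as the destination in either direction.
    The inbound rule leaves the server address open because, before the
    first lease, you do not know it."""
    return unicast_only_policy(client_ip, server_ip) + [
        Rule("OUTPUT", UNSPEC, BOOTPC, BCAST, BOOTPS),
        Rule("INPUT", ANY, BOOTPS, BCAST, BOOTPC),
    ]


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, bool]]:
    """Return (message label, accepted?) for each packet; anything not
    matched by an ACCEPT rule is treated as dropped by a default-deny policy."""
    return [(p.label, any(r.matches(p) for r in rules)) for p in packets]


if __name__ == "__main__":
    client, server, iface = "192.168.1.20", "192.168.1.1", "eth0"   # assumed values
    for name, policy in (("unicast-only", unicast_only_policy),
                         ("dhcp-client", dhcp_client_policy)):
        rules = policy(client, server)
        print(f"{name}: initial lease -> {evaluate(rules, initial_lease(server))}")
        print(f"{name}: renewal       -> {evaluate(rules, renewal(client, server))}")
    for r in dhcp_client_policy(client, server):
        print(r.to_iptables(iface))
```

Run as a script, the unicast-only policy passes the renewal but drops all four packets of the initial lease, which is exactly the "blocking your own DHCP requests" failure Ben describes; the second policy passes both. Two caveats a practitioner would want: the rendered rules are for a host that is a DHCP client on `eth0` only, so if the box also forwards traffic you still need to decide what the FORWARD chain does with bootps/bootpc; and several Linux DHCP clients (ISC dhclient, and later versions of dhcpcd) do their initial exchange through packet sockets, which the INPUT and OUTPUT chains do not see, so whether these rules are ever consulted depends on the client software in use.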
