>The rc.firewall rule set documents how to enable DHCP renewal
>traffic INBOUND, if the MASQ box is the DHCP provider for the local network,
>but in my case the MASQ box is a DHCP client which has to allow OUTBOUND
>renewal traffic.  Dranch pointed this out to me and indicated I should
>modify my rules to allow this, but I obviously do not understand the
>relationship between ports 67 & 68 and DHCP traffic.



Ok, from the DHCP RFC:

        http://www.cis.ohio-state.edu/htbin/rfc/rfc2132.html


        Here is the whole index btw:

                http://www.cis.ohio-state.edu/htbin/rfc/INDEX.rfc.html
        

DHCP works as follows:

        67 - server's port
        68 - requestor's port


        1. a client sends a 0.0.0.0 DHCP packet from port 68 to 255.255.255.255
                on port 67
        2. the server responds with a DHCP packet from its IP on port 67 back
                to 255.255.255.255 on port 68


So, you'll need the following:

        1.  A broadcast route on your internet-based NIC (say eth1).  Depending
                on your linux distribution, this might need to be put in the
                dhcpcd client script or the network startup script.

                route add -host 255.255.255.255 eth1


        2.  You'll need to add the following IPFWADM rulesets:


extif="eth1"
# Assumed definition of the rc.firewall variable used below (the original
# message does not show it): "any address".
universe="0.0.0.0/0"

# DHCP - CLIENT, inbound: the server answers from port 67 to port 68.  The
# answer is broadcast (255.255.255.255) for a fresh lease but unicast to the
# client's current address on a renewal, so the destination is left open.
/sbin/ipfwadm -I -a accept -W $extif -P udp -S $universe 67 -D $universe 68

# DHCP - CLIENT, outbound: the client sends from port 68 to port 67, broadcast
# for DISCOVER/REQUEST and unicast to the server on renewal (the rejected
# packet in the log below is such a unicast renewal, so a broadcast-only
# destination would not match it).
/sbin/ipfwadm -O -a accept -W $extif -P udp -S $universe 68 -D $universe 67

# DHCP is UDP only (RFC 2131), so no TCP rules are needed for it.


>In my logs, it indicates that:  (letters used for IP values)
>Jan 21 12:00:54 IP fw-out rej eth1 UDP www.xxx.yyy.zzz:68 sss.ttt.uuu.vvv:67
>L=576 S=0x00 I=18 F=0x0000 T=64

Exactly.  The above rules should work.  Once you can confirm this, please let
me know and I'll put them into the TrinityOS ruleset.


>It appears rc.firewall is rejecting the traffic (as it is supposed to do
>normally) and not letting the address renew.

You might also think that the above rulesets seem to be semi-generic since
it isn't using any specific IP address.  It must be this way since you might
get a different IP address.  BUT.. it is now CRITICAL that you re-run your
rc.firewall script with the NEW IP address.  

        Important:
        ----------
        1. You need to set the $extip via the PPP0 IP command line with the
        proper editing to use the "eth0" interface vs. the "ppp0" interface
        name.

        2. You'll have to figure out if the DHCPc program will execute a
        script file once it's done.  Put /etc/rc.d/rc.firewall script into
        this file for proper execution.


>I've attempted to "reverse" dranch's INPUT rule to allow DHCP OUTPUT but
>have failed miserably so far.

Hmmmm.. You are probably hardcoding the $extip address in the rc.firewall
ruleset and not re-executing the rc.firewall once DHCPc is done.


Let us know if this fixes your problems!

--David
.----------------------------------------------------------------------------.
|  David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
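Added example (not part of this thread and not TrinityOS code): a small POSIX shell script that picks the DHCP packets out of ipfwadm reject log lines in the format quoted above, using the 67/68 port pairing the message explains, and additionally tells a broadcast lease exchange from a unicast renewal. The sample log lines and their addresses are constructed.

```shell
#!/bin/sh
# Added example: classify ipfwadm reject log lines that carry DHCP traffic.
# Expected line format (as quoted in the thread):
#   <date> IP <chain> <action> <iface> <proto> <src>:<port> <dst>:<port> ...
# Constructed sample log; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG='Jan 21 12:00:54 IP fw-out rej eth1 UDP 192.0.2.10:68 203.0.113.1:67 L=576 S=0x00 I=18 F=0x0000 T=64
Jan 21 12:00:55 IP fw-in rej eth1 UDP 203.0.113.1:67 255.255.255.255:68 L=328 S=0x00 I=19 F=0x0000 T=64
Jan 21 12:01:02 IP fw-in rej eth1 TCP 198.51.100.7:67 192.0.2.10:68 L=40 S=0x00 I=20 F=0x0000 T=64
Jan 21 12:01:10 IP fw-out rej eth1 UDP 192.0.2.10:1234 198.51.100.9:53 L=60 S=0x00 I=21 F=0x0000 T=64'

# Classify one log line ($1).  Prints "not-dhcp", or
# "<action> <iface> <direction> <kind>": direction follows the port pairing
# (68->67 client to server, 67->68 server to client); kind tells a broadcast
# lease exchange from a unicast renewal.
dhcp_classify() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        act = $(i+2); iface = $(i+3); proto = $(i+4)
        n = split($(i+5), s, ":"); m = split($(i+6), d, ":")
        # DHCP is UDP only; anything else touching 67/68 is not DHCP
        if (proto != "UDP" || n != 2 || m != 2) { print "not-dhcp"; exit }
        if (s[2] == "68" && d[2] == "67") dir = "client-to-server"
        else if (s[2] == "67" && d[2] == "68") dir = "server-to-client"
        else { print "not-dhcp"; exit }
        # initial DISCOVER/REQUEST and its reply go to 255.255.255.255;
        # a renewal (RENEWING state) is unicast between client and server
        kind = (d[1] == "255.255.255.255") ? "broadcast-lease" : "unicast-renewal"
        print act, iface, dir, kind
    }'
}

# Print one summary line per DHCP packet found in the sample log.
report_dropped_dhcp() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        c=$(dhcp_classify "$line")
        [ "$c" = "not-dhcp" ] || printf '%s\n' "$c"
    done
}

# Number of DHCP packets the firewall logged (2 for the sample log).
count_dropped_dhcp() {
    report_dropped_dhcp | grep -c .
}

report_dropped_dhcp
```

Run against a real kernel log by replacing SAMPLE_LOG with the log contents; a "client-to-server unicast-renewal" line with action "rej" is the symptom described in the thread.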