Roar: You are absolutely right. I just tried on one of my machines. It still manages to get an ip and start up with ifup. I don't have an explanation for it. Time for the Guruz to chime in.
Stu......

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roar Bjørgum Rotvik
Sent: May 27, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't block DHCP with iptables?

On Mon, 27 May 2002, Stewart Thompson wrote:

> Normally the iptables script runs after the interfaces have been brought up
> by the system. By that time blocking DHCP is kind of irrelevant. A default
> policy of drop should block everything all right, but it is kind of closing
> the barn door after the horse has left. Why not just set up the interface so
> it doesn't make a DHCP request? If there are special circumstances, you will
> have to give us some more details of what you are trying to accomplish.

I can see I didn't explain well enough.

I'm on a local machine with interface eth0 down. I manually enter the
iptables policy DROP for all three "normal" chains, and then start up
interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and ONBOOT=n).

In this scenario, the policy DROP exists before the DHCP client starts up,
but still the DHCP client manages to assign a new IP address. ifconfig shows
that eth0 has been assigned a new IP address. ping or any network traffic
after that does not work, as expected.

What I want to accomplish is to block all network traffic in/out up until
a certain point, and that includes DHCP.

--
Roar Bjørgum Rotvik
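Added example, not part of the thread above: a small Python decoder that walks a DHCPDISCOVER from the Ethernet header down to the option list, built over a constructed frame (the MAC 00:11:22:33:44:55 and transaction id are made-up sample values). It shows what the client actually puts on the wire before it has any address: a broadcast frame, IPv4 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67, BOOTP op=1 with the magic cookie and option 53. General background rather than something the thread states: the DHCP clients of that period (dhclient, pump) send and receive these frames through packet sockets, which sit below the IP stack's netfilter hooks, so an INPUT/OUTPUT policy of DROP never gets a look at them; the fields decoded here are the ones a link-layer filter or an IDS would key on instead.

```python
"""Decode a DHCP DISCOVER from the Ethernet frame down to the option list.
Added example for the thread above; the sample values are constructed."""
import struct

CLIENT_MAC = bytes.fromhex("001122334455")   # constructed sample MAC
XID = 0x3903F326                             # constructed transaction id
MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie (RFC 2131)

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_discover(mac: bytes = CLIENT_MAC, xid: int = XID) -> bytes:
    """Constructed DHCPDISCOVER as it appears on the wire: broadcast Ethernet
    frame, IPv4 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67, BOOTP op=1."""
    options = (bytes([53, 1, 1])            # option 53: message type DISCOVER
               + bytes([55, 3, 1, 3, 6])    # option 55: ask for mask, router, DNS
               + bytes([255]))              # end option
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s",
                        1, 1, 6, 0, xid, 0, 0x8000,        # op, htype, hlen, hops, xid, secs, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr..giaddr all zero
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC) + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp   # UDP checksum left 0
    ip_len = 20 + len(udp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, ip_len, 0, 0, 64, 17, 0,
                         b"\0\0\0\0", b"\xff\xff\xff\xff")
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = b"\xff" * 6 + mac + b"\x08\x00"   # broadcast dst, client src, EtherType IPv4
    return eth + ip_hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> UDP -> BOOTP/DHCP. The 'dhcp' key is only
    present when every layer checks out as a DHCP message."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    out.update(ip_src=".".join(map(str, ip[12:16])),
               ip_dst=".".join(map(str, ip[16:20])),
               ip_proto=ip[9], ip_checksum_ok=ip_checksum(ip[:ihl]) == 0)
    if ip[9] != 17:
        return out
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    out.update(udp_sport=sport, udp_dport=dport)
    if {sport, dport} != {67, 68}:          # bootps/bootpc in either direction
        return out
    payload = udp[8:ulen]
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return out
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # walk TLV options to the end marker
        if payload[i] == 0:                          # pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\0")[0]
    out["dhcp"] = {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
                   "ciaddr": ".".join(map(str, payload[12:16])),
                   "chaddr": payload[28:28 + hlen].hex(":"),
                   "msg_type": DHCP_TYPES.get(msg_type, "?"), "options": options}
    return out


if __name__ == "__main__":
    decoded = parse_frame(build_dhcp_discover())
    for key, value in decoded.items():
        print(f"{key}: {value}")
```

Decoding a real capture works the same way: feed `parse_frame` the raw bytes of each frame and look for the `dhcp` key; a client that has no address yet will always show `ip_src` 0.0.0.0 and `ciaddr` 0.0.0.0, which is the state this thread is about.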