Roar:

        You are absolutely right. I just tried on one of my machines.
It still manages to get an IP and start up with ifup. I don't have an
explanation for it. Time for the Guruz to chime in.

Stu......


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Roar Bjørgum Rotvik
Sent: May 27, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't block DHCP with iptables?

On Mon, 27 May 2002, Stewart Thompson wrote:

>       Normally the iptables script runs after the interfaces have been
> brought up by the system.
> By that time blocking DHCP is kind of irrelevant. A default policy of drop
> should block everything all right, but it is kind of closing the barn door
> after the horse has left.
> Why not just set up the interface so it doesn't make a DHCP request? If
> there are special circumstances, you will have to give us some more
> details of what you are trying to accomplish.

I can see I didn't explain well enough.

I'm on a local machine with interface eth0 down. I manually enter the
iptables policy DROP for all three "normal" chains, and then start up
interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and
ONBOOT=n).

In this scenario, the policy DROP exists before DHCP client starts up, but
still the DHCP client manages to assign a new IP-address.

ifconfig shows that eth0 has been assigned a new IP-address. ping or
any network traffic after that does not work, as expected.

What I want to accomplish is to block all network traffic in/out up until
a certain point, and that includes DHCP.

--
Roar Bjørgum Rotvik
