> Regarding the 'dhcp' option, I wonder if it should be deprecated in
> favor of new 'dhcpclient' and 'dhcpserver' options; both of the new
> options would optionally accept an address list. Without knowing whether
> an interface gets its IP address via DHCP or whether a DHCP server on
> the router provides DHCP services to the network connected to an
> interface, unneeded rules must be generated.

The more I look into this, the more convinced I get that the 'dhcp' option should be deprecated and confined to history, without introducing any new options at all.
Even if you somehow add the 2 new options, that still won't secure the firewall as much as a rules statement will (owner id as well as secmark can't be specified to start with, which means that the firewall still won't be fully secured). I am guessing that you originally introduced this option to allow dhcp traffic even when the firewall was closed/stopped, but shorewall these days is much more flexible and dhcp traffic rules can now be defined in "rules" as well as the new "stoppedrules" files - with all bells and whistles attached.

Having written all that, yesterday I found something extremely annoying - even if I design the most beautifully crafted iptables rules and "restrict" DHCP traffic to/from the firewall, this, as it turns out, is completely *futile* as the DHCP client I am using - ISC DHCP - uses raw sockets, which means that the whole netfilter malarkey is completely bypassed [1] and the client goes through my firewall like the proverbial knife through butter! I've personally tested this today and saw it with my own eyes!

So, any suggestions on how to restore control over my DHCP traffic are most welcome.

Whoever invented DHCP should be rounded up and dragged back to the asylum s/he came from or shot on sight!

[1] - Why DHCP uses raw sockets: https://deepthought.isc.org/article/AA-00378/0/Why-does-DHCP-use-raw-sockets.html

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
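As an added example that is not code from this thread or from Shorewall: a check a firewall admin can run to find which processes hold AF_PACKET sockets on the host, i.e. the traffic (ISC dhclient's among it) that netfilter's IP-layer rules never see. It assumes the Linux /proc layout (/proc/net/packet and /proc/<pid>/fd); the sample table embedded for offline use is constructed.

```python
"""Added check (not Shorewall's or the thread's code): list AF_PACKET sockets on a Linux host
and the processes holding them. Assumes the Linux /proc layout; root sees all processes."""
import os
import re

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW", 10: "SOCK_PACKET"}

# Constructed sample of /proc/net/packet (header plus two sockets) for offline use.
# Proto is the EtherType filter: 0x0800 = IPv4 only, 0x0003 = every frame; Iface 0 = any.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a4c6c1e8000 3      3    0800   2     1 0      0      24601
ffff9a4c6c1e9000 3      3    0003   0     1 0      0      24777
"""

def parse_packet_table(text):
    """Return one dict per socket in /proc/net/packet-style text (kernel column order)."""
    socks = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 9:
            continue
        socks.append({"type": SOCK_TYPES.get(int(f[2]), f[2]), "proto": int(f[3], 16),
                      "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return socks

def inode_owners(inodes, proc="/proc"):
    """Map socket inodes to [(pid, comm), ...] by reading /proc/<pid>/fd symlinks."""
    want = {i: [] for i in inodes}
    pat = re.compile(r"socket:\[(\d+)\]")
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            comm = open(os.path.join(proc, pid, "comm")).read().strip()
        except OSError:  # process exited, or its fd table is not readable without root
            continue
        for m in filter(None, map(pat.match, links)):
            if int(m.group(1)) in want:
                want[int(m.group(1))].append((int(pid), comm))
    return want

if __name__ == "__main__":
    live = parse_packet_table(open("/proc/net/packet").read())
    owners = inode_owners([s["inode"] for s in live])
    for s in live:  # anything listed here is traffic your IP-layer rules never see
        print(s, owners[s["inode"]] or "(owner not visible)")
```

Run it as root on the firewall itself; a SOCK_RAW entry owned by dhclient is exactly the path the "rules"/"stoppedrules" entries cannot govern.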
