Pieter Donche wrote:
> Shorewall 4.x
>
> If a firewall has its interfaces statically configured and does not run
> a DHCP server itself, but there is a DHCP server in the dmz zone to
> provide machines of the loc zone with TCP/IP configurations, on what
> interfaces must the dhcp option in the Interfaces file be specified?

Assuming that the dmz and loc zones are connected via different network
interfaces, you would normally need to run dhcrelay on the firewall; in any
event, you should specify the dhcp option on both the loc and dmz interfaces.

>
> According to the manual
> dhcp Specify this option when any of the following are true:
> 1. the interface gets its IP address via DHCP
> 2. the interface is used by a DHCP server running on the
>    firewall
> 3. you have a static IP but are on a LAN segment with
>    lots of DHCP clients.
> 4. the interface is a bridge with a DHCP server on one
>    port and DHCP clients on another port.
>
> 1. does not apply to any of the interfaces.
>
> 2. does not apply.
>
> 3. seems to apply to the interface for the loc zone, (shouldn't
> 'you have' not better be rephrased as 'the interface has')
>
> 4. does this apply to my situation?
>
> What is meant here by 'port' (TCP/UDP port number ?)

Those are ports on the bridge. See below.

> How to interpret the word 'bridge'. Is it just in the general meaning
> of a 'path' (from the DHCP server in dmz zone to the machines
> in the loc zone) or in a restricted network-technology term of bridge?

It is the latter. A bridge is basically an ethernet switch implemented in
software. A bridge is created and interfaces assigned as ports using the
brctl utility. A bridge may be assigned an IP address which allows the
system hosting the bridge to communicate with hosts attached to the bridge.

For more information on DHCP and Shorewall, see
http://www.shorewall.net/dhcp.htm

For information about bridges and Shorewall, see
http://www.shorewall.net/bridge-Shorewall-perl.html and
http://www.shorewall.net/SimpleBridge.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
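As an added example (not part of the original thread and not Shorewall's own code): a small shell check that reports which zones in an interfaces file lack the dhcp option, which the reply above says should be set on both the loc and dmz interfaces. The sample file contents and the interface names eth0, eth1 and eth2 are constructed, and the helper name missing_dhcp is hypothetical.

```shell
#!/bin/sh
# Constructed sample of /etc/shorewall/interfaces in the Shorewall 4.x
# column layout. Interface names are assumptions, not from the thread.
# Here the dmz interface is missing the dhcp option.
sample_interfaces() {
cat <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter
loc     eth1        detect      tcpflags,dhcp
dmz     eth2        detect      tcpflags
EOF
}

# missing_dhcp FILE ZONE...
# Prints "zone:interface" for each listed zone whose entry in FILE does not
# carry the dhcp option. Exit status is 0 when nothing is missing, 1 otherwise.
missing_dhcp() {
    file=$1
    shift
    awk -v zones="$*" '
        BEGIN {
            n = split(zones, z, " ")
            for (i = 1; i <= n; i++) want[z[i]] = 1
        }
        /^[ \t]*#/ || NF == 0 { next }   # skip comment and blank lines
        { sub(/[ \t]*#.*/, "") }         # drop a trailing comment, if any
        ($1 in want) {
            has = 0
            m = split($4, opts, ",")     # OPTIONS is a comma-separated list
            for (i = 1; i <= m; i++)
                if (opts[i] == "dhcp") has = 1
            if (!has) { print $1 ":" $2; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$file"
}
```

Run it as `missing_dhcp /etc/shorewall/interfaces loc dmz`; on the constructed sample it reports `dmz:eth2`.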
