On 27 May 2016, at 08:21, Michele Alessandrini <[email protected]> wrote:
> The PC has a DHCP server for the eth1 interface. Now, in the interfaces
> file I did not add the "dhcp" option to the eth1 interface, and the
> default policy is rejecting packets from loc to fw, so I was expecting
> that DHCP would not work for PCs in the loc zone. But instead it's
> working, discover, offer, etc. all ok, an IP is assigned. After, and only
> after, I can see from the logs that all the following requests on port
> 67 (about every 5 minutes) are rejected.
>
> How is this? Am I misunderstanding how the firewall works? I recognize
> that a DHCP request is something at a somewhat lower level than the
> firewall, after all the requesting PC does not have an IP yet, but I would
> like to be 100% confident on how the whole firewall is working.
> Shouldn't the concept of "zones" filter everything from a given zone?

You are correct that it's down to DHCP working at a somewhat lower level.

By necessity, DHCP (on Linux, dunno about other OSs) must work on raw packets - bypassing most of the network stack. So the initial (broadcast) packets get picked up by DHCP (client or server as appropriate) at the raw packet level - they do not even get to the netfilter layer. Nothing you set in Shorewall can stop these packets.

Once the client has an IP address, it is in a position to exchange unicast packets with the server. These packets pass through the whole network stack and will be subject to whatever rules you've configured.
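As an added illustration of the reply above (not code from the thread or from the Shorewall project): a small Python script that reads Shorewall kernel log lines and picks out the rejected unicast DHCP renewals, the packets that do traverse netfilter, then reports how often each client retries. The log lines, the client addresses and the eth1/loc2fw names are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Shorewall's default kernel-log format (not from the thread):
# a client that already holds a lease sends unicast renewals (UDP 68 -> 67) to the
# server on the firewall, and the loc->fw REJECT policy drops and logs each one.
SAMPLE_LOG = """\
May 27 08:10:02 fw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.10.23 DST=192.168.10.1 LEN=328 PROTO=UDP SPT=68 DPT=67 LEN=308
May 27 08:12:40 fw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.10.23 DST=192.168.10.1 LEN=60 PROTO=TCP SPT=51000 DPT=22
May 27 08:15:02 fw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.10.23 DST=192.168.10.1 LEN=328 PROTO=UDP SPT=68 DPT=67 LEN=308
May 27 08:20:03 fw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.10.23 DST=192.168.10.1 LEN=328 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):"
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def dhcp_rejects(log):
    """Rejected client->server DHCP packets that netfilter actually saw.
    Only packets that traverse netfilter can be logged at all, so these are the
    post-lease unicast renewals, not the initial raw-socket broadcasts."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["verdict"] != "REJECT" or (m["proto"], m["spt"], m["dpt"]) != ("UDP", "68", "67"):
            continue
        kind = "broadcast" if m["dst"] == "255.255.255.255" else "unicast-renewal"
        hits.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["iface"], m["src"], m["dst"], kind))
    return hits

def renewal_intervals(hits):
    """Seconds between successive rejected unicast renewals, per (interface, client)."""
    by_client = defaultdict(list)
    for ts, iface, src, _dst, kind in hits:
        if kind == "unicast-renewal":
            by_client[(iface, src)].append(ts)
    out = {}
    for key, times in by_client.items():
        times.sort()
        out[key] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return out

if __name__ == "__main__":
    for (iface, src), gaps in renewal_intervals(dhcp_rejects(SAMPLE_LOG)).items():
        print(f"{src} on {iface}: {len(gaps) + 1} rejected renewals, {gaps}s apart; "
              f"consider the 'dhcp' option for {iface} in the Shorewall interfaces file")
```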
