dnsmasq DHCP server with nwfilter

Hello,

I'm trying to set up a nwfilter ruleset, where the client only should be able to answer to incoming requests and pings. The outbound traffic (LAN and Internet) shouldn't be working.

I've got the rules as mentioned below (I moved all filterref inside for debugging):
<filter name='fwrule-test0' chain='root' priority='-700'>
  <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='101'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <ip dstipaddr='10.16.136.6'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <ip dstipaddr='10.16.136.9'/>
  </rule>
  <rule action='accept' direction='in' priority='250'>
    <all/>
  </rule>
  <rule action='accept' direction='inout' priority='300'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='inout' priority='301'>
    <icmp/>
  </rule>
  <rule action='accept' direction='out' priority='400'>
    <udp dstportstart='53'/>
  </rule>
  <rule action='accept' direction='inout' priority='400'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='drop' direction='out' priority='800'>
    <all/>
  </rule>
</filter>

When the guest already has a proper IP address, this seems to work at first sight: the client can't talk to the internet anymore, but is reachable for TCP and UDP requests.

However, I can't get DHCP working. I'm using the integrated dnsmasq service for DHCP.
It works again when I remove the last DROP rule that takes care of the rest.


I looked inside tcpdump / Wireshark for the corresponding interface (virbr4). With the enabled DHCP port rules I can see that DHCP requests go out to 255.255.255.255. I also activated dnsmasq logging for the virbr4 instance. Here, I don't get any DHCP logs. Without the last DROP rule, I can see clients getting an IP address. I currently have no idea where to look "in between", as the dnsmasq is listening on virbr4.

My expectation for DHCP was for ports 67 <-> 68 to be open, as in the nwfilter 'allow-dhcp'.
Am I missing something here?

Thank you!
Kai
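As an added illustration (not part of Kai's message, and not libvirt code): the script below parses the ruleset from the post and walks a handful of constructed packets through it as one first-match-wins list sorted by priority. On that paper model the outbound DHCP DISCOVER (0.0.0.0:68 -> 255.255.255.255:67) is accepted by the priority-100 rule and the OFFER by the priority-101 rule, so the XML as written does express the intended DHCP exception; only unsolicited outbound traffic such as the HTTPS sample reaches the final drop. The single-list model is an assumption made for the example: as I understand libvirt's nwfilter backend, root-chain `<mac>` and `<ip>` elements are compiled to ebtables while `<udp>`, `<tcp>`, `<icmp>` and `<all>` become iptables rules, so a packet accepted on the ebtables side still has to pass the iptables chain where the closing `<all/>` drop lives; that is the layer a tcpdump on virbr4 cannot distinguish. Port range ends, address masks and attributes the ruleset does not use are not modelled, and the parser refuses them rather than silently ignoring them.

```python
"""Trace constructed packets through a libvirt nwfilter ruleset.

Simplified model (assumption): all rules form one list ordered by priority,
first match wins. libvirt really splits them across ebtables/iptables.
"""
import xml.etree.ElementTree as ET

# Copy of the ruleset from the post (uuid element omitted, one rule per line).
FILTER_XML = """<filter name='fwrule-test0' chain='root' priority='-700'>
<rule action='accept' direction='out' priority='100'><ip protocol='udp' srcportstart='68' dstportstart='67'/></rule>
<rule action='accept' direction='in' priority='101'><ip protocol='udp' srcportstart='67' dstportstart='68'/></rule>
<rule action='accept' direction='out' priority='200'><ip dstipaddr='10.16.136.6'/></rule>
<rule action='accept' direction='out' priority='200'><ip dstipaddr='10.16.136.9'/></rule>
<rule action='accept' direction='in' priority='250'><all/></rule>
<rule action='accept' direction='inout' priority='300'><all state='ESTABLISHED,RELATED'/></rule>
<rule action='accept' direction='inout' priority='301'><icmp/></rule>
<rule action='accept' direction='out' priority='400'><udp dstportstart='53'/></rule>
<rule action='accept' direction='inout' priority='400'><mac protocolid='arp'/></rule>
<rule action='drop' direction='out' priority='800'><all/></rule>
</filter>"""

# Match attributes this model understands; anything else raises.
SUPPORTED = {"protocol", "srcipaddr", "dstipaddr", "srcportstart",
             "dstportstart", "state", "protocolid"}


def ip_pkt(direction, proto, src, dst, sport, dport, state="NEW"):
    return dict(direction=direction, l3="ip", proto=proto, src=src, dst=dst,
                sport=sport, dport=dport, state=state)


# Constructed sample traffic (addresses are documentation ranges, not real hosts).
PACKETS = {
    "dhcp_discover": ip_pkt("out", "udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp_offer":    ip_pkt("in", "udp", "192.0.2.1", "255.255.255.255", 67, 68),
    "dns_query":     ip_pkt("out", "udp", "192.0.2.10", "192.0.2.53", 40000, 53),
    "https_out":     ip_pkt("out", "tcp", "192.0.2.10", "198.51.100.7", 40001, 443),
    "ssh_in":        ip_pkt("in", "tcp", "192.0.2.20", "192.0.2.10", 50000, 22),
    "ssh_reply":     ip_pkt("out", "tcp", "192.0.2.10", "192.0.2.20", 22, 50000,
                            state="ESTABLISHED"),
    "arp_request":   dict(direction="out", l3="arp", proto=None, src=None, dst=None,
                          sport=None, dport=None, state="NEW"),
}


def parse_rules(xml_text):
    """Return rules sorted by priority (document order breaks ties)."""
    rules = []
    for order, rule in enumerate(ET.fromstring(xml_text).findall("rule")):
        match = rule[0]                      # the single protocol element
        unknown = set(match.attrib) - SUPPORTED
        if unknown:
            raise ValueError(f"unmodelled attribute(s) {unknown} on <{match.tag}>")
        rules.append(dict(action=rule.get("action"), direction=rule.get("direction"),
                          priority=int(rule.get("priority", "500")), order=order,
                          proto=match.tag, attrs=dict(match.attrib)))
    return sorted(rules, key=lambda r: (r["priority"], r["order"]))


def _match(rule, pkt):
    if rule["direction"] != "inout" and rule["direction"] != pkt["direction"]:
        return False
    tag, a = rule["proto"], rule["attrs"]
    if tag == "mac":
        # <mac protocolid='arp'/> matches on ethertype; no protocolid matches any frame.
        return "protocolid" not in a or a["protocolid"] == pkt["l3"]
    if pkt["l3"] != "ip":
        return False                          # ip/all/udp/tcp/icmp need an IP packet
    if tag in ("udp", "tcp", "icmp") and pkt["proto"] != tag:
        return False
    checks = (("protocol", pkt["proto"]), ("srcipaddr", pkt["src"]),
              ("dstipaddr", pkt["dst"]), ("srcportstart", str(pkt["sport"])),
              ("dstportstart", str(pkt["dport"])))
    if any(k in a and a[k] != v for k, v in checks):
        return False
    if "state" in a and pkt["state"] not in a["state"].split(","):
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; (None, None, None) means no rule matched."""
    for r in rules:
        if _match(r, pkt):
            return r["action"], r["priority"], r["proto"]
    return None, None, None


def trace_all(xml_text=FILTER_XML, packets=PACKETS):
    rules = parse_rules(xml_text)
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, prio, tag) in trace_all().items():
        print(f"{name:14s} -> {action} (priority {prio}, <{tag}/>)")
```

Run it as-is and the table shows both DHCP legs accepted on this model; when a rule is added or reprioritised, re-run to see which sample packet changes outcome, keeping in mind that the real backend evaluates the ebtables and iptables halves separately.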