Hi, I've been thinking for some time now about the rules needed to allow the firewallbox to receive its public IP from a DHCP server, but everywhere I look it's done in different ways.

My first thought was to open up for the DHCP request in the OUTPUT chain (all policies DROP) and let netfilter's connection-tracking abilities take care of the rest. Like this:

    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A INPUT -i $WAN -p UDP --dport 67 --sport 68 -j ACCEPT

But then I realised that since I don't have a source or destination address, netfilter will probably not be able to track the connection.

On the net I found this:

    $IPTABLES -A OUTPUT -o eth1 -p tcp -s 0.0.0.0/32 --sport 67 \
        -d 255.255.255.255/32 --dport 68 -j ACCEPT
    $IPTABLES -A OUTPUT -o $internal_int -p udp -s $internal_ip --sport 67 \
        -d 255.255.255.255 --dport 68 -j ACCEPT
    $IPTABLES -A INPUT -i $internal_int -p tcp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -A INPUT -i $internal_int -p udp --sport 68 --dport 67 -j ACCEPT

Looks a bit much, I think. Also found this:

    $IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

But this opens two ports, and the only protocol I know of that uses two ports is FTP, so if someone could give me some hints I'd be happy.

I was also wondering about Ident. Today I use it only when connecting to IRC servers and have port 113 forwarded to the computer running the IRC client, but this solution is not so good if another computer on my network should have a need of Ident. So I was wondering: if I install an Identd on my firewallbox and let it take care of requests, would it work, considering that the connection does not originate from the firewallbox?

Thanks for your time.

-- 
Erik Wikström
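The following is an added example, not code from the original post, that models a small subset of iptables filter-chain matching and runs the DHCP rules from the question through it. It shows why the first attempt cannot admit a DHCP server reply (the source and destination ports are the wrong way round for a reply, which has server port 67 as source and client port 68 as destination), and that the 67:68 range rule admits every combination of those two ports, including requests arriving from the WAN side that a box which is only a DHCP client has no reason to accept. The interface name wan0, the packets, and the modelling of the reply's conntrack state as NEW (the request leaves from 0.0.0.0:68 to 255.255.255.255:67, so the reply's addresses do not invert that tuple) are assumptions made for the demonstration. One practical caveat the model does not capture: common Linux DHCP clients such as ISC dhclient and dhcpcd exchange their packets over packet sockets, which netfilter's INPUT and OUTPUT chains do not see, so on many systems the DHCP client works regardless of these rules; the rules still matter for DHCP traffic that does traverse the IP stack.

```python
"""Toy model of an iptables filter chain, used to check which of the DHCP
rules from the question actually admit a DHCP server reply.

Added example, not code from the original post.  Only the match options the
question uses are modelled: -i, -p, --sport, --dport (single port or lo:hi
range), -m state --state, -j, and the -A/-I distinction.  Every other
option is skipped.  The interface name wan0 and the packets below are
constructed for the demonstration.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on
    proto: str        # "udp" or "tcp"
    sport: int
    dport: int
    state: str        # conntrack classification: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    iface: str | None
    proto: str | None
    sport: tuple[int, int] | None   # inclusive port range, None = any
    dport: tuple[int, int] | None
    states: frozenset | None        # None = no -m state match present
    target: str


def _port_range(spec: str) -> tuple[int, int]:
    """'68' -> (68, 68); '67:68' -> (67, 68)."""
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))


def parse_rule(line: str) -> tuple[bool, Rule]:
    """Parse one 'iptables ... -A/-I CHAIN ...' command into (insert?, Rule)."""
    toks = shlex.split(line)
    insert = False
    iface = proto = sport = dport = states = target = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if not tok.startswith("-"):
            i += 1              # bare word, e.g. the iptables command itself
            continue
        if tok == "-I":
            insert = True       # -I puts the rule at the head of the chain
        elif tok in ("-i", "--in-interface"):
            iface = arg
        elif tok in ("-p", "--protocol"):
            proto = arg.lower()
        elif tok == "--sport":
            sport = _port_range(arg)
        elif tok == "--dport":
            dport = _port_range(arg)
        elif tok == "--state":
            states = frozenset(arg.upper().split(","))
        elif tok in ("-j", "--jump"):
            target = arg
        i += 2                  # every option in the question takes one argument
    if target is None:
        raise ValueError("no -j target in: " + line)
    return insert, Rule(iface, proto, sport, dport, states, target)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.sport is None or rule.sport[0] <= pkt.sport <= rule.sport[1])
            and (rule.dport is None or rule.dport[0] <= pkt.dport <= rule.dport[1])
            and (rule.states is None or pkt.state in rule.states))


def verdict(rule_lines: list[str], pkt: Packet, policy: str = "DROP") -> str:
    """Build the chain from the commands in order, then return the target of
    the first matching rule, or the chain policy when nothing matches."""
    chain: list[Rule] = []
    for line in rule_lines:
        insert, rule = parse_rule(line)
        if insert:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


# A DHCPOFFER coming back from the ISP's server on the WAN interface
# (constructed).  Modelled as NEW: the request left from 0.0.0.0:68 to
# 255.255.255.255:67, so the reply's addresses do not invert that tuple.
OFFER = Packet("wan0", "udp", sport=67, dport=68, state="NEW")

# A DHCP request arriving from the WAN side (constructed); a box that is
# only a DHCP client has no reason to accept it.
STRAY_REQUEST = Packet("wan0", "udp", sport=68, dport=67, state="NEW")

# The first attempt from the question with $WAN -> wan0: the ports are the
# wrong way round for a server reply.
AS_POSTED = [
    "iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -t filter -A INPUT -i wan0 -p UDP --dport 67 --sport 68 -j ACCEPT",
]
# Same rule with the ports corrected: server port 67 -> client port 68.
CORRECTED = [
    "iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -t filter -A INPUT -i wan0 -p udp --sport 67 --dport 68 -j ACCEPT",
]
# The range rule from the question: admits every combination of 67 and 68.
RANGE = ["iptables -I INPUT -i wan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT"]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED), ("range", RANGE)):
        print(f"{name:10s} offer -> {verdict(rules, OFFER):6s} "
              f"stray request -> {verdict(rules, STRAY_REQUEST)}")
```

Running it shows the as-posted chain dropping the offer while accepting the stray request, the corrected chain doing the opposite, and the range rule accepting both; the corrected single rule is the narrowest one that lets the firewall's own DHCP client receive replies on the WAN interface.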