Not wishing to be paranoid, buuuuuuuuutttttttt..... couldn't you usefully restrict those by source and destination IP?
Probably, but... You usually don't know IP address of DHCP server in advance (ISP can chage it without prior notice, which will happen each time they deem it is time to reorganize their network). You don't know what will be your address before it is assigned to you.
Theoretically, you could modify dhcpclient so that it opens up firewall to be more permissive for those two ports when initially getting IP address, and than making it more strict when both local and DHCP server's addresses are known (and making it more permissive again if DHCP server goes south, so that new one could be discovered).
Theretically, your ISP (I guess it's cable, if using DHCP) should have been protecting you anyhow. Otherwise, any wise ass with Windblows or Linux box could screw up entire cable segment. It would be the last thing he would do (since it would be trivial to pinpoint him). But it might be considered as fun last thing by the before mentioned wise ass.
On the other hand, you should also assume ISP is brain dead and have everything misconfigured (or in better case, not configured at all ;-)
-- Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
