Thanks, your reply really helps.

On 9/20/05, /dev/rob0 <rob0@xxxxxxxxx> wrote:
>
> On Tuesday 20 September 2005 07:36, Askar wrote:
> > I'm configuring a firewall on a dhcp server, I'm a bit confused which
> > port to allow on INPUT so that users (clients) get an IP from the server
> >
> > from /etc/services...
> >
> > bootps 67/tcp dhcps #Bootstrap Protocol Server
> > bootps 67/udp dhcps #Bootstrap Protocol Server
> > bootpc 68/tcp dhcpc #Bootstrap Protocol Client
> > bootpc 68/udp dhcpc #Bootstrap Protocol Client
>
> The server binds 67/udp, client binds 68/udp. TCP is not used.
>
> > dhcpv6-client 546/tcp #DHCPv6 Client
> > dhcpv6-client 546/udp #DHCPv6 Client
> > dhcpv6-server 547/tcp #DHCPv6 Server
> > dhcpv6-server 547/udp #DHCPv6 Server
>
> I don't know about this but I bet it's also UDP-only. If you're not
> using IPv6 addressing then you do not care.
>
> > A lot of other services are running on this machine, however I'm very
> > clear about all other services, i.e. which port to allow etc.
>
> On the server machine you must allow connections to your 67/udp from
> 68/udp. Some of these (renewals) will come addressed to the IP of your
> dhcpd; others (broadcasts) will come to 255.255.255.255. The origin
> IPs for such broadcasts are 0.0.0.0.
>
> DHCP service is generally a good thing to keep behind a firewall, IMO.
> Mine at home is running on a server which gets pass-through DNAT from
> the external router, so I had to be tricky about this. If the source
> address is not in my LAN segment I handle it as an external packet, but
> that was a problem for DHCP. I simply accept all from 255.255.255.255
> (those won't pass through the external router anyway), but if you want
> to tighten it up you could try this:
>
> iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 \
> -p udp --sport 68 --dport 67 -j ACCEPT

however running tcpdump -n -i eth0 udp port 67 gives me....

09:21:55.685883 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:07:e9:60:a8:db, length: 300
09:21:56.000922 IP 192.168.1.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300

It's a client requesting an IP from the dhcp server, 0.0.0.0:bootpc. Grepping bootpc from /etc/services gives..

bootps 67/tcp dhcps #Bootstrap Protocol Server
bootps 67/udp dhcps #Bootstrap Protocol Server

but not --sport 68, it means client requests are also coming from --sport 67. Therefore I think I must go with..

iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 \
-p udp --dport 67 -j ACCEPT

without specifying a --sport thing.

Thanks and regards
Askar

> > All the client machines are running MS. Therefore any other good
> > suggestion will be appreciated to make the network efficient.
>
> Get rid of all the MS machines. :)

We are trying but it will take time :)

> Only bind your DHCP service to the interface[s] where you intend to
> offer DHCP.
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
>

--
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
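The thread turns on reading source and destination ports out of tcpdump's service-name notation and checking them against the two INPUT rule variants discussed above. The script below is an added example, not code from either poster: it resolves bootpc/bootps with the /etc/services entries quoted in the thread, parses the tcpdump lines shown (plus one constructed unicast renewal line, since /dev/rob0 notes that renewals arrive addressed to the dhcpd's own IP), and reports which rule would accept each datagram. The server address 192.168.1.1 is taken from the Reply line on the page; the client address 192.168.1.50 and the "unicast renewal" rule are assumptions made for the example.

```python
# Added example, not from the thread: map tcpdump service names to port
# numbers and evaluate the INPUT rules discussed in the thread against
# captured DHCP datagrams.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the /etc/services lines quoted in the thread.
SERVICES = {"bootps": 67, "bootpc": 68}

# tcpdump prints "IP <src-ip>.<src-port> > <dst-ip>.<dst-port>: ..."; ports
# may be names (bootpc) or numbers (with -nn), so accept both.
LINE_RE = re.compile(
    r"IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+):"
)


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def port_number(token: str) -> int:
    """Resolve a tcpdump port token (name or number) to an integer."""
    return int(token) if token.isdigit() else SERVICES[token]


def parse_tcpdump_line(line: str) -> Datagram:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not a tcpdump IP line: {line!r}")
    return Datagram(m["sip"], port_number(m["sport"]),
                    m["dip"], port_number(m["dport"]))


@dataclass(frozen=True)
class Rule:
    """Subset of 'iptables -A INPUT -p udp ...'; None means the match
    option was not given, so any value is accepted."""
    name: str
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, d: Datagram) -> bool:
        checks = ((self.src, d.src_ip), (self.dst, d.dst_ip),
                  (self.sport, d.src_port), (self.dport, d.dst_port))
        return all(want is None or want == have for want, have in checks)


RULES = [
    # /dev/rob0's tightened rule: -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67
    Rule("broadcast, sport 68", "0.0.0.0", "255.255.255.255", 68, 67),
    # Askar's variant: the same rule without --sport
    Rule("broadcast, any sport", "0.0.0.0", "255.255.255.255", None, 67),
    # Assumed extra rule for unicast renewals to the server's own address
    Rule("unicast renewal", None, "192.168.1.1", 68, 67),
]


def accepting_rules(line: str) -> List[str]:
    """Names of the INPUT rules that would accept the datagram on this line."""
    d = parse_tcpdump_line(line)
    return [r.name for r in RULES if r.matches(d)]


# Two lines quoted in the thread plus one constructed renewal line.
DISCOVER = ("09:21:55.685883 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: "
            "BOOTP/DHCP, Request from 00:07:e9:60:a8:db, length: 300")
REPLY = ("09:21:56.000922 IP 192.168.1.1.bootps > 255.255.255.255.bootpc: "
         "BOOTP/DHCP, Reply, length: 300")
RENEWAL = ("09:22:10.000000 IP 192.168.1.50.bootpc > 192.168.1.1.bootps: "
           "BOOTP/DHCP, Request from 00:07:e9:60:a8:db, length: 300")  # constructed

if __name__ == "__main__":
    for line in (DISCOVER, REPLY, RENEWAL):
        d = parse_tcpdump_line(line)
        print(f"{d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port} "
              f"accepted by INPUT rules: {accepting_rules(line) or 'none'}")
```

Running it shows the broadcast request resolves to source port 68 and destination port 67, so both broadcast rule variants accept it; the server's Reply is outbound and matches no INPUT rule; and the unicast renewal is caught only by a rule that does not pin the destination to 255.255.255.255, which is the second case /dev/rob0 describes.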