<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>DHCP</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257523"></a>DHCP</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001, 2002, 2004, 2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id257918"></a><p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. 
A copy of the license is included in the section entitled “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Firewall">If you want to Run a DHCP Server on your firewall</a></span></dt><dt><span class="section"><a href="#Client">If a Firewall Interface gets its IP Address via DHCP</a></span></dt><dt><span class="section"><a href="#Bridge">If you wish to pass DHCP requests and responses through a bridge</a></span></dt><dt><span class="section"><a href="#Relay">Running dhcrelay on the firewall</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>For most operations, DHCP software interfaces to the Linux IP stack at a level below Netfilter. Hence, Netfilter (and therefore Shorewall) cannot be used effectively to police DHCP. The “<span class="quote">dhcp</span>” interface option described in this article allows for Netfilter to stay out of DHCP's way for those operations that can be controlled by Netfilter and prevents unwanted logging of DHCP-related traffic by Shorewall-generated Netfilter logging rules.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Firewall"></a>If you want to Run a DHCP Server on your firewall</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Specify the “<span class="quote">dhcp</span>” option on each interface to be served by your server in the <code class="filename"><a class="ulink" href="manpages/shorewall-interfaces.html" target="_self">/etc/shorewall/interfaces</a></code> file. 
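</p><p>As an added example (not part of this Shorewall document), the following POSIX shell script checks that every interface listed on the dhcpd run line carries the <span class="quote">dhcp</span> option in <code class="filename">/etc/shorewall/interfaces</code>. It assumes the four-column file layout (ZONE, INTERFACE, BROADCAST, OPTIONS) with comma-separated options; the sample file contents and the interface names <code class="literal">eth1 eth2</code> are constructed for the illustration.</p>
```shell
#!/bin/sh
# Added example, not part of the Shorewall documentation: verify that the
# interfaces dhcpd serves carry the "dhcp" option in /etc/shorewall/interfaces.
# Assumes the four-column layout ZONE INTERFACE BROADCAST OPTIONS, with the
# OPTIONS column comma-separated. Sample file and interface names are constructed.

# write_sample_interfaces FILE: write a constructed interfaces file to FILE.
write_sample_interfaces() {
    printf '%s\n' \
        '#ZONE   INTERFACE   BROADCAST   OPTIONS' \
        'net     eth0        detect      tcpflags,routefilter' \
        'loc     eth1        detect      dhcp,tcpflags' \
        'dmz     eth2        detect      tcpflags' \
        '' > "$1"
}

# interfaces_with_dhcp FILE: print the INTERFACE column of every non-comment
# line whose OPTIONS column contains the word "dhcp", one name per line.
interfaces_with_dhcp() {
    awk '
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        {
            split($4, opts, ",")
            for (i in opts)
                if (opts[i] == "dhcp") { print $2; break }
        }' "$1"
}

# missing_dhcp_option FILE IFACE...: print each IFACE (the interfaces named on
# the dhcpd run line) that has no "dhcp" option in FILE. Prints nothing when
# the two configurations agree.
missing_dhcp_option() {
    file="$1"
    shift
    have=$(interfaces_with_dhcp "$file")
    for iface in "$@"; do
        found=0
        for h in $have; do
            if [ "$h" = "$iface" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$iface"; fi
    done
    return 0
}

# Demonstration on the constructed sample: dhcpd is started for eth1 and eth2
# (DHCPDARGS on a RedHat system), but only eth1 has the dhcp option, so eth2
# is reported.
sample=$(mktemp)
write_sample_interfaces "$sample"
missing_dhcp_option "$sample" eth1 eth2
rm -f "$sample"
```
<p>Run it against the real file after editing the interfaces file and the dhcpd run line: an empty result means every served interface will get the DHCP accept rules; any name printed is an interface dhcpd will answer on but for which Shorewall generates no DHCP rules.</p><p>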
This will generate rules that will allow DHCP to and from your firewall system.</p></li><li><p>When starting “<span class="quote">dhcpd</span>”, you need to list those interfaces on the run line. On a RedHat system, this is done by modifying <code class="filename">/etc/sysconfig/dhcpd</code>.</p></li><li><p>If you set 'ping-check' true in your <code class="filename">/etc/shorewall/dhcpd.conf</code> file then you will want to <a class="ulink" href="ping.htm" target="_self">accept 'ping'</a> from your firewall to the zone(s) served by the firewall's DHCP server.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Client"></a>If a Firewall Interface gets its IP Address via DHCP</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Specify the “<span class="quote">dhcp</span>” option for this interface in the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a> file. 
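</p><p>As an added example (not part of this Shorewall document), the following POSIX shell script implements the refresh step described later in this list, running <span class="quote">shorewall refresh</span> when the dynamic address changes. It assumes the ISC dhclient, which exports <code class="literal">$reason</code>, <code class="literal">$interface</code>, <code class="literal">$old_ip_address</code> and <code class="literal">$new_ip_address</code> to the hook scripts it sources from <code class="filename">/etc/dhcp/dhclient-exit-hooks.d/</code> (Debian layout; other distributions use <code class="filename">/etc/dhclient-exit-hooks</code>); the interface name <code class="literal">eth0</code> is a constructed placeholder.</p>
```shell
#!/bin/sh
# Added example, not part of the Shorewall documentation: an ISC dhclient exit
# hook that runs "shorewall refresh" when the DHCP-configured interface gets a
# different address, so Shorewall's view of the interface's subnet is updated.
# Assumes dhclient, which exports $reason, $interface, $old_ip_address and
# $new_ip_address to the scripts it sources from /etc/dhcp/dhclient-exit-hooks.d/
# (Debian layout; other distributions use /etc/dhclient-exit-hooks). The
# interface name eth0 is a constructed placeholder.

DHCP_IFACE="${DHCP_IFACE:-eth0}"   # the interface carrying the "dhcp" option

# needs_refresh REASON OLD_IP NEW_IP
# Exit status 0 when the lease event may have changed the interface address and
# a refresh is warranted, 1 otherwise.
needs_refresh() {
    case "$1" in
        BOUND|REBOOT)
            # A new lease: refresh unconditionally, the address may differ from
            # what Shorewall detected at start-up.
            return 0 ;;
        RENEW|REBIND)
            # Lease kept or re-obtained: refresh only if the address changed.
            if [ "$2" != "$3" ]; then return 0; fi
            return 1 ;;
        *)
            # Other events (PREINIT, EXPIRE, RELEASE, ...) leave the rules alone.
            return 1 ;;
    esac
}

# refresh_firewall: run the refresh if Shorewall is installed; otherwise just
# report what would have been run (useful when testing the hook by hand).
refresh_firewall() {
    if command -v shorewall >/dev/null 2>/dev/null; then
        shorewall refresh
    else
        echo "shorewall not found; would run: shorewall refresh"
    fi
}

# dhclient sources this file, so the variables below are already set when it
# runs; the defaults keep the script harmless if executed directly.
if [ "${interface:-}" = "$DHCP_IFACE" ]; then
    if needs_refresh "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
        refresh_firewall
    fi
fi
```
<p>Install the script where your dhclient looks for exit hooks, set <code class="literal">DHCP_IFACE</code> to the interface named with the <span class="quote">dhcp</span> option in <code class="filename">/etc/shorewall/interfaces</code>, and make sure Shorewall is already started before the first lease arrives, since <span class="quote">shorewall refresh</span> only applies to a running Shorewall. Other DHCP clients provide similar hooks; consult their documentation for the variable names.</p><p>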
This will generate rules that will allow DHCP to and from your firewall system.</p></li><li><p>If you know that the dynamic address is always going to be in the same subnet, you can specify the subnet address in the interface's entry in the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a> file.</p></li><li><p>If you don't know the subnet address in advance, you should specify “<span class="quote">detect</span>” for the interface's subnet address in the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a> file and start Shorewall after the interface has started.</p></li><li><p>In the event that the subnet address might change while Shorewall is running, you need to arrange for a “<span class="quote">shorewall refresh</span>” command to be executed when a new dynamic IP address gets assigned to the interface. Check your DHCP client's documentation.</p></li><li><p>It is a good idea to <a class="ulink" href="ping.htm" target="_self">accept 'ping'</a> on any interface that gets its IP address via DHCP. That way, if the DHCP server is configured with 'ping-check' true, you won't be blocking its 'ping' requests.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Bridge"></a>If you wish to pass DHCP requests and responses through a bridge</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Specify the “<span class="quote">dhcp</span>” option for the bridge interface in the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a> file. 
This will generate rules that will allow DHCP to and from your firewall system as well as through the bridge.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Relay"></a>Running dhcrelay on the firewall</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Specify the “<span class="quote">dhcp</span>” option (in <code class="filename"><a class="ulink" href="manpages/shorewall-interfaces.html" target="_self">/etc/shorewall/interfaces</a></code>) on the interface facing the DHCP server and on the interfaces to be relayed.</p></li><li><p>If the server is configured with 'ping-check' true, then you must <a class="ulink" href="ping.htm" target="_self">allow 'ping'</a> from the server's zone to the zone(s) served by dhcrelay.</p></li></ul></div></div></div></body></html>