shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>DHCP</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257523"></a>DHCP</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001, 2002, 2004, 2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id257918"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Firewall">If you want to Run a DHCP Server on your firewall</a></span></dt><dt><span class="section"><a href="#Client">If a Firewall Interface gets its IP Address via DHCP</a></span></dt><dt><span class="section"><a href="#Bridge">If you wish to pass DHCP requests and responses through a
    bridge</a></span></dt><dt><span class="section"><a href="#Relay">Running dhcrelay on the firewall</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>For most operations, DHCP software interfaces to the Linux IP stack
    at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
    cannot be used effectively to police DHCP. The “<span class="quote">dhcp</span>”
    interface option described in this article allows for Netfilter to stay
    out of DHCP's way for those operations that can be controlled by Netfilter
    and prevents unwanted logging of DHCP-related traffic by
    Shorewall-generated Netfilter logging rules.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Firewall"></a>If you want to Run a DHCP Server on your firewall</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Specify the “<span class="quote">dhcp</span>” option on each interface to be
        served by your server in the <code class="filename"><a class="ulink" href="manpages/shorewall-interfaces.html" target="_self">/etc/shorewall/interfaces</a></code>
        file. This will generate rules that will allow DHCP to and from your
        firewall system.</p></li><li><p>When starting “<span class="quote">dhcpd</span>”, you need to list those
        interfaces on its command line. On a Red Hat system, this is done by
        modifying <code class="filename">/etc/sysconfig/dhcpd</code>.</p></li><li><p>If you set 'ping-check' true in your
        <code class="filename">/etc/shorewall/dhcpd.conf</code> file then you will want
        to <a class="ulink" href="ping.htm" target="_self">accept 'ping'</a> from your firewall to
        the zone(s) served by the firewall's DHCP server.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Client"></a>If a Firewall Interface gets its IP Address via DHCP</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Specify the “<span class="quote">dhcp</span>” option for this interface in the
        <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a>
        file. This will generate rules that will allow DHCP to and from
        your firewall system.</p></li><li><p>If you know that the dynamic address is always going to be in
        the same subnet, you can specify the subnet address in the interface's
        entry in the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a>
        file.</p></li><li><p>If you don't know the subnet address in advance, you should
        specify “<span class="quote">detect</span>” for the interface's subnet address in
        the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a>
        file and start Shorewall after the interface has started.</p></li><li><p>In the event that the subnet address might change while
        Shorewall is running, you need to arrange for a “<span class="quote">shorewall
        refresh</span>” command to be executed when a new dynamic IP address
        gets assigned to the interface. Check your DHCP client's
        documentation.</p></li><li><p>It is a good idea to <a class="ulink" href="ping.htm" target="_self">accept 'ping'</a>
        on any interface that gets its IP address via DHCP. That way, if the
        DHCP server is configured with 'ping-check' true, you won't be
        blocking its 'ping' requests.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Bridge"></a>If you wish to pass DHCP requests and responses through a
    bridge</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Specify the “<span class="quote">dhcp</span>” option for the bridge interface
        in the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a>
        file. This will generate rules that will allow DHCP to and from
        your firewall system as well as through the bridge.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Relay"></a>Running dhcrelay on the firewall</h2></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Specify the “<span class="quote">dhcp</span>” option (in <code class="filename"><a class="ulink" href="manpages/shorewall-interfaces.html" target="_self">/etc/shorewall/interfaces</a></code>)
        on the interface facing the DHCP server and on the interfaces to be
        relayed.</p></li><li><p>If the server is configured with 'ping-check' true, then you
        must <a class="ulink" href="ping.htm" target="_self">allow 'ping'</a> from the server's zone
        to the zone(s) served by dhcrelay.</p></li></ul></div></div></div></body></html>
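An added example, not part of the Shorewall documentation: a shell audit that reports which entries in an interfaces file carry the dhcp option described in the four sections above, so the option is present on every interface that serves, obtains, bridges or relays DHCP and absent everywhere else. The ZONE/INTERFACE/BROADCAST/OPTIONS column layout, the sample file and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Shorewall documentation.
# Assumed columns of the interfaces file: ZONE INTERFACE BROADCAST OPTIONS

# Print every interface whose OPTIONS column contains "dhcp".
dhcp_interfaces() {
    awk '
        { sub(/#.*/, "") }        # drop comments
        NF < 4 { next }           # entry has no OPTIONS column
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "dhcp") { print $2; break }
        }
    ' "$1"
}

# audit_dhcp FILE IFACE...
# Prints "MISSING x" for a listed interface without the option and
# "UNEXPECTED x" for an unlisted interface that has it. Returns 1 on any finding.
audit_dhcp() {
    file=$1; shift
    have=$(dhcp_interfaces "$file")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
            echo "MISSING $want"; rc=1
        fi
    done
    for h in $have; do
        if ! printf '%s\n' "$@" | grep -qxF -- "$h"; then
            echo "UNEXPECTED $h"; rc=1
        fi
    done
    return $rc
}

# Constructed sample file: eth0 is a DHCP client, eth1 is served by dhcpd,
# br0 is a bridge that should pass DHCP but lacks the option.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     dhcp,tcpflags
loc    eth1       detect     tcpflags,dhcp   # served by dhcpd
dmz    eth2       detect     tcpflags
-      br0        -          routeback
EOF
audit_dhcp "$sample" eth0 eth1 br0 || true
```

To check a live configuration, pass /etc/shorewall/interfaces and the interfaces that are meant to handle DHCP; a non-zero exit status marks a mismatch.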