On Mon, 1 Apr 2002, Alan Hadsell wrote:
AH> Erwin Lam writes:
AH>
AH> > On Mon, 1 Apr 2002, Alan Hadsell wrote:
AH> >
AH> > AH> My problem: When the DHCP lease times out, the firewall box can't
AH> > AH> acquire a new one. It appears that the firewall's anti-spoofing rules
AH> > AH> are blocking the DHCP server's reply. At the time when this happens,
AH> > AH> I get numerous SuSE-FW-DROP-ANTI-SPOOFING messages with source port =
AH> > AH> 67 and destination port = 68. At this point, I lose all Internet
AH> > AH> connectivity until I reboot the firewall box.
AH> > AH>
AH> > AH> My configuration includes FW_SERVICE_DHCLIENT="yes".
AH>
AH> > You also need to set
AH> >
AH> > FW_SERVICES_EXT_UDP="bootpc"
AH>
AH> This should be equivalent to FW_SERVICES_EXT_UDP="68", right? OK,
Yes, but you may also mention the port by its name "bootpc". Have a look
at the file "/etc/services".
AH> I'll try that. I guess I don't understand why it's necessary, though.
AH> The script says:
AH>
AH> ,----[ from SuSEfirewall2 ]
AH> | test "$FW_SERVICE_DHCLIENT" = yes && {
AH> | $LAA $IPTABLES -A INPUT -j LOG ${LOG}"-ACCEPT " -p udp --sport 67 -d 255.255.255.255/32 --dport 68
AH> | $IPTABLES -A INPUT -j "$ACCEPT" -m state --state ESTABLISHED -p udp --sport 67 -d 255.255.255.255/32 --dport 68
AH> | }
AH> `----
When you first try to acquire an ip-address using dhcp, your computer
doesn't have an ip-address yet. Therefore, your computer and the
dhcp-server must use broadcasts (address 255.255.255.255) to exchange
information (the dhcp-client uses udp port 68 and the dhcp-server uses
udp port 67). That traffic is allowed by the above rule.
Once you have a valid lease and half of the lease time has expired, the
dhcp-client (your computer) requests renewal of the lease from the
dhcp-server. Because the client now has a valid ip-address and also
knows the ip-address of the dhcp-server, this exchange of information
uses the valid ip-addresses of both client and server, i.e. it no longer
relies on broadcasts. However, this requires you to set
FW_SERVICES_EXT_UDP="bootpc". Otherwise, the response from the dhcp-server
to port 68 at your ip-address will be blocked by your firewall.
AH> ...which seems to imply that any such packet would be accepted, and
AH> not hit the anti-spoofing rules (which are applied later). Or is it
AH> tripping over the "--state ESTABLISHED"?
No, see above.
AH> I also don't understand this: if this is an issue of not ACCEPTing the
AH> message, why don't I get UNALLOWED-TARGET messages, rather than
The packets were addressed to your ip-address which is not an unallowed
target.
AH> ANTI-SPOOFING messages (in other words, I don't understand why it has
AH> decided this is a spoofed message rather than just one directed to a
AH> closed port).
Well... I am not an expert in this matter and I don't understand it
either, but could you please post that log entry so we can have a look
at it?
Regards
Erwin Lam
--
Erwin Lam (erwin.lam@gmx.net)
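The two DHCP exchanges Erwin describes, as an added example that is not part of this thread or of SuSEfirewall2's own script: a small first-match-wins model of the INPUT chain, with the broadcast rule quoted from the script and a second rule standing in for what FW_SERVICES_EXT_UDP="bootpc" adds. The exact shape of that second rule, the terminal DROP, the port table and the 192.0.2.x addresses are assumptions made for the example; it shows why the unicast renewal reply (server port 67 to the client's own address, port 68) is not covered by the FW_SERVICE_DHCLIENT rule alone.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed subset of /etc/services; SuSEfirewall2 resolves names such as
# "bootpc" through that file, as mentioned in the thread.
SERVICES: Dict[str, int] = {"bootps": 67, "bootpc": 68}


def service_port(name_or_number: str) -> int:
    """Resolve a service name or a numeric string to a UDP port number."""
    if name_or_number.isdigit():
        return int(name_or_number)
    return SERVICES[name_or_number]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    target: str                      # "ACCEPT" or "DROP"
    match: Callable[[Packet], bool]


def build_input_chain(client_ip: str, fw_service_dhclient: bool,
                      fw_services_ext_udp: Tuple[str, ...]) -> List[Rule]:
    """Model the INPUT chain for the two settings discussed in the thread."""
    chain: List[Rule] = []
    if fw_service_dhclient:
        # The rule quoted from SuSEfirewall2: udp sport 67 -> 255.255.255.255:68.
        # It matches only the broadcast reply of the initial lease acquisition.
        chain.append(Rule(
            "DHCLIENT-broadcast", "ACCEPT",
            lambda p: (p.proto == "udp" and p.sport == 67
                       and p.dst == "255.255.255.255" and p.dport == 68)))
    for svc in fw_services_ext_udp:
        port = service_port(svc)
        # Assumed shape of the rule FW_SERVICES_EXT_UDP adds: accept UDP to
        # that port on the host's own (unicast) address.
        chain.append(Rule(
            f"EXT-UDP-{svc}", "ACCEPT",
            lambda p, port=port: (p.proto == "udp" and p.dport == port
                                  and p.dst == client_ip)))
    # Unmatched packets are not accepted; a terminal DROP stands in for
    # whatever logging/drop rule the real firewall ends the chain with.
    chain.append(Rule("default-drop", "DROP", lambda p: True))
    return chain


def filter_packet(chain: List[Rule], packet: Packet) -> Tuple[str, str]:
    """First matching rule wins, as in an iptables chain."""
    for rule in chain:
        if rule.match(packet):
            return rule.target, rule.name
    raise RuntimeError("chain has no terminal rule")


def dhcp_verdicts(client_ip: str, server_ip: str,
                  fw_services_ext_udp: Tuple[str, ...] = ()) -> Dict[str, str]:
    """Verdict for the server's reply in each of the two DHCP exchanges."""
    chain = build_input_chain(client_ip, True, fw_services_ext_udp)
    # 1. Initial acquisition: the client has no address yet, so the server
    #    replies to the broadcast address.
    offer = Packet("udp", server_ip, 67, "255.255.255.255", 68)
    # 2. Renewal at half the lease time: both sides use their real addresses.
    renewal_ack = Packet("udp", server_ip, 67, client_ip, 68)
    return {
        "initial-offer": filter_packet(chain, offer)[0],
        "renewal-ack": filter_packet(chain, renewal_ack)[0],
    }


if __name__ == "__main__":
    CLIENT, SERVER = "192.0.2.10", "192.0.2.1"   # constructed addresses
    print("FW_SERVICE_DHCLIENT only:        ", dhcp_verdicts(CLIENT, SERVER))
    print("plus FW_SERVICES_EXT_UDP=bootpc: ",
          dhcp_verdicts(CLIENT, SERVER, ("bootpc",)))
```

With only FW_SERVICE_DHCLIENT set, the model accepts the broadcast offer and drops the unicast renewal reply, which is the situation Alan reports when the lease is half expired; adding "bootpc" (or "68", which resolves to the same port) lets the renewal reply through. Whether the real firewall logs the dropped reply as ANTI-SPOOFING or as something else is not modelled here, since the thread leaves that open.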