Erwin Lam
When you first try to acquire an ip-address using dhcp, your computer doesn't have an ip-address yet. Therefore, your computer and the dhcp-server must use broadcasts (address 255.255.255.255) to exchange information (the dhcp-client uses udp port 68 and the dhcp-server uses udp port 67). That traffic is allowed by the above rule.
Duh. I should have figured that out. I was tripping over the fact that the DHCP setup happens before the firewall is created. Thanks for the whack in the head.
Once you have a valid lease and half of the lease time has expired, the dhcp-client (your computer) requests renewal of the lease from the dhcp-server. Because the client now has a valid ip-address and also knows the ip-address of the dhcp-server, this exchange of information uses the valid ip-addresses of both client and server, i.e. it no longer relies on broadcasts. However, this requires you to set FW_SERVICES_EXT_UDP="bootpc". Otherwise, the response from the dhcp-server to port 68 at your ip-address will be blocked by your firewall.
OK, that makes sense.
AH> ANTI-SPOOFING messages (in other words, I don't understand why it has
AH> decided this is a spoofed message rather than just one directed to a
AH> closed port).
Well... I am not an expert in this matter and I don't understand it either, but could you please post that log entry so we can have a look at it?
I'll post it as soon as I get back to my system, which will be this weekend. I'm on the road just now, and I can't get to my firewall from the outside. Thanks for your help.
--
Alan Hadsell
"Whatever does not kill me makes me stranger".
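The two DHCP flows Erwin describes, as an added example that is not part of the original thread: a toy packet filter that allows the broadcast DISCOVER/OFFER exchange unconditionally but lets the unicast renewal reply through only when "bootpc" is in the external UDP service list. The rule format, the sample addresses and the service-list handling are assumptions modelled loosely on the FW_SERVICES_EXT_UDP setting, not SuSEfirewall2's real parser.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constants from the thread: DHCP server port 67 (bootps), client port 68 (bootpc).
BROADCAST = "255.255.255.255"
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


@dataclass(frozen=True)
class Packet:
    """Minimal model of an inbound UDP datagram arriving at the client host."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def allowed(pkt: Packet, client_ip: str, ext_udp_services: Iterable[str]) -> bool:
    """Decide whether an inbound UDP packet reaches the DHCP client.

    Rule 1 (always present): server->client traffic to the broadcast address
    between the DHCP ports is allowed; initial acquisition relies on this.
    Rule 2 (optional): unicast to port 68 at the leased address is allowed only
    when 'bootpc' is listed in the external UDP services; renewal relies on this.
    """
    if (pkt.dst_ip == BROADCAST and pkt.src_port == DHCP_SERVER_PORT
            and pkt.dst_port == DHCP_CLIENT_PORT):
        return True
    if (pkt.dst_ip == client_ip and pkt.dst_port == DHCP_CLIENT_PORT
            and "bootpc" in set(ext_udp_services)):
        return True
    return False


def dhcp_flows(client_ip: str, server_ip: str) -> Tuple[Packet, Packet]:
    """Constructed sample replies: the broadcast OFFER during first acquisition
    and the unicast ACK sent at lease renewal (assumed addresses, not real traffic)."""
    offer = Packet(server_ip, BROADCAST, DHCP_SERVER_PORT, DHCP_CLIENT_PORT)
    renewal_ack = Packet(server_ip, client_ip, DHCP_SERVER_PORT, DHCP_CLIENT_PORT)
    return offer, renewal_ack


def check(ext_udp_services: Iterable[str]) -> Dict[str, bool]:
    """Evaluate both flows against a given FW_SERVICES_EXT_UDP-style list."""
    client_ip, server_ip = "192.0.2.10", "192.0.2.1"  # constructed sample lease
    offer, ack = dhcp_flows(client_ip, server_ip)
    services = tuple(ext_udp_services)
    return {"initial_offer": allowed(offer, client_ip, services),
            "renewal_ack": allowed(ack, client_ip, services)}
```

With an empty service list the initial offer passes but the renewal ACK is dropped, which is the failure mode the thread attributes to a missing bootpc entry.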