Erwin Lam
On Mon, 1 Apr 2002, Alan Hadsell wrote:
AH> My problem: When the DHCP lease times out, the firewall box can't
AH> acquire a new one. It appears that the firewall's anti-spoofing rules
AH> are blocking the DHCP server's reply. At the time when this happens,
AH> I get numerous SuSE-FW-DROP-ANTI-SPOOFING messages with source port =
AH> 67 and destination port = 68. At this point, I lose all Internet
AH> connectivity until I reboot the firewall box.
AH>
AH> My configuration includes FW_SERVICE_DHCLIENT="yes".
You also need to set
FW_SERVICES_EXT_UDP="bootpc"
This should be equivalent to FW_SERVICES_EXT_UDP="68", right? OK, I'll
try that. I guess I don't understand why it's necessary, though. The
script says:

,----[ from SuSEfirewall2 ]
| test "$FW_SERVICE_DHCLIENT" = yes && {
| $LAA $IPTABLES -A INPUT -j LOG ${LOG}"-ACCEPT " -p udp --sport 67 -d 255.255.255.255/32 --dport 68
| $IPTABLES -A INPUT -j "$ACCEPT" -m state --state ESTABLISHED -p udp --sport 67 -d 255.255.255.255/32 --dport 68
| }
`----

...which seems to imply that any such packet would be accepted, and not
hit the anti-spoofing rules (which are applied later). Or is it tripping
over the "--state ESTABLISHED"?

I also don't understand this: if this is an issue of not ACCEPTing the
message, why don't I get UNALLOWED-TARGET messages, rather than
ANTI-SPOOFING messages (in other words, I don't understand why it has
decided this is a spoofed message rather than just one directed to a
closed port).

-- 
Alan Hadsell
"Whatever does not kill me makes me stranger".
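The two questions Alan raises (does the reply trip over "--state ESTABLISHED", and why does it hit the anti-spoofing rule rather than the final unallowed-target rule) are both questions about first-match order in the INPUT chain. The following Python model is an added example written for this thread; it is not SuSEfirewall2 code and not part of either message. It transcribes the two FW_SERVICE_DHCLIENT rules quoted above and then makes several labelled assumptions: that conntrack classifies a broadcast DHCP reply to 255.255.255.255 as NEW rather than ESTABLISHED (the hypothesis in Alan's first question), that the rule added by FW_SERVICES_EXT_UDP="bootpc" is a stateless accept of UDP port 68 on the external interface and is evaluated before the anti-spoofing rules (implied by the fix working), and a constructed anti-spoofing criterion and server address (the thread does not say why the real rule matched). Interface name, address ranges and rule names are constructed.

```python
"""Toy first-match model of an iptables INPUT chain for the DHCP-client case
discussed in the thread.  Added example: not SuSEfirewall2 code; the
anti-spoofing criterion, interface name and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

EXT_IF = "eth0"  # constructed external interface name

# Constructed stand-in for the anti-spoofing criterion: sources that must
# never arrive on the external interface.  The thread does not state the
# real SuSEfirewall2 criterion, so this is an assumption.
SPOOF_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str  # conntrack classification: "NEW" or "ESTABLISHED"


@dataclass
class Rule:
    name: str
    target: str  # "LOG" (non-terminating), "ACCEPT" or "DROP"
    match: Callable[[Packet], bool]


def is_dhcp_reply(p: Packet) -> bool:
    """Match shared by both quoted FW_SERVICE_DHCLIENT rules:
    udp, sport 67, dport 68, destination 255.255.255.255/32."""
    return (p.proto == "udp" and p.sport == 67 and p.dport == 68
            and p.dst == "255.255.255.255")


def dhclient_rules() -> List[Rule]:
    """The two rules quoted from SuSEfirewall2 in the thread, in order."""
    return [
        Rule("LOG dhclient", "LOG", is_dhcp_reply),
        Rule("ACCEPT dhclient (ESTABLISHED only)", "ACCEPT",
             lambda p: is_dhcp_reply(p) and p.state == "ESTABLISHED"),
    ]


def ext_udp_rule(port: int) -> Rule:
    """Assumed shape of the rule FW_SERVICES_EXT_UDP="bootpc" adds:
    a stateless accept of UDP to the port on the external interface."""
    return Rule(f"ACCEPT ext udp/{port}", "ACCEPT",
                lambda p: p.iface == EXT_IF and p.proto == "udp"
                and p.dport == port)


def anti_spoof_rule() -> Rule:
    """Constructed anti-spoofing rule: drop external packets whose source
    lies in a network that should only exist behind the firewall."""
    return Rule("DROP anti-spoofing", "DROP",
                lambda p: p.iface == EXT_IF and any(
                    ipaddress.ip_address(p.src) in net for net in SPOOF_NETS))


def evaluate(chain: List[Rule], p: Packet,
             policy: str = "DROP") -> Tuple[str, List[str]]:
    """First-match semantics: LOG records the hit and falls through,
    ACCEPT/DROP end evaluation, the chain policy applies otherwise."""
    fired: List[str] = []
    for rule in chain:
        if rule.match(p):
            fired.append(rule.name)
            if rule.target != "LOG":
                return rule.target, fired
    return policy, fired


def build_chain(with_bootpc: bool) -> List[Rule]:
    # Assumption (implied by the fix working): the service-accept rule is
    # evaluated before the anti-spoofing rule.  The trailing LOG stands in
    # for the UNALLOWED-TARGET log hit before the DROP policy.
    chain = dhclient_rules()
    if with_bootpc:
        chain.append(ext_udp_rule(68))
    chain.append(anti_spoof_rule())
    chain.append(Rule("LOG unallowed target", "LOG", lambda p: True))
    return chain


def dhcp_offer(state: str, src: str = "10.0.0.1") -> Packet:
    """Constructed DHCP server reply arriving by broadcast on the external
    interface; 10.0.0.1 is a made-up server address inside SPOOF_NETS."""
    return Packet(EXT_IF, "udp", src, 67, "255.255.255.255", 68, state)


def verdict(with_bootpc: bool, state: str, src: str = "10.0.0.1") -> str:
    return evaluate(build_chain(with_bootpc), dhcp_offer(state, src))[0]


if __name__ == "__main__":
    for bootpc in (False, True):
        for state in ("ESTABLISHED", "NEW"):
            target, fired = evaluate(build_chain(bootpc), dhcp_offer(state))
            print(f"bootpc={bootpc!s:5} state={state:11} -> {target:6} via {fired}")
```

Under these assumptions the model reproduces both observations: a NEW broadcast reply is logged by the dhclient LOG rule, misses the ESTABLISHED-only accept, and is then dropped by the anti-spoofing rule (so the log says ANTI-SPOOFING, not UNALLOWED-TARGET, because anti-spoofing is matched first); with the stateless port-68 accept in place the same packet is accepted before it ever reaches the anti-spoofing rule. A reply from a source outside the constructed spoof ranges falls through to the final log and the DROP policy instead, which is the UNALLOWED-TARGET path Alan expected.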