Shorewall users - Feb 2008 - Interfaces file - DHCP option

Shorewall 4.x

If a firewall has its interfaces statically configured and does not run 
a DHCP server itself, but there is a DHCP server in the dmz zone to 
provide machines of the loc zone with TCP/IP configurations, on what 
interfaces must the  dhcp   option in the Interfaces file be specified?

According to the manual
  dhcp   Specify this option when any of the following are true:
         1.  the interface gets its IP address via DHCP
         2.  the interface is used by a DHCP server running on the
             firewall
         3.  you have a static IP but are on a  LAN  segment  with
             lots of DHCP clients.
         4.  the  interface  is a bridge with a DHCP server on one
             port and DHCP clients on another port.

1. does not apply to any of the interfaces.

2. does not apply.

3. seems to apply to the interface for the loc zone, (shouldn''t
''you have'' not better be rephrased as ''the interface
has'')

4. does this apply to my situation?

What is meant here by ''port'' (TCP/UDP port number ?) 
How to interpret the word ''bridge''. Is it just in the general
meaning
of a ''path'' (from the DHCP server in dmz zone to the machines
in the loc zone) or in a restricted network-technology term of bridge?

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Pieter Donche wrote:
> Shorewall 4.x
> 
> If a firewall has its interfaces statically configured and does not run 
> a DHCP server itself, but there is a DHCP server in the dmz zone to 
> provide machines of the loc zone with TCP/IP configurations, on what 
> interfaces must the  dhcp   option in the Interfaces file be specified?
Assuming that the dmz and loc zones are connected via different network
interfaces, you would normally need to run dhcrelay on the firewall; in any
event, you should specify the dhcp option on both the loc and dmz interfaces.
> 
> According to the manual
>   dhcp   Specify this option when any of the following are true:
>          1.  the interface gets its IP address via DHCP
>          2.  the interface is used by a DHCP server running on the
>              firewall
>          3.  you have a static IP but are on a  LAN  segment  with
>              lots of DHCP clients.
>          4.  the  interface  is a bridge with a DHCP server on one
>              port and DHCP clients on another port.
> 
> 1. does not apply to any of the interfaces.
> 
> 2. does not apply.
> 
> 3. seems to apply to the interface for the loc zone, (shouldn''t
> ''you have'' not better be rephrased as ''the
interface has'')
> 
> 4. does this apply to my situation?
> 
> What is meant here by ''port'' (TCP/UDP port number ?) 
Those are ports on the bridge. See below.
> How to interpret the word ''bridge''. Is it just in the
general meaning
> of a ''path'' (from the DHCP server in dmz zone to the
machines
> in the loc zone) or in a restricted network-technology term of bridge?
It is the latter. A bridge is basically an ethernet switch implemented in
software. A bridge is created and interfaces assigned as ports using the
brctl utility. A bridge may be assigned an IP address which allows the
system hosting the bridge to communicate with hosts attached to the bridge.

For more information on DHCP and Shorewall, see
http://www.shorewall.net/dhcp.htm For information about bridges and
Shorewall, see http://www.shorewall.net/bridge-Shorewall-perl.html and
http://www.shorewall.net/SimpleBridge.html

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/