Whenever an NT box behind my Shorewall gets an IP from my DHCP server (also on the Shorewall box) I get this sequence in the log:

May 17 11:44:58 norcomix dhcpd: DHCPREQUEST for 192.168.2.147 from 00:d0:b7:1d:f2:eb (KJH333) via eth1
May 17 11:44:58 norcomix dhcpd: DHCPACK on 192.168.2.147 to 00:d0:b7:1d:f2:eb (KJH333) via eth1

That was the DHCP request, but then I get this:

May 17 11:44:58 norcomix dhcpd: send_packet: Operation not permitted
May 17 11:44:58 norcomix kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.80 DST=192.168.2.147 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308

What's up with that packet from the firewall (x.x.2.80) to the station? Best I can tell this never happens to Win9x boxes, only to NT. BootP is what those ports are said to be in /etc/services. Should I add a fw-to-loc for this?

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
On Fri, 17 May 2002, John Andersen wrote:

> Whenever an NT box behind my Shorewall gets an IP from my
> DHCP server (also on the Shorewall box) I get this sequence in the log:
>
> May 17 11:44:58 norcomix dhcpd: DHCPREQUEST for 192.168.2.147 from 00:d0:b7:1d:f2:eb (KJH333) via eth1
> May 17 11:44:58 norcomix dhcpd: DHCPACK on 192.168.2.147 to 00:d0:b7:1d:f2:eb (KJH333) via eth1
>
> That was the DHCP request, but then I get this:
>
> May 17 11:44:58 norcomix dhcpd: send_packet: Operation not permitted
> May 17 11:44:58 norcomix kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.80 DST=192.168.2.147 LEN=328
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
>
> What's up with that packet from the firewall (x.x.2.80) to the station? Best I can tell this never happens to Win9x boxes, only to NT.
> BootP is what those ports are said to be in /etc/services.
> Should I add a fw-to-loc for this?

Do you have 'dhcp' as an option on eth1? That should stop those messages.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
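What the log shows, read alongside Tom's answer: dhcpd replied to the DHCPREQUEST with a unicast DHCPACK to the leased address (192.168.2.147), so the packet left the firewall as ordinary routed UDP traffic from 192.168.2.80:67 to port 68. With no DHCP exception on eth1, Shorewall's OUTPUT handling fell through to the all2all REJECT policy, and a REJECT in the OUTPUT path is reported back to the sending socket as EPERM, which is exactly dhcpd's "send_packet: Operation not permitted". The interface-level fix Tom suggests is shown below as an added example of the Shorewall 1.x interfaces file; it is not part of the thread, and the zone name "loc", the "detect" broadcast column and the omitted other interfaces are assumptions, since the posts only name eth1 and the fw and loc zones.

```text
# /etc/shorewall/interfaces  (Shorewall 1.x column layout: ZONE INTERFACE BROADCAST OPTIONS)
# Only the LAN-side interface from the thread is shown; other lines are left out.

# Before: no dhcp option on eth1. dhcpd's unicast DHCPACK (fw -> loc, udp 67 -> 68)
# is matched by no rule and hits the all2all REJECT policy, producing the
# "Shorewall:all2all:REJECT ... PROTO=UDP SPT=67 DPT=68" log line and dhcpd's EPERM.
#ZONE    INTERFACE    BROADCAST    OPTIONS
loc      eth1         detect

# After: the dhcp option declares that a DHCP server (or client) lives on this
# interface. Shorewall then lets DHCP datagrams (udp 67/68) enter and leave eth1
# ahead of the zone policies, so the DHCPACK is delivered and the log stays quiet.
#ZONE    INTERFACE    BROADCAST    OPTIONS
loc      eth1         detect       dhcp
```

After editing the file, run "shorewall restart" and repeat a lease renewal from the NT client; the dhcpd "Operation not permitted" line and the matching all2all REJECT entry should no longer appear. Setting the option on the interface is preferable to the fw-to-loc rule the original post considers because it also covers the broadcast phase of the exchange (DHCPDISCOVER/DHCPOFFER to a client that has no address yet), which an address-based zone rule is not designed to handle.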
On 17 May 2002 at 13:42, Tom Eastep wrote:

> > Best I can tell this never happens to Win9x boxes, only to NT. BootP
> > is what those ports are said to be in /etc/services. Should I add a
> > fw-to-loc for this?
>
> Do you have 'dhcp' as an option on eth1? That should stop those
> messages.

No I don't, because I misunderstood that option to only be needed when my FW gets an IP dynamically. I'll try that. Thanks.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/