Hi,

I just installed DHCP on my FW. It works fine and I don't see that something is missing, but still I get the following messages:

[eth1 is the interface to my local net]

Nov 3 14:29:53 rock dhcpd-2.2.x: DHCPACK on 192.168.0.50 to xx:xx:xx:xx:xx:xx via eth1
-->
Nov 3 14:29:53 rock kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.50 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
<--
Nov 3 14:29:53 rock dhcpd-2.2.x: send_packet: Operation not permitted
Nov 3 14:29:54 rock dhcpd-2.2.x: DHCPREQUEST for 192.168.0.50 from xx:xx:xx:xx:xx:xx via eth1
Nov 3 14:29:54 rock dhcpd-2.2.x: DHCPACK on 192.168.0.50 to xx:xx:xx:xx:xx:xx via eth1

Sidebar: I substituted the MAC addresses with xx:xx. Is it necessary? Can somebody use the MAC address to do any harm?

I am not quite sure why it says all2all as it comes from the local net (loc).

Anyway ... I added the following line to rules:

ACCEPT fw loc udp 67:68

Now the error messages aren't appearing anymore, but I am not quite sure if I did the right thing?! Did I? And why did it work before?

Cheers,
Mariano
--On Sunday, November 03, 2002 01:12:57 PM +0100 Mariano Kamp <mkamp@gmx.de> wrote:

> Hi,
>
> I just installed DHCP on my FW. It works fine and I don't see that
> something is missing, but still I get the following messages:
>
> [eth1 is the interface to my local net]
>
> Nov 3 14:29:53 rock dhcpd-2.2.x: DHCPACK on 192.168.0.50 to
> xx:xx:xx:xx:xx:xx via eth1
> -->
> Nov 3 14:29:53 rock kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=192.168.0.1 DST=192.168.0.50 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> PROTO=UDP SPT=67 DPT=68 LEN=308
> <--
>
> Nov 3 14:29:53 rock dhcpd-2.2.x: send_packet: Operation not permitted
> Nov 3 14:29:54 rock dhcpd-2.2.x: DHCPREQUEST for 192.168.0.50 from
> xx:xx:xx:xx:xx:xx via eth1
> Nov 3 14:29:54 rock dhcpd-2.2.x: DHCPACK on 192.168.0.50 to
> xx:xx:xx:xx:xx:xx via eth1
>
> Sidebar: I substituted the MAC addresses with xx:xx. Is it necessary?
> Can somebody use the MAC address to do any harm?

Not that I'm aware of.

> I am not quite sure why it says all2all as it comes from the local net
> (loc).

Because you don't have a specific policy for fw->loc so the applicable policy is your all->all policy.

> Anyway ... I added the following line to rules:
>
> ACCEPT fw loc udp 67:68
>
> Now the error messages aren't appearing anymore, but I am not quite
> sure if I did the right thing?! Did I?

The usual way to handle this would be to simply add the 'dhcp' option to eth1. I realize that it is unfashionable to read the documentation but from the Shorewall home page if you click "Documentation" then "DHCP", you will find this explained.

> And why did it work before?

I'm not convinced that it was -- what are your other policies?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

I am old fashioned and did read the documentation! It's not a rtfm case, I just have not understood it. I assumed that the parameter I found and you were talking about would enable dhcpd as a service. I didn't quite understand why that was, but didn't understand either that rules would be controlled from that point of the configuration. That's the reason I am asking. Btw. the fulltext search is a quite helpful feature.

Anyway I believe that I do understand this option now.

> The usual way to handle this would be to simply add the 'dhcp' option to
> eth1. I realize that it is unfashionable to read the documentation but from
> the Shorewall home page if you click "Documentation" then "DHCP", you will
> find this explained.
>
> > And why did it work before?
>
> I'm not convinced that it was -- what are your other policies?

Well, what kind of proof do you want? I didn't have a look at the full lifecycle, but at least even with these error messages I was able to obtain new IP addresses and confirm existing ones.

Here is an excerpt from my policy file.

loc net ACCEPT
net all DROP info
fw net ACCEPT info
loc fw ACCEPT info
all all REJECT info

But don't bother anymore. It is working now without error messages.

Mariano

On Sun, 2002-11-03 at 14:51, Tom Eastep wrote:
> --On Sunday, November 03, 2002 01:12:57 PM +0100 Mariano Kamp
> <mkamp@gmx.de> wrote:
>
> > Hi,
> >
> > I just installed DHCP on my FW. It works fine and I don't see that
> > something is missing, but still I get the following messages:
> >
> > [eth1 is the interface to my local net]
> >
> > Nov 3 14:29:53 rock dhcpd-2.2.x: DHCPACK on 192.168.0.50 to
> > xx:xx:xx:xx:xx:xx via eth1
> > -->
> > Nov 3 14:29:53 rock kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> > SRC=192.168.0.1 DST=192.168.0.50 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> > PROTO=UDP SPT=67 DPT=68 LEN=308
> > <--
> >
> > Nov 3 14:29:53 rock dhcpd-2.2.x: send_packet: Operation not permitted
> > Nov 3 14:29:54 rock dhcpd-2.2.x: DHCPREQUEST for 192.168.0.50 from
> > xx:xx:xx:xx:xx:xx via eth1
> > Nov 3 14:29:54 rock dhcpd-2.2.x: DHCPACK on 192.168.0.50 to
> > xx:xx:xx:xx:xx:xx via eth1
> >
> > Sidebar: I substituted the MAC addresses with xx:xx. Is it necessary?
> > Can somebody use the MAC address to do any harm?
>
> Not that I'm aware of.
>
> > I am not quite sure why it says all2all as it comes from the local net
> > (loc).
>
> Because you don't have a specific policy for fw->loc so the applicable
> policy is your all->all policy.
>
> > Anyway ... I added the following line to rules:
> >
> > ACCEPT fw loc udp 67:68
> >
> > Now the error messages aren't appearing anymore, but I am not quite
> > sure if I did the right thing?! Did I?
>
> The usual way to handle this would be to simply add the 'dhcp' option to
> eth1. I realize that it is unfashionable to read the documentation but from
> the Shorewall home page if you click "Documentation" then "DHCP", you will
> find this explained.
>
> > And why did it work before?
>
> I'm not convinced that it was -- what are your other policies?
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
--On Sunday, November 03, 2002 03:34:31 PM +0100 Mariano Kamp <mkamp@gmx.de> wrote:

> Well, what kind of proof do you want? I didn't have a look at the full
> lifecycle, but at least even with these error messages I was able to
> obtain new IP addresses and confirm existing ones.
>
> Here is an excerpt from my policy file.
>
> loc net ACCEPT
> net all DROP info
> fw net ACCEPT info
> loc fw ACCEPT info
> all all REJECT info
>
> But don't bother anymore. It is working now without error messages.

The loc->fw ACCEPT policy is enough to make it work most of the time.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
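Tom's explanation earlier in the thread (no fw->loc policy, so the all->all row and the all2all chain apply) and the policy excerpt Mariano posted, checked mechanically. This is an added Python example, not code from the thread or from Shorewall: it replays Shorewall's first-match policy lookup over the posted rows, parses the logged REJECT line, and confirms that the zone pair derived from the packet matches the chain name in the log. The interface-to-zone map, including the eth0 = net entry, is an assumption.

```python
import re
# Policy excerpt as posted in the thread (SOURCE DEST POLICY [LOGLEVEL]); first match wins.
POLICY_FILE = """\
loc net ACCEPT
net all DROP info
fw net ACCEPT info
loc fw ACCEPT info
all all REJECT info
"""
# Interface-to-zone map: the thread says eth1 is the local net; eth0 = net is an assumption.
ZONE_OF_IFACE = {"eth1": "loc", "eth0": "net"}
# The kernel log line from the thread (the split "TOS=0 x00" rejoined to TOS=0x00).
REJECT_LINE = ("Nov 3 14:29:53 rock kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
               "SRC=192.168.0.1 DST=192.168.0.50 LEN=328 TOS=0x00 PREC=0x00 TTL=64 "
               "ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308")

def parse_policies(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("#"):
            rows.append((f[0], f[1], f[2], f[3] if len(f) > 3 else None))
    return rows

def lookup_policy(policies, src, dst):
    """Return (action, loglevel, 'SRC DST') of the first row matching the zone pair."""
    for s, d, action, log in policies:
        if s in (src, "all") and d in (dst, "all"):
            return action, log, f"{s} {d}"

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<kv>.*)$")
def parse_log(line):
    """Split a Shorewall kernel log line into chain, disposition, zones and a DHCP flag."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    # An empty IN= means the firewall itself generated the packet, i.e. source zone fw.
    src_zone = ZONE_OF_IFACE.get(kv["IN"], "?") if kv.get("IN") else "fw"
    dst_zone = ZONE_OF_IFACE.get(kv["OUT"], "?") if kv.get("OUT") else "fw"
    dhcp = kv.get("PROTO") == "UDP" and kv.get("SPT") == "67" and kv.get("DPT") == "68"
    return {"chain": m.group("chain"), "disposition": m.group("disp"),
            "src_zone": src_zone, "dst_zone": dst_zone, "dhcp_server_reply": dhcp}

def explain(line, policies):
    """Name the policy row behind a logged disposition and check it matches the chain name."""
    p = parse_log(line)
    action, _log, row = lookup_policy(policies, p["src_zone"], p["dst_zone"])
    return {**p, "policy_row": row, "policy_action": action,
            "consistent": action == p["disposition"] and p["chain"] == row.replace(" ", "2")}
```

Looking up the reverse direction, loc->fw, lands on the explicit ACCEPT row, which is the policy Tom says was carrying the client-to-server side of the exchange.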
--On Sunday, November 03, 2002 03:34:31 PM +0100 Mariano Kamp <mkamp@gmx.de> wrote:

> It's not a rtfm case, I just have not understood it. I assumed that
> the parameter I found and you were talking about would enable dhcpd as a
> service. I didn't quite understand why that was, but didn't understand
> either that rules would be controlled from that point of the
> configuration.

I have updated the documentation to make it clear that the reason for adding the 'dhcp' option is so that firewall rules will be generated.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net