hi,
in the interface documentation at the dhcp option 3. said:
-----------------------------------
3. you have a static IP but are on a LAN segment with lots of Laptop DHCP clients.
-----------------------------------
can someone explain it for me?
what the laptop means here? on the loc zones interface we have a static ip but the whole network is dhcp clients. but they are not laptops rather workstations. why the laptops are different?
if the other three point do not fit to my case it's still advised? why is it useful in this case?
i look through the /usr/share/shorewall/firewall script and see this only open port 67,68 on INPUT and OUTPUT chain. if i don't run the dhcp server on the firewall why i should open these ports? what else do i lose?
yours.

-- 
Levente "Si vis pacem para bellum!"

Farkas Levente wrote:
> hi,
> in the interface documentation at the dhcp option 3. said:
> -----------------------------------
> 3. you have a static IP but are on a LAN segment with lots of Laptop
> DHCP clients.
> -----------------------------------
> can someone explain it for me?
> what the laptop means here? on the loc zones interface we have a static
> ip but the whole network is dhcp clients. but they are not laptops
> rather workstations. why the laptops are different?

Because laptops can be connected to different networks at different times -- when they are first connected, they may be configured with an RFC1918 address (and use that address as the source) and cause annoying 'rfc1918' log messages as Windows on the laptop seeks to find the rest of its flock. A Shorewall user on a college campus reports that this is a real problem in his environment even though his system has a fixed IP address. Because the Shorewall-generated ruleset deals with DHCP *before* rfc1918 filtering, setting the 'dhcp' flag stops these messages (at the cost of opening UDP 67:68).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Farkas Levente wrote:
>
>>> hi,
>>> in the interface documentation at the dhcp option 3. said:
>>> -----------------------------------
>>> 3. you have a static IP but are on a LAN segment with lots of Laptop
>>> DHCP clients.
>>> -----------------------------------
>>> can someone explain it for me?
>>> what the laptop means here? on the loc zones interface we have a static
>>> ip but the whole network is dhcp clients. but they are not laptops
>>> rather workstations. why the laptops are different?
>
> Because laptops can be connected to different networks at different
> times -- when they are first connected, they may be configured with an
> RFC1918 address (and use that address as the source) and cause annoying
> 'rfc1918' log messages as Windows on the laptop seeks to find the rest
> of its flock. A Shorewall user on a college campus reports that this is
> a real problem in his environment even though his system has a fixed IP
> address. Because the Shorewall-generated ruleset deals with DHCP
> *before* rfc1918 filtering, setting the 'dhcp' flag stops these messages
> (at the cost of opening UDP 67:68).

Ignore the above stuff about windows -- it is actually DHCP requests that were the problem, not the windows "lost sheep" syndrome. Shouldn't answer questions before having my coffee....

-Tom
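
The ordering described in the two replies above, as an added example that is not part of the original thread and is not Shorewall's own code: a first-match model in which the UDP 67:68 check sits ahead of the RFC 1918 source filter. The function names, verdict labels and sample packets are constructed for illustration.

```python
# Added illustration, not Shorewall code: a first-match model of the ordering
# described in the thread (DHCP handled before rfc1918 filtering).
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_dhcp(pkt):
    return pkt["proto"] == "udp" and pkt["dport"] in (67, 68)

def has_rfc1918_source(pkt):
    src = ipaddress.ip_address(pkt["src"])
    return any(src in net for net in RFC1918)

def build_chain(dhcp, norfc1918):
    """Ordered (name, match, verdict) checks for one interface.
    Verdict labels are this model's own, not iptables targets."""
    chain = []
    if dhcp:
        chain.append(("dhcp", is_dhcp, "ACCEPT"))
    if norfc1918:
        chain.append(("rfc1918", has_rfc1918_source, "LOG+DROP"))
    chain.append(("rest", lambda pkt: True, "CONTINUE"))
    return chain

def evaluate(chain, pkt):
    """Return (rule name, verdict) of the first check that matches."""
    for name, match, verdict in chain:
        if match(pkt):
            return name, verdict

def rfc1918_logged(chain, packets):
    """Packets that would produce an 'rfc1918' log message."""
    return [p for p in packets if evaluate(chain, p)[0] == "rfc1918"]

# Constructed sample traffic on a LAN that uses public addresses.
SAMPLE = [
    {"src": "192.168.1.50", "proto": "udp", "dport": 67},   # laptop still using an address from another network
    {"src": "10.1.2.3", "proto": "tcp", "dport": 80},       # non-DHCP packet with a private source
    {"src": "203.0.113.9", "proto": "udp", "dport": 67},    # DHCP port traffic from an arbitrary source
    {"src": "198.51.100.20", "proto": "tcp", "dport": 22},  # ordinary host on the segment
]

if __name__ == "__main__":
    for dhcp in (False, True):
        chain = build_chain(dhcp=dhcp, norfc1918=True)
        print("dhcp flag:", dhcp)
        for pkt in SAMPLE:
            print("  ", pkt["src"], pkt["proto"], pkt["dport"], "->", evaluate(chain, pkt))
```

With the flag set, only the non-DHCP packet from 10.1.2.3 still reaches the rfc1918 check, while every UDP 67/68 packet on that interface is accepted regardless of source, which is the cost mentioned in the reply.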

Tom Eastep wrote:
> Tom Eastep wrote:
>
>> Farkas Levente wrote:
>>
>>>> hi,
>>>> in the interface documentation at the dhcp option 3. said:
>>>> -----------------------------------
>>>> 3. you have a static IP but are on a LAN segment with lots of Laptop
>>>> DHCP clients.
>>>> -----------------------------------
>>>> can someone explain it for me?
>>>> what the laptop means here? on the loc zones interface we have a static
>>>> ip but the whole network is dhcp clients. but they are not laptops
>>>> rather workstations. why the laptops are different?
>>
>> Because laptops can be connected to different networks at different
>> times -- when they are first connected, they may be configured with an
>> RFC1918 address (and use that address as the source) and cause annoying
>> 'rfc1918' log messages as Windows on the laptop seeks to find the rest
>> of its flock. A Shorewall user on a college campus reports that this is
>> a real problem in his environment even though his system has a fixed IP
>> address. Because the Shorewall-generated ruleset deals with DHCP
>> *before* rfc1918 filtering, setting the 'dhcp' flag stops these messages
>> (at the cost of opening UDP 67:68).
>
> Ignore the above stuff about windows -- it is actually DHCP requests
> that were the problem, not the windows "lost sheep" syndrome. Shouldn't
> answer questions before having my coffee....

tricky. it'd be useful to put either into the interface or at least on the webpage this explanation. i'm sure not too many people find it out. eg modify it to:
3. you have a static IP but are on a LAN segment which use non RFC 1918 address and use norfc1918 with lots of Laptop DHCP clients.

-- 
Levente "Si vis pacem para bellum!"