I'm hoping this is an easy one because I'm pulling out my hair. I have configured a new bridge using the shorewall V4 howto online on fedora 9. Everything is working fine except DHCP. The only way I can get the dhcp answer to come back to my clients is to disable shorewall or change the policy to "any any accept". According to the docs I've read it sounds like it should just pass it. I've also included 'dhcp' in the bridge interface.

Any help would be appreciated.
Jeff Armstrong wrote:
> I’m hoping this is an easy one because I’m pulling out my hair. I have
> configured a new bridge using the shorewall V4 howto online on fedora 9.
> Everything is working fine except DHCP. The only way I can get the dhcp
> answer to come back to my clients is to disable shorewall or change the
> policy to “any any accept”. According to the docs I’ve read it sounds
> like it should just pass it. I’ve also included ‘dhcp’ in the bridge
> interface.
>
> Any help would be appreciated.

We're not going to be much help without knowing more about the configuration and the problem. Please forward the output of 'shorewall dump' as an attachment and tell us:

a) where is the DHCP server running? If not on the Shorewall box, which bridge port is the server connected through?
b) through which port do the clients interface?

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
a) The dhcp server is located on a server other than the shorewall box; it is available on bridge port eth1
b) The clients interface on eth2-5
c) eth0 is for management

I have attached the dump file

Thanks

________________________________________
From: Shorewall Geek [shorewalljunky@comcast.net]
Sent: Friday, December 26, 2008 4:49 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] DHCP bridge issue

Jeff Armstrong wrote:
> I’m hoping this is an easy one because I’m pulling out my hair. I have
> configured a new bridge using the shorewall V4 howto online on fedora 9.
> Everything is working fine except DHCP. The only way I can get the dhcp
> answer to come back to my clients is to disable shorewall or change the
> policy to “any any accept”. According to the docs I’ve read it sounds
> like it should just pass it. I’ve also included ‘dhcp’ in the bridge
> interface.
>
> Any help would be appreciated.

We're not going to be much help without knowing more about the configuration and the problem. Please forward the output of 'shorewall dump' as an attachment and tell us:

a) where is the DHCP server running? If not on the Shorewall box, which bridge port is the server connected through?
b) through which port do the clients interface?
Jeff Armstrong wrote:
> a) The dhcp server is located on a server other than the shorewall box; it is available on bridge port eth1
> b) The clients interface on eth2-5
> c) eth0 is for management
>
> I have attached the dump file

It appears that you did not create a DHCP failure in the 5 seconds covered by this dump. As a consequence, we still have no idea where the DHCP packets are being dropped/rejected.

It also appears that LOGFILE is not set properly in /etc/shorewall/shorewall.conf; it is set to /var/log/messages (the default) whereas it seems that Netfilter is logging somewhere else.
Shorewall Guy wrote:
> Jeff Armstrong wrote:
>> a) The dhcp server is located on a server other than the shorewall box; it is available on bridge port eth1
>> b) The clients interface on eth2-5
>> c) eth0 is for management
>>
>> I have attached the dump file
>
> It appears that you did not create a DHCP failure in the 5 seconds
> covered by this dump. As a consequence, we still have no idea where the
> DHCP packets are being dropped/rejected.

Before submitting another dump, please try this rule:

ACCEPT work serv udp 67:68
Shorewall Guy wrote:
> Shorewall Guy wrote:
>> Jeff Armstrong wrote:
>>> a) The dhcp server is located on a server other than the shorewall box; it is available on bridge port eth1
>>> b) The clients interface on eth2-5
>>> c) eth0 is for management
>>>
>>> I have attached the dump file
>> It appears that you did not create a DHCP failure in the 5 seconds
>> covered by this dump. As a consequence, we still have no idea where the
>> DHCP packets are being dropped/rejected.
>
> Before submitting another dump, please try this rule:
>
> ACCEPT work serv udp 67:68

You may also need:

ACCEPT work serv udp 67:68
Is that supposed to be ACCEPT serv work udp 67:68?

________________________________________
From: Shorewall Guy [shorewalljunky@comcast.net]
Sent: Monday, December 29, 2008 11:33 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] DHCP bridge issue

Shorewall Guy wrote:
> Shorewall Guy wrote:
>> Jeff Armstrong wrote:
>>> a) The dhcp server is located on a server other than the shorewall box; it is available on bridge port eth1
>>> b) The clients interface on eth2-5
>>> c) eth0 is for management
>>>
>>> I have attached the dump file
>> It appears that you did not create a DHCP failure in the 5 seconds
>> covered by this dump. As a consequence, we still have no idea where the
>> DHCP packets are being dropped/rejected.
>
> Before submitting another dump, please try this rule:
>
> ACCEPT work serv udp 67:68

You may also need:

ACCEPT work serv udp 67:68
Shorewall Guy wrote:
> Shorewall Guy wrote:
>> Shorewall Guy wrote:
>>> Jeff Armstrong wrote:
>>>> a) The dhcp server is located on a server other than the shorewall box; it is available on bridge port eth1
>>>> b) The clients interface on eth2-5
>>>> c) eth0 is for management
>>>>
>>>> I have attached the dump file
>>> It appears that you did not create a DHCP failure in the 5 seconds
>>> covered by this dump. As a consequence, we still have no idea where the
>>> DHCP packets are being dropped/rejected.
>> Before submitting another dump, please try this rule:
>>
>> ACCEPT work serv udp 67:68
>
> You may also need:
>
> ACCEPT work serv udp 67:68

Sorry -- make that:

ACCEPT serv work udp 67:68
That seems to have fixed it

Thanks

________________________________________
From: Shorewall Guy [shorewalljunky@comcast.net]
Sent: Monday, December 29, 2008 11:45 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] DHCP bridge issue

Shorewall Guy wrote:
> Shorewall Guy wrote:
>> Shorewall Guy wrote:
>>> Jeff Armstrong wrote:
>>>> a) The dhcp server is located on a server other than the shorewall box; it is available on bridge port eth1
>>>> b) The clients interface on eth2-5
>>>> c) eth0 is for management
>>>>
>>>> I have attached the dump file
>>> It appears that you did not create a DHCP failure in the 5 seconds
>>> covered by this dump. As a consequence, we still have no idea where the
>>> DHCP packets are being dropped/rejected.
>> Before submitting another dump, please try this rule:
>>
>> ACCEPT work serv udp 67:68
>
> You may also need:
>
> ACCEPT work serv udp 67:68

Sorry -- make that:

ACCEPT serv work udp 67:68
Jeff Armstrong wrote:
> That seems to have fixed it

Thanks, I've changed shorewall-interfaces(5) to make it clear that the 'dhcp' option is only effective on simple bridges and that bridge/firewall requires DHCP-specific rules.
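The thread ends with two rules, one per direction between the client zone and the server zone. The reason a single work-to-serv rule is not enough is that a DHCPv4 client has no address yet and the server's OFFER and ACK normally go to the broadcast address, so connection tracking cannot pair them with the outbound DISCOVER/REQUEST and the reply direction needs its own ACCEPT. The following is an added example, not code from the thread or from the Shorewall project: a small Python model of Shorewall-style zone rules applied to a constructed DHCP exchange. The zone names `work` and `serv` are taken from the thread; the packet sequence, addresses, and the assumed DROP policy between zones are constructed for the example.

```python
"""Added example (not from the thread or Shorewall): model how zone rules
gate a DHCPv4 exchange across a bridge/firewall, to show why both the
work->serv and serv->work ACCEPT rules the thread ends with are needed.

Zone names 'work' (client ports) and 'serv' (server port) follow the
thread; packets, addresses and the DROP policy are constructed here."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    sport: int
    dport: int
    note: str


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport_lo: int
    dport_hi: int


def parse_rule(line: str) -> Rule:
    """Parse one Shorewall-style rules line: ACTION SOURCE DEST PROTO DPORT.
    DPORT may be a single port or a 'lo:hi' range, as in '67:68'."""
    action, source, dest, proto, dport = line.split()
    lo, _, hi = dport.partition(":")
    return Rule(action, source, dest, proto, int(lo), int(hi or lo))


def evaluate(rules, packet, policy="DROP"):
    """First matching rule wins; with no match the inter-zone policy
    applies (assumed DROP here, i.e. not the 'any any accept' policy
    the original poster used as a workaround)."""
    for r in rules:
        if (r.source == packet.src_zone and r.dest == packet.dst_zone
                and r.proto == packet.proto
                and r.dport_lo <= packet.dport <= r.dport_hi):
            return r.action
    return policy


# Constructed DHCPv4 exchange as seen by the bridge firewall. The client
# sends from 0.0.0.0 and the server replies to 255.255.255.255, so the
# replies are not tracked as part of the client's "connection" and must
# be accepted by a rule of their own.
DHCP_EXCHANGE = [
    Packet("work", "serv", "udp", 68, 67, "DISCOVER 0.0.0.0 -> 255.255.255.255"),
    Packet("serv", "work", "udp", 67, 68, "OFFER    192.0.2.1 -> 255.255.255.255"),
    Packet("work", "serv", "udp", 68, 67, "REQUEST  0.0.0.0 -> 255.255.255.255"),
    Packet("serv", "work", "udp", 67, 68, "ACK      192.0.2.1 -> 255.255.255.255"),
]


def exchange_completes(rule_lines, policy="DROP"):
    """Return (all_accepted, per-packet verdicts) for the exchange."""
    rules = [parse_rule(line) for line in rule_lines]
    verdicts = [(p.note, evaluate(rules, p, policy)) for p in DHCP_EXCHANGE]
    return all(v == "ACCEPT" for _, v in verdicts), verdicts


# The rule first suggested in the thread, and the final pair of rules.
ONE_WAY = ["ACCEPT work serv udp 67:68"]
BOTH_WAYS = ["ACCEPT work serv udp 67:68", "ACCEPT serv work udp 67:68"]


if __name__ == "__main__":
    for name, lines in (("one rule", ONE_WAY), ("both rules", BOTH_WAYS)):
        ok, verdicts = exchange_completes(lines)
        print(f"{name}: exchange {'completes' if ok else 'fails'}")
        for note, verdict in verdicts:
            print(f"  {verdict:<7} {note}")
```

Running it shows the OFFER and ACK hitting the DROP policy with only the first rule in place, and the whole exchange passing once the serv-to-work rule is added, which matches what the original poster observed on the real bridge.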