--- On Thu, 2/24/11, Simon Hobson <linux@thehobsons.co.uk> wrote:
> > In other words, can I have a DHCP server on one side of the bridge
> > leasing IP addresses ONLY for that side and another DHCP server on
> > the other side giving out IP addresses ONLY for that side?
>
> Yes, you can do that, just don't allow traffic on UDP ports 67 & 68.
My shorewall default policy is to drop everything except specific ports which do
not include UDP 67 & 68.
On one side (say, side1) of the bridge I have a DHCP server with IP addr.
10.215.144.90 (alias 192.168.144.90) leasing addresses in a 192.168.211.0 range.
On the other side (say, side2) I have another DHCP server with IP addr.
10.215.144.7 giving out addresses in a 10.215.144.0 range.
When I turn on a DHCP client host in side2, it gets a DHCP lease from the DHCP
server in side1. If I stop the DHCP server in side1 then it gets a DHCP lease
from side2.
A tcpdump on the shorewall bridge shows traffic going from the DHCP server in
side1 (192.168.144.90) to client host in side2 (192.168.211.39).
I'll re-check everything but does the tcpdump below imply that my
Shorewall configuration does not block UDP ports 67 & 68?
# tcpdump -n -i br0 host 192.168.211
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
12:58:59.829412 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.860566 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.875586 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.894729 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.907444 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.919232 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.929736 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.956607 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.970177 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.972108 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.984158 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.996231 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.006700 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.009868 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.019716 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.026990 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.039945 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.040512 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.053408 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.053973 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.067239 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.067812 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.081051 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.081616 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.093288 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.095054 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.106973 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.112701 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.133496 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.151905 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.175497 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.203058 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.227219 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.240501 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.253645 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.265566 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.277460 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.291624 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.303516 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.315767 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.327759 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.340066 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.352628 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.364730 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.376735 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.391777 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.436849 arp who-has 192.168.144.92 tell 192.168.211.39
12:59:00.437041 arp reply 192.168.144.92 is-at 00:04:75:9e:6b:01
12:59:00.437335 IP 192.168.211.39.61645 > 10.215.144.31.53: 42942+ A?
isatap.hman.org. (44)
12:59:00.444446 arp who-has 10.215.144.91 tell 192.168.211.39
12:59:00.444495 arp reply 10.215.144.91 is-at 00:01:02:a4:3a:1e
12:59:00.446545 arp who-has 192.168.144.92 tell 192.168.211.39
12:59:00.446691 arp reply 192.168.144.92 is-at 00:04:75:9e:6b:01
12:59:00.468015 arp who-has 192.168.211.39 tell 0.0.0.0
12:59:00.492769 IP 192.168.211.39.63894 > 224.0.0.252.5355: UDP, length 31
12:59:00.505152 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:00.507900 arp who-has 10.215.144.91 tell 192.168.211.39
12:59:00.507917 arp reply 10.215.144.91 is-at 00:01:02:a4:3a:1e
12:59:00.509491 arp who-has 192.168.144.92 tell 192.168.211.39
12:59:00.509635 arp reply 192.168.144.92 is-at 00:04:75:9e:6b:01
12:59:00.509760 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:00.510401 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:00.595547 IP 192.168.211.39 > 224.0.0.22: igmp v3 report, 1 group
record(s)
12:59:00.694171 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
12:59:00.760028 arp who-has 10.215.144.91 tell 192.168.211.39
12:59:00.760046 arp reply 10.215.144.91 is-at 00:01:02:a4:3a:1e
12:59:00.968224 IP 192.168.211.39 > 224.0.0.22: igmp v3 report, 1 group
record(s)
12:59:01.088180 arp who-has 10.215.144.91 tell 192.168.211.39
12:59:01.088200 arp reply 10.215.144.91 is-at 00:01:02:a4:3a:1e
12:59:01.092112 arp who-has 192.168.144.92 tell 192.168.211.39
12:59:01.092270 arp reply 192.168.144.92 is-at 00:04:75:9e:6b:01
12:59:01.254341 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:01.259797 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:01.260234 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:01.436422 IP 192.168.211.39.61645 > 192.168.144.92.53: 42942+ A?
isatap.hman.org. (44)
12:59:01.443294 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
12:59:01.468017 arp who-has 192.168.211.39 tell 0.0.0.0
12:59:01.722642 IP 192.168.211.39.62978 > 10.215.144.31.53: 5204+ A?
dns.msftncsi.com. (34)
12:59:01.820813 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
133
12:59:01.967778 arp who-has 10.215.144.91 tell 192.168.211.39
12:59:01.967814 arp reply 10.215.144.91 is-at 00:01:02:a4:3a:1e
12:59:01.967801 arp who-has 10.215.144.91 tell 192.168.211.39
12:59:01.967848 arp reply 10.215.144.91 is-at 00:01:02:a4:3a:1e
12:59:02.004316 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:02.009257 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:02.010278 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:02.193243 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
12:59:02.436378 IP 192.168.211.39.61645 > 192.168.144.92.53: 42942+ A?
isatap.hman.org. (44)
12:59:02.467981 arp who-has 192.168.211.39 tell 0.0.0.0
12:59:02.723358 IP 192.168.211.39.62978 > 192.168.144.92.53: 5204+ A?
dns.msftncsi.com. (34)
12:59:02.754279 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:02.759268 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:02.760239 IP 192.168.211.39.137 > 192.168.255.255.137: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:59:03.509413 arp who-has 10.215.144.91 tell 192.168.211.39
12:59:03.509434 arp reply 10.215.144.91 is-at 00:01:02:a4:3a:1e
12:59:03.510060 arp who-has 192.168.144.92 tell 192.168.211.39
12:59:03.510211 arp reply 192.168.144.92 is-at 00:04:75:9e:6b:01
12:59:03.520325 arp who-has 192.168.144.92 tell 192.168.211.39
12:59:03.520468 arp reply 192.168.144.92 is-at 00:04:75:9e:6b:01
12:59:03.723191 IP 192.168.211.39.62978 > 192.168.144.92.53: 5204+ A?
dns.msftncsi.com. (34)
12:59:04.438363 IP 192.168.211.39.61645 > 10.215.144.31.53: 42942+ A?
isatap.hman.org. (44)
12:59:04.438568 IP 192.168.211.39.61645 > 192.168.144.92.53: 42942+ A?
isatap.hman.org. (44)
12:59:04.823296 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
133
12:59:04.986546 arp who-has 10.215.144.91 tell 192.168.211.39
12:59:04.986568 arp reply 10.215.144.91 is-at 00:01:02:a4:3a:1e
12:59:05.723143 IP 192.168.211.39.62978 > 10.215.144.31.53: 5204+ A?
dns.msftncsi.com. (34)
12:59:05.723263 IP 192.168.211.39.62978 > 192.168.144.92.53: 5204+ A?
dns.msftncsi.com. (34)
12:59:06.894566 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
125
12:59:06.934112 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
123
12:59:06.959420 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
133
12:59:07.869156 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
133
12:59:08.438051 IP 192.168.211.39.61645 > 10.215.144.31.53: 42942+ A?
isatap.hman.org. (44)
12:59:08.438182 IP 192.168.211.39.61645 > 192.168.144.92.53: 42942+ A?
isatap.hman.org. (44)
12:59:09.723043 IP 192.168.211.39.62978 > 10.215.144.31.53: 5204+ A?
dns.msftncsi.com. (34)
12:59:09.723163 IP 192.168.211.39.62978 > 192.168.144.92.53: 5204+ A?
dns.msftncsi.com. (34)
12:59:09.959751 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
125
12:59:09.985479 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
123
12:59:10.011059 IP 192.168.211.39.61650 > 239.255.255.250.1900: UDP, length
133
118 packets captured
118 packets received by filter
0 packets dropped by kernel
Thanks
Vieri
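The question above boils down to "is a DHCP server from the other side of the bridge answering clients on this side?". The following is an added example (not code from the post or from Shorewall) that turns a tcpdump text capture into exactly that check: it parses tcpdump's default one-line IPv4 summaries (rejoining the wrapped `length 300` continuation lines), picks out server-to-client DHCP traffic (UDP 67 to 68), and lists any replying server that is not on the allow-list of servers that are supposed to serve the captured segment. The sample capture embeds a few lines copied from the post plus one constructed line from the side2 server `10.215.144.7` to a constructed client `10.215.144.120`, so that a legitimate reply is shown passing the check; the allow-list contents are an assumption taken from the addresses the post gives.

```python
"""Flag DHCP replies on a bridge segment that come from a server that is not
supposed to serve that segment.  Input is tcpdump's default text output.

Added example; not part of the original mailing-list post or of Shorewall.
"""
import re
from collections import Counter
from ipaddress import ip_address

# tcpdump one-line IPv4 summary: "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: rest"
TCPDUMP_IP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")

# Constructed sample: the first four records are copied from the post's capture,
# the last one (10.215.144.7 -> 10.215.144.120) is made up to show a legitimate reply.
SAMPLE_CAPTURE = """\
12:58:59.829412 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:58:59.860566 IP 192.168.144.90.67 > 192.168.211.39.68: BOOTP/DHCP, Reply,
length 300
12:59:00.436849 arp who-has 192.168.144.92 tell 192.168.211.39
12:59:00.437335 IP 192.168.211.39.61645 > 10.215.144.31.53: 42942+ A?
isatap.hman.org. (44)
12:59:05.000000 IP 10.215.144.7.67 > 10.215.144.120.68: BOOTP/DHCP, Reply,
length 300
"""


def parse_tcpdump(text):
    """Return a list of dicts, one per IPv4 record with ports.

    tcpdump wraps long summaries onto a second line, so lines that do not
    start with a timestamp are appended to the previous record first.
    ARP/IGMP records (different summary format) are skipped.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    parsed = []
    for rec in records:
        m = TCPDUMP_IP_RE.match(rec)
        if m:
            parsed.append({
                "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "info": m["rest"],
            })
    return parsed


def dhcp_replies(packets):
    """Count server-to-client DHCP traffic (UDP source port 67, destination 68)
    per (server, client) pair."""
    return Counter((p["src"], p["dst"]) for p in packets
                   if p["sport"] == 67 and p["dport"] == 68)


def foreign_dhcp_servers(packets, allowed_servers):
    """Servers seen answering DHCP clients on this segment that are not on the
    allow-list of servers meant to serve it.  A non-empty result means DHCP
    replies are crossing the bridge."""
    allowed = {ip_address(a) for a in allowed_servers}
    return {src for (src, _dst) in dhcp_replies(packets)
            if ip_address(src) not in allowed}


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_CAPTURE)
    for (server, client), n in dhcp_replies(pkts).items():
        print(f"{n:3d} DHCP replies {server} -> {client}")
    # Assumption: the capture was taken on the side2 segment, whose only
    # legitimate DHCP server is 10.215.144.7 (address taken from the post).
    leaked = foreign_dhcp_servers(pkts, ["10.215.144.7"])
    print("foreign DHCP servers on this segment:", sorted(leaked) or "none")
```

Feed it a capture taken on the bridge port facing side2 (the physical interface rather than br0, so the segment is unambiguous) with the side2 server as the only allowed entry: any server listed in the output has crossed the bridge. In the post's case the lease itself already settles the question, since the side2 client only falls back to the side2 server once the side1 server is stopped; the script simply makes the same evidence visible in a capture without reading a hundred identical lines.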