[TriLUG] Re: Firewall question
James Manning
trilug at sublogic.com
Tue Apr 23 13:48:35 EDT 2002
[Janyne Kizer]
> I had a nice firewall set up and found that it did not allow DHCP to
> work. I opened up with the following lines:
>
> iptables -A INPUT -p udp --destination-port 67 -j ACCEPT
> iptables -A INPUT -p udp --destination-port 68 -j ACCEPT
>
> Is there a better way to do this? The problem is that the terminals
> don't have their address so their requests are being dropped unless I
> allow all traffic. Thanks!
I'd prob. go ahead and use symbolic port names to make the lines clearer
and my guess would be that you'd only need to let bootps/67 traffic
on inbound (bootpc/68 on outbound would already be allowed, I guess)
but I'd have to admit to not having played with that yet, so both may
indeed be necessary.
If you wanna be "more secure" you could do a for loop around this and
--mac-source the list of MAC addresses you're comfortable serving DHCP
to, I'd imagine :)
--
James Manning <jmm at sublogic.com>
GPG Key fingerprint = B913 2FBD 14A9 CE18 B2B7 9C8E A0BF B026 EEBB F6E4
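As an added example (not part of the thread, and not anything Janyne or James ran): a small POSIX shell script that generates the rule set James sketches, one `--mac-source` ACCEPT per known client for inbound bootps/udp 67 followed by an explicit DROP, and prints the commands so they can be reviewed before being piped to `sh` on the firewall. The MAC list and the interface name `eth0` are constructed assumptions. Note that `--mac-source` is provided by the `mac` match module, so each rule needs `-m mac`; a client with no lease sends from 0.0.0.0, so the source MAC is the only per-host handle available, and since MACs can be set by the client this filters out unexpected hosts rather than authenticating them. If the firewall host is itself a DHCP client, inbound bootpc/udp 68 still needs an ACCEPT for the server's replies.

```shell
#!/bin/sh
# Added example, not from the original thread: emit iptables rules that
# accept inbound DHCP requests (bootps, udp/67) only from listed MACs.
LAN_IF="eth0"                                        # assumed interface name
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"   # constructed sample MACs

# Return 0 if $1 looks like a colon-separated 48-bit MAC address.
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one ACCEPT rule per MAC given as an argument, then a final DROP
# for any other DHCP request on the LAN interface. Nothing is executed;
# the output is meant to be reviewed and then piped to sh.
dhcp_rules() {
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "dhcp_rules: bad MAC address: $mac" >&2
            return 1
        fi
    done
    for mac in "$@"; do
        echo "iptables -A INPUT -i $LAN_IF -p udp --dport bootps" \
             "-m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -A INPUT -i $LAN_IF -p udp --dport bootps -j DROP"
}

# Usage: dhcp_rules $ALLOWED_MACS | sh   (after checking the output)
dhcp_rules $ALLOWED_MACS
```

Keeping the ACCEPT rules before the DROP matters because iptables stops at the first matching rule; if the INPUT chain already has a DROP policy the final rule is redundant but harmless, and having it explicit keeps the intent readable in `iptables -L` output.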