Olaf Meeuwissen <[EMAIL PROTECTED]> writes:

> Gabor Kovacs <[EMAIL PROTECTED]> writes:
>
> > Olaf Meeuwissen wrote:
> >
> > > Basically, I'd like to keep the setup as closed as possible so I make
> > > a hole in /etc/dhclient-enter-hooks during the PREINIT stage to let
> > > the DHCPDISCOVER broadcast out (and a reply back in eventually, taking
> > > this one step at a time ;-). At least, that's what I thought I should
> > > do, but I noticed that packets are not logged!
> >
> > I think (but not sure) DHCP client is using (so called) raw sockets
> > which are below the layer where iptables is in the kernel. That's why
> > iptables is unable to see the packets.
>
> Looks like you are right. I set all built-in chains to LOG and a DROP
> policy (no other rules) and my interface configures fine. Once it is
> up there's an incessant stream of logged packets (mainly win-DoS hosts
> letting everyone know who and where they are by shouting all over the
> subnet and, occasionally, beyond).
>
> Oh well, I guess I can forget about making and plugging holes for the
> DHCPDISCOVER (and probably DHCPREQUEST) requests and their replies.
> That makes my job easier, but I guess the docs then need a fix ;-)
I gotta set myself straight here. The DHCPDISCOVER does not need a hole
to make it past the packet filtering layer, but the DHCPREQUEST does.
And from experience, it seems that dhclient starts requesting without
going through the /etc/dhclient-script. Bummer, 'cause that means you
don't get the chance to open up a hole for the request and close it once
your lease has been renewed. Oh well, I guess I have to leave a hole
open permanently for the requests to and replies from the
dhcp-server-identifier ...

-- 
Olaf Meeuwissen                          Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --               BOFH
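The "permanent hole to the dhcp-server-identifier" that the message above ends on can be kept very narrow. The following is an added example, not code from the thread or from dhclient: a hook body that opens only the unicast DHCPREQUEST/DHCPACK path (UDP client port 68 to server port 67 and back) to the single server address the lease names, and removes it again when the lease goes away. It assumes that dhclient-script exports `$reason`, `$interface`, `$new_dhcp_server_identifier` and `$old_dhcp_server_identifier` to the hook (those are the names I know dhclient-script to use), and it adds a dry-run switch, `IPT_DRYRUN=1`, of my own so the resulting iptables commands can be reviewed without root. DHCPDISCOVER gets no rule at all, because, as the thread established, it leaves on a raw socket underneath netfilter.

```shell
#!/bin/sh
# Added example (not from the original thread). Narrow rules for DHCP lease
# renewal: DHCPREQUEST goes out unicast to the server in
# dhcp-server-identifier (UDP 68 -> 67), DHCPACK comes back (67 -> 68).
# Assumptions (mine): dhclient-script sets $reason, $interface,
# $new_dhcp_server_identifier and $old_dhcp_server_identifier for the hook;
# IPT_DRYRUN=1 prints the iptables commands instead of running them.

# dhcp_renew_rules ACTION IFACE SERVER
#   ACTION is -I (add) or -D (remove). Prints one line per rule in dry-run
#   mode, otherwise executes each iptables command.
dhcp_renew_rules() {
    action=$1; iface=$2; server=$3
    run() {
        if [ "${IPT_DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
    }
    # Only this peer, only these ports; everything else stays at the DROP policy.
    run iptables "$action" OUTPUT -o "$iface" -p udp --sport 68 -d "$server" --dport 67 -j ACCEPT
    run iptables "$action" INPUT -i "$iface" -p udp --sport 67 -s "$server" --dport 68 -j ACCEPT
}

# dhcp_hook: body for /etc/dhclient-enter-hooks, dispatching on $reason.
#   On lease acquisition the old rules (if any) are deleted before the new
#   ones are inserted, so repeated BOUND/RENEW calls never stack duplicates.
dhcp_hook() {
    case "${reason:-}" in
        BOUND|RENEW|REBIND)
            if [ -n "${old_dhcp_server_identifier:-}" ]; then
                dhcp_renew_rules -D "$interface" "$old_dhcp_server_identifier" 2>/dev/null
            fi
            dhcp_renew_rules -I "$interface" "$new_dhcp_server_identifier"
            ;;
        EXPIRE|RELEASE|FAIL)
            dhcp_renew_rules -D "$interface" \
                "${old_dhcp_server_identifier:-$new_dhcp_server_identifier}" 2>/dev/null
            ;;
        *) ;;   # PREINIT and the rest: nothing to open for the raw-socket stages
    esac
}
```

With `IPT_DRYRUN=1 reason=BOUND interface=eth0 new_dhcp_server_identifier=192.0.2.1` (constructed values) the hook prints the two ACCEPT rules and nothing else; the rules stay in place across renewals that bypass the script, which is exactly the "permanent" hole the message describes, only confined to one peer and two ports.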