At 11:23 2/01/02 +1000, Andrew Hatfield wrote:
>I set the default policy for INPUT to DROP and have the following...
>
>ACCEPT icmp -- anywhere anywhere
>
>ACCEPT all -- localoffice/24 anywhere
>ACCEPT all -- localhost.localdomain anywhere
>mail all -- anywhere anywhere
>
>other_services all -- anywhere anywhere
>dns all -- anywhere anywhere
>
>ipsec all -- anywhere anywhere
>
>ACCEPT gre -- anywhere anywhere
>
>
>What I don't understand is, that if the default policy is DROP but I
>allow all local traffic, why the clients can't get a DHCP-assigned
>address. But if I set the default INPUT policy to ACCEPT then it works.
You need to look at how the DHCP protocol works. When a client comes online and looks for a DHCP server, it does so by sending a UDP broadcast packet with a source IP address of 0.0.0.0 and a destination of 255.255.255.255. This is because it doesn't *have* a normal IP address at this time. Your firewall rules will be blocking packets with a source IP address of 0.0.0.0.

Try running tcpdump and monitoring a normal DHCP exchange to see what is sent, or check out the RFCs for DHCP. (I don't recall the numbers off hand.)

Regards,
Simon
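The following is an added worked example, not code from either poster. It builds a constructed DHCPDISCOVER packet the way a lease-less client sends it (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67) and walks it through a small model of the quoted INPUT chain, first as posted and then with one extra rule accepting UDP 68->67. Assumptions: the poster's "localoffice/24" is taken to be 192.168.1.0/24, and the user-defined chains (mail, other_services, dns, ipsec) are not shown in the thread, so the model assumes none of them accepts UDP to port 67 and that evaluation falls through them to the chain policy.

```python
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_GRE = 1, 17, 47

# Assumed value for the poster's "localoffice/24"; the thread never states it.
LOCALOFFICE = ipaddress.ip_network("192.168.1.0/24")
LOCALHOST = ipaddress.ip_network("127.0.0.1/32")


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP packet; checksums are left zero since only headers are inspected."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


def dhcp_discover():
    """Constructed DHCPDISCOVER: BOOTREQUEST, Ethernet hwtype, broadcast flag set,
    ciaddr/yiaddr/siaddr/giaddr all zero, options carrying only message type 1."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    bootp += b"\0" * 16 + b"\0" * 64 + b"\0" * 128          # chaddr, sname, file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, option 53, end
    # No lease yet, so the client cannot use a real source address.
    return build_ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67, bootp)


def parse(pkt):
    """Pull the fields an iptables rule would match on out of the IPv4/UDP headers."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport = dport = None
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst), "sport": sport, "dport": dport}


def rule(target, proto=None, src=None, sport=None, dport=None):
    return {"target": target, "proto": proto, "src": src, "sport": sport, "dport": dport}


def matches(r, p):
    if r["proto"] is not None and r["proto"] != p["proto"]:
        return False
    if r["src"] is not None and p["src"] not in r["src"]:
        return False
    if r["sport"] is not None and r["sport"] != p["sport"]:
        return False
    if r["dport"] is not None and r["dport"] != p["dport"]:
        return False
    return True


def verdict(chain, policy, pkt):
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    p = parse(pkt)
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy


# The ACCEPT rules visible in the quoted INPUT chain. The user-defined chains are
# assumed (not known from the thread) to return without accepting UDP port 67.
ORIGINAL_INPUT = [
    rule("ACCEPT", proto=IPPROTO_ICMP),
    rule("ACCEPT", src=LOCALOFFICE),
    rule("ACCEPT", src=LOCALHOST),
    rule("ACCEPT", proto=IPPROTO_GRE),
]

# Added rule (not from the thread): let the server receive client DHCP traffic.
DHCP_RULE = rule("ACCEPT", proto=IPPROTO_UDP, sport=68, dport=67)
FIXED_INPUT = [DHCP_RULE] + ORIGINAL_INPUT

if __name__ == "__main__":
    pkt = dhcp_discover()
    p = parse(pkt)
    print(f"DISCOVER: {p['src']} -> {p['dst']} udp {p['sport']}->{p['dport']}")
    print("original INPUT chain, policy DROP:", verdict(ORIGINAL_INPUT, "DROP", pkt))
    print("with DHCP rule, policy DROP:     ", verdict(FIXED_INPUT, "DROP", pkt))
```

The model shows why "allow all local traffic" does not cover the first exchange: 0.0.0.0 is not inside any local network, so the DISCOVER falls through to the DROP policy, whereas a renewal unicast from an address that already holds a lease is accepted by the localoffice rule. On the real box the equivalent of DHCP_RULE is a rule such as `iptables -A INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT` (interface name assumed), placed before the policy takes effect.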
