Warren Block wrote:
On Sun, 26 Jan 2003, Brian McCann wrote:


You need to allow UDP ports 67&68 for full DHCP support, in both
directions...so....

"ipfw add allow any 67 to any any via int out"
"ipfw add allow any 67 to any any via int in"
"ipfw add allow any 68 to any any via int out"
"ipfw add allow any 68 to any any via int in"

Something like that should do it.

Hope that helps.

ipfw didn't like those rules (ipfw: invalid protocol ``any'').  I think
it can be done easier, too:

${fwcmd} add pass udp from any 67,68 to any via ${iif}

But I'm not seeing any counts on that rule when a notebook client tries
for a DHCP lease, and the client never gets a lease.

This is crazy.  There is no sane way that anyone can give you rules for
this without knowing the rest of your firewall rules.  Among other things,
_where_ you place the rules in the list, and what other rules that may
match DHCP traffic are critical to the success of your firewall rules.

Considering you stated that you're not sure if your firewall or dhcpd was
problematic, I would suggest the following diag procedure.

1) Set the machine to the "open" firewall profile and attempt to get a
   DHCP addy.  If you can, then the problem is in the firewall, if you
   can't, then fix your dhcpd config before worrying about the firewall.
2) Here are the basic rules for DHCP:
   You need to allow udp traffic in/out to ports 67/68.  You need to make
   sure this includes traffic from 0.0.0.0 (this is the IP that DHCP uses
   before it has a DHCP addy) to 255.255.255.255.
3) If you have trouble, pretend to be an IP packet and trace through the
   rules to see where you get caught.  The most frustrating thing I hit
   with firewall rules is when an earlier rule inadvertently catches the
   traffic before the rule I intended.
4) If you're still having trouble, post the _entire_ ruleset to the list
   asking for help.  It's the only way anyone can expect to give you any
   real help.  Firewalls are just like that, you have to look at the whole
   thing or you can't see any of it.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
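As an added illustration of step 3 (not code from this thread, and not ipfw itself): a small first-match rule walker in Python, run over a constructed ruleset in which an anti-spoofing deny placed ahead of the DHCP pass rule swallows the client's DHCPDISCOVER (0.0.0.0:68 to 255.255.255.255:67), so the DHCP rule's counters never move. The rule format is a simplified, hypothetical subset of ipfw syntax; rule number 65535 is ipfw's real default deny rule.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

@dataclass
class Rule:
    number: int
    action: str    # "allow" or "deny"
    proto: str     # "udp", "tcp" or "ip" (ip = any protocol)
    src: str       # "any", a host address, or a CIDR network
    sports: tuple  # source ports the rule names; () = any port
    dst: str
    dports: tuple

# Minimal packet header view; only the fields the rules look at.
Packet = namedtuple("Packet", "proto src sport dst dport")

def addr_matches(spec, addr):
    """'any' matches everything; otherwise spec is a host or CIDR network."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.dports or pkt.dport in rule.dports))

def trace(rules, pkt):
    """First-match walk in rule-number order, as ipfw evaluates a packet.
    Returns (rule number, action); (65535, "deny") is ipfw's default rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"

# Constructed sample: a DHCPDISCOVER, source 0.0.0.0:68 to 255.255.255.255:67.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)

# Constructed ruleset: an anti-spoofing deny placed *before* the DHCP rule
# eats the discover, so the DHCP rule never matches and its counters stay 0.
ANTISPOOF = Rule(100, "deny", "ip", "0.0.0.0/8", (), "any", ())
DHCP_LATE = Rule(200, "allow", "udp", "any", (67, 68), "any", ())
RULES_BROKEN = [ANTISPOOF, DHCP_LATE]
# Same rules with the DHCP pass moved in front of the anti-spoofing deny.
DHCP_EARLY = Rule(50, "allow", "udp", "any", (67, 68), "any", ())
RULES_FIXED = [ANTISPOOF, DHCP_EARLY]
```

Calling `trace(RULES_BROKEN, DISCOVER)` reports the match at rule 100 (deny), while `trace(RULES_FIXED, DISCOVER)` reports rule 50 (allow); a non-DHCP packet with a 0.0.0.0 source is still stopped by rule 100 in the fixed set.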

