On Wed, Aug 14, 2002 at 12:04:36PM -0400, James A. Robbins wrote:
> > It does. It uses UDP riding on IP. Ports 68 and 69 to be
> > exact. Nothing about DHCP is specific to Ethernet either. It's IP all
> > the way.
>
> My bad, you're right.

Actually, it's 67 and 68. TFTP is 69.

> I just double checked another firewall that we set up to pass DHCP
> and found that we had to include rules to pass packets with a
> destination address of 255.255.255.255 in both directions to allow
> DHCP to work. The requests are sent to the ultimate broadcast
> address to try to contact any DHCP server within hearing range. I
> assume that 255.255.255.255 is blocked by a router up the line
> somewhere so that the entire Internet doesn't get these requests.

These two rules should be all you need to pass DHCP:

pass in quick proto udp from any port = 67 to any port = 68
pass in quick proto udp from any port = 68 to any port = 67

So long as you don't have a previous rule explicitly blocking
255.255.255.255, those two should be sufficient. Of course, you can
refine them a bit based on which side of the firewall your clients are
on and which side has the server if you wish.

-c
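The following is an added example, not code from anyone in this thread. It models the first-match ("quick") semantics of the two ipf rules above with a small Python evaluator and runs them over constructed DHCP packets, including the broadcast DISCOVER/OFFER pair and a unicast renewal. It also shows the two failure and refinement cases the reply mentions: an earlier quick rule blocking 255.255.255.255 silently breaks the broadcast half of the exchange, and binding each rule to the interface on which the client or server side sits lets the firewall drop server-style replies that arrive from the client side. Interface names `int0`/`ext0`, the 192.0.2.0/24 addresses and the rule-matching model are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "any"   # interface the packet arrives on (hypothetical names)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"
    sport: Optional[int] = None  # None means "any"
    dport: Optional[int] = None
    dst: str = "any"             # destination address, or "any"
    iface: str = "any"           # ipf "on <iface>" qualifier, "any" if absent
    quick: bool = True           # ipf "quick": stop at the first match

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.dst in ("any", p.dst)
                and self.iface in ("any", p.iface))


def evaluate(rules: List[Rule], packet: Packet, default: str = "block") -> str:
    """Return 'pass' or 'block' for one inbound packet. A quick rule ends
    evaluation at its match; a non-quick rule only records the latest
    matching action, which is how ipf resolves the rule list."""
    verdict = default
    for r in rules:
        if r.matches(packet):
            if r.quick:
                return r.action
            verdict = r.action
    return verdict


# Constructed sample traffic (RFC 5737 documentation addresses).
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, iface="int0")
OFFER = Packet("udp", "192.0.2.1", 67, "255.255.255.255", 68, iface="ext0")
RENEW = Packet("udp", "192.0.2.50", 68, "192.0.2.1", 67, iface="int0")
TFTP = Packet("udp", "192.0.2.50", 40000, "192.0.2.1", 69, iface="int0")
# Server-style reply that arrives from the client side instead of the server side.
WRONG_SIDE_OFFER = Packet("udp", "192.0.2.66", 67, "255.255.255.255", 68, iface="int0")

# The two rules from the reply, rendered in the model above.
DHCP_RULES = [
    Rule("pass", proto="udp", sport=67, dport=68),
    Rule("pass", proto="udp", sport=68, dport=67),
]

# Same rules preceded by a quick block of the limited-broadcast address.
BROKEN_RULES = [Rule("block", dst="255.255.255.255")] + DHCP_RULES

# Refinement: clients on int0, server on ext0, so each direction is tied to a side.
REFINED_RULES = [
    Rule("pass", proto="udp", sport=68, dport=67, iface="int0"),  # client requests
    Rule("pass", proto="udp", sport=67, dport=68, iface="ext0"),  # server replies
]


def dhcp_exchange_passes(rules: List[Rule]) -> bool:
    """True only if discover, offer and unicast renewal all get through."""
    return all(evaluate(rules, p) == "pass" for p in (DISCOVER, OFFER, RENEW))


if __name__ == "__main__":
    for name, rules in (("basic", DHCP_RULES), ("broken", BROKEN_RULES),
                        ("refined", REFINED_RULES)):
        print(name, "dhcp ok:", dhcp_exchange_passes(rules),
              "wrong-side offer:", evaluate(rules, WRONG_SIDE_OFFER))
```

With the basic rule set the whole exchange passes and unrelated UDP such as TFTP on port 69 falls through to the default block. With the broadcast block in front, the unicast renewal still passes while the initial discover and offer are dropped, which is exactly the symptom of "DHCP only works for hosts that already have a lease". The refined set keeps the exchange working but rejects a port-67-to-68 reply that shows up on the client-facing interface.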
