On Mon, 23 Nov 2020 23:11:26 +0100 Vieri Di Paola <[email protected]> wrote:
> Correct me if I'm wrong, but it seems that a reload is enough (no
> restart needed) because it seems that the 'dhcp' option simply adds
> the udp 67:68 rules on the specified interfaces.

Right. For any rule change, a reload is always enough.

> Also, "sniffing" the UDP 67 DHCP requests going out on the "ibs" eth
> interface should be enough to state that if the reply is not coming
> back or if the remote FW does not see the DHCP requests, it should not
> be because of a blocking rule in my SW router. Am I right?

That's not quite enough. When DHCP clients want to renew leases, they need
unicast DHCP access to your dns server. You can do that in rules with the
DHCPfwd macro:

DHCPfwd(ACCEPT)   lan1   ibs:10.215.137.54

The macro will allow traffic in both directions.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

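The two pieces of Shorewall configuration the reply refers to, written out as an added example (not config posted in the thread): the `dhcp` interface option that opens the broadcast UDP 67/68 traffic on an interface, and the DHCPfwd rule that additionally permits unicast DHCP between the client zone and the server address. The zone names (lan1, ibs), the physical interface names (eth1, eth2) and the extra interface options are assumptions; the server address 10.215.137.54 is the one from the reply.

```text
# /etc/shorewall/interfaces  (added example; eth1/eth2 and the option set are assumed)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
lan1    eth1        dhcp,tcpflags,nosmurfs
ibs     eth2        dhcp,tcpflags,nosmurfs

# /etc/shorewall/rules  (added example)
#ACTION             SOURCE   DEST                  PROTO   DPORT   SPORT
# Unicast DHCP renewals from lan1 clients to the server in ibs; the macro
# also generates the matching rule for the server's replies back to lan1.
DHCPfwd(ACCEPT)     lan1     ibs:10.215.137.54
```

After editing, `shorewall check` validates the files and `shorewall reload` applies them without the full restart the original poster asked about. Note that the `dhcp` interface option by itself only covers the broadcast client-to-server exchange on that interface; a client that already holds a lease renews by unicasting directly to the server, which is why the DHCPfwd rule is needed in addition, and why watching only the outbound broadcasts on the ibs interface does not prove the firewall is not dropping anything.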