ah
Joined: 14 Aug 2009
Posts: 9
Posted: Wed Aug 19, 2009 5:13 pm    Post subject: DHCP and Firewall

Hello,
I used the iptables guide in the wiki to set up my firewall rules. It works well. However, /var/log/daemon.log is getting spammed with the following error as a result:
Code:
    Aug 19 22:09:43 <host> dhclient: DHCPREQUEST on eth0 to <ip> port 67
    Aug 19 22:09:43 <host> dhclient: send_packet: Operation not permitted
Is this a problem? Is there anything I can do to stop this message? Do I need to punch holes for DHCP through the firewall?
Thanks.
tronic
Joined: 04 Dec 2004
Posts: 145
Posted: Wed Aug 19, 2009 9:27 pm

Kinda hard to even begin to suggest where your issue might be without seeing the iptables script or commands you use to set up, including any iptables flush commands.
But you probably don't have the right kind of iptables permit statements for DHCP and it's falling through to some sort of deny-by-default-and-log-it statement. Or you have a policy for one of the tables (e.g. INPUT, OUTPUT) set to DROP by default and don't have a corresponding permit statement.
I don't use DHCP on my Linodes -- I just set the IP statically. That saves me the need to run an extra daemon and frees up a bit of memory and a few seconds of waiting for the DHCP negotiation process to finish. DHCP is merely a convenience, but you'd do just fine with static IPs set up in your configs.
ah
Joined: 14 Aug 2009
Posts: 9
Posted: Thu Aug 20, 2009 2:38 am

I'm sorry if I wasn't clear enough. I'm using the iptables script in the guide I linked to:
http://www.linode.com/wiki/index.php/Netfilter_IPTables_Mini_Howto
And what you said is exactly what's happening. The script blocks everything by default and then opens a few ports. DHCP is blocked.
I think that switching to a static IP is a good idea. A problem will happen if I clone my linode or move it to a different DC. But these should be easy to fix as long as I remember to do so quickly.
Still, if someone kindly answers my question, it will be great:
- Is it necessary to punch holes for DHCP? If yes, how?
fukawi2
Joined: 02 Feb 2009
Posts: 64
Location: Melbourne, Australia
Posted: Thu Aug 20, 2009 9:53 pm

ah wrote:
    - Is it necessary to punch holes for DHCP? If yes, how?
Yes, DHCP is network traffic. It doesn't get special treatment just because it's DHCP.
ah
Joined: 14 Aug 2009
Posts: 9
Posted: Sat Aug 22, 2009 8:27 am

Thanks everyone for your help. I decided that DHCP wasn't worth it and switched to a static IP configuration.
tronic
Joined: 04 Dec 2004
Posts: 145
Posted: Sun Aug 23, 2009 1:28 pm

ah wrote:
    - Is it necessary to punch holes for DHCP? If yes, how?
iptables -I INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
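Added example, not from the Linode wiki howto and not posted by anyone in this thread: a deny-by-default ruleset of the kind tronic describes in his first reply (policies set to DROP, a few explicit permits), with the DHCP exceptions opened in both directions. The one-line INPUT rule in the last reply only covers the server's answers; the logged error is "send_packet: Operation not permitted", and EPERM on a send is how netfilter reports a packet dropped in the OUTPUT chain, so the renewal request going out from UDP port 68 to port 67 needs its own permit as well. Everything here is an assumption to adjust for the host: the interface name eth0, SSH as the only inbound service, the outbound ports, and the use of the conntrack and multiport matches. The script loads the rules only when run as root with the argument "apply"; with IPTABLES=echo it prints the commands it would run instead.

```shell
#!/bin/sh
# Added example (not from the Linode howto or any post above): DROP-by-default
# firewall with the two rules an ISC dhclient needs. IFACE, the ports opened
# and the iptables binary are assumptions. Usage (as root):
#     sh dhcp-fw.sh apply
# or, to see the commands without loading them:
#     IPTABLES=echo sh dhcp-fw.sh apply
IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"

# The DHCP client exceptions. Both are needed; neither is covered by the
# stateful rule below.
dhcp_client_rules() {
    # Lease renewal: client UDP 68 -> server UDP 67, unicast to the server.
    # This is the packet behind "send_packet: Operation not permitted": a
    # DROP in the OUTPUT chain is returned to the sending socket as EPERM,
    # so an INPUT-only exception does not silence that log line.
    "$IPTABLES" -A OUTPUT -o "$IFACE" -p udp --sport 68 --dport 67 -j ACCEPT
    # Server answers: UDP 67 -> 68. The answer to a broadcast DISCOVER goes
    # to 255.255.255.255 or to an address the client does not hold yet, so
    # conntrack never matches it as ESTABLISHED; it needs an explicit rule.
    "$IPTABLES" -A INPUT -i "$IFACE" -p udp --sport 67 --dport 68 -j ACCEPT
}

load_firewall() {
    # Start from a clean slate; keep ACCEPT while the rules are rebuilt so a
    # remote session is not cut off half way through.
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -F
    "$IPTABLES" -X

    # Loopback, and anything belonging to a connection already allowed.
    "$IPTABLES" -A INPUT  -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    "$IPTABLES" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    dhcp_client_rules

    # Inbound service offered to the world (SSH here; add what the host serves).
    "$IPTABLES" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound traffic the host itself needs: DNS, and HTTP(S) for updates.
    # Kept deliberately narrow, which is why the DHCP OUTPUT rule matters.
    "$IPTABLES" -A OUTPUT -p udp --dport 53 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m multiport --dports 53,80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate-limited, so daemon.log stays readable) and drop everything else.
    "$IPTABLES" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
    "$IPTABLES" -P INPUT   DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT  DROP
}

# Count the DHCP exceptions in a rule listing (dry-run output, or iptables -S).
count_dhcp_rules() {
    grep -c -- '-p udp --sport 6[78] --dport 6[78] -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    load_firewall
fi
```

One caveat a reader checking this against a live host should know: dhclient sends its initial broadcast DISCOVER/REQUEST through a raw packet socket, which netfilter does not filter, so the lease is obtained even with DROP policies and only the unicast renewal shows up as the EPERM in the log. That matches the original report of a firewall that "works well" apart from the spam.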