Hi,

On Thu, 23 Mar 2006 15:10:31 +0100 (CET) Martin Skarda
<skarda@××××××××××××.de> wrote:

> > Your description tells me that your packetfilter is not on the
> > same host as your DHCP server.
>
> Sorry if I did not describe the installation correctly.

You did. But it doesn't matter much, because the problem is that the
dhcpd brings its own set of IP operations (yuck!) and handles
interfaces in packet mode. So you probably have to go to ethernet level
in order to effectively manage that... Googling showed up this in
Shorewall's DHCP how-to:

---snip
Note

For most operations, DHCP software interfaces to the Linux IP stack at
a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The "dhcp" interface option
described in this article allows for Netfilter to stay out of DHCP's
way for those operations that can be controlled by Netfilter and
prevents unwanted logging of DHCP-related traffic by
Shorewall-generated Netfilter logging rules.
---snip

So shorewall basically only offers the option to keep out of dhcpd's
way completely.

Maybe you can reach your goal by setting up a filtering bridge to a
dummy device on which dhcpd can listen. Or you just rely on QoS/Traffic
shaping, if that's possible...


-hwh
--
gentoo-security@g.o mailing list