On Thu, 23 Mar 2006, Hans-Werner Hilse wrote:

> Hi,
>
> On Thu, 23 Mar 2006 15:10:31 +0100 (CET) Martin Skarda
> <skarda@××××××××××××.de> wrote:
>
>>> Your description tells me that your packet filter is not on the
>>> same host as your DHCP server.
>>
>> Sorry if I did not describe the installation correctly.
>
> You did. But it doesn't matter much, because the problem is that the
> dhcpd brings its own set of IP operations (yuck!) and handles
> interfaces in packet mode. So you probably have to go to Ethernet level
> in order to effectively manage that... Googling turned up this in
> Shorewall's DHCP how-to:
>
> ---snip
> Note
>
> For most operations, DHCP software interfaces to the Linux IP stack at
> a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
> cannot be used effectively to police DHCP. The "dhcp" interface option
> described in this article allows for Netfilter to stay out of DHCP's
> way for those operations that can be controlled by Netfilter and
> prevents unwanted logging of DHCP-related traffic by
> Shorewall-generated Netfilter logging rules.
> ---snip
>
> So Shorewall basically only offers the option to keep out of dhcpd's
> way completely.
>
> Maybe you can reach your goal by setting up a filtering bridge to a
> dummy device on which dhcpd can listen. Or you just rely on QoS/Traffic
> shaping, if that's possible...


Yes, meanwhile I also found the Shorewall howto. I assumed that the dhcpd
does not use the normal stack. But I did not understand this behavior,
because when I looked into the RFC regarding BOOTP/DHCP I found that this
service is "defined to use the UDP protocol"....

Thank you for your assistance,
Martin
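The point of the thread is that a DHCP server listening on a packet socket (AF_PACKET/LPF) receives the whole Ethernet frame before Netfilter's INPUT chain ever sees it, so DHCP is still UDP 68 -> 67 on the wire, exactly as the RFC says, but the server parses Ethernet, IPv4 and UDP itself and any policy (allowed interface, allowed client MACs, sane ports) has to be applied by that listener or at the Ethernet layer. The following is an added example written for this page, not code from the thread or from any real dhcpd: it builds a constructed DHCPDISCOVER frame, parses it the way a packet-socket consumer must, and applies a hypothetical `dhcp_policy()` allow-list. Nothing here touches a real socket; the frame, the MAC addresses and the policy are all assumptions for illustration.

```python
"""Added example: parse a DHCP frame as a packet-socket listener sees it.

A process on an AF_PACKET socket gets the raw Ethernet frame, below Netfilter,
so it must decode Ethernet/IPv4/UDP/BOOTP itself and enforce its own policy.
The frame builder and dhcp_policy() below are constructed for this example.
"""
import struct

DHCP_SERVER_PORT = 67            # RFC 2131: server listens on UDP 67
DHCP_CLIENT_PORT = 68            # clients send from UDP 68
DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the options field
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_discover(client_mac: bytes, xid: int) -> bytes:
    """Constructed sample input: a broadcast DHCPDISCOVER from client_mac."""
    # BOOTP fixed header (236 bytes): op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6,
    # hops=0, xid, secs=0, flags=broadcast, ciaddr/yiaddr/siaddr/giaddr=0,
    # chaddr(16), sname(64), file(128).
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC + bytes([53, 1, 1]) + bytes([255])  # type=DISCOVER, end
    payload = bootp + options
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed" for IPv4; a real server would verify it.
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, udp_len, 0) + payload
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                             IPPROTO_UDP, 0, b"\0\0\0\0", b"\xff\xff\xff\xff")
    ip_hdr = ip_no_csum[:10] + struct.pack("!H", ip_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = b"\xff" * 6 + client_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def parse_dhcp_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP/BOOTP; raise ValueError for anything else."""
    if len(frame) < 14 + 20 + 8 + 236 + 4:
        raise ValueError("frame too short for DHCP")
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_UDP or total_len > len(ip):
        raise ValueError("not a well-formed IPv4/UDP datagram")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if ulen != len(udp) or sport != DHCP_CLIENT_PORT or dport != DHCP_SERVER_PORT:
        raise ValueError("not client->server DHCP on UDP 68->67")
    bootp = udp[8:]
    op, htype, hlen, _hops, xid = struct.unpack("!BBBBI", bootp[:8])
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("not a BOOTREQUEST over Ethernet")
    if bootp[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240                      # TLV options until END (255)
    while i < len(bootp) and bootp[i] != 255:
        if bootp[i] == 0:                  # PAD
            i += 1
            continue
        ln = bootp[i + 1]
        opts[bootp[i]] = bootp[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"src_mac": src_mac, "src_ip": ip[12:16], "src_port": sport,
            "dst_port": dport, "xid": xid, "giaddr": bootp[24:28],
            "chaddr": bootp[28:28 + hlen], "msg_type": opts.get(53, b"\0")[0]}


def dhcp_policy(frame: bytes, allowed_macs: set) -> str:
    """Hypothetical per-frame policy a packet-socket listener must apply itself."""
    try:
        msg = parse_dhcp_frame(frame)
    except ValueError as err:
        return "drop: %s" % err
    # For directly attached clients (no relay, giaddr == 0) the BOOTP chaddr
    # must match the Ethernet source; a mismatch is a spoofing indicator.
    if msg["giaddr"] == b"\0\0\0\0" and msg["chaddr"] != msg["src_mac"]:
        return "drop: chaddr does not match Ethernet source"
    if msg["src_mac"] not in allowed_macs:
        return "drop: unknown client MAC"
    return "accept: DHCP message type %d from %s" % (msg["msg_type"], msg["src_mac"].hex(":"))


if __name__ == "__main__":
    mac = bytes.fromhex("02000000aa01")          # constructed client MAC
    print(dhcp_policy(build_dhcp_discover(mac, 0x12345678), {mac}))
```

The allow-list is only one possible policy; what matters is that it runs inside the listener, since an iptables rule on the same host would never match these frames. The same decision can be pushed down to the Ethernet layer (ebtables or the nftables bridge family on the filtering bridge Hans-Werner suggests), where it applies before the packet socket receives the frame.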