| 1 |
On Thu, 23 Mar 2006, Hans-Werner Hilse wrote: |
| 2 |
|
| 3 |
> Hi, |
| 4 |
> |
| 5 |
> On Thu, 23 Mar 2006 15:10:31 +0100 (CET) Martin Skarda |
| 6 |
> <skarda@××××××××××××.de> wrote: |
| 7 |
> |
| 8 |
>>> Your description tells me that your packetfilter is not on the |
| 9 |
>>> same host as your DHCP server. |
| 10 |
>> |
| 11 |
>> Sorry if I did not describe the installation correctly. |
| 12 |
> |
| 13 |
> You did. But it doesn't matter much, because the problem is that the |
| 14 |
> dhcpd brings its own set of IP operations (yuck!) and handles |
| 15 |
> interfaces in packet mode. So you probably have to go to ethernet level |
| 16 |
> in order to effectively manage that... Googling showed up this in |
| 17 |
> Shorewall's DHCP how-to: |
| 18 |
> |
| 19 |
> ---snip |
| 20 |
> Note |
| 21 |
> |
| 22 |
> For most operations, DHCP software interfaces to the Linux IP stack at |
| 23 |
> a level below Netfilter. Hence, Netfilter (and therefore Shorewall) |
| 24 |
> cannot be used effectively to police DHCP. The ÿÿdhcpÿÿ interface option |
| 25 |
> described in this article allows for Netfilter to stay out of DHCP's |
| 26 |
> way for those operations that can be controlled by Netfilter and |
| 27 |
> prevents unwanted logging of DHCP-related traffic by |
| 28 |
> Shorewall-generated Netfilter logging rules. |
| 29 |
> ---snip |
| 30 |
> |
| 31 |
> So shorewall basically only offers the option to keep out of dhcpd's |
| 32 |
> way completely. |
| 33 |
> |
| 34 |
> Maybe you can reach your goal by setting up a filtering bridge to a |
| 35 |
> dummy device on which dhcpd can listen. Or you just rely on QoS/Traffic |
| 36 |
> shaping, if that's possible... |
| 37 |
|
| 38 |
|
| 39 |
yes, meanwhile I also found the shorewall howto. I assumed, that the dhcpd |
| 40 |
does not use the normal stack. But I did not understand this behavior, |
| 41 |
because when I look into the RFC regarding bootp/dhcp I found that this |
| 42 |
service is "defined to use the udp protocol".... |
| 43 |
|
| 44 |
thank you for your assistance, |
| 45 |
Martin |
Archives