On Thu, 23 Mar 2006, Hans-Werner Hilse wrote:

Hi,

On Thu, 23 Mar 2006 15:10:31 +0100 (CET) Martin Skarda
<[EMAIL PROTECTED]> wrote:

Your description tells me that your packetfilter is not on the
same host as your DHCP server.

Sorry if I did not describe the installation correctly.

You did. But it doesn't matter much, because the problem is that the
dhcpd brings its own set of IP operations (yuck!) and handles
interfaces in packet mode. So you probably have to go to ethernet level
in order to effectively manage that... Googling showed up this in
Shorewall's DHCP how-to:

---snip
Note

For most operations, DHCP software interfaces to the Linux IP stack at
a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The "dhcp" interface option
described in this article allows for Netfilter to stay out of DHCP's
way for those operations that can be controlled by Netfilter and
prevents unwanted logging of DHCP-related traffic by
Shorewall-generated Netfilter logging rules.
---snip

So shorewall basically only offers the option to keep out of dhcpd's
way completely.

Maybe you can reach your goal by setting up a filtering bridge to a
dummy device on which dhcpd can listen. Or you just rely on QoS/Traffic
shaping, if that's possible...


Yes, meanwhile I also found the Shorewall howto. I assumed that the dhcpd does not use the normal stack. But I did not understand this behavior, because when I look into the RFC regarding BOOTP/DHCP I found that this service is "defined to use the UDP protocol"...

thank you for your assistance,
  Martin
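Since netfilter never sees the frames a packet-mode dhcpd sends and receives, any policing has to happen at the Ethernet level, as the thread concludes. The following is an added example (not code from the thread or from Shorewall) of the decision logic such a user-space filter would apply to each raw frame read from a packet socket: it parses Ethernet/IPv4/UDP/BOOTP and drops BOOTREPLY frames whose source MAC is not an authorized server. The authorized MAC and the sample frame are constructed placeholders.

```python
import struct

# Constructed policy: MACs of the DHCP servers allowed to answer clients.
AUTHORIZED_SERVER_MACS = {"02:00:00:00:00:01"}
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp_frame(src_mac: bytes, op: int, sport: int = 67, dport: int = 68) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP/BOOTP frame for testing (no checksums)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s", op, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128, DHCP_MAGIC_COOKIE)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([0, 0, 0, 0]), bytes([255, 255, 255, 255])) + udp
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"   # broadcast dst, EtherType IPv4
    return eth + ip

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify_frame(frame: bytes):
    """Return (verdict, reason) for one raw Ethernet frame.
    Non-DHCP traffic passes untouched; only BOOTREPLY frames are policed."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "pass", "not IPv4"
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                       # IP protocol field: 17 = UDP
        return "pass", "not UDP"
    udp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if not ({sport, dport} & {67, 68}):
        return "pass", "not DHCP"
    bootp = frame[udp_off + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC_COOKIE:
        return "drop", "malformed BOOTP payload"
    op, src = bootp[0], mac_str(frame[6:12])     # op 1 = BOOTREQUEST, 2 = BOOTREPLY
    if op == 2 and src not in AUTHORIZED_SERVER_MACS:
        return "drop", f"BOOTREPLY from unauthorized server {src}"
    return "pass", "DHCP policy ok"

if __name__ == "__main__":
    rogue = build_dhcp_frame(bytes.fromhex("020000000099"), 2)
    print(classify_frame(rogue))
```

In production the frames would come from an AF_PACKET socket bound to the bridge or dummy interface; the parser above is what decides, not netfilter.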
