Mon, 21 Jan 2002 13:57:55 -0500
I would further suggest that the -s $LAN_IP_RANGE be removed also. I would
have it based *only* on input interface.
The reason for this is simple. Any brand new client will send a DHCP
request from 0.0.0.0, since it doesn't know its own IP address (that's the
whole reason for DHCP, after all...). If it's a renewal, it may come from
the LAN IP range, or it may come from the range of the last subnet that this
client was attached to. Basically, it might come from almost anywhere,
IP-wise. But it should only come from the internal interface.
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com]On Behalf Of Tommy Lacroix
> Sent: Monday, January 21, 2002 1:15 PM
> To: Justin Michael; firstname.lastname@example.org
> Subject: Re: DHCP
> > iptables -I INPUT -p udp --dport 67:68 -s $LAN_IP_RANGE -j ACCEPT
> IMHO, specifying the input interface would be a good idea in this case,
> since UDP is easily spoofable (although it might not be exploitable in any
> way with DHCP).
> # iptables -A INPUT -i $LAN_IFACE -p udp --dport 67:68 -s $LAN_IP_RANGE -j
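The point of the reply is easiest to see by running the two candidate rules against the packets a LAN-side DHCP server actually receives. The following is an added example, not code from the thread or from any of its participants: a toy model of the `-s $LAN_IP_RANGE` rule and of the interface-only rule, evaluated against four constructed packets (an initial DISCOVER from 0.0.0.0, a renewal from the LAN range, a renewal from a client that last lived on another subnet, and a packet with a forged LAN source arriving on the external interface). The interface names `eth0`/`eth1`, the `192.168.1.0/24` range and the sample addresses are assumptions chosen for illustration.

```python
"""Added example (not from the mailing-list thread): a toy model of the two
iptables INPUT rules under discussion, exercised against the DHCP packets a
LAN firewall sees. Interface names, the LAN range and the sample packets are
all constructed for illustration."""
import ipaddress
from dataclasses import dataclass

LAN_IFACE = "eth1"                                    # assumed $LAN_IFACE
LAN_IP_RANGE = ipaddress.ip_network("192.168.1.0/24")  # assumed $LAN_IP_RANGE


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source IPv4 address as written in the IP header
    proto: str
    dport: int


def matches_dhcp_ports(pkt: Packet) -> bool:
    """The '-p udp --dport 67:68' part shared by both rules."""
    return pkt.proto == "udp" and 67 <= pkt.dport <= 68


def rule_source_range(pkt: Packet) -> bool:
    """Models: iptables -I INPUT -p udp --dport 67:68 -s $LAN_IP_RANGE -j ACCEPT
    Accepts only when the claimed source address is inside the LAN range."""
    return matches_dhcp_ports(pkt) and ipaddress.ip_address(pkt.src) in LAN_IP_RANGE


def rule_iface_only(pkt: Packet) -> bool:
    """Models: iptables -A INPUT -i $LAN_IFACE -p udp --dport 67:68 -j ACCEPT
    Accepts based only on the ingress interface, as the reply proposes."""
    return matches_dhcp_ports(pkt) and pkt.iface == LAN_IFACE


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = {
    "discover_from_new_client": Packet("eth1", "0.0.0.0", "udp", 67),
    "renewal_from_lan_address": Packet("eth1", "192.168.1.50", "udp", 67),
    "renewal_from_old_subnet": Packet("eth1", "10.20.30.40", "udp", 67),
    "spoofed_lan_src_on_wan": Packet("eth0", "192.168.1.50", "udp", 67),
}


def evaluate(rule, packets=SAMPLE_PACKETS):
    """Return {packet name: accepted?} for one rule over the sample set."""
    return {name: rule(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for rule in (rule_source_range, rule_iface_only):
        print(rule.__name__)
        for name, accepted in evaluate(rule).items():
            print(f"  {name:28s} {'ACCEPT' if accepted else 'drop'}")
```

Running it shows the source-range rule dropping both the DISCOVER from 0.0.0.0 and the renewal from a client's previous subnet while still accepting a forged LAN address that arrives on the external interface; the interface-only rule accepts all three legitimate LAN-side packets and drops the spoofed one, which is exactly why the reply wants the match keyed on `-i` rather than on `-s`.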