From: Simon H. <li...@th...> - 2017-05-22 10:36:12

Julio Torres <jct...@wa...> wrote:
> Hello everybody.
> I have set up an interface in bridge mode with eth0 and eth1. The configuration on interfaces: eth0 is connected to the router and eth1 is connected to the local network.
>
> I work with MAC verification
>
> MACLIST_TABLE=mangle
> MACLIST_DISPOSITION=DROP
>
> On the interfaces file I set the maclist on eth1
>
> I have a problem with DHCP on devices when shorewall is running and the PCs try to connect: they can't get an IP.

I'm not too sure you can filter DHCP. Because it needs to operate when a client doesn't have an address, the server has to use raw sockets to get the broadcast packets from the client. These packets don't (AFAIK) then pass through the IP stack. Also, for this reason I think that the server has to listen on the physical interfaces rather than the bridge - though I'm not too sure of that.

> On the logs the only thing I can see is:
>
> [909539.918061] Shorewall:eth1_rec:DROP:IN=br0 OUT= PHYSIN=eth1 MAC=ff:ff:ff:ff:ff:ff:10:15:a1:b3:19:c9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=200 TOS=0x00 PREC=0x00 TTL=1 ID=44061 DF PROTO=UDP SPT=44559 DPT=1900 LEN=180

That's nothing to do with DHCP - AFAICS UDP port 1900 is used for UPnP
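The point Simon makes rests on reading the `PROTO`/`SPT`/`DPT` fields of the Shorewall log line, and the maclist question turns on the source MAC buried in the `MAC=` field. The following parser is an added example (not Shorewall's own code or anything posted in this thread): it splits a netfilter-style `Shorewall:chain:ACTION:key=value ...` line into its fields, unpacks the 14-byte `MAC=` field into destination MAC, source MAC and EtherType, and classifies the dropped packet as DHCP client-to-server (UDP 68 to 67), DHCP server-to-client (UDP 67 to 68), SSDP/UPnP (UDP 1900) or other. The first sample line is the one quoted above; the second is a constructed DHCP broadcast with a made-up MAC so the two cases sit side by side. Both the field names and the port-pair rules are assumptions about the standard netfilter LOG format and DHCP/SSDP port usage, not taken from this thread.

```python
import re
from typing import Optional

# Constructed sample log. Line 1 is the line quoted in the thread; line 2 is a
# made-up DHCP client broadcast (UDP 68 -> 67, invented source MAC) so that a
# real DHCP drop can be compared with the SSDP one.
SAMPLE_LOG = """\
[909539.918061] Shorewall:eth1_rec:DROP:IN=br0 OUT= PHYSIN=eth1 MAC=ff:ff:ff:ff:ff:ff:10:15:a1:b3:19:c9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=200 TOS=0x00 PREC=0x00 TTL=1 ID=44061 DF PROTO=UDP SPT=44559 DPT=1900 LEN=180
[909540.000000] Shorewall:eth1_rec:DROP:IN=br0 OUT= PHYSIN=eth1 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

# "[uptime] Shorewall:<chain>:<ACTION>:<key=value tokens and bare flags>"
PREFIX_RE = re.compile(
    r"^\[\s*(?P<uptime>[\d.]+)\]\s+Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):\s*(?P<rest>.*)$"
)


def parse_shorewall_line(line: str) -> Optional[dict]:
    """Split one Shorewall LOG line into chain, action, key=value fields and bare flags.

    A key that repeats (LEN appears once for the IP header and once for the UDP
    header) is stored as LEN, LEN_2, ... so no information is lost.
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            base, value = tok.split("=", 1)  # "OUT=" yields an empty value
            key, n = base, 1
            while key in fields:
                n += 1
                key = f"{base}_{n}"
            fields[key] = value
        else:
            flags.append(tok)  # bare flags such as DF
    return {
        "uptime": float(m.group("uptime")),
        "chain": m.group("chain"),
        "action": m.group("action"),
        "fields": fields,
        "flags": flags,
    }


def split_mac(mac_field: str):
    """The MAC= field holds the Ethernet header: dst MAC (6), src MAC (6), EtherType (2)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return None
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def classify(parsed: dict) -> str:
    """Name the traffic by UDP port pair; DHCP uses 67/68, SSDP discovery uses 1900."""
    f = parsed["fields"]
    if f.get("PROTO") != "UDP":
        return "other"
    ports = (f.get("SPT"), f.get("DPT"))
    if ports == ("68", "67"):
        return "dhcp-client-to-server"
    if ports == ("67", "68"):
        return "dhcp-server-to-client"
    if ports[1] == "1900":
        return "ssdp-upnp"
    return "other"


def summarize(log_text: str) -> list:
    """One compact record per parseable line: where it arrived, who sent it, what it was."""
    rows = []
    for line in log_text.splitlines():
        p = parse_shorewall_line(line)
        if p is None:
            continue
        macs = split_mac(p["fields"].get("MAC", ""))
        rows.append({
            "chain": p["chain"],
            "action": p["action"],
            "physin": p["fields"].get("PHYSIN", ""),
            "src_mac": macs[1] if macs else None,
            "src": p["fields"].get("SRC"),
            "dst": p["fields"].get("DST"),
            "kind": classify(p),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run against the quoted line it reports `kind: ssdp-upnp` with source MAC `10:15:a1:b3:19:c9` on `PHYSIN=eth1`, which is exactly the check Simon applies by eye: a drop of DHCP would show `SPT=68 DPT=67`, so grepping a `Shorewall:` log for that port pair (or for `kind == "dhcp-client-to-server"` here) is the quickest way to confirm whether the maclist chain is really the thing blocking the clients.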