On Fri, Aug 30, 2024 at 11:47:15AM +0200, Kai wrote:
> Hello,
>
> I'm trying to set up a nwfilter ruleset where the client should only be
> able to answer incoming requests and pings. The outbound traffic (LAN and
> Internet) shouldn't be working.
>
> I've got the rules as mentioned below (I moved all filterref inside for
> debugging):
>
> <filter name='fwrule-test0' chain='root' priority='-700'>
>   <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
>   <rule action='accept' direction='out' priority='100'>
>     <ip protocol='udp' srcportstart='68' dstportstart='67'/>
>   </rule>
>   <rule action='accept' direction='in' priority='101'>
>     <ip protocol='udp' srcportstart='67' dstportstart='68'/>
>   </rule>
>   snip
> </filter>
>
> My expectation for DHCP was ports 67 <-> 68 to be open as in the nwfilter
> 'allow-dhcp'.
>
> Am I missing something here?

You've got a subtle difference - the 'allow-dhcp' filter is adding
rules to the 'ipv4' chain, while you're adding rules to the 'root'
chain, which might make a difference.
Rather than duplicating rules for port 67/68, you could just reference it:
<filterref filter='allow-dhcp'/>
With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
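The "answer only" policy Kai is after, written the way Daniel suggests: the stock 'allow-arp' and 'allow-dhcp' filters are referenced instead of copied (their rules land on the 'arp' and 'ipv4' chains, which the root chain jumps into before its own positively-prioritised rules), inbound echo requests and one inbound service port are accepted, and everything else, including anything the VM tries to initiate, is dropped. This is an added example, not a filter from the thread or from libvirt's shipped filter set; the SSH port is an assumed service, and it relies on nwfilter rules being stateful by default, so the VM's replies to accepted inbound traffic are passed back out without a separate 'out' rule.

```xml
<filter name='fwrule-test0' chain='root'>
  <!-- libvirt assigns a uuid on define; none is needed here -->

  <!-- reuse the stock filters rather than duplicating their rules;
       'allow-dhcp' lives on the 'ipv4' chain, 'allow-arp' on 'arp' -->
  <filterref filter='allow-arp'/>
  <filterref filter='allow-dhcp'/>

  <!-- ICMP echo requests towards the VM; the VM's echo replies travel
       back out via connection tracking (rules are stateful unless
       state='NONE' is set), so no 'out' rule is required -->
  <rule action='accept' direction='in' priority='200'>
    <icmp type='8'/>
  </rule>

  <!-- a service reachable from outside (SSH assumed for this example);
       the VM may answer, but cannot open connections of its own -->
  <rule action='accept' direction='in' priority='300'>
    <tcp dstportstart='22'/>
  </rule>

  <!-- everything not accepted above is dropped in both directions;
       priority 1000 puts this after the jumps into 'arp'/'ipv4'
       (chain priorities -500/-700) and after the rules above -->
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>
</filter>
```

Define it with `virsh nwfilter-define` and point the guest interface at it with `<filterref filter='fwrule-test0'/>`; `virsh nwfilter-dumpxml allow-dhcp` shows the chain the stock filter attaches to, which is the difference Daniel points at. A quick check from inside the guest is that `ping` out and an outbound `ssh` fail while the VM still acquires a DHCP lease and answers pings from the host.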