[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: e1000 in rawhide kernel



On Friday 03 February 2006 02:16am, Peter Robinson wrote:
> On 2/3/06, Nigel Metheringham <nigel metheringham dev intechnology co uk> 
wrote:
> Not sure if this would be an issue but one other thing to look at is
> to make sure your not running and extremely tight custom firewall that
> blocks the dhcp response packets. Also does it work if you temporarily
> set a static IP.

Not possible.

Try running this filewall config:
----
iptables -F
iptables -t nat -F
iptables -t mangle -F
# For completeness, we would run three:
# iptables -X
# ..commands here, but it isn't necessary, this time
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
# For completeness, we should:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# ..here, but we won't in this example.
----
With this config in place, you would be allowing no traffic of any kind on any 
interface.  If you're feeling pedantic, change the "ACCEPT"s to "DROP" but it 
won't change anything.  I use ACCEPT because the filter table is where we 
make filtering decisions, not nat or mangle.

On the machine with this firewall config, try to "ifup" your DHCP 
interface(s).  Notice how it works?  Netfilter will never block DHCP 
client-side (I've never tested this filewall config on the DHCP server; my 
first inclination is to expect that you could still get DHCP, but maybe not).

Remember, there are *no* rules in this config allowing traffic of *any* kind.  
And yet, DHCP still works.  This is an intentional feature in Netfilter.
-- 
Lamont R. Peterson <lamont gurulabs com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB  8CB3 F980 6C97 DC0D D409

Attachment: pgpa7gRZ2fmJi.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]