e1000 in rawhide kernel

Lamont R. Peterson lamont at gurulabs.com
Fri Feb 3 20:02:34 UTC 2006


On Friday 03 February 2006 02:16am, Peter Robinson wrote:
> On 2/3/06, Nigel Metheringham <nigel.metheringham at dev.intechnology.co.uk> wrote:
> Not sure if this would be an issue but one other thing to look at is
> to make sure you're not running an extremely tight custom firewall that
> blocks the dhcp response packets. Also does it work if you temporarily
> set a static IP?

Not possible.

Try running this firewall config:
----
iptables -F
iptables -t nat -F
iptables -t mangle -F
# For completeness, we would run three:
# iptables -X
# ..commands here, but it isn't necessary, this time
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
# For completeness, we should:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# ..here, but we won't in this example.
----
With this config in place, you would be allowing no traffic of any kind on any 
interface.  If you're feeling pedantic, change the "ACCEPT"s to "DROP" but it 
won't change anything.  I use ACCEPT because the filter table is where we 
make filtering decisions, not nat or mangle.

On the machine with this firewall config, try to "ifup" your DHCP 
interface(s).  Notice how it works?  Netfilter will never block DHCP 
client-side (I've never tested this firewall config on the DHCP server; my 
first inclination is to expect that you could still get DHCP, but maybe not).

Remember, there are *no* rules in this config allowing traffic of *any* kind.  
And yet, DHCP still works.  This is an intentional feature in Netfilter.
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB  8CB3 F980 6C97 DC0D D409
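
Added example (not part of the original message): before drawing conclusions from the "ifup" test, confirm the filter table really is in the state the message describes, with policy DROP on INPUT, FORWARD and OUTPUT and no rules. The helper name audit_filter_dump and the two sample dumps are assumptions constructed for illustration; the input format is the one printed by "iptables -S".

```shell
# Added example: audit a filter table dump (text in `iptables -S` format)
# read from stdin. Passes only when INPUT, FORWARD and OUTPUT all have
# policy DROP, no rule has been appended, and no user-defined chain exists.
# audit_filter_dump is a hypothetical helper name, not an iptables command.
audit_filter_dump() {
    awk '
        BEGIN { bad = 0 }
        $1 == "-P" { policy[$2] = $3; next }
        $1 == "-A" { printf "rule present in %s: %s\n", $2, $0; bad = 1; next }
        $1 == "-N" { printf "user-defined chain: %s\n", $2; bad = 1; next }
        END {
            n = split("INPUT FORWARD OUTPUT", chains, " ")
            for (i = 1; i <= n; i++) {
                c = chains[i]
                if (!(c in policy)) {
                    printf "no policy line for %s\n", c; bad = 1
                } else if (policy[c] != "DROP") {
                    printf "%s policy is %s, not DROP\n", c, policy[c]; bad = 1
                }
            }
            if (!bad) print "filter table: policy DROP on all chains, no rules"
            exit bad
        }
    '
}

# Constructed sample dumps (not captured from a real host).
# SAMPLE_LOCKED matches the config in the message above.
SAMPLE_LOCKED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP'
# SAMPLE_LEAKY has one ACCEPT policy and one loopback rule left in place.
SAMPLE_LEAKY='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT'

# On a live host (root required):  iptables -S | audit_filter_dump
```

The function returns non-zero and prints one line per deviation, so it can gate the DHCP test in a script.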

More information about the fedora-devel-list mailing list