OPNsense Forum

English Forums => General Discussion => Topic started by: verfluchten on May 11, 2025, 11:48:58 PM

Title: Hardening DHCP
Post by: verfluchten on May 11, 2025, 11:48:58 PM
Is my understanding of https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol correct that the 'from' IPv4 address of the initial discovery and of the first DHCP request from a DHCP client is always 0.0.0.0, and that both are always sent from port 68/udp?

Next, I want to allow DHCP only from select MAC addresses, and they will include visitor devices. How can I discover MAC addresses to be manually allowed if they are not printed on the device or supplied by the visitor? Only by looking at the log for DHCPREQUEST ... from ... when the device is plugged in?
Title: Re: Hardening DHCP
Post by: bartjsmit on May 12, 2025, 09:04:03 AM
Yes, DHCP uses broadcast. Restricting clients by MAC has limited value since you cannot control the address that the client uses. For instance, an attacker can sniff packets on the network and assume the MAC and IP of a client that is allowed to connect.

Do your hardening on layer 2 by implementing VLAN separation on managed switches and multi-SSID WiFi access points.
Title: Re: Hardening DHCP
Post by: verfluchten on May 12, 2025, 02:23:14 PM
Not really looking for design suggestions ATM, only for the answers to the original questions.
Title: Re: Hardening DHCP
Post by: bartjsmit on May 12, 2025, 06:29:48 PM
Capture the DHCP traffic on the firewall while bringing the device on the network.
Title: Re: Hardening DHCP
Post by: EricPerl on May 13, 2025, 06:28:20 AM
The initial DHCPDISCOVER message from the client includes its MAC address. It goes in the log at Info level.
If you block unknown clients, there won't be a reply...

FWIW, newer Apple products have a privacy feature that randomizes the MAC.
Title: Re: Hardening DHCP
Post by: verfluchten on May 13, 2025, 10:20:52 PM
Do they always originate from ip 0.0.0.0 and port 68/udp?
Title: Re: Hardening DHCP
Post by: EricPerl on May 13, 2025, 10:46:37 PM
Yes, according to https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
The client does not have an IP yet. UDP Port is 67 on the server side, 68 client side. The auto-generated rules include these for a reason...
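Added example, not part of the thread or of OPNsense: a small parser that pulls out of a raw Ethernet/IPv4/UDP/BOOTP frame exactly the fields the posts above refer to: the source IP and port (0.0.0.0 and 68 for a client that has no lease yet), the destination port (67), the DHCP message type (option 53) and the client hardware address (`chaddr`), which is where the MAC comes from when you "capture the DHCP traffic on the firewall". It also flags a locally-administered (randomized) MAC, since that bit is what Apple's and other vendors' privacy feature sets. The frame is constructed inline by `build_discover_frame` (an assumed helper written for this example, not captured traffic; its IP/UDP checksums are left at zero because nothing is transmitted); in real use you would feed it frames taken with `tcpdump -w` on the OPNsense interface and read back with any pcap library.

```python
"""Parse a DHCP frame (Ethernet / IPv4 / UDP / BOOTP) and summarise the
fields discussed in the thread: source IP:port, destination port,
message type and client MAC (chaddr).  Example code, not from OPNsense."""
import struct
from dataclasses import dataclass

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that precedes the options
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}


@dataclass
class DhcpSummary:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    msg_type: str
    client_mac: str
    options: dict


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp_frame(frame: bytes) -> DhcpSummary:
    # Ethernet: dst(6) src(6) ethertype(2); we only handle IPv4 frames.
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    if ip[9] != 17:
        raise ValueError("not UDP")
    src_ip, dst_ip = ip_str(ip[12:16]), ip_str(ip[16:20])
    udp = ip[ihl:]
    src_port, dst_port, udp_len = struct.unpack("!HHH", udp[:6])
    payload = udp[8:udp_len]
    # BOOTP fixed header is 236 bytes; chaddr sits at offset 28, hlen at 2.
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
    return DhcpSummary(src_ip, src_port, dst_ip, dst_port,
                       msg_type, mac_str(chaddr), options)


def is_unconfigured_client_broadcast(s: DhcpSummary) -> bool:
    """The profile the thread describes for a client with no lease yet:
    0.0.0.0:68 -> 255.255.255.255:67.  A renewal is unicast from the
    leased address and does not match."""
    return (s.src_ip == "0.0.0.0" and s.src_port == DHCP_CLIENT_PORT
            and s.dst_ip == "255.255.255.255" and s.dst_port == DHCP_SERVER_PORT)


def is_locally_administered(mac: str) -> bool:
    """IEEE 802 U/L bit (0x02 in the first octet); randomized 'private'
    MACs set it, so this is a cheap hint that the MAC is not burned-in."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def build_discover_frame(client_mac: bytes, msg_type: int = 1,
                         src_ip: bytes = bytes(4), dst_ip: bytes = b"\xff" * 4,
                         src_port: int = DHCP_CLIENT_PORT) -> bytes:
    """Constructed sample frame (not a capture).  Checksums are left zero."""
    opts = bytes([53, 1, msg_type])                      # option 53: message type
    opts += bytes([61, 7, 1]) + client_mac               # option 61: client id
    opts += bytes([55, 3, 1, 3, 6]) + b"\xff"            # option 55 + end
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326,
                        0, 0x8000, src_ip, bytes(4), bytes(4), bytes(4),
                        client_mac.ljust(16, b"\0"), bytes(64), bytes(128))
    payload = bootp + DHCP_MAGIC + opts
    udp = struct.pack("!HHHH", src_port, DHCP_SERVER_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_ip, dst_ip) + udp
    return b"\xff" * 6 + client_mac + b"\x08\x00" + ip


if __name__ == "__main__":
    s = parse_dhcp_frame(build_discover_frame(bytes.fromhex("001122334455")))
    print(s.msg_type, s.client_mac, f"{s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port}",
          "broadcast-from-unconfigured-client" if is_unconfigured_client_broadcast(s) else "unicast")
```

The parser deliberately reports `chaddr` rather than the Ethernet source MAC: a relay agent rewrites the latter, while `chaddr` is what the server logs and matches against a static mapping. For the same reason neither value is a security control; as noted earlier in the thread, any host on the segment can put whatever it likes in both.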