OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: incorrect on July 05, 2020, 02:10:41 pm

Title: DHCP/DHCPv6 automatically configured firewall rules
Post by: incorrect on July 05, 2020, 02:10:41 pm
Is there a reason IPv4 UDP ports 546/547 and IPv6 UDP ports 67/68 are added automatically as allow when DHCP/DHCPv6 are used on an interface?
Title: Re: DHCP/DHCPv6 automatically configured firewall rules
Post by: marjohn56 on July 05, 2020, 11:17:23 pm
Think about it... what ports do dhcp and dhcp6 use? Now what would happen if the ports were closed?
Very easily googled..
Title: Re: DHCP/DHCPv6 automatically configured firewall rules
Post by: incorrect on July 05, 2020, 11:47:37 pm
I understand why IPv4 UDP 67/68 and IPv6 UDP 546/547 need to be permitted, but as far as I'm aware DHCP doesn't use IPv6 and DHCPv6 doesn't use IPv4. The rules should match what the protocols use and require.
Title: Re: DHCP/DHCPv6 automatically configured firewall rules
Post by: marjohn56 on July 06, 2020, 08:31:31 am
Good point, never noticed that.. Perhaps Franco or Ad can answer.
Title: Re: DHCP/DHCPv6 automatically configured firewall rules
Post by: packet loss on July 11, 2020, 08:03:40 pm
I'm sure they will fix this issue. Something I noticed for a while now is that there isn't enough coding logic to remove unnecessary automatically generated ipv4+v6 rules when IPv6 is disabled.
Title: Re: DHCP/DHCPv6 automatically configured firewall rules
Post by: Redundanz on July 24, 2020, 09:39:44 am
DHCP relay agents (DHCPv4 over IPv6, vice versa) would use these ports afaik.
Title: Re: DHCP/DHCPv6 automatically configured firewall rules
Post by: incorrect on July 30, 2020, 03:21:56 am
I've tried to find a reference in the relevant RFCs which explicitly permits this, but from my reading it is at least implied DHCP is restricted to transport via IPv4 and DHCPv6 via IPv6.

Is there any supporting documentation which specifies otherwise?

Is there an example of this being implemented outside of the formal specifications?
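
A check for the address-family mismatch raised in this thread, as an added example that is not part of the original posts or of OPNsense's own code: it scans pf-style rule text for pass rules that allow a DHCP or DHCPv6 UDP port on the other address family. The rule lines in `SAMPLE` are constructed, and the names `audit`, `DHCP_FAMILY` and `PORT_SPEC` are assumptions made for this example.

```python
import re

# UDP ports mapped to the pf address family their protocol runs over:
# DHCPv4 on IPv4 (67/68), DHCPv6 on IPv6 (546/547). Names are the IANA service names.
DHCP_FAMILY = {"67": "inet", "68": "inet", "bootps": "inet", "bootpc": "inet",
               "546": "inet6", "547": "inet6",
               "dhcpv6-client": "inet6", "dhcpv6-server": "inet6"}

# Matches "port 67", "port = 67" and "port { 67, 68 }".
PORT_SPEC = re.compile(r"\bport\s+(?:=\s*)?(\{[^}]*\}|\S+)")


def audit(ruleset):
    """Return (line_no, rule_family, port) for each DHCP port passed on the wrong family."""
    findings = []
    for no, line in enumerate(ruleset.splitlines(), 1):
        rule = line.split("#", 1)[0]          # drop trailing comments
        tokens = rule.split()
        if not tokens or tokens[0] != "pass" or "udp" not in tokens:
            continue
        # A rule with no family keyword applies to IPv4 and IPv6 alike.
        family = "inet6" if "inet6" in tokens else "inet" if "inet" in tokens else "any"
        for spec in PORT_SPEC.findall(rule):
            for port in re.findall(r"[\w-]+", spec):
                want = DHCP_FAMILY.get(port)
                if want and family != want:
                    findings.append((no, family, port))
    return findings


# Constructed sample rules (not taken from a real OPNsense ruleset).
SAMPLE = """\
pass in quick on em0 inet proto udp from any port 68 to any port 67
pass in quick on em0 inet proto udp from any port 546 to any port 547
pass in quick on em0 inet6 proto udp from fe80::/10 port 546 to ff02::1:2 port 547
pass in quick on em0 inet6 proto udp from any port { 67, 68 } to any port 67
pass out quick on em0 proto udp from any to any port = dhcpv6-server
block in on em0 inet proto udp from any to any port 547
"""

if __name__ == "__main__":
    for line_no, family, port in audit(SAMPLE):
        print(f"line {line_no}: port {port} passed on family '{family}'")
```

Each finding is a rule to review by hand; a rule with no `inet`/`inet6` keyword is reported with family `any` because it covers both.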