OPNsense Forum

Title: DHCP firewall default rules
Post by: mjholgate on October 18, 2020, 12:38:58 am
Hi there,

Apologies - this is a dumb newbie question, but I'm trying to get my head around the default firewall rules for DHCP (v4 and v6):

    #    Proto          Source      Port   Destination   Port   Gateway   Schedule   Description
    [1]  IPv6 UDP       fe80::/10   546    fe80::/10     546    *         *          allow dhcpv6 client in WAN
    [2]  IPv4+6 UDP     *           547    *             546    *         *          allow dhcpv6 client in WAN
    [3]  IPv4+6 UDP     *           546    *             547    *         *          allow dhcpv6 client in WAN
    [4]  IPv4+6 UDP     *           67     *             68     *         *          allow DHCP client on WAN
    [5]  IPv4+6 UDP     *           68     *             67     *         *          allow DHCP client on WAN

I understand rule [1], as it's on the link-local address (which is used for IPv6, AIUI).

But for [2], [3], [4] and [5], is there a risk with these rules as they use the wildcard address and are not restricted to the link-local address (for IPv6) or the broadcast address (for IPv4)?

Is there a risk with these rules that someone on the internet could inject malicious packets to clients on their DHCP client port (or indeed to the DHCPv6 server on the LAN interface)? I've almost certainly missed something here, but I'm keen to understand!

Thanks,
Matt.
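As an added illustration (not from the post and not OPNsense's own pf configuration), here is a small Python model of the five rules exactly as listed above, used to check which sample UDP packets they would admit. It deliberately ignores pf state tracking and interface binding, so it only shows what the rule table itself matches; the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    families: tuple    # address families the rule applies to: (6,) or (4, 6)
    src: str           # source network, or "*" for any
    sport: int         # source port
    dst: str           # destination network, or "*" for any
    dport: int         # destination port
    descr: str


# Transcription of the default rules quoted in the post (ports are UDP).
RULES = [
    Rule(1, (6,), "fe80::/10", 546, "fe80::/10", 546, "allow dhcpv6 client in WAN"),
    Rule(2, (4, 6), "*", 547, "*", 546, "allow dhcpv6 client in WAN"),
    Rule(3, (4, 6), "*", 546, "*", 547, "allow dhcpv6 client in WAN"),
    Rule(4, (4, 6), "*", 67, "*", 68, "allow DHCP client on WAN"),
    Rule(5, (4, 6), "*", 68, "*", 67, "allow DHCP client on WAN"),
]


def _addr_matches(pattern: str, addr) -> bool:
    """'*' matches any address; otherwise the address must lie in the network."""
    if pattern == "*":
        return True
    return addr in ipaddress.ip_network(pattern)


def first_match(src: str, sport: int, dst: str, dport: int):
    """Return the id of the first rule that admits this UDP packet, or None.

    Rules are evaluated top to bottom, first match wins (pf 'quick' semantics
    are assumed here for simplicity).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        return None
    for r in RULES:
        if s.version not in r.families:
            continue
        if (_addr_matches(r.src, s) and _addr_matches(r.dst, d)
                and r.sport == sport and r.dport == dport):
            return r.rule_id
    return None


if __name__ == "__main__":
    # An off-link IPv4 source with src port 67 -> dst port 68 matches rule [4]
    # because the rule's source address is the wildcard, which is the asker's point.
    print(first_match("203.0.113.1", 67, "198.51.100.10", 68))   # 4
    print(first_match("fe80::1", 546, "fe80::2", 546))            # 1
    print(first_match("203.0.113.1", 1234, "198.51.100.10", 68))  # None
```

Only the port pair is checked for rules [2] to [5], so a packet from any source with the right ports is admitted by the table; whether it is actually delivered on a real OPNsense box also depends on pf state and the interface the rule is bound to.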
Title: Re: DHCP firewall default rules
Post by: Gauss23 on October 20, 2020, 07:57:49 am
If you enable the DHCP client on WAN, these ports need to be open. Where should the IP be coming from?

With a static IP enabled, those rules are gone.