DHCP firewall default rules

[mjholgate]

Hi there,

Apologies - this is a dumb newbie question, but I'm trying to get my head around the default firewall rules for DHCP (v4 and v6):

[1] IPv6 UDP   fe80::/10   546   fe80::/10   546   *   *   allow dhcpv6 client in WAN   
[2] IPv4+6 UDP   *   547   *   546   *   *   allow dhcpv6 client in WAN   
[3] IPv4+6 UDP   *   546   *   547   *   *   allow dhcpv6 client in WAN   
[4] IPv4+6 UDP   *   67   *   68   *   *   allow DHCP client on WAN   
[5] IPv4+6 UDP   *   68   *   67   *   *   allow DHCP client on WAN

I understand rule [1] - as it's on the link local address (which is used for IPv6 AIUI).

But for [2], [3], [4] and [5] is there a risk with these rules as they use the wildcard address - and are not restricted to the link local address (for IPv6) or the broadcast address (for IPv4)?

Is there a risk with these rules that someone could someone on the internet inject malicious packets to clients on their DHCP client port (or indeed to the DHCPv6 server on the LAN interface?). I've almost certainly missed something here but keen to understand!

thanks
Matt.

[Gauss23]

If you enable DHCP client on WAN there is a need to have these ports open. Where should the IP be coming from?

With a static IP enabled, those rules are gone.