DHCP/DHCPv6 automatically configured firewall rules

Started by incorrect, July 05, 2020, 02:10:41 PM

Is there a reason IPv4 UDP ports 546/547 and IPv6 UDP ports 67/68 are added automatically as allow when DHCP/DHCPv6 are used on an interface?

July 05, 2020, 11:17:23 PM #1 Last Edit: July 05, 2020, 11:24:24 PM by marjohn56
Think about it... what ports do dhcp and dhcp6 use? Now what would happen if the ports were closed?
Very easily googled..
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

I understand why IPv4 UDP 67/68 and IPv6 UDP 546/547 need to be permitted, but as far as I'm aware DHCP doesn't use IPv6 and DHCPv6 doesn't use IPv4. The rules should match what the protocols use and require.
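The mismatch described above (IPv4 rules carrying the DHCPv6 ports and IPv6 rules carrying the DHCPv4 ports) is easy to spot mechanically. The script below is an added example, not code from OPNsense or from anyone in this thread; it audits pf-style rule lines for UDP rules whose address family (`inet`/`inet6`) does not match the DHCP port range they allow. The sample rules are constructed for the example and only imitate the shape of generated rules; the regular expressions assume the `pass in quick on <if> <family> proto <proto> ... port <a>:<b>` layout shown in the sample.

```python
import re

# Constructed pf-style rules that mirror the thread's complaint: the first two are
# family-correct, the next two pair the wrong family with the DHCP port range, and
# the last one is unrelated (not actual OPNsense output).
SAMPLE_RULES = """
pass in quick on em0 inet proto udp from any port 67:68 to any port 67:68 label "allow DHCP client"
pass in quick on em0 inet6 proto udp from fe80::/10 port 546:547 to any port 546:547 label "allow DHCPv6 client"
pass in quick on em0 inet proto udp from any port 546:547 to any port 546:547 label "DHCPv6 ports on inet"
pass in quick on em0 inet6 proto udp from any port 67:68 to any port 67:68 label "DHCPv4 ports on inet6"
pass in quick on em0 inet proto tcp from any to any port 22 label "ssh"
"""

# The port range each DHCP flavour legitimately uses, keyed by pf address family.
DHCP_PORTS = {"inet": {67, 68}, "inet6": {546, 547}}
ALL_DHCP_PORTS = DHCP_PORTS["inet"] | DHCP_PORTS["inet6"]

RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<iface>\S+)\s+"
    r"(?P<family>inet6?)\s+proto\s+(?P<proto>\w+)"
)
PORT_RE = re.compile(r"\bport\s+(\d+)(?::(\d+))?")


def expand_ports(spec):
    """Turn '67' or '67:68' into the set of ports it covers."""
    low, _, high = spec.partition(":")
    return set(range(int(low), int(high or low) + 1))


def parse_rule(line):
    """Extract family, protocol and every port mentioned; None if not a pass rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    ports = set()
    for low, high in PORT_RE.findall(line):
        ports |= expand_ports(f"{low}:{high}" if high else low)
    return {
        "iface": m.group("iface"),
        "family": m.group("family"),
        "proto": m.group("proto").lower(),
        "ports": ports,
        "rule": line.strip(),
    }


def audit_rules(text):
    """Return one finding per UDP rule that allows DHCP ports of the other family."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["proto"] != "udp":
            continue
        dhcp_ports = rule["ports"] & ALL_DHCP_PORTS
        wrong = dhcp_ports - DHCP_PORTS[rule["family"]]
        if wrong:
            findings.append({
                "iface": rule["iface"],
                "family": rule["family"],
                "wrong_ports": wrong,
                "rule": rule["rule"],
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['iface']} {f['family']}: ports {sorted(f['wrong_ports'])} "
              f"do not belong to this family -> {f['rule']}")
```

Running it lists only the two family/port mismatches; the family-correct DHCP rules and the unrelated TCP rule produce no findings. The check is deliberately narrow: it compares address family against port range only, which is exactly the objection raised in this thread.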

Good point, never noticed that.. Perhaps Franco or Ad can answer.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

I'm sure they will fix this issue. Something I noticed for a while now is that there isn't enough coding logic to remove unnecessary automatically generated IPv4+v6 rules when IPv6 is disabled.

DHCP relay agents (DHCPv4 over IPv6, vice versa) would use these ports afaik.

I've tried to find reference in the relevant RFCs which explicitly permit this, but from my reading it is at least implied DHCP is restricted to transport via IPv4 and DHCPv6 via IPv6.

Is there any supporting documentation which specifies otherwise?

Is there an example of this being implemented outside of the formal specifications?