DHCP firewall default rules

Started by mjholgate, October 18, 2020, 12:38:58 AM

Hi there,

Apologies - this is a dumb newbie question, but I'm trying to get my head around the default firewall rules for DHCP (v4 and v6):

     Proto       Source      Port  Destination  Port  Gateway  Schedule  Description
[1]  IPv6   UDP  fe80::/10   546   fe80::/10    546   *        *         allow dhcpv6 client in WAN
[2]  IPv4+6 UDP  *           547   *            546   *        *         allow dhcpv6 client in WAN
[3]  IPv4+6 UDP  *           546   *            547   *        *         allow dhcpv6 client in WAN
[4]  IPv4+6 UDP  *           67    *            68    *        *         allow DHCP client on WAN
[5]  IPv4+6 UDP  *           68    *            67    *        *         allow DHCP client on WAN

I understand rule [1] - as it's on the link local address (which is used for IPv6 AIUI).

But for [2], [3], [4] and [5] is there a risk with these rules as they use the wildcard address - and are not restricted to the link local address (for IPv6) or the broadcast address (for IPv4)?

Is there a risk with these rules that someone on the internet could inject malicious packets to clients on their DHCP client port (or indeed to the DHCPv6 server on the LAN interface)? I've almost certainly missed something here but keen to understand!

thanks
Matt.

If you enable DHCP client on WAN there is a need to have these ports open. Where should the IP be coming from?

With a static IP enabled, those rules are gone.
"The S in IoT stands for Security!" :)
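
As an added illustration (not part of this thread and not OPNsense code), here is a small Python evaluator for the five automatic rules quoted in the question. It reports which rule, if any, matches sample UDP packets arriving from a link-local source versus an arbitrary Internet source, lists the rules whose source is the wildcard, and shows that with a static WAN address (the DHCP client off, so the automatic rules are absent, as the reply notes) nothing matches. The packet tuples and addresses are constructed documentation values.

```python
from ipaddress import ip_address, ip_network

# Constructed copy of the five automatic rules quoted in the question:
# (family, proto, source, source port, destination, destination port, label)
RULES = [
    ("IPv6",   "udp", "fe80::/10", 546, "fe80::/10", 546, "[1] allow dhcpv6 client in WAN"),
    ("IPv4+6", "udp", "*",         547, "*",         546, "[2] allow dhcpv6 client in WAN"),
    ("IPv4+6", "udp", "*",         546, "*",         547, "[3] allow dhcpv6 client in WAN"),
    ("IPv4+6", "udp", "*",         67,  "*",         68,  "[4] allow DHCP client on WAN"),
    ("IPv4+6", "udp", "*",         68,  "*",         67,  "[5] allow DHCP client on WAN"),
]

def addr_matches(addr, spec):
    """'*' matches any address; otherwise the address must fall inside the prefix."""
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)

def first_match(pkt, rules=RULES):
    """Return the label of the first rule matching a (proto, src, sport, dst, dport)
    packet, or None when no rule matches (the firewall's default deny)."""
    proto, src, sport, dst, dport = pkt
    family = "IPv6" if ip_address(src).version == 6 else "IPv4"
    for rfamily, rproto, rsrc, rsport, rdst, rdport, label in rules:
        if rfamily not in (family, "IPv4+6") or rproto != proto:
            continue
        if (rsport, rdport) != (sport, dport):
            continue
        if addr_matches(src, rsrc) and addr_matches(dst, rdst):
            return label
    return None

def wildcard_source_rules(rules=RULES):
    """Labels of rules with an unrestricted source: these match any Internet host too."""
    return [r[6] for r in rules if r[2] == "*"]

# Constructed sample packets (documentation addresses), all UDP toward the WAN side.
LINK_LOCAL_DHCPV6 = ("udp", "fe80::1", 546, "fe80::2", 546)         # matched by [1]
GLOBAL_DHCPV6     = ("udp", "2001:db8::1", 547, "2001:db8::2", 546)  # matched by wildcard [2]
INTERNET_DHCPV4   = ("udp", "198.51.100.1", 67, "203.0.113.7", 68)   # matched by wildcard [4]
OTHER_UDP         = ("udp", "198.51.100.1", 53, "203.0.113.7", 68)   # no rule: denied

if __name__ == "__main__":
    for pkt in (LINK_LOCAL_DHCPV6, GLOBAL_DHCPV6, INTERNET_DHCPV4, OTHER_UDP):
        print(pkt, "->", first_match(pkt))
    print("wildcard-source rules:", wildcard_source_rules())
    # Static WAN address: the DHCP client is off and the automatic rules are gone.
    print("static IP:", first_match(INTERNET_DHCPV4, rules=[]))
```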