OPNsense Forum » English Forums » General Discussion » DHCP firewall default rules
Topic: DHCP firewall default rules (Read 3993 times)
mjholgate (Newbie, Posts: 12, Karma: 0)
DHCP firewall default rules
« on: October 18, 2020, 12:38:58 am »
Hi there,
Apologies - this is a dumb newbie question, but I'm trying to get my head around the default firewall rules for DHCP (v4 and v6):
     Family  Proto  Source     Port  Destination  Port  Gateway  Schedule  Description
[1]  IPv6    UDP    fe80::/10  546   fe80::/10    546   *        *         allow dhcpv6 client in WAN
[2]  IPv4+6  UDP    *          547   *            546   *        *         allow dhcpv6 client in WAN
[3]  IPv4+6  UDP    *          546   *            547   *        *         allow dhcpv6 client in WAN
[4]  IPv4+6  UDP    *          67    *            68    *        *         allow DHCP client on WAN
[5]  IPv4+6  UDP    *          68    *            67    *        *         allow DHCP client on WAN
I understand rule [1] - as it's on the link local address (which is used for IPv6 AIUI).
But for [2], [3], [4] and [5], is there a risk with these rules, as they use the wildcard address and are not restricted to the link-local address (for IPv6) or the broadcast address (for IPv4)?
Is there a risk with these rules that someone on the internet could inject malicious packets to clients on their DHCP client port (or indeed to the DHCPv6 server on the LAN interface)? I've almost certainly missed something here, but I'm keen to understand!
thanks
Matt.
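To make the scope of the five rules in the post concrete, here is an added example (not OPNsense code, and not from the poster) that models only the fields shown in the rule list, source, ports and destination, and reports which rule a constructed UDP packet would match. It ignores interface, direction and pf state tracking, so it shows what the listed fields alone permit.

```python
import ipaddress

# The five rules exactly as listed in the post:
# (id, family, source net, source port, destination net, destination port). "*" = any.
RULES = [
    ("1", "IPv6",   "fe80::/10", 546, "fe80::/10", 546),
    ("2", "IPv4+6", "*",         547, "*",         546),
    ("3", "IPv4+6", "*",         546, "*",         547),
    ("4", "IPv4+6", "*",         67,  "*",         68),
    ("5", "IPv4+6", "*",         68,  "*",         67),
]

def _in_net(addr, net):
    # Wildcard matches any address; otherwise require membership in the prefix.
    return net == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _family_ok(rule_family, addr):
    # "IPv4+6" rules apply to both families; "IPv6" rules only to IPv6 packets.
    version = ipaddress.ip_address(addr).version
    return rule_family == "IPv4+6" or (rule_family == "IPv6" and version == 6)

def match(src, sport, dst, dport):
    """Return the id of the first listed rule that allows a UDP packet, else None."""
    for rid, fam, snet, sp, dnet, dp in RULES:
        if (_family_ok(fam, src) and _in_net(src, snet) and sport == sp
                and _in_net(dst, dnet) and dport == dp):
            return rid
    return None

# Constructed sample packets (documentation-range addresses), all UDP.
SAMPLES = {
    # link-local to link-local on 546: the narrow rule [1] already covers this
    "v6_linklocal": ("fe80::1", 546, "fe80::2", 546),
    # DHCPv6 server->client ports from a global address: only wildcard rule [2] matches
    "v6_global": ("2001:db8::1", 547, "2001:db8::2", 546),
    # DHCPv4 server->client ports unicast to the WAN address: rule [4]
    "v4_offer": ("198.51.100.1", 67, "203.0.113.5", 68),
    # same ports from any other source: rule [4] matches too, since the source is "*"
    "v4_any_src": ("192.0.2.9", 67, "203.0.113.5", 68),
    # unrelated UDP traffic: none of the DHCP rules match
    "v4_other": ("192.0.2.9", 53, "203.0.113.5", 5353),
}

def evaluate():
    """Map each sample packet name to the rule id that allows it (or None)."""
    return {name: match(*pkt) for name, pkt in SAMPLES.items()}
```

The output makes the question's point visible: for rules [2] to [5] the only thing restricting a packet is the UDP port pair, so any source-address restriction has to come from elsewhere (pf state, interface binding) rather than from these fields.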
Gauss23 (Hero Member, Posts: 766, Karma: 39)
Re: DHCP firewall default rules
« Reply #1 on: October 20, 2020, 07:57:49 am »
If you enable DHCP client on WAN there is a need to have these ports open. Where should the IP be coming from?
With a static IP enabled, those rules are gone.
„The S in IoT stands for Security!“