Quote:
Originally Posted by
chebarbudo
Indeed, all addresses like 172.16.xxx.2 are DHCP Relay.
I tried to set up a firewall with the help of the administrator but in the end, we had to give up because for some weird reason, the DHCP starts in a way that puts it before the netfilter.
This is to be expected. Here is how DHCP works:
1. A client comes to life. It sends a DHCP-Request packet. This packet is a broadcast (the client has no idea who its server is) and has - of course - no IP address. Therefore packet-filtering based on source- or target-addresses falls short.
2a. If there is a DHCP-server in the same subnet it will either do nothing (if it is not willing to give out a lease for whatever reason) or send the ingredients for the new IP-interface (IP, SNM and whatever is configured in the option fields). This again has to be a broadcast, because the interface still has no IP address at this time.
2b. If there is no DHCP-server on this net a router may be configured as "bootp-relay-agent". (bootp is a subset of DHCP, but essentially the same protocol). It will relay all the broadcasts involved in this case, otherwise see 2a.
3. Once the client receives the lease data, it configures its interface and sends a DHCP-ACK(nowledge) back to the server. The rest of the communication is normal IP-traffic, not broadcasts.
If you want to block DHCP you cannot base it on addresses, because there are none for a significant part of the communication (ecco!) and if you block it based on protocol you simply shut the aforementioned relay. This will block legitimate as well as unwanted DHCP traffic.
Seems like your only option - since the only problem you have seems to be your logs - is to filter these logs. I suggest some "grep -v".
I hope this helps.
bakunin
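As an added example (this is not code from bakunin's post or from chebarbudo's setup), the following Python script models steps 1 and 2b above: it serializes a DHCPDISCOVER using the fixed BOOTP header from RFC 2131, applies what a relay agent does to the client's broadcast (puts its own address into giaddr and increments hops), lets the server answer with a DHCPOFFER, and reports the IP source/destination each party puts on the wire per RFC 2131 section 4.1. The relay address 172.16.1.2, server 10.0.0.5, offered address 172.16.1.50 and the client MAC are constructed for the example. It shows why a rule keyed on addresses sees 0.0.0.0 to 255.255.255.255 on the client's subnet, while the relayed copy carries the relay's own address (the 172.16.xxx.2 entries in the logs).

```python
"""Minimal DHCP/BOOTP message builder, parser and relay model (RFC 2131/2132).
Added example; addresses and the MAC below are constructed, not from the thread."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5   # option 53 values, RFC 2132
OPT_SUBNET_MASK, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 53, 54, 255
FLAG_BROADCAST = 0x8000
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header: 236 bytes, then the cookie


def build(op, xid, chaddr, options, *, hops=0, flags=FLAG_BROADCAST,
          ciaddr="0.0.0.0", yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Serialize one DHCP message; `options` is a list of (code, value_bytes)."""
    a = socket.inet_aton
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags,
                      a(ciaddr), a(yiaddr), a(siaddr), a(giaddr),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(msg):
    """Return header fields (addresses as dotted quads) plus options {code: bytes}."""
    names = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
             "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
    d = dict(zip(names, struct.unpack(HDR, msg[:236])))
    for k in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        d[k] = socket.inet_ntoa(d[k])
    d["chaddr"] = d["chaddr"][:d["hlen"]]
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                 # pad option, no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    d["options"] = opts
    return d


def relay(msg, relay_ip):
    """What a BOOTP relay agent does to a client broadcast before forwarding it:
    record its own interface address in giaddr (only if still unset) and bump hops."""
    d = parse(msg)
    giaddr = relay_ip if d["giaddr"] == "0.0.0.0" else d["giaddr"]
    # byte offsets: hops is byte 3, giaddr is bytes 24..27; everything else is kept verbatim
    return msg[:3] + bytes([d["hops"] + 1]) + msg[4:24] + socket.inet_aton(giaddr) + msg[28:]


def ip_endpoints(msg, server_ip):
    """(src, dst) IP addresses the sender of this message uses (RFC 2131 section 4.1)."""
    d = parse(msg)
    if d["op"] == BOOTREQUEST:
        if d["giaddr"] == "0.0.0.0":
            return ("0.0.0.0", "255.255.255.255")   # client has no address yet: broadcast
        return (d["giaddr"], server_ip)             # relayed copy: unicast from the relay
    if d["giaddr"] != "0.0.0.0":
        return (server_ip, d["giaddr"])             # reply goes back to the relay agent
    if d["ciaddr"] != "0.0.0.0":
        return (server_ip, d["ciaddr"])             # renewing client already has an address
    if d["flags"] & FLAG_BROADCAST:
        return (server_ip, "255.255.255.255")       # client asked for a broadcast reply
    return (server_ip, d["yiaddr"])                 # unicast to the not-yet-configured address


def demo():
    """DISCOVER from a fresh client, relayed by 172.16.1.2 to a server at 10.0.0.5,
    answered with an OFFER. Returns what each hop shows on the wire."""
    client_mac = bytes.fromhex("001122334455")           # constructed
    server = "10.0.0.5"                                   # constructed
    discover = build(BOOTREQUEST, 0x3903F326, client_mac,
                     [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    relayed = relay(discover, "172.16.1.2")               # constructed relay address
    req = parse(relayed)
    offer = build(BOOTREPLY, req["xid"], client_mac,
                  [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                   (OPT_SUBNET_MASK, socket.inet_aton("255.255.255.0")),
                   (OPT_SERVER_ID, socket.inet_aton(server))],
                  yiaddr="172.16.1.50", siaddr=server,
                  giaddr=req["giaddr"], flags=req["flags"])
    return {
        "client_to_wire": ip_endpoints(discover, server),
        "relay_to_server": ip_endpoints(relayed, server),
        "server_to_relay": ip_endpoints(offer, server),
        "relay_hops": req["hops"],
        "relay_giaddr": req["giaddr"],
        "offer_type": parse(offer)["options"][OPT_MSG_TYPE][0],
        "offered_ip": parse(offer)["yiaddr"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The client's DISCOVER leaves as 0.0.0.0 to 255.255.255.255, so any address-based rule on that segment has nothing to match; only after the relay rewrites giaddr does a real source address (here 172.16.1.2) appear, which is the address the logs record. A filter that matches on UDP ports 67/68 instead of addresses would catch both the client broadcast and the relayed unicast copy, which is the trade-off the post describes.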