Firewalling a DHCP client the Right Way (TM)

I have a DHCP client that receives a lot of its networking information
from our DHCP servers. Things like routers, mail and name servers. I
would like to put an iptables-based packet filtering firewall on this
client that by default drops everything unless explicitly allowed.

I set the default policy through a script in /etc/network/if-pre-up.d/
and add logging of everything that is dropped as a result of policy by
means of a script in /etc/network/if-up.d/. So far no problems.

Now I am wondering how to organise setting up the rest of the rules so
I don't go nuts. If it weren't for DHCP, I would have just added more
scripts in /etc/network/if-up.d/. Of course, you need to take care of
their ordering and cater to the possibility of running more than once
if you have multiple interfaces, but that is manageable.

However, how do I cater to DHCP telling me that the IP address of the
name server has changed, for example, or, tux forbid, the client's own
IP address? Any ideas on how to go about this are welcome.

Debian GNU/Linux 3.0
kernel 2.4.18 (custom), iptables 1.2.5-7, dhcp-client 2.0pl5-7

Olaf Meeuwissen Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2 -- I hack, therefore I am -- BOFH
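
One way to handle the lease changes asked about above, added here as an example and not part of the original post: keep every rule that depends on DHCP data in two dedicated chains and rebuild them from a dhclient hook whenever the lease changes. It assumes a dhclient-script that sources an exit hook and exports `reason`, `new_ip_address` and `new_domain_name_servers` (as ISC dhclient 3 and later do), the hypothetical chain names `dhcp-out` and `dhcp-in`, and a kernel with the `state` match.

```shell
#!/bin/sh
# Added example: body for a dhclient exit hook (assumed path /etc/dhclient-exit-hooks).
# Assumes the static if-up.d rules created the two chains once and jump to them:
#   iptables -N dhcp-out; iptables -A OUTPUT -j dhcp-out
#   iptables -N dhcp-in;  iptables -A INPUT  -j dhcp-in
IPT=${IPT:-iptables}      # override with IPT="echo iptables" for a dry run
CHAIN_OUT=dhcp-out        # hypothetical chain names
CHAIN_IN=dhcp-in

# Lease values come off the network: accept only a plain dotted quad.
valid_ip() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Rebuild the DHCP-dependent rules from the variables dhclient-script exports.
dhcp_fw_update() {
    $IPT -F "$CHAIN_OUT"
    $IPT -F "$CHAIN_IN"
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 0 ;;        # no usable lease: chains stay empty, policy DROP applies
    esac
    valid_ip "${new_ip_address:-}" || return 1
    for ns in ${new_domain_name_servers:-}; do
        valid_ip "$ns" || continue      # skip anything that is not an address
        for proto in udp tcp; do
            $IPT -A "$CHAIN_OUT" -p "$proto" -s "$new_ip_address" -d "$ns" \
                --dport 53 -j ACCEPT
            $IPT -A "$CHAIN_IN" -p "$proto" -s "$ns" -d "$new_ip_address" \
                --sport 53 -m state --state ESTABLISHED -j ACCEPT
        done
    done
}

# dhclient-script sets $reason before sourcing the hook; do nothing otherwise.
if [ -n "${reason:-}" ]; then dhcp_fw_update; fi
```

Because the chains are flushed and refilled on every lease event, a changed name server or client address never leaves a stale ACCEPT rule behind, and the if-up.d scripts only need to hold the rules that do not depend on DHCP.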