Re: [Openvpn-users] Blocking DHCP


  • Subject: Re: [Openvpn-users] Blocking DHCP
  • From: "Dave Lau" <dlau@xxxxxxxxxxxxxx>
  • Date: Thu, 11 Sep 2003 08:51:14 -0500

I don't think you are going to get this to work - DHCP (at least as
implemented by ISC) uses raw sockets instead of TCP or UDP, and all packets
are received before iptables processes them.  As a result, iptables can't
match on these packets simply by looking at UDP 67 and 68.  You might be
able to make something work, but nothing leaps immediately to mind.  This
isn't just an OpenVPN / bridging issue, either... set up a DHCP server on
your local network, and block UDP 67 and 68 with shorewall.  Then, fire up a
client.  Contrary to intuition, the client will happily pull an IP address
from your DHCP server even though you've got 67 and 68 blocked.

I guess the easiest solution would be to route instead of bridge, but of
course I don't know anything about your intended use of OpenVPN, so maybe
this isn't even an option for you.  But at least it would solve the DHCP
dilemma...

-Dave

----- Original Message ----- 
From: "Dave B" <dragin33@xxxxxxxxxxx>
To: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, September 10, 2003 3:15 AM
Subject: [Openvpn-users] Blocking DHCP


> Now that I have my VPN up and working with broadcast support I want to block
> DHCP from crossing the network as I have two DHCP servers set up for
> different scopes and don't want the clients to get mixed up.  I tried all
> sorts of things with shorewall's rules trying to block ports 67 & 68 but
> just can't get it to go with the bridge.  Is there any way that I can block
> this within OpenVPN?


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
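
The reply above says the DHCP packets are picked up from raw sockets before iptables sees them, so a filter for this traffic has to recognise DHCP in the Ethernet frame itself. The following is an added illustration, not code from the thread or from OpenVPN: it shows the checks such a frame-level match needs (VLAN tags, variable IP header length, fragments). The function names and the sample frames are constructed for this example.

```python
import struct

DHCP_PORTS = {67, 68}  # bootps (server) and bootpc (client)

def is_dhcp_frame(frame: bytes) -> bool:
    """True if a raw Ethernet frame carries IPv4/UDP to or from port 67/68."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    # Step over 802.1Q / 802.1ad tags; a match at a fixed offset misses tagged frames.
    while ethertype in (0x8100, 0x88A8):
        if len(frame) < offset + 4:
            return False
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return False
    version, ihl = frame[offset] >> 4, (frame[offset] & 0x0F) * 4
    if version != 4 or ihl < 20:
        return False
    if frame[offset + 9] != 17:          # IP protocol field: 17 = UDP
        return False
    frag = struct.unpack_from("!H", frame, offset + 6)[0]
    if frag & 0x1FFF:                    # later fragment: no UDP header to read
        return False
    udp = offset + ihl                   # IP options shift the UDP header
    if len(frame) < udp + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, udp)
    return sport in DHCP_PORTS or dport in DHCP_PORTS

def build_frame(sport, dport, vlan=None, proto=17):
    """Constructed sample: broadcast Ethernet + minimal IPv4 + 8-byte L4 header."""
    eth = b"\xff" * 6 + bytes.fromhex("020000000001")
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(4), b"\xff" * 4)
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

if __name__ == "__main__":
    for label, f in [("DHCP discover", build_frame(68, 67)),
                     ("DHCP on VLAN 10", build_frame(68, 67, vlan=10)),
                     ("DNS query", build_frame(40000, 53))]:
        print(f"{label:16} -> {'DHCP' if is_dhcp_frame(f) else 'other'}")
```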