The university DHCP service is compatible with departmental/college firewalls, although some care must be taken not to filter legitimate DHCP traffic. This document looks at DHCP traffic at a packet level and shows the minimum firewall rules needed to permit correct operation of clients on a subnet with the central servers.
UDP 0.0.0.0:68 (00:00:39:1C:0C:32) > 255.255.255.255:67 (FF:FF:FF:FF:FF:FF) DHCP DISCOVER
At this point the client has no IP address and so uses a source address of
0.0.0.0 and source port of 68 (often referred
bootpc, the BOOTP client port - BOOTP being the
forerunner of DHCP). The packet is sent as a UDP broadcast on port 67
bootps). Normally this packet will be seen by any host on
the local subnet.
Because the OUCS DHCP Service has two servers acting for many
different subnets, the packets must be passed from the local subnet to the
servers at OUCS. This is done at the router, which will forward any
broadcast packet received on an interface to the central DHCP servers
188.8.131.52: any change to
their IP addresses will be announced in advance on the itss-announce
mailing list). The forwarding
is performed as unicast packets from the router to each server in turn.
Because the central DHCP service is provided by two DHCP servers, normally a client will receive two offers of an IP address in response to its initial DISCOVER request. There are exceptions if one server is down, or has no free addresses available.
Because the DHCP servers see the request as originating from the router
address, they will return it to the router interface on the subnet in
question. The router is responsible for forwarding the responses to the
client. For a client on the
subnet, the reponses will be along the following lines:
UDP 184.108.40.206:67 (00:D0:BC:00:11:22) > 220.127.116.11:68 (00:00:39:1C:0C:32) DHCP OFFER UDP 18.104.22.168:67 (00:D0:BC:00:11:22) > 22.214.171.124:68 (00:00:39:1C:0C:32) DHCP OFFER
Note that the destination IP address is that which the server is offering to the client while the destination MAC address is that of the client's network interface. Thus the packet will reach the client even though it does not yet have its IP address.
This stage is similar to the first, except that the client now requests a particular IP address from the DHCP server. Additionally, some clients will use this method to request the IP address they previously used (for instance last bootup); if it is denied (DHCP NAK) they will fall back to the first stage.
UDP 0.0.0.0:68 (00:00:39:1C:0C:32) > 255.255.255.255:67 (FF:FF:FF:FF:FF:FF) DHCP REQUEST
Here the server acknowledges the client's request for an IP address. The basics of the packet are the same as for a DHCP OFFER. Once a client receives this packet, it keeps the IP address given until the expiry of the DHCP lease or until it sends a subsequent DHCP request.
UDP 126.96.36.199:67 (00:D0:BC:00:11:22) > 188.8.131.52:68 (00:00:39:1C:0C:32) DHCP ACK
This is similar to the first DHCP REQUEST but with a crucial difference: the client knows its IP address and that of the server. As the DHCP server is on a different subnet, requests bear the MAC address of the router.
UDP 184.108.40.206:68 (00:00:39:1C:0C:32) > 220.127.116.11:67 (00:D0:BC:00:11:22) DHCP REQUEST UDP 18.104.22.168:67 (00:D0:BC:00:11:22) > 22.214.171.124:68 (00:00:39:1C:0C:32) DHCP ACKA DHCP NAK may be returned by the DHCP server if the lease cannot be renewed, at which point the client should abandon its IP address (and may send a DHCPDISCOVER).
A bridging firewall should permit the following packets to pass. We again assume the 126.96.36.199/255.255.254.0 subnet with gateway 188.8.131.52; you will need to replace these with your own network, netmask and gateway addresses.
UDP 0.0.0.0 68 > 255.255.255.255 67 UDP 184.108.40.206/255.255.254.0 > 220.127.116.11 67 UDP 18.104.22.168/255.255.254.0 > 22.214.171.124 67
UDP 126.96.36.199 67 > 188.8.131.52/255.255.254.0 68 UDP 184.108.40.206 67 > 220.127.116.11/255.255.254.0 68 UDP 18.104.22.168 67 > 22.214.171.124/255.255.254.0 68
Routing firewalls are more complicated: the firewall itself will be acting as the gateway for internal hosts and must therefore be able to forward the traffic to the external DHCP servers. If purchasing such a firewall you will need to ensure that it can do this, or else implement your own DHCP server in-house.