Andrew Greig wrote:

Firestarter has an explicit option to "Enable DHCP for the local network" however this turned out to just (re)start ISC dhcpd if you had it installed. No firewall rules related to the protocol are added by this option, so it seems a bit of a red herring.



This is an ongoing source of confusion. In the spirit of Andrew's excellent post, I'll try and explain here what's happening, for future reference.

The ISC dhcpd, at least on Linux, uses the Linux Packet Filter to do most network access. This is a very low level facility which just delivers raw copies of packets, before any of the network stack processing. The LPF is so low-level that it gets packets before the iptables firewall code, hence iptables rules don't affect delivery of packets to the ISC dhcpd, and there's no need for firewall designers to worry about the strange source and destination addresses which are encountered in some legitimate DHCP packets.

On the other hand, dnsmasq (and, at least, udhcpd) use the normal IP network stack for receiving DHCP packets. They are therefore affected by iptables rules, and any firewall design has to allow for DHCP packets with strange addresses.

Cheers,

Simon.
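As an added illustration of Simon's last point (this script is not from the thread or from the dnsmasq project), the rules below are what a firewall has to carry for a DHCP server that receives through the normal IP stack, such as dnsmasq or udhcpd. An unconfigured client sends its DISCOVER/REQUEST as UDP from 0.0.0.0 port 68 to 255.255.255.255 port 67, so a rule that only accepts traffic from the LAN subnet silently drops it; the ISC dhcpd never hits this because the Linux Packet Filter hands it the frame before iptables. The interface name `eth0` and subnet `192.168.1.0/24` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emits (and, as root with
# iptables present, applies) the INPUT/OUTPUT rules a dnsmasq/udhcpd-style DHCP
# server needs. LAN_IF and LAN_NET are assumed values; override via environment.
LAN_IF="${LAN_IF:-eth0}"                # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed LAN subnet

# Print the rule arguments (without the iptables binary) so they can be
# inspected, diffed against a running ruleset, or applied.
dhcp_server_rules() {
    # Unconfigured clients: source 0.0.0.0, destination limited broadcast.
    # A plain "-s $LAN_NET" rule never matches this packet.
    echo "-A INPUT -i $LAN_IF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT"
    # Renewing clients already hold a LAN address and unicast to the server.
    echo "-A INPUT -i $LAN_IF -p udp -s $LAN_NET --sport 68 --dport 67 -j ACCEPT"
    # Server replies (OFFER/ACK) go to port 68, often to 255.255.255.255.
    echo "-A OUTPUT -o $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT"
}

# Apply with iptables when available and running as root; otherwise just print.
apply_dhcp_rules() {
    if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        dhcp_server_rules | while read -r rule; do
            # shellcheck disable=SC2086
            iptables $rule
        done
    else
        dhcp_server_rules
    fi
}

# Self-check helper: succeeds when (src dst sport dport) is the address/port
# combination of an unconfigured client's DHCP request, i.e. what the first
# INPUT rule above is there to match.
matches_dhcp_broadcast() {
    [ "$1" = "0.0.0.0" ] && [ "$2" = "255.255.255.255" ] \
        && [ "$3" = "68" ] && [ "$4" = "67" ]
}

apply_dhcp_rules
```

Run it once unprivileged to review the three rules, then as root to install them; the subnet rule alone is the common mistake, because the broadcast request from a fresh client carries neither a LAN source nor a unicast destination.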
