[Dnsmasq-discuss] Firestarter interference

Andrew Greig agreig at gmail.com
Fri Sep 16 21:41:51 BST 2005


Hi folks.

This email is primarily to document my learning, to hopefully save 
someone else some time and frustration getting Firestarter and dnsmasq 
working together.  As seems to be a common problem, my firewall was 
preventing dnsmasq from working as a LAN DHCP server.

By default Firestarter (naturally) denies all inbound connections, so I 
attempted to whitelist DHCP packets by adding 'inbound policy rules'. 
This turned out to be futile, as Firestarter doesn't consider broadcast 
DHCP packets as 'inbound' since it doesn't recognise the destination IP 
(255.255.255.255) as belonging to the host.  Thus they were classed as 
'Unknown' and discarded, regardless of policy rules.

My troubleshooting was complicated by an advanced option I had enabled, 
titled "Block broadcasts from external network", which actually dropped 
broadcasts on *all* interfaces. I believe this is a bug and will be 
following it up.

Firestarter has an explicit option to "Enable DHCP for the local 
network"; however, this turned out to just (re)start ISC dhcpd if you had 
it installed.  No firewall rules related to the protocol are added by 
this option, so it seems a bit of a red herring.

My eventual solution was to add the following line to 
/etc/firestarter/user-pre to explicitly allow the DHCP broadcasts early 
in the INPUT table:

$IPT -A INPUT -i $INIF -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT

I hope this tale didn't bore you all too much, and will be useful to 
someone :)

Cheers,
Andrew Greig
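A follow-up check that goes with the rule above. This is an added example, not part of Andrew's post or of Firestarter itself: since the whole point of putting the rule in user-pre is that it lands *ahead* of Firestarter's catch-all drop, it helps to verify the final chain order rather than trust the script. The function below takes iptables-save style text and reports the position of the first INPUT rule accepting UDP 68 -> 67 to 255.255.255.255 and the position of the first unconditional DROP/REJECT in INPUT; it succeeds only when the accept comes first. The two rulesets and the interface name eth1 are constructed samples so it runs offline; on a live box you would feed it `iptables-save -t filter` instead.

```shell
#!/bin/sh
# Added example (not from the original post): check that a DHCP-allow rule
# sits in the INPUT chain ahead of any blanket DROP/REJECT. Input is
# iptables-save style text; both samples below are constructed.

# Hypothetical `iptables-save -t filter` output with the user-pre rule in
# place. iptables-save prints single-host -s/-d arguments with a /32 suffix.
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p udp -s 0.0.0.0/32 -d 255.255.255.255/32 --sport 68 --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Same rule, but appended after the catch-all drop: DHCP still breaks.
SAMPLE_BAD='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -i eth1 -p udp -s 0.0.0.0/32 -d 255.255.255.255/32 --sport 68 --dport 67 -j ACCEPT
COMMIT'

# dhcp_rule_position RULESET
# Prints "<accept-index> <drop-index>" (1-based positions within the INPUT
# chain, 0 if absent). Exit status 0 iff the accept exists and precedes any
# unconditional DROP/REJECT, i.e. broadcast DHCP requests will get through.
dhcp_rule_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            n++
            if ($0 ~ /-p udp/ && $0 ~ /--sport 68/ && $0 ~ /--dport 67/ &&
                $0 ~ /255\.255\.255\.255/ && $0 ~ /-j ACCEPT/ && !acc) acc = n
            if ($0 ~ /^-A INPUT -j (DROP|REJECT)/ && !drop) drop = n
        }
        END {
            printf "%d %d\n", acc, drop
            exit !(acc && (drop == 0 || acc < drop))
        }'
}

# Stand-alone usage: report on both constructed samples.
for s in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if pos=$(dhcp_rule_position "$s"); then
        echo "ok  (accept drop) = $pos"
    else
        echo "BAD (accept drop) = $pos"
    fi
done
```

The match deliberately keys on the protocol, ports and broadcast destination rather than on the interface variable, because Firestarter expands $INIF to whatever the internal interface is called on that host; pipe in real `iptables-save -t filter` output after restarting Firestarter to confirm the rule survived the restart and kept its position.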
