[Dnsmasq-discuss] Firestarter interference

Simon Kelley simon at thekelleys.org.uk
Fri Sep 16 22:09:32 BST 2005

Andrew Greig wrote:

> Firestarter has an explicit option to "Enable DHCP for the local 
> network" however this turned out to just (re)start ISC dhcpd if you had 
> it installed.  No firewall rules related to the protocol are added by 
> this option, so it seems a bit of a red herring.

This is an ongoing source of confusion. In the spirit of Andrew's 
excellent post, I'll try and explain here what's happening, for future 

The ISC dhcpd, at least on Linux, uses the Linux Packet Filter to do 
most network access. This is a very low level facility which just 
delivers raw copies of packets, before any of the network stack 
processing. The LPF is so low-level that it gets packets before the 
iptables firewall code, hence iptables rules don't affect delivery of 
packets to the ISC dhcpd, and there's no need for firewall designers to 
worry about the strange source and destination addresses which are 
encountered in some legitimate DHCP packets.

On the other hand, dnsmasq (and, at least, udhcpd) use the normal IP 
network stack for receiving DHCP packets. They are therefore affected by 
iptables rules, and any firewall design has to allow for DHCP packets 
with strange addresses.
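As an added illustration of the last paragraph (this is not code from Simon's post or from the dnsmasq project), the following shell snippet generates the iptables rules a firewall needs so that a dnsmasq DHCP server actually receives the "strange" DHCP packets: a fresh client sends its DISCOVER from 0.0.0.0 port 68 to 255.255.255.255 port 67, and the server's OFFER may go back to the broadcast address. The interface name `lan0` is an assumption; the rules match on UDP ports and interface only, never on IP addresses, and are restricted to the LAN interface so DHCP is not opened towards the outside.

```shell
#!/bin/sh
# Added example: iptables rules for a dnsmasq DHCP server on the LAN side.
# ISC dhcpd reads packets via LPF below iptables, so it needs none of this;
# dnsmasq uses ordinary UDP sockets and only sees what INPUT accepts.
# "lan0" is an assumed interface name; pass your own.

# Print (do not execute) the rules for one interface, so they can be
# reviewed, or unit-tested, without root privileges.
dhcp_rules() {
    iface="$1"
    # Inbound DISCOVER/REQUEST: source 0.0.0.0:68, destination 255.255.255.255:67.
    # Do not rely on a stateful ESTABLISHED,RELATED rule for these; match on
    # ports and interface only, because the source address is not yet valid.
    echo "iptables -A INPUT  -i $iface -p udp --sport 68 --dport 67 -j ACCEPT"
    # Outbound OFFER/ACK: may be sent to 255.255.255.255:68 before the client
    # has an address, so match ports, not destination address.
    echo "iptables -A OUTPUT -o $iface -p udp --sport 67 --dport 68 -j ACCEPT"
}

# Number of ACCEPT rules generated for an interface (used as a sanity check).
dhcp_rule_count() {
    dhcp_rules "$1" | grep -c ACCEPT
}

# Apply the generated rules; this part needs root and a Linux host with iptables.
apply_dhcp_rules() {
    dhcp_rules "$1" | while read -r rule; do
        sh -c "$rule"
    done
}

# Usage (review first, then apply as root):
#   dhcp_rules lan0
#   apply_dhcp_rules lan0
```

Keep the rules tied to the LAN interface (`-i`/`-o`); a DHCP server listening on an interface that faces an untrusted network is a misconfiguration in its own right, regardless of which server implementation is used.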
