From 8490e4961886c6fc44bbfcbaa5073484f235208e Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 17 Apr 2014 12:31:27 +0200
Subject: [PATCH] firewall: Explicitely allow DHCP messages.
---
 src/initscripts/init.d/dhcp | 25 +++++++++++++++++++------
 src/initscripts/init.d/firewall | 31 ++++++++++++++++++++++++++-----
 2 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/src/initscripts/init.d/dhcp b/src/initscripts/init.d/dhcp
index abc6b5c8f..bc0abcee6 100644
--- a/src/initscripts/init.d/dhcp
+++ b/src/initscripts/init.d/dhcp
@@ -9,19 +9,30 @@
 . $rc_functions
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
+function flush_chains() {
+ iptables -F DHCPGREENINPUT
+ iptables -F DHCPGREENOUTPUT
+ iptables -F DHCPBLUEINPUT
+ iptables -F DHCPBLUEOUTPUT
+}
+
 case "$1" in
 start)
- iptables -F DHCPBLUEINPUT
+ flush_chains
+
 if [ -e /var/ipfire/dhcp/enable_green ]; then
 devices="${GREEN_DEV}"
+
+ iptables -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT
+ iptables -A DHCPGREENOUTPUT -o "${GREEN_DEV}" -j DHCPOUTPUT
 fi
 if [ -e /var/ipfire/dhcp/enable_blue ]; then
 devices+=" ${BLUE_DEV}"
-
- iptables -A DHCPBLUEINPUT -p tcp --source-port 68 --destination-port 67 -i ${BLUE_DEV} -j ACCEPT > /dev/null 2>&1
- iptables -A DHCPBLUEINPUT -p udp --source-port 68 --destination-port 67 -i ${BLUE_DEV} -j ACCEPT > /dev/null 2>&1
- fi
-
+
+ iptables -A DHCPBLUEINPUT -i "${BLUE_DEV}" -j DHCPINPUT
+ iptables -A DHCPBLUEOUTPUT -o "${BLUE_DEV}" -j DHCPOUTPUT
+ fi
+
 boot_mesg "Starting DHCP Server..."
 loadproc /usr/sbin/dhcpd -q ${devices}
 
@@ -29,6 +40,8 @@ case "$1" in
 ;;
 
 stop)
+ flush_chains
+
 boot_mesg "Stopping DHCP Server..."
 killproc -p /var/run/dhcpd.pid /usr/sbin/dhcpd
 if [ "$(ps -A | grep " dhcpd")" != "" ] ; then
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index f0d9c492a..837178110 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
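Review bot: The four `iptables -A DHCP…` calls in start) and the `iptables -F` calls in flush_chains() operate on chains this script never creates, and their exit status is not checked, so if the chains are absent the script still goes on to start dhcpd with no firewall opening and the failure only shows up at the clients. The chains are created in the firewall initscript's iptables_init() in the same patch, so whether this can happen depends on boot ordering, which the patch does not show; the old code hid such errors behind `> /dev/null 2>&1`, the new code at least prints them, but a guard such as `iptables -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT || boot_mesg "Cannot open firewall for DHCP on GREEN"` (and likewise for the other three) would surface it where it matters. A one-line header on flush_chains(), `# Empty the per-zone DHCP hook chains; they are created by the firewall initscript and only filled here`, would document the split between the two scripts. The case statement opened in this hunk closes outside it.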
@@ -143,6 +143,31 @@ iptables_init() {
 iptables -A ${i} -j CONNTRACK
 done
 
+ # Allow DHCP
+ iptables -N DHCPINPUT
+ iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
+ iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
+
+ iptables -N DHCPOUTPUT
+ iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
+ iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
+
+ # Allow DHCP on GREEN
+ iptables -N DHCPGREENINPUT
+ iptables -N DHCPGREENOUTPUT
+ if [ -n "${GREEN_DEV}" ]; then
+ iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT
+ iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
+ fi
+
+ # allow DHCP on BLUE to be turned on/off
+ iptables -N DHCPBLUEINPUT
+ iptables -N DHCPBLUEOUTPUT
+ if [ -n "${BLUE_DEV}" ]; then
+ iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT
+ iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
+ fi
+
 # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
 iptables -N IPSECINPUT
 iptables -N IPSECFORWARD
@@ -155,11 +180,7 @@ iptables_init() {
 # localhost and ethernet.
 iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
-
- # allow DHCP on BLUE to be turned on/off
- iptables -N DHCPBLUEINPUT
- iptables -A INPUT -j DHCPBLUEINPUT
-
+
 # WIRELESS chains
 iptables -N WIRELESSINPUT
 iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
-- 
2.39.2
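Review bot: DHCPINPUT and DHCPOUTPUT accept TCP as well as UDP between ports 67 and 68, but DHCP (RFC 2131) is carried over UDP only, so the two `-p tcp` lines (`iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT` and its DHCPOUTPUT counterpart) match nothing a DHCP client or server sends and only widen the accept set reachable through the GREEN and BLUE hooks; I would drop them rather than carry them over from the old BLUE rules. The INPUT/OUTPUT jumps into DHCPGREEN*/DHCPBLUE* are added unconditionally while the chains stay empty here, which is a sound on/off design but worth a comment such as `# hook chains stay empty (no-op) until the dhcp initscript fills them`, since a reader otherwise sees an ACCEPT path that does not exist yet. The enclosing iptables_init() starts and ends outside the hunk.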