The Love Shack

Yes, the B-52’s. No, not pr0n. Sheesh!

12 Sep

Fun with firewalls…

So I recently decided to beef up my network security. I decided to set up very tight controls on my firewall. Nothing is open to the outside except for a few VERY SELECT ports. 80, 25, and a few others and that’s it. Everything else is blocked.

Until, earlier today, my network connection died. I lost my DHCP lease from the cable modem and no matter what I did I couldn’t get it back. I tried 2 different ethernet cables and any number of combinations of power cycles, etc., to no avail. Finally, after a few hours of banging my head against the keyboard and dealing with know-nothing tech-support (and I use the term VERY loosely) people, it dawned on me. Maybe my firewall security is a bit too good!

Sure enough, I was blocking inbound port 67. Now, I hadn’t noticed any problems before because I’m using NAT for all of my inside connections, so anytime a connection is initiated internally, the return traffic goes through without a problem. HOWEVER, when you’re dealing with DHCP things are a bit different. Since you don’t actually have an IP until AFTER the exchange is over, you’re dealing with generic broadcast traffic, and generic broadcast traffic is never allowed in. So, essentially, I locked myself out of my modem.

In case anyone else has the problem in the future and happens to stumble across this, the solution is simple. Open up port 67 UDP INBOUND on your firewall. If the DHCP server you’re getting an IP from is reliable and has a static IP, restrict it to that. If not, you’ll have to settle for just restricting it to your external interface. Not as secure, but the next best thing.

Now, if you happen to be using fwbuilder, I would suggest AGAINST using the pre-defined DHCP group. They open up UDP ports 67 (server responses) and 68 (client communication) from the outside. You should NEVER have any traffic coming in on port 68 FROM the outside. If you do, you’ve got people from the internet at large getting DHCP leases from you. (You do, of course, run a local DHCP server, right?) So just use the bootps service and leave bootpc alone.
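A small Python model of the situation described above, written for this post and not part of the author's setup or of fwbuilder: a default-deny inbound filter that admits replies to tracked outbound flows (the NAT case) and otherwise only what an explicit rule allows. The interface name and the ISP's DHCP server address are assumptions, and the packets are constructed.

```python
"""Toy default-deny filter modelling the DHCP lockout in the post (added example, not the author's rules)."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

EXTERNAL_IFACE = "eth0"           # assumption: name of the external (cable modem) interface
ISP_DHCP_SERVER = "198.51.100.1"  # constructed: ISP DHCP server address, documentation range

# Just the header fields a filter looks at: arrival interface, protocol, addresses and ports.
Packet = namedtuple("Packet", "iface proto src sport dst dport")

@dataclass(frozen=True)
class Rule:
    """Explicit inbound allow: interface and protocol, plus optional source port and source address."""
    iface: str
    proto: str
    sport: Optional[int] = None   # None matches any source port
    src: Optional[str] = None     # None matches any source address

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface and p.proto == self.proto
                and self.sport in (None, p.sport) and self.src in (None, p.src))

class Firewall:
    """Inbound policy: replies to tracked outbound flows pass, then explicit rules, otherwise DROP."""
    def __init__(self, rules=()):
        self.rules = list(rules)
        self.flows = set()   # (local_ip, local_port, peer_ip, peer_port) of every outbound packet

    def outbound(self, p: Packet) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.flows:   # exact reverse of a tracked flow
            return "ACCEPT:tracked"
        if any(r.matches(p) for r in self.rules):
            return "ACCEPT:rule"
        return "DROP"

def dhcp_offer_verdict(fw: Firewall, server: str = ISP_DHCP_SERVER) -> str:
    """DISCOVER leaves 0.0.0.0:68 for broadcast:67; the OFFER comes back from the server's
    unicast address to the broadcast address, so it never matches the DISCOVER's tuple."""
    fw.outbound(Packet(EXTERNAL_IFACE, "udp", "0.0.0.0", 68, "255.255.255.255", 67))
    return fw.inbound(Packet(EXTERNAL_IFACE, "udp", server, 67, "255.255.255.255", 68))

def natted_web_reply_verdict() -> str:
    """Contrast: the reply to an internally initiated TCP flow matches the tracked tuple."""
    fw = Firewall()
    fw.outbound(Packet(EXTERNAL_IFACE, "tcp", "203.0.113.5", 40000, "192.0.2.10", 80))
    return fw.inbound(Packet(EXTERNAL_IFACE, "tcp", "192.0.2.10", 80, "203.0.113.5", 40000))
```

With no rules, dhcp_offer_verdict(Firewall()) returns "DROP" (the lockout), while natted_web_reply_verdict() returns "ACCEPT:tracked" without any rule at all. Adding Rule(EXTERNAL_IFACE, "udp", sport=67, src=ISP_DHCP_SERVER) turns the offer into "ACCEPT:rule" and still drops offers from any other address; dropping the src restriction is the looser external-interface-only variant.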

Now that’s quite enough geeking out for one evening. :)




© 2008 The Love Shack
