Bug#427400: dhcp3-server: how to ignore an interface

Ross Boylan

Jun 3, 2007, 2:00:16 PM
Package: dhcp3-server
Version: 3.0.4-14
Severity: minor

There seems to be some contradictory information about how to ignore
an interface. /usr/share/doc/dhcp3-server/examples/dhcpd.conf has
---------------------------------------------------
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

subnet 10.152.187.0 netmask 255.255.255.0 {
}
--------------------------------------------------

However, /usr/share/doc/dhcp3-common/README.gz says
----------------------------------------------------------
If you have a server that is connected to two networks, and you only
want to provide DHCP service on one of those networks (e.g., you are
using a cable modem and have set up a NAT router), if you don't write
any subnet declaration for the network you aren't supporting, the DHCP
server will ignore input on that network interface if it can. If it
can't, it will refuse to run
------------------------------------------------------
(Note that file is in a different binary package.)

The man pages for dhcpd and dhcpd.conf contained no clear guidance on
this situation that I could glean, though they sort of sounded as if I
should do a subnet declaration and then put ignore statements inside
it.

I also noticed, when I filed this, that there is an interfaces debconf
parameter.

I had my configuration set up as recommended in the
examples/dhcpd.conf, and was surprised to find these messages in my
logs:
May 25 16:30:43 corn dhcpd: DHCPACK to q.r.s.t (<no client hardware
address>) via eth0
where q.r.s.t was the address of my WAN card, and the one specified in
the empty subnet declaration (which required a range and a netmask).

Searching on this message seems to show it's harmless, but I was
surprised to see anything involving the WAN showing up for dhcpd.
(Doubly surprised since I thought my firewall would block such traffic
anyway.) From some of the messages I found when searching it sounds
as if an internal client might actually be responsible for the
traffic.

I have since changed to the "leave it out completely" style, and
verified that the server does start. I have a hazy recollection that
it may not have started without such a declaration years ago, and the
README referenced above indicates there can be problems when multiple
interfaces are present. Early Linux kernels had such problems. So
perhaps the example is dated.

At any rate, it would be helpful if the documentation were clearer and
more consistent about how to handle this pretty common case (you want
to offer DHCP service to the LAN but not the WAN).

Severity is low because my understanding is that any of the
recommended settings will work. If one of them leaks information this
might be a security issue and warrant higher severity. Because of the
contradictory and unclear information, I'm not making this wishlist.

Thanks.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (50, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dhcp3-server depends on:
ii debconf [debconf-2.0] 1.5.13 Debian configuration management sy
ii debianutils 2.18 Miscellaneous utilities specific t
ii dhcp3-common 3.0.4-14 Common files used by all the dhcp3
ii libc6 2.5-9+b1 GNU C Library: Shared libraries

dhcp3-server recommends no packages.

-- debconf information:
* dhcp3-server/new_auth_behavior:
dhcp3-server/interfaces:
dhcp3-server/new_next-server_behaviour:
dhcp3-server/config_warn:


--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
