Firewall rule in before.rules for dhcp is wrong

Bug #1882484 reported by Joshua Stark
Affects: ufw (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The file delivered, /usr/share/ufw/iptables/before.rules, which is then copied to /etc/ufw/before.rules.

Delivered by Package:

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

The ports for --sport and --dport are swapped.

Should be:

-A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT

Package version found in: 0.36-0ubuntu0.1

Note: ISC DHCP uses RAW sockets, which bypasses iptables anyway and doesn't drop the packets with the incorrect configuration. This has had me stumped for the last hour.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for filing a bug.

The firewall policy is a combination of the default policy for each of 'incoming', 'outgoing' and 'routed' (forward) along with the policies shipped in before{,6}.rules, after{,6}.rules and whatever gets added to user{,6}.rules. Specifically, what is in before{,6}.rules is designed with default deny for incoming (and forward), default allow for outgoing and default accept for established connections. Considering that dhcp uses port 68/udp for the client and port 67/udp for the server, the shipped default policy allows:

* outgoing from this host port 68/udp to any port 67/udp (via default allow outgoing; eg, for dhcp request)
* incoming for established connection (via before.rules RELATED,ESTABLISHED; eg, dhcp reply from the server we connected to on port 67/udp)
* incoming from port 67/udp (via the before.rules you mentioned; eg, for a server responding to the broadcast)

I suspect that you've updated your default policy to deny to perform egress filtering so you need to add a corresponding 'ufw allow out to any port 67 proto udp comment "dhcp discover"' rule or similar.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking as Invalid since the default firewall policy is working as intended.

Changed in ufw (Ubuntu):
status: New → Invalid
Revision history for this message
Joshua Stark (starkjs) wrote :

Thanks Jamie,

Ah, cool, so that ufw config is when the install is a client.

I am having issues with the install as a DHCPv4 server.

I will revert the UFW changes I have made and add in a new /etc/ufw/application.d/dhcpd config to allow the install to run a DHCPv4 server.

Thanks
Josh

PS. isc-dhcp-server, when set up, by default uses "raw" sockets and thus the ufw rules are bypassed.
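The following is an added worked example, not code from ufw or from either participant above. It is a small Python model of the policy Jamie describes (default deny incoming, default allow outgoing, RELATED,ESTABLISHED accepted, plus the single `--sport 67 --dport 68` rule from before.rules) and walks the DHCPv4 exchange through it for both the client case and Josh's server case. The class and function names (`Firewall`, `Packet`, `Rule`, `dhcp_client_exchange`, `dhcp_server_exchange`), the addresses, and the message sequence are assumptions constructed for the example; the model only tracks ports and peer address, and it deliberately does not model the raw sockets that isc-dhcp uses, which, as both comments note, bypass iptables altogether.

```python
"""Toy model of how ufw's shipped policy treats DHCPv4 (added example, not
ufw's own code).  It models only default chain policies, the
RELATED,ESTABLISHED accept, and a first-match rule list; addresses and the
message sequence are constructed sample data.  It does not model the raw
sockets that isc-dhcp uses, which bypass iptables entirely."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DHCP_SERVER_PORT = 67          # udp, bootps
DHCP_CLIENT_PORT = 68          # udp, bootpc
BROADCAST = "255.255.255.255"
SERVER = "192.0.2.1"           # constructed sample address (RFC 5737 range)
UNCONFIGURED = "0.0.0.0"       # constructed: a client that has no lease yet


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", from this host's point of view
    proto: str
    peer: str        # the remote address
    sport: int       # source port as seen on the wire
    dport: int       # destination port as seen on the wire


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    sport: Optional[int]   # None matches any port
    dport: Optional[int]
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class Firewall:
    def __init__(self, default_in: str = "deny", default_out: str = "allow"):
        self.default_in = default_in
        self.default_out = default_out
        # Flows this host opened, keyed (proto, peer, local port, remote port);
        # stands in for the conntrack RELATED,ESTABLISHED match in before.rules.
        self.flows: Set[Tuple[str, str, int, int]] = set()
        # The rule shipped in before.rules:
        #   -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
        self.rules: List[Rule] = [
            Rule("in", "udp", DHCP_SERVER_PORT, DHCP_CLIENT_PORT, "allow")]

    def allow(self, direction: str, proto: str,
              sport: Optional[int] = None, dport: Optional[int] = None) -> None:
        """Append a user rule, e.g. 'ufw allow out to any port 67 proto udp'."""
        self.rules.append(Rule(direction, proto, sport, dport, "allow"))

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, what decided it): 'established', 'rule' or 'default'."""
        if p.direction == "in" and (p.proto, p.peer, p.dport, p.sport) in self.flows:
            return "allow", "established"
        for r in self.rules:
            if r.matches(p):
                verdict, why = r.action, "rule"
                break
        else:
            verdict = self.default_in if p.direction == "in" else self.default_out
            why = "default"
        if verdict == "allow" and p.direction == "out":
            self.flows.add((p.proto, p.peer, p.sport, p.dport))
        return verdict, why


def dhcp_client_exchange(fw: Firewall) -> Dict[str, Tuple[str, str]]:
    """DISCOVER/OFFER/REQUEST/ACK as seen by a host that is the DHCP client.
    The DISCOVER goes to broadcast, so the unicast OFFER from the server is
    not an ESTABLISHED reply and needs the before.rules rule; the REQUEST is
    modelled as unicast to the offering server, so the ACK is ESTABLISHED."""
    pkts = [
        ("DISCOVER", Packet("out", "udp", BROADCAST, DHCP_CLIENT_PORT, DHCP_SERVER_PORT)),
        ("OFFER",    Packet("in",  "udp", SERVER,    DHCP_SERVER_PORT, DHCP_CLIENT_PORT)),
        ("REQUEST",  Packet("out", "udp", SERVER,    DHCP_CLIENT_PORT, DHCP_SERVER_PORT)),
        ("ACK",      Packet("in",  "udp", SERVER,    DHCP_SERVER_PORT, DHCP_CLIENT_PORT)),
    ]
    return {name: fw.filter(p) for name, p in pkts}


def dhcp_server_exchange(fw: Firewall) -> Dict[str, Tuple[str, str]]:
    """A DISCOVER arriving at, and an OFFER leaving, a host running dhcpd."""
    pkts = [
        ("DISCOVER", Packet("in",  "udp", UNCONFIGURED, DHCP_CLIENT_PORT, DHCP_SERVER_PORT)),
        ("OFFER",    Packet("out", "udp", BROADCAST,    DHCP_SERVER_PORT, DHCP_CLIENT_PORT)),
    ]
    return {name: fw.filter(p) for name, p in pkts}


if __name__ == "__main__":
    print("client, shipped defaults:     ", dhcp_client_exchange(Firewall()))
    egress = Firewall(default_out="deny")                # 'ufw default deny outgoing'
    print("client, egress deny, no rule: ", dhcp_client_exchange(egress))
    egress = Firewall(default_out="deny")
    egress.allow("out", "udp", dport=DHCP_SERVER_PORT)   # Jamie's suggested rule
    print("client, egress deny + rule:   ", dhcp_client_exchange(egress))
    server = Firewall()
    print("server, shipped defaults:     ", dhcp_server_exchange(server))
    server.allow("in", "udp", dport=DHCP_SERVER_PORT)    # 'ufw allow 67/udp'
    print("server, with 67/udp allowed:  ", dhcp_server_exchange(server))
```

Running it shows the three mechanisms from Jamie's list doing their separate jobs: the outgoing DISCOVER passes only on the default-allow-outgoing policy, the OFFER passes only on the shipped `--sport 67 --dport 68` rule (it comes from an address the broadcast DISCOVER never "connected" to), and the ACK passes on the ESTABLISHED match. With outgoing set to deny, the DISCOVER is dropped until an `allow out ... port 67 proto udp` rule is added, which is Jamie's diagnosis. In the server scenario the shipped rule never matches an incoming DISCOVER (sport 68, dport 67), so it falls to the default deny until a rule for incoming 67/udp is added, which is what Josh's application profile would do; whether that rule is ever consulted depends on dhcpd not using raw sockets, which the model does not represent.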
