I ran into an issue with DHCP and ZBFW. I read this official guide from Cisco:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/116117-configure-dhcp-zbf-00.html
But I am even more confused. Why is it suggesting that we bypass all UDP 67/68 traffic?
ip access-list extended 111
 10 permit udp any any eq 67
ip access-list extended 112
 10 permit udp any any eq 68
Wouldn't this open up a bigger hole than necessary?
My router is both a DHCP client and server. But it seems to me that one can get away with a much more restricted ACL. To be honest, I am quite disappointed that ZBFW does not "just work" with DHCP.
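As an added example (not part of the original post or of Cisco's guide), here is what a tighter pair of pass ACLs could look like for the setup described: the router is a DHCP client on its WAN interface and a DHCP server on its LAN interface. It matches both UDP ports of the DHCP exchange (client port 68, server port 67) instead of any source port, and limits the destination to the DHCP broadcast address or the router's own interface address; the addresses 192.0.2.1/24 (LAN) and 198.51.100.10 (WAN) are assumed placeholders, and DHCP relay traffic (67 to 67) is assumed not to be needed.

```cisco
! LAN side: the router is the DHCP server.
! Clients send from 68 to 67, either broadcast (DISCOVER/REQUEST) or unicast to the
! server address (renewals). Only those two destinations are permitted.
ip access-list extended DHCP-SERVER-IN
 10 permit udp any eq 68 host 255.255.255.255 eq 67
 20 permit udp any eq 68 host 192.0.2.1 eq 67
! Server replies leave from 67 to 68, broadcast or unicast to the lease holder.
ip access-list extended DHCP-SERVER-OUT
 10 permit udp host 192.0.2.1 eq 67 host 255.255.255.255 eq 68
 20 permit udp host 192.0.2.1 eq 67 192.0.2.0 0.0.0.255 eq 68

! WAN side: the router is the DHCP client.
! Before it has an address it sends from 0.0.0.0; on renewal from its leased address.
ip access-list extended DHCP-CLIENT-OUT
 10 permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
 20 permit udp host 198.51.100.10 eq 68 any eq 67
! Offers/ACKs come back from the ISP server on port 67 to port 68.
ip access-list extended DHCP-CLIENT-IN
 10 permit udp any eq 67 host 255.255.255.255 eq 68
 20 permit udp any eq 67 host 198.51.100.10 eq 68
```

These ACLs would replace 111 and 112 in the class-maps that the guide attaches to the pass actions between the self zone and each interface zone; the ordering and the pass action itself stay as the guide shows them.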