UFW & Wi-Fi hotspot: allowing DHCP/DNS and making sure that these services are only accessible from the hotspot subnet

0 votes
1 answer
233 views
I am trying to set up UFW to allow DHCP and DNS for the clients connected to the Wi-Fi hotspot created using nmcli. I want the setup to be as restrictive as possible to avoid any DHCP clashes on the wired (eth0) -- i.e., "internet" -- interface etc. In a nutshell:

* the hotspot clients on wlan0 must be behind NAT and must be able to get the IP and DNS configuration from the respective hotspot DHCP,
* the hotspot clients on wlan0 must be able to access the internet provided by the wired interface (eth0),
* other devices on the wired network (eth0) must be ignorant of the fact that one of their "neighbours" acts as a gateway, provides DHCP/DNS, etc.

I have already set up NAT and forwarding via iptables, and everything works fine _provided that the client devices use static IP configuration._ However, when configured to use DHCP, the client devices fail to obtain this information, and consequently fail to connect to the hotspot. The subnet used by the hotspot is 10.42.0.0/24 with the gateway being 10.42.0.1 (the NetworkManager defaults).

When I try to allow DHCP and DNS ports on wlan0 using

```
# DHCP
ufw allow in on wlan0 from 10.42.0.0/24 to 10.42.0.1 port 67 proto udp
ufw allow out on wlan0 from 10.42.0.1 to 10.42.0.0/24 port 68 proto udp
# DNS
ufw allow in on wlan0 from 10.42.0.0/24 to 10.42.0.1 port 53
ufw allow out on wlan0 from 10.42.0.1 to 10.42.0.0/24 port 53
```

my UFW configuration becomes (i.e., only these four extra rules exist):

```
$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
10.42.0.1 67/udp on wlan0  ALLOW IN    10.42.0.0/24
10.42.0.1 53 on wlan0      ALLOW IN    10.42.0.0/24
10.42.0.0/24 68/udp        ALLOW OUT   10.42.0.1 on wlan0
10.42.0.0/24 53            ALLOW OUT   10.42.0.1 on wlan0
```

_But:_ even with these rules, hotspot clients fail to obtain IP/DNS configuration from DHCP. Needless to say, there are no such issues when I temporarily disable UFW...
In a comment by the user "telcoM" in [this post](https://unix.stackexchange.com/a/638482), I found that it might be necessary to allow the bootps and bootpc protocols instead of ports 67 and 68, respectively. Nonetheless, I am unable to find the UFW syntax needed to do so -- all attempts made thus far (e.g., `ufw allow in on wlan0 from 10.42.0.0/24 to 10.42.0.1 bootps`) resulted in UFW complaining (usually `ERROR: Wrong number of arguments`). What am I doing wrong? Thanks.
Asked by nvx (65 rep)
Jan 25, 2025, 07:30 AM
Last activity: Jan 26, 2025, 12:28 PM
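The following is an added illustration, not part of the question or of its answer on this site, of why subnet-scoped rules like the ones above cannot match the first DHCP exchange: a client that has no address yet sends its DHCPDISCOVER from source 0.0.0.0, UDP port 68, to the broadcast address 255.255.255.255, UDP port 67, so neither `from 10.42.0.0/24` nor `to 10.42.0.1` is satisfied. The script below is a small, simplified model of UFW's allow-rule matching (interface, direction, address ranges, destination port, protocol; default deny incoming, allow outgoing) run over a handful of constructed packets: the question's two incoming rules versus an assumed alternative that scopes the DHCP rule by interface (`in on wlan0`) rather than by subnet, while keeping the DNS rule subnet-scoped and leaving eth0 closed. Packet values, rule sets and the matcher itself are constructed for this example.

```python
"""Model how UFW-style allow rules match the packets a hotspot DHCP/DNS server sees.
Packets, rule sets and the matcher are constructed for this example (not real ufw code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    name: str
    direction: str   # "in" or "out", relative to the host running ufw
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    iface: str
    src: str = "any"              # CIDR, single address, or "any"
    dst: str = "any"
    dport: Optional[int] = None   # None = any destination port
    proto: Optional[str] = None   # None = any protocol (ufw "53" without proto)

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        # A bare address such as 10.42.0.1 becomes a /32 network.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface == p.iface
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and self._addr_ok(self.src, p.src)
                and self._addr_ok(self.dst, p.dst))

    def as_ufw(self) -> str:
        """Render the rule as the ufw command line that would create it."""
        cmd = f"ufw allow {self.direction} on {self.iface} from {self.src} to {self.dst}"
        if self.dport is not None:
            cmd += f" port {self.dport}"
        if self.proto:
            cmd += f" proto {self.proto}"
        return cmd


# Same defaults as the question's "ufw status verbose": deny in, allow out.
DEFAULT_POLICY = {"in": False, "out": True}

# Constructed sample traffic. DHCPDISCOVER/REQUEST come from an unaddressed
# client, so they carry 0.0.0.0 -> 255.255.255.255 on udp 68 -> 67.
PACKETS = [
    Packet("dhcp_discover", "in", "wlan0", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("dhcp_offer", "out", "wlan0", "udp", "10.42.0.1", 67, "255.255.255.255", 68),
    Packet("dns_query", "in", "wlan0", "udp", "10.42.0.23", 51515, "10.42.0.1", 53),
    # A stray discover arriving on the wired side must stay blocked.
    Packet("eth0_dhcp_discover", "in", "eth0", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
]

# The two incoming rules from the question (outgoing ones are redundant under allow-out).
QUESTION_RULES = [
    Rule("in", "wlan0", "10.42.0.0/24", "10.42.0.1", 67, "udp"),
    Rule("in", "wlan0", "10.42.0.0/24", "10.42.0.1", 53),
]

# Assumed alternative: the client has no address yet, so the DHCP rule is scoped
# by interface instead of subnet; DNS stays subnet-scoped; nothing is opened on eth0.
HOTSPOT_RULES = [
    Rule("in", "wlan0", "any", "any", 67, "udp"),
    Rule("in", "wlan0", "10.42.0.0/24", "10.42.0.1", 53),
]


def evaluate(rules, packets):
    """Return {packet name: allowed?} under default policy plus the given allow rules."""
    return {p.name: (DEFAULT_POLICY[p.direction] or any(r.matches(p) for r in rules))
            for p in packets}


if __name__ == "__main__":
    for label, rules in (("question", QUESTION_RULES), ("interface-scoped", HOTSPOT_RULES)):
        print(f"{label}: {evaluate(rules, PACKETS)}")
    print("\n".join(r.as_ufw() for r in HOTSPOT_RULES))
```

Under the question's rules the model allows the DNS query but drops the DHCPDISCOVER, which matches the reported symptom; with the interface-scoped rule the discover passes while the same packet on eth0 is still denied, so the "neighbours must not see a DHCP server" requirement is preserved by the interface restriction rather than by the source subnet. (In real ufw the `port` argument can also take a name from /etc/services, so `bootps` would be written in that position rather than as a trailing word, which is why the command quoted in the question fails argument parsing.)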