The trouble is that when you normally have a rule for example for ping from say IP 10.10.10.10 to IP 8.8.8.8 in a stateful firewall then the same rule allows return traffic automatically with the help of established sessions mechanism.
So when this firewall sees a ping packet (ICMP Echo Request) going from 10.10.10.10 to 8.8.8.8 it allows it through but also creates a new ICMP session into its established sessions table. So when any packet arrives, and its source is 8.8.8.8 and destination is 10.10.10.10, and packet type is ICMP Echo Reply, it matches to this session as a return packet and is allowed to go through. Same applies for any unicast traffic whether TCP or UDP protocols with subtle detail differences.
But in DHCP protocol the client discovers or requests for an address by broadcasting a DHCP packet to 255.255.255.255 and the server doesn't answer from that address but from its own address. Let's simulate DHCP protocol. Assume that DHCP server uses IP address 10.10.10.2 and offers address 10.10.10.5 for this particular client.
- Client sends a DHCP Discover from 0.0.0.0 to 255.255.255.255 (to MAC FF:FF:FF:FF:FF:FF)
- Server replies with a DHCP Offer from 10.10.10.2 to 10.10.10.5 (to client's MAC address)
As you see, the packets don't match together concerning their IP addresses. So the firewall has to think differently with DHCP. It might be that with a DHCP protocol selected it actually doesn't even care about IP addresses of return packets and destination 255.255.255.255/32 might actually work, but if it doesn't care, what's wrong with "any" anyway? In addition there is a special type of DHCP unicast request where the destination IP is DHCP server's IP. This is probably sent before the lease time expires, probably in the middle of it.
I've set dozens of rules to allow DHCP in firewalls, but I've never thought about "limiting it". Also Spoofguard has additional options if you want to avoid rogue DHCP servers in your LANs.
In summary: DHCP is special.
