Firewall Wizards mailing list archives

Re: Dual-homed firewall with DHCP on one of the interfaces.


From: Daniel Knighten <daniel () knighten org>
Date: Tue, 23 Mar 1999 21:48:36 -0800

This is causing some confusion, so let me provide a more detailed
description of the configuration.

Internet
   |
US-West.Net
   |
ADSL
   |
ADSL/Ethernet Bridge (Cisco 675)
   |
Ethernet Interface1 (eth1) IP=Dynamic via DHCP
   |
[ Router/Firewall]
   |
Ethernet Interface2 (eth2) IP=192.168.1.1
   |
[ Hub ]
   |- Client1 IP=192.168.1.10
   |- Client2 IP=192.168.1.11
   |- Client3 IP=192.168.1.12
   |- Client4 IP=192.168.1.13
   |- Client5 IP=192.168.1.14

There are several key points about this scenario which cause problems
and make the situation less than ideal.  These are basically related
to cost and result in some suboptimal compromises.  The
Router/Firewall is not a completely stripped down machine.  For cost
reasons the R/F acts as the office mail server/gateway and I also
allow telnet for remote admin.  I have both sendmail and inetd
configured to ignore connection attempts from IP addresses other than
192.168.1.0/24.  I have also taken the usual steps to maximize the
host-based security of the R/F.  However, I also like the belt and
suspenders approach of running a standard packet filter on top of all
this which blocks spoofed traffic, source routed traffic, and traffic
to or from ports 0-1024.  I realized that blocking everything to or
from 0-1024 would also block the necessary DHCP traffic so I
specifically created a hole for ports 67 and 68.  However, that has not
worked, i.e., DHCP is still blocked.  My question is what the protocol
behavior of DHCP is, so that I can write some correct filters.

I understand that the best and simplest option is to get a static IP
address for the external interface.  I may well pursue this option if
squatting on an address proves unfeasible.  

Thanks,
Dan
-- 
____________________________________
                                    |
Daniel Knighten                     |
                                    |
Quad Group Computer Solutions, Inc. |
P.O. Box 590                        |
Dupont, WA 98327-0590               |
                                    |
Voice: (360) 507-7842               |
Fax: (360) 455-0463                 |
                                    |
dknighten () qgcs com               |
http://www.qgcs.com                 |
____________________________________|

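The protocol behaviour the post asks about, as an added example that is not part of the original thread. Per RFC 2131 a client with no lease sends DHCPDISCOVER and its first DHCPREQUEST from source 0.0.0.0, UDP port 68, to 255.255.255.255 port 67; the server's DHCPOFFER and DHCPACK come back from port 67 to port 68, addressed to 255.255.255.255 (or, if the client did not set the broadcast flag, unicast to the address it is about to be given, which the interface does not hold yet). Only the later renewal is an ordinary unicast exchange between the leased address and the server. The script below replays that exchange through a small first-match packet filter and compares two hypothetical rule sets: one that opens UDP 67/68 but leaves typical anti-spoof and anti-broadcast rules ahead of the hole, and one that accepts the unaddressed and broadcast forms DHCP actually uses. Neither rule set is the poster's real configuration, first-match semantics and a default-accept policy are assumptions, and the addresses (192.0.2.0/24) are constructed for the example.

```python
"""Replay a DHCP lease exchange (RFC 2131) through a simulated first-match filter.

Added example, not code from the original post.  Rule sets are hypothetical
reconstructions of "a hole for ports 67 and 68"; addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    name: str
    direction: str      # "in" = arriving on eth1, "out" = leaving via eth1
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "deny"
    why: str                         # reason reported with the verdict
    direction: Optional[str] = None  # None = either direction
    src: Optional[str] = None        # CIDR; None = any address
    dst: Optional[str] = None
    sports: Optional[range] = None   # None = any port
    dports: Optional[range] = None
    proto: Optional[str] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must match; unspecified fields match anything."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.sports is not None and pkt.sport not in rule.sports:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def verdict(rules, pkt):
    """First matching rule wins; default policy is accept (assumption)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.why
    return "accept", "default policy"


def run(rules, packets):
    """Map each packet name to its (action, reason) under the given rule set."""
    return {p.name: verdict(rules, p) for p in packets}


SERVER = "192.0.2.1"    # ISP-side DHCP server (constructed address)
LEASE = "192.0.2.50"    # address the server hands out (constructed)
LOW = range(0, 1025)    # the "0-1024" range the post blocks
BCAST = "255.255.255.255/32"

# The exchange as seen on eth1 (constructed from the RFC 2131 message flow).
DHCP_EXCHANGE = [
    Packet("DISCOVER", "out", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("OFFER", "in", SERVER, 67, "255.255.255.255", 68),
    Packet("REQUEST", "out", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("ACK", "in", SERVER, 67, "255.255.255.255", 68),
    Packet("RENEW", "out", LEASE, 68, SERVER, 67),        # T1 renewal, unicast
    Packet("RENEW-ACK", "in", SERVER, 67, LEASE, 68),
]

# Rule set A: the 67/68 hole exists, but anti-spoof and anti-broadcast rules
# run first.  The initial exchange never reaches the hole; only renewal does,
# and a client that never obtained a lease never renews.
RULES_A = [
    Rule("deny", "anti-spoof: source in 0.0.0.0/8", src="0.0.0.0/8"),
    Rule("deny", "drop inbound broadcast", direction="in", dst=BCAST),
    Rule("accept", "DHCP hole 68->67", proto="udp", sports=range(68, 69), dports=range(67, 68)),
    Rule("accept", "DHCP hole 67->68", proto="udp", sports=range(67, 68), dports=range(68, 69)),
    Rule("deny", "privileged source port", sports=LOW),
    Rule("deny", "privileged destination port", dports=LOW),
]

# Rule set B: DHCP accepts placed ahead of the generic denies, written for the
# addresses DHCP really uses (0.0.0.0 source, 255.255.255.255 destination),
# plus the unicast renewal forms.  The unicast 67->68 rule leaves the
# destination unconstrained because an OFFER/ACK may be unicast to an
# address the interface does not yet hold.
RULES_B = [
    Rule("accept", "DHCP discover/request from unaddressed client", direction="out",
         proto="udp", src="0.0.0.0/32", sports=range(68, 69), dst=BCAST, dports=range(67, 68)),
    Rule("accept", "DHCP offer/ack to broadcast", direction="in",
         proto="udp", sports=range(67, 68), dst=BCAST, dports=range(68, 69)),
    Rule("accept", "DHCP renewal to server", direction="out",
         proto="udp", sports=range(68, 69), dports=range(67, 68)),
    Rule("accept", "DHCP unicast reply", direction="in",
         proto="udp", sports=range(67, 68), dports=range(68, 69)),
] + RULES_A[:2] + RULES_A[4:]


if __name__ == "__main__":
    for label, rules in (("A", RULES_A), ("B", RULES_B)):
        for name, (action, why) in run(rules, DHCP_EXCHANGE).items():
            print(f"rules {label}: {name:10} {action:6} ({why})")
```

Under rule set A every packet of the initial exchange is denied by a rule that sits before the hole, so the lease is never obtained even though the hole itself would pass a renewal. Rule set B still accepts any UDP 67 to 68 packet from the bridged segment; once the server's address is known it can be narrowed to that source, and a separate rule is needed if a relay agent (port 67 to port 67) is involved.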