Firewall Wizards mailing list archives
Re: Dual-homed firewall with DHCP on one of the interfaces.
From: Daniel Knighten <daniel () knighten org>
Date: Tue, 23 Mar 1999 21:48:36 -0800
This is causing some confusion, let me provide a more detailed description of the configuration.

                     Internet
                        |
                    US-West.Net
                        |
                       ADSL
                        |
        ADSL/Ethernet Bridge (Cisco 675)
                        |
    Ethernet Interface1 (eth1) IP=Dynamic via DHCP
                        |
                 [ Router/Firewall ]
                        |
    Ethernet Interface2 (eth2) IP=192.168.1.1
                        |
                     [ Hub ]
                        |- Client1 IP=192.168.1.10
                        |- Client2 IP=192.168.1.11
                        |- Client3 IP=192.168.1.12
                        |- Client4 IP=192.168.1.13
                        |- Client5 IP=192.168.1.14

There are several key points about this scenario which cause problems and make the situation less than ideal. These are basically related to cost and result in some sub-optimal compromises.

The Router/Firewall is not a completely stripped down machine. For cost reasons the R/F acts as the office mail server/gateway and I also allow telnet for remote admin. I have both sendmail and inetd configured to ignore connection attempts from IP addresses other than 192.168.1.0/24. I have also taken the usual steps to maximize the host-based security of the R/F. However, I also like the belt-and-suspenders approach of running a standard packet filter on top of all this which blocks spoofed traffic, source-routed traffic, and traffic to or from ports 0-1024.

I realized that blocking everything to or from 0-1024 would also block the necessary DHCP traffic, so I specifically created a hole for ports 67 and 68. However, that has not worked, i.e. DHCP is still blocked. My question is what the protocol behavior of DHCP is, so that I can write some correct filters.

I understand that the best and simplest option is to get a static IP address for the external interface. I may well pursue this option if squatting on an address proves unfeasible.

Thanks,
Dan

--
Daniel Knighten
Quad Group Computer Solutions, Inc.
P.O. Box 590
Dupont, WA 98327-0590
Voice: (360) 507-7842
Fax: (360) 455-0463
dknighten () qgcs com
http://www.qgcs.com
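The DHCP exchange the post asks about, run through a model of the filter it describes, as an added example that is not part of the original thread or of any replier's answer. It encodes the RFC 2131 addressing that trips up a stateless filter: the client sends DHCPDISCOVER and DHCPREQUEST as UDP from 0.0.0.0 port 68 to 255.255.255.255 port 67 before it has any address, the server answers from port 67 to port 68 (broadcast until the client has an address, unicast to the lease afterwards), and renewals are unicast from the leased address. The rule syntax is a toy first-match model, not ipchains or ipfw syntax; the addresses 203.0.113.1 and 203.0.113.77 are constructed RFC 5737 documentation addresses; and the anti-spoof check is the usual bogon-source test, assumed because the post does not show its actual rules.

```python
"""
DHCP (RFC 2131) over a stateless first-match packet filter: a model showing
why a "hole for ports 67 and 68" placed after the blanket rules never fires,
and a rule order that lets the lease through without widening the hole.

Added illustration, not code from the original post.  The rule syntax is a
toy model, not ipchains/ipfw syntax; the addresses are constructed
(RFC 5737 documentation space) and the anti-spoof check is the usual
bogon-source test, assumed because the post does not show its rules.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaves eth1 toward the ISP, "in" = arrives on eth1
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


UNSPEC = "0.0.0.0"            # source of every DHCP message sent before a lease exists
BCAST = "255.255.255.255"     # limited broadcast used until the client has an address
SERVER = "203.0.113.1"        # constructed: the ISP's DHCP server
LEASE = "203.0.113.77"        # constructed: the address the server hands out

# Source addresses that should never appear on the outside interface.  Note
# that 0.0.0.0/8 is in the list: that is exactly what DHCPDISCOVER is sent from.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "255.255.255.255/32")]


def spoofed(p):
    """Anti-spoof rule: drop anything with a bogon source address."""
    a = ipaddress.ip_address(p.src)
    return any(a in n for n in BOGON_NETS)


def low_port(p):
    """The post's blanket rule: anything touching ports 0-1024 in either direction."""
    return p.sport <= 1024 or p.dport <= 1024


def dhcp_client_out(p):
    """Client -> server: UDP from port 68 to port 67.  The source may be 0.0.0.0
    (initial DISCOVER/REQUEST) or the leased address (unicast renewal)."""
    return (p.direction == "out" and p.proto == "udp"
            and p.sport == 68 and p.dport == 67)


def dhcp_server_in(p):
    """Server -> client: UDP from port 67 to port 68, to 255.255.255.255 before
    the client has an address, unicast to the lease afterwards."""
    return (p.direction == "in" and p.proto == "udp"
            and p.sport == 67 and p.dport == 68)


def evaluate(rules, p):
    """First matching rule decides; a packet matching nothing is accepted."""
    for action, name, pred in rules:
        if pred(p):
            return action, name
    return "accept", "default"


# Rule set as the post describes it: the blanket denies come first, so the
# DHCP hole is unreachable for the very packets it was meant to admit.
ORIGINAL = [
    ("drop", "anti-spoof", spoofed),
    ("drop", "low-ports", low_port),
    ("accept", "dhcp-hole", lambda p: dhcp_client_out(p) or dhcp_server_in(p)),
]

# Corrected order: admit the two DHCP flows (UDP only, fixed port pair, fixed
# direction) before the blanket denies.  Everything else still hits them.
CORRECTED = [
    ("accept", "dhcp-client-out", dhcp_client_out),
    ("accept", "dhcp-server-in", dhcp_server_in),
    ("drop", "anti-spoof", spoofed),
    ("drop", "low-ports", low_port),
]

# Constructed sample: the RFC 2131 exchange as seen on eth1, from first boot
# through a renewal once the lease exists.
EXCHANGE = [
    ("DISCOVER",        Packet("out", "udp", UNSPEC, 68, BCAST, 67)),
    ("OFFER",           Packet("in",  "udp", SERVER, 67, BCAST, 68)),
    ("REQUEST",         Packet("out", "udp", UNSPEC, 68, BCAST, 67)),
    ("ACK",             Packet("in",  "udp", SERVER, 67, BCAST, 68)),
    ("REQUEST (renew)", Packet("out", "udp", LEASE,  68, SERVER, 67)),
    ("ACK (renew)",     Packet("in",  "udp", SERVER, 67, LEASE,  68)),
]


def run(rules):
    """Map each message of the exchange to the (action, rule) that decided it."""
    return {name: evaluate(rules, p) for name, p in EXCHANGE}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label)
        for name, (action, rule) in run(rules).items():
            print(f"  {name:16} {action:6} ({rule})")
    # The hole is UDP 67<->68 only; an inbound telnet attempt is still dropped.
    print(evaluate(CORRECTED, Packet("in", "tcp", "198.51.100.5", 4321, LEASE, 23)))
```

Two things the model makes visible. First, the anti-spoof rule alone is enough to kill the lease: DISCOVER and the initial REQUEST carry source 0.0.0.0, so any sanity check on source addresses that sits ahead of the DHCP exception drops them before the port rules are even consulted. Second, with a first-match filter the order is the fix, not the hole: the DHCP accepts have to precede the blanket denies, and keeping them UDP-only with the fixed 67/68 pairing and a fixed direction means the exception admits nothing else (the inbound TCP/23 probe in the last line is still dropped). Once the lease is up, the inbound rule can be tightened further to the ISP server's address, but the outbound rule must keep admitting both 0.0.0.0 and the leased address, because renewals are unicast from the lease.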
Current thread:
- Dual-homed firewall with DHCP on one of the interfaces. Daniel Knighten (Mar 23)
- Re: Dual-homed firewall with DHCP on one of the interfaces. Steve George (Mar 23)
- <Possible follow-ups>
- RE: Dual-homed firewall with DHCP on one of the interfaces. Cottrell, Ian (Mar 23)
- Re: Dual-homed firewall with DHCP on one of the interfaces. Daniel Knighten (Mar 24)
- RE: Dual-homed firewall with DHCP on one of the interfaces. Keller, Dennis (Mar 23)
- RE: Dual-homed firewall with DHCP on one of the interfaces. Peter Capelli (Mar 24)