Firewall Wizards mailing list archives
Re: Dual-homed firewall with DHCP on one of the interfaces.
From: Steve George <stevege () i-way net uk>
Date: Tue, 23 Mar 1999 17:18:55 +0000
Hi,

Hmm, I take it that you mean the external interface gets its IP via DHCP from an external DHCP server? This might happen where the connection is a dial-up one, for example, and the ISP is assigning dynamic IPs from a small address range.

The way I have got round this with a dial-up group access server is to have nearly all the filtering done on the interface and use the 'ip-up' scripts to tighten the FW afterwards. These scripts are only run AFTER the interface is up, so it is then safe to refuse further DHCP traffic. I think this is only really safe where the DHCP server is on the same machine as the one you are dialing into, as the time interval is tiny and it should be impossible to hit the machine in the gap.

The only problem that comes to mind is where one user disconnects from the IP to be replaced by another; if you are filtering some 'established' connections then presumably it might be possible for some traffic to get through before your 'final' tightening up.

If you want to be more secure and the connection is intermittent then I would suggest using a fixed IP and slip/spppd.

Realistically, if you are being assigned your 'identity' from an external entity then you are at the mercy of that entity and the channel between the two of you, to a greater or lesser degree.

HTH,
Steve

Daniel Knighten wrote:
I have connected a small office to the Internet through a Linux-based router/firewall. This machine employs network address translation and a combination of packet filtering and proxies to firewall the internal network. The problem I am having is that the external (Internet) interface receives its IP address via DHCP. When the machine first boots, the firewall is not initialized till after DHCP has obtained its address. However, once the firewall has been initialized DHCP traffic is no longer passed. I thought I had anticipated the problem by creating holes in the firewall for TCP/UDP ports 67-68, but nonetheless the problem exists. My current solution is to simply squat on an IP after DHCP has acquired it; however, I would like to understand the full ramifications.

Has anybody encountered this before and are there any suggestions?

Thanks,
Dan

--
Daniel Knighten
Quad Group Computer Solutions, Inc.
P.O. Box 590
Dupont, WA 98327-0590
Voice: (360) 507-7842
Fax: (360) 455-0463
dknighten () qgcs com
http://www.qgcs.com
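A concrete shape for the two-phase approach Steve describes (wide rules while the interface comes up, then tightening from the client's hook once the lease exists), as an added example for this thread rather than code from either poster. It assumes a current iptables with the conntrack match, external interface eth0 and LAN interface eth1 (both overridable through the environment), and a DHCP client hook that calls the script with the leased address and the server identifier, which ISC dhclient-script exposes as $new_ip_address and $new_dhcp_server_identifier. Two facts about DHCP are worth checking whenever a 67-68 "hole" appears not to work: the initial exchange runs from 0.0.0.0:68 to 255.255.255.255:67 before the host has any address, so a rule keyed on the interface's own address never matches it, and DHCP is UDP only, so a TCP 67/68 rule never sees a packet.

```shell
#!/bin/sh
# Two-phase packet filter for a Linux router whose external interface is a
# DHCP client. Added example for this thread, not code from either poster.
# Assumptions: iptables with the conntrack match; EXT_IF/LAN_IF default to
# eth0/eth1; the DHCP client's hook invokes this script as
#   fw.sh up | bound ADDR SERVER | renew ADDR SERVER | expire
# (with ISC dhclient, ADDR and SERVER come from $new_ip_address and
# $new_dhcp_server_identifier). Set IPT=echo to print the rules instead of
# loading them.

EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
IPT="${IPT:-iptables}"

# Flush and start from a default-deny posture; loopback is always allowed.
base_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -F "$chain"
        $IPT -P "$chain" DROP
    done
    $IPT -t nat -F POSTROUTING
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

# Phase 1: interface up, no lease yet. DHCPDISCOVER/DHCPREQUEST leave from
# 0.0.0.0:68 to 255.255.255.255:67 and the OFFER/ACK come back to
# 255.255.255.255:68 (or to the offered address, which the filter cannot
# know yet), so the rule must match on interface, protocol and ports only.
# DHCP is UDP only; a TCP 67/68 hole never sees a packet.
phase1_rules() {
    base_rules
    $IPT -A OUTPUT -o "$EXT_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT  -i "$EXT_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    # nothing else in or through the router until a lease exists
}

# Phase 2: lease held (client's BOUND/RENEW/REBIND hook). Narrow the DHCP
# hole to the server that issued the lease so unicast renewals still work,
# then open the rest of the policy now that the address is known.
phase2_rules() {
    addr="$1"     # leased address on EXT_IF
    server="$2"   # DHCP server identifier from the lease
    [ -n "$addr" ] && [ -n "$server" ] || {
        echo "phase2_rules: need ADDR SERVER" >&2
        return 1
    }
    base_rules
    $IPT -A OUTPUT -o "$EXT_IF" -p udp -s "$addr" --sport 68 -d "$server" --dport 67 -j ACCEPT
    $IPT -A INPUT  -i "$EXT_IF" -p udp -s "$server" --sport 67 -d "$addr" --dport 68 -j ACCEPT
    # replies to connections the router or the LAN initiated
    $IPT -A INPUT   -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN -> Internet, masqueraded behind the leased address
    $IPT -A INPUT   -i "$LAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # the router's own outbound traffic
    $IPT -A OUTPUT -o "$EXT_IF" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -j ACCEPT
}

case "${1-}" in
    up)                  phase1_rules ;;
    bound|renew|rebind)  phase2_rules "$2" "$3" ;;
    expire|release|fail) phase1_rules ;;   # back to phase 1 so a fresh DISCOVER can go out
esac
```

The difference from Steve's dial-up case is the lease lifetime: where the address is fixed for the session it is safe to refuse all further DHCP traffic after ip-up, but a real DHCP lease has to be renewed, so the tightened rule keeps unicast renewal to the known server open rather than closing port 68 entirely. What it does not allow is rebinding to a different server after the original one goes silent, since that reply would come from an address the rule does not list; the expire/fail branch returns to phase 1 so the client can start over with a broadcast DISCOVER.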
Current thread:
- Dual-homed firewall with DHCP on one of the interfaces. Daniel Knighten (Mar 23)
- Re: Dual-homed firewall with DHCP on one of the interfaces. Steve George (Mar 23)
- <Possible follow-ups>
- RE: Dual-homed firewall with DHCP on one of the interfaces. Cottrell, Ian (Mar 23)
- Re: Dual-homed firewall with DHCP on one of the interfaces. Daniel Knighten (Mar 24)
- RE: Dual-homed firewall with DHCP on one of the interfaces. Keller, Dennis (Mar 23)
- RE: Dual-homed firewall with DHCP on one of the interfaces. Peter Capelli (Mar 24)