Firewall Wizards mailing list archives

Re: Re: dhcp altering firewall rules


From: Stephan <chenette () ccs neu edu>
Date: Sat, 5 May 2001 22:40:43 -0400 (EDT)


Stephan

"It's been said that a million monkeys banging on a million keyboards
will eventually turn out the works of Shakespeare. Thanks to the Internet
we know this is not true."--Unknown
Random Sig:26

On Fri, 4 May 2001 bgrubin () speakeasy net wrote:

I don't understand why you'd want to modify the filtering rules based on obtaining a lease from DHCP.  An "intruder" 
could just as easily obtain a DHCP address as forge his own, unless you are statically mapping DHCP leases to 
specific hardware via MAC address.  If you *are* statically assigning all DHCP leases, you could just as easily 
create a big fat static arp table containing all the legit ones, and block dynamic arp resolution.

To not allow the dhcp clients to bypass dhcp and set their own static ip
address. If they set their own static ip address then they bypass dhcp
registration and get net. We don't want this. Initially all ip addresses
will not be allowed to pass through the firewall. The dhcp server (which
runs on the same machine) will execute firewall rules to open ip
addresses as it gives out a lease for a specific ip.


The only usefulness I could see here is some form of rate limiting or other traffic control based on the number of 
active DHCP leases.

Maybe I'm confused...  

Cheers,
Ben



-- Original Message --

one 'hack' of a solution (not compromise hack, just .. a hack)

use atchange[1] to monitor the dhcp leases file. when it changes, call a
script that will rebuild the ipf.rules file (ie fill in the blank for
$IPADDR) and reload the firewall rules.

another solution is to treat your host as a member of a network, the DHCP
network your provider uses. chances are you won't have problems with
traffic intended for your neighbors, I think.

resources:
1. http://www.lecb.ncifcrf.gov/~toms/atchange.html

____________________________
jose nazario                                               jose () cwru edu
                   PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                     PGP key ID 0xFD37F4E5 (pgp.mit.edu)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
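The two schemes in the thread (Jose's: watch the leases file and rebuild ipf.rules; Stephan's: open the firewall per address as the dhcp server hands out leases) both come down to one script that turns the current lease table into a rule set. The script below is an added example written for this archive page, not code posted by Stephan, Ben or Jose. It assumes an ISC dhcpd 3 style leases file (records carry a "binding state" line and later records for the same address supersede earlier ones), an ipf firewall on the same host, an inside interface called fxp0 and a pool of 192.168.1.0/24; the interface, pool and the embedded leases records are all constructed for the example. It also emits the static arp entries Ben suggests, one per live lease, since ipf itself only filters on the IP address.

```shell
#!/bin/sh
# Added example: rebuild ipf rules (and static arp entries) from a dhcpd leases file.
# Assumptions (hypothetical, not from the thread): ISC dhcpd 3 leases format,
# ipf on the firewall host, inside interface fxp0, DHCP pool 192.168.1.0/24.

# Constructed sample of an ISC dhcpd 3 leases file. dhcpd appends records, so the
# same address can appear more than once; the last record wins (.10 renews and
# stays active, .13 is released after being active).
SAMPLE_LEASES='lease 192.168.1.10 {
  starts 6 2001/05/05 20:00:00;
  ends 6 2001/05/05 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:00:5e:00:53:01;
}
lease 192.168.1.11 {
  starts 6 2001/05/05 20:10:00;
  ends 6 2001/05/05 22:10:00;
  binding state free;
  hardware ethernet 00:00:5e:00:53:02;
}
lease 192.168.1.13 {
  binding state active;
  next binding state free;
  hardware ethernet 00:00:5e:00:53:04;
}
lease 192.168.1.10 {
  starts 6 2001/05/05 22:00:00;
  ends 6 2001/05/06 00:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:00:5e:00:53:01;
}
lease 192.168.1.12 {
  binding state active;
  next binding state free;
  hardware ethernet 00:00:5e:00:53:03;
}
lease 192.168.1.13 {
  binding state free;
  hardware ethernet 00:00:5e:00:53:04;
}
'

# Read a leases file on stdin, print "ip mac" for every address whose most recent
# record is "binding state active". "next binding state" lines are deliberately
# not matched (they describe what the lease becomes on expiry, not what it is).
active_leases() {
    awk '
        /^lease / { ip = $2 }
        $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
        $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
        /^}/ {
            if (state == "active") act[ip] = mac; else delete act[ip]
            ip = ""; state = ""; mac = ""
        }
        END { for (i in act) print i, act[i] }
    ' | sort
}

# Read "ip mac" lines on stdin and print an ipf rule set for interface $1 and pool $2.
# ipf is last-match-wins unless a rule says "quick", so the per-lease pass rules
# short-circuit the trailing block that catches every unleased address in the pool.
build_rules() {
    iface=$1; pool=$2
    echo "# generated from dhcpd.leases; do not edit by hand"
    while read -r ip mac; do
        echo "pass in quick on $iface from $ip to any   # lease held by $mac"
    done
    echo "block in log on $iface from $pool to any"
}

# Ben's alternative, applied to the same lease list: pin each leased address to the
# MAC the server gave it to, so a host that sets a leased IP by hand with a
# different MAC does not get the router's arp entry.
build_arp_entries() {
    while read -r ip mac; do
        echo "arp -s $ip $mac"
    done
}

# Stand-alone run: print the rule set for the embedded sample. In production the
# script atchange (or any file watcher) invokes would instead do roughly:
#   active_leases < /var/db/dhcpd.leases | build_rules fxp0 192.168.1.0/24 > /etc/ipf.rules
#   ipf -Fa -f /etc/ipf.rules
printf '%s' "$SAMPLE_LEASES" | active_leases | build_rules fxp0 192.168.1.0/24
printf '%s' "$SAMPLE_LEASES" | active_leases | build_arp_entries
```

The generated set still only identifies a client by the address dhcpd handed out, which is Ben's objection: a host inside the pool that copies a neighbour's leased address is indistinguishable to ipf. The arp -s lines narrow that to "copies the address and the MAC", which is as far as an IP-layer filter can go; beyond that the per-port controls are on the switch, not the firewall.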
