Firewall Wizards mailing list archives
Re: Re: dhcp altering firewall rules
From: Stephan <chenette () ccs neu edu>
Date: Sat, 5 May 2001 22:40:43 -0400 (EDT)
On Fri, 4 May 2001 bgrubin () speakeasy net wrote:

> I don't understand why you'd want to modify the filtering rules based on obtaining a lease from DHCP. An "intruder" could just as easily obtain a DHCP address as forge his own, unless you are statically mapping DHCP leases to specific hardware via MAC address. If you *are* statically assigning all DHCP leases, you could just as easily create a big fat static arp table containing all the legit ones, and block dynamic arp resolution.

To not allow the DHCP clients to bypass DHCP and set their own static IP address. If they set their own static IP address then they bypass DHCP registration and get net. We don't want this. Initially all IP addresses will not be allowed to pass through the firewall. The DHCP server (which runs on the same machine) will execute firewall rules to open IP addresses as it gives out a lease for a specific IP.

> The only usefulness I could see here is some form of rate limiting or other traffic control based on the number of active DHCP leases. Maybe I'm confused...
>
> Cheers,
> Ben
>
> -- Original Message --
>
> > one 'hack' of a solution (not compromise hack, just .. a hack): use atchange[1] to monitor the dhcp leases file. when it changes, call a script that will rebuild the ipf.rules file (ie fill in the blank for $IPADDR) and reload the firewall rules.
> >
> > another solution is to treat your host as a member of a network, the DHCP network your provider uses. chances are you won't have problems with traffic intended for your neighbors, I think.
> >
> > resources:
> > 1. http://www.lecb.ncifcrf.gov/~toms/atchange.html
> >
> > ____________________________
> > jose nazario jose () cwru edu
> > PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> > PGP key ID 0xFD37F4E5 (pgp.mit.edu)

Stephan
"It's been said that a million monkeys banging on a million keyboards will eventually turn out the works of Shakespeare. Thanks to the Internet we know this is not true." --Unknown
Random Sig:26

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
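The rebuild step jose describes (watch the leases file, fill in the blank for $IPADDR, reload) and the default-deny scheme Stephan wants, as an added example that is not code from anyone in the thread: a Python script that parses an ISC dhcpd.leases file, keeps only the latest entry per address (dhcpd appends a new block on every change) and only entries that are in state active and not yet expired, then renders an ipf rule set that blocks everything on the inside interface and passes one leased address per rule. The interface name fxp0, the rule template, the file paths in the usage comment and the sample leases text are all constructed assumptions for this example. It binds rules to addresses only, so Ben's point stands: once a lease entry exists, any host using that address matches the pass rule, and a static ARP/MAC binding of the kind he suggests is the natural complement.

```python
#!/usr/bin/env python3
"""Rebuild an ipf rule file from the active entries in an ISC dhcpd.leases file.
Added example for the thread above; interface, template, paths and sample data
are assumptions constructed for this example."""
import re
import sys
from datetime import datetime, timezone
from string import Template

# Constructed sample in dhcpd.leases syntax.  dhcpd appends a block each time a
# lease changes, so the same address can appear more than once (10.0.0.11 here).
SAMPLE_LEASES = """\
lease 10.0.0.11 {
  starts 5 2001/05/04 20:00:00;
  ends 5 2001/05/04 21:00:00;
  binding state active;
  hardware ethernet 00:10:5a:aa:bb:01;
}
lease 10.0.0.12 {
  starts 5 2001/05/04 17:00:00;
  ends 5 2001/05/04 23:00:00;
  binding state active;
  hardware ethernet 00:10:5a:aa:bb:02;
}
lease 10.0.0.13 {
  starts 5 2001/05/04 22:00:00;
  ends 5 2001/05/05 04:00:00;
  binding state free;
  hardware ethernet 00:10:5a:aa:bb:03;
}
lease 10.0.0.11 {
  starts 5 2001/05/04 21:00:00;
  ends 5 2001/05/05 02:00:00;
  binding state active;
  hardware ethernet 00:10:5a:aa:bb:01;
}
lease 10.0.0.14 {
  starts 5 2001/05/04 22:30:00;
  ends never;
  hardware ethernet 00:10:5a:aa:bb:04;
}
"""

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"^\s*ends\s+(never|\d\s+\S+\s+\S+)\s*;", re.M)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+)\s*;", re.M)
MAC_RE = re.compile(r"^\s*hardware ethernet\s+([0-9a-fA-F:]+)\s*;", re.M)

# ipf syntax: block all on the inside interface (assumed fxp0), then one
# 'pass ... quick' per leased address, i.e. jose's "$IPADDR" blank filled in.
RULE_HEADER = [
    "# generated from dhcpd.leases; default deny on fxp0",
    "block in on fxp0 all",
    "block out on fxp0 all",
]
RULE_TEMPLATE = Template("pass in quick on fxp0 from $IPADDR to any keep state")


def _parse_stamp(stamp):
    """dhcpd writes lease times in UTC as 'YYYY/MM/DD HH:MM:SS'."""
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return {ip: lease}; a later block for the same address supersedes earlier ones."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        ends_m, state_m, mac_m = ENDS_RE.search(body), STATE_RE.search(body), MAC_RE.search(body)
        ends = None  # None means 'ends never'
        if ends_m and ends_m.group(1) != "never":
            ends = _parse_stamp(ends_m.group(1).split(None, 1)[1])  # drop the weekday digit
        leases[ip] = {
            "ends": ends,
            # older dhcpd without failover writes no 'binding state' line; a lease
            # that is present and unexpired is then treated as active
            "state": state_m.group(1) if state_m else "active",
            "mac": mac_m.group(1).lower() if mac_m else None,
        }
    return leases


def active_ips(leases, now):
    """Addresses whose latest lease is active and unexpired at `now` (datetime or stamp)."""
    if isinstance(now, str):
        now = _parse_stamp(now)
    ips = [ip for ip, lease in leases.items()
           if lease["state"] == "active" and (lease["ends"] is None or lease["ends"] > now)]
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def render_rules(ips):
    """Default-deny header followed by one pass rule per leased address."""
    return "\n".join(RULE_HEADER + [RULE_TEMPLATE.substitute(IPADDR=ip) for ip in ips]) + "\n"


def rules_from_leases(text, now):
    return render_rules(active_ips(parse_leases(text), now))


if __name__ == "__main__":
    # Assumed usage: dhcp2ipf.py /var/db/dhcpd.leases > /etc/ipf.rules
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEASES
    sys.stdout.write(rules_from_leases(text, datetime.now(timezone.utc)))
```

Run it from the atchange hook (or any file watcher) with the leases file as its argument, write the output to the ipf rules file, and reload with `ipf -Fa -f` so the flush and the new pass rules land in one step. Because the script regenerates the whole file from the current lease state rather than appending, an expired or released lease drops out of the rule set on the next rebuild.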