Firewall Wizards mailing list archives
RE: Re: dhcp altering firewall rules
From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Tue, 8 May 2001 07:32:37 +1000
Firstly: I missed the beginning of this conversation, so may be missing the point.

I can think of a number of situations in which you might want to be able to adjust your rules based on a DHCP lease.

1: Your internet connection is ADSL with PPPoE. (i.e. your ISP provides a DHCP address to the external interface of your home/small office firewall.)

2: You have a small fixed network, and a few laptops which (probably for ease of system configuration) run with DHCP enabled adapters (especially true for WinNT laptops). If these DHCP systems need special firewall access, then I can definitely see a need for DHCP updates.

As for solutions, that really depends on your Firewall software.

Firewall-1:
[This is a grotty hack, and an ugly kludge.]
Assumption: these addresses do not need STATIC NAT.
Trick: Firewall-1 still refers to 'object groups' even in the penultimate rule files (the .pf files).
Method:
Generate two Fw-1 groups: DHCP_Allowed, and DHCP_denied.
Whenever a rule is generated that affects these machines, ALWAYS use the group objects.
Also add denied addresses into DHCP_denied; try not to use this group except as a last resort, as it would complicate the text file modifications.
When an address is allocated, modify the contents of the group DHCP_Allowed in $FWDIR/conf/objects.C
Reload the policy file: fw load <policy>.pf

SunScreen:
Similar to the Firewall-1 kludge, but the configuration is stored in /etc/opt/SUNWicg/....
Trick: SunScreen objects can be modified on the command line.

Gauntlet > 4.0:
Yuck, sorry, this thing is GUI based, and command line changes don't work anymore.

IBM SecureNetGateway:
Grin - this is an ipfilter table. Need to write some perl, but still, it should not be too difficult. (Could even do it in m4!)

ipchains:
iptables:
IPFw:
See SecureNetGateway. Difference is really in the format of each line.

Cisco IOS ACLs (IP FeatureSet or Firewall FeatureSet):
This is dangerous, and not to be tried by the faint hearted.
Trick 1: tftp is your friend.
Trick 2: AAA, and user autocommands.
Trick 3: VERY important: make sure the access list denies access to your tftp server!!! Also run tcp_wrappers on your tftp server.
Method: See SecureNetGateway

Cisco PIX:
See IOS ACLs, but be careful.

In general, the tricky bit isn't getting the firewall to accept a new set of rules; the hard part is doing it without adversely affecting system performance and availability. (No, I am not saying that it is easy, just that it is not "difficult".)

BTW: half the problem is fixed by 'atchange'.

regards,
crispin harris

-----Original Message-----
From: Stephan [mailto:chenette () ccs neu edu]
Sent: Sunday, 6 May 2001 12:41 PM

On Fri, 4 May 2001 bgrubin () speakeasy net wrote:
> I don't understand why you'd want to modify the filtering rules based on
> obtaining a lease from DHCP. An "intruder" could just as easily obtain a
> DHCP address as forge his own, unless you are statically mapping DHCP
> leases to specific hardware via MAC address. If you *are* statically
> assigning all DHCP leases, you could just as easily create a big fat
> static arp table containing all the legit ones, and block dynamic arp
> resolution.

To not allow the dhcp clients to bypass dhcp and set their own static ip address. If they set their own static ip address then they bypass dhcp registration and get net. We don't want this. Initially all ip addresses will not be allowed to pass through the firewall. The dhcp server (which runs on the same machine) will execute firewall rules to open ip addresses as it gives out a lease for a specific ip.

> The only usefulness I could see here is some form of rate limiting or
> other traffic control based on the number of active DHCP leases.
>
> Maybe I'm confused...
>
> Cheers,
> Ben
>
> -- Original Message --
>
> one 'hack' of a solution (not compromise hack, just .. a hack)
>
> use atchange[1] to monitor the dhcp leases file. when it changes, call a
> script that will rebuild the ipf.rules file (ie fill in the blank for
> $IPADDR) and reload the firewall rules.
>
> another solution is to treat your host as a member of a network, the DHCP
> network your provider uses. chances are you won't have problems with
> traffic intended for your neighbors, i think.
>
> resources:
> 1. http://www.lecb.ncifcrf.gov/~toms/atchange.html
>
> ____________________________
> jose nazario jose () cwru edu
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
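A worked version of the lease-driven rebuild the thread talks about (atchange watches the leases file, a script regenerates the lease rules and reloads them), added here as an example and not code from any of the posters. It assumes ISC dhcpd 3.x lease syntax and iptables with the mac match module; the chain name DHCP_ALLOWED and the sample leases are made up for the example.

```sh
#!/bin/sh
# Added example (not from the thread): rebuild a DHCP_ALLOWED iptables chain
# from an ISC dhcpd.leases file (3.x syntax assumed). Each rule is bound to
# the lease MAC as well as its IP, so a client that sets its own static
# address outside DHCP matches nothing. Run it from atchange, as Jose suggests.
# Read a leases file on stdin; print one ACCEPT per active lease, sorted.
# ISC appends a record every time a lease changes, so the last record for
# an address wins and a later "free"/"expired" record drops it again.
gen_lease_rules() {
  awk '
    $1 == "lease" { ip = $2; mac = ""; state = "active" }  # dhcpd 2.x has no state line
    $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
    $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
    $1 == "}" {
      if (ip == "") next
      if (state == "active" && mac != "") seen[ip] = mac
      else delete seen[ip]
      ip = ""
    }
    END {
      for (a in seen)
        printf "iptables -A DHCP_ALLOWED -s %s -m mac --mac-source %s -j ACCEPT\n", a, seen[a]
    }' | sort
}

# Flush only the lease chain and refill it; the static ruleset that jumps
# to DHCP_ALLOWED from FORWARD is never touched (Crispin's "group object" idea).
rebuild_chain() {
  echo "iptables -F DHCP_ALLOWED"
  gen_lease_rules
}

# Constructed sample: .50 active, .51 handed back (free), .52 active.
SAMPLE_LEASES='lease 192.168.1.50 {
  binding state active;
  hardware ethernet 00:11:22:33:44:50;
}
lease 192.168.1.51 {
  binding state active;
  hardware ethernet 00:11:22:33:44:51;
}
lease 192.168.1.51 {
  binding state free;
}
lease 192.168.1.52 {
  binding state active;
  hardware ethernet 00:11:22:33:44:52;
}'
# Usage: dhcp2fw.sh /var/lib/dhcp/dhcpd.leases | sh
if [ -n "${1:-}" ]; then rebuild_chain < "$1"; fi
```

The script only prints the iptables commands, so you can inspect what a lease change would do before piping the output into sh on the firewall.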
Current thread:
- Re: Re: dhcp altering firewall rules Stephan (May 07)
- <Possible follow-ups>
- RE: Re: dhcp altering firewall rules Goldberg, Dan B (May 07)
- RE: Re: dhcp altering firewall rules Crispin Harris (May 08)
- Re: dhcp altering firewall rules George Capehart (May 10)
- Re: dhcp altering firewall rules Stephan (May 10)