Re: Running DHCP on Firewall

From: Capps (capps_at_iozone.org)
Date: 08/13/03


Date: Wed, 13 Aug 2003 15:20:02 GMT

My two cents:

    If I were to run DHCP on the firewall, then I would want inbound
    traffic (from the external NIC) that is coming from port 68 to be
    dropped, and outbound traffic (to the external NIC) that is going
    to UDP port 68 to be dropped.

# Drop DHCP client traffic (source port 68) arriving on the external interface
/sbin/iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP \
        --sport 68 -j DROP
# Drop DHCP server replies (destination port 68) leaving via the external interface
/sbin/iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --dport 68 -j DROP

    Also, start the DHCP server so that it is bound to the internal
    interface.

/usr/sbin/dhcpd $INTERNAL_INTERFACE

    The tricky part is if one is using DHCP and DNS with dynamic updates.
    One needs to be careful to only permit dynamic updates to the DNS
    from the internal network, and not relay these updates to your ISP's
    DNS server :-)
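The two firewall rules and the "only accept dynamic DNS updates from the inside" point above, as one added example that is not part of the original post. It is a small POSIX shell script with a dry-run mode (DRY_RUN=1, the default) that prints the iptables and dhcpd commands instead of executing them, so the rule set can be reviewed first. Interface names (eth0/eth1), the internal subnet (192.168.1.0/24) and the zone name (lan.example) are assumptions. The third iptables rule goes beyond the post: it also drops inbound packets aimed at the DHCP server port (UDP 67) on the external interface, since DHCP uses UDP 67 on the server side and UDP 68 on the client side.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the DHCP containment
# rules for a Linux firewall that also runs dhcpd, and a BIND zone fragment
# that restricts dynamic DNS updates to the internal network.
# Interface names, the subnet and the zone name below are assumptions.
# With DRY_RUN=1 (default) commands are printed rather than executed.

EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"   # assumed: faces the ISP
INTERNAL_INTERFACE="${INTERNAL_INTERFACE:-eth1}"   # assumed: faces the LAN
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"      # assumed LAN range
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# DHCP: UDP 67 is the server port, UDP 68 the client port.
# On the external interface refuse both halves of the exchange:
#  - client requests arriving from the ISP side (sport 68, and dport 67),
#  - server replies leaving towards it (dport 68).
# The dport 67 rule is an addition beyond the post's two rules.
dhcp_edge_rules() {
    run "$IPTABLES" -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp --sport 68 -j DROP
    run "$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp --dport 68 -j DROP
    run "$IPTABLES" -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp --dport 67 -j DROP
}

# Start dhcpd listening only on the internal interface, as the post does.
dhcp_start_internal() {
    run /usr/sbin/dhcpd "$INTERNAL_INTERFACE"
}

# BIND zone fragment: dynamic updates accepted only from INTERNAL_NET.
# (A TSIG key with update-policy is stronger than address matching; this
# shows the address-based restriction the post describes.)
ddns_zone_fragment() {
    zone="${1:-lan.example}"   # assumed zone name
    cat <<EOF
zone "$zone" {
    type master;
    file "$zone.db";
    allow-update { $INTERNAL_NET; };
};
EOF
}

# Number of commands a dry-run of the named function would apply.
rule_count() {
    "$1" | wc -l | tr -d ' '
}

main() {
    dhcp_edge_rules
    dhcp_start_internal
    ddns_zone_fragment lan.example
}

main
```

Run it once as-is to review the generated commands; set DRY_RUN=0 (as root) to apply them. The rules are appended with -A, so they take effect only if no earlier ACCEPT in the INPUT/OUTPUT chains matches DHCP traffic first; check the chain order with `iptables -S` after applying.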

    Note: If you don't know exactly what you are doing with DHCP, then
    don't do it. Your ISP would not like it if you start handing out
    IP addresses that are in its IP block, and may promptly terminate
    your account.

Enjoy,
Don Capps

"Leythos" <void@nowhere.com> wrote in message
news:MPG.19a3ed0a3a02c34f989b60@news-server.columbus.rr.com...
> In article <5fa8f772.0308121344.47f2661@posting.google.com>,
> bobneworleans@yahoo.com says...
> > I'm thinking about setting up a firewall using linux and iptables. Is
> > it considered acceptable practice to run DHCP on the same box?
>
> The only thing that should be running on the firewall box is the
> firewall. If someone makes it through the firewall your DHCP service
> will provide them with a valid IP on your network - do you really think
> that's a good idea?
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
