From: Arnt Karlsen <arnt@c2i.net>
To: netfilter@lists.netfilter.org
Subject: Re: Redirect DHCP requests to DMZ?
Date: Wed, 23 Apr 2003 18:21:31 +0200
Message-ID: <20030423182131.67061da5.arnt@c2i.net>
In-Reply-To: <1051100353.12295.96.camel@elendil.intranet.cartel-securite.net>
On 23 Apr 2003 14:19:13 +0200,
Cedric Blancher <blancher@cartel-securite.fr> wrote in message
<1051100353.12295.96.camel@elendil.intranet.cartel-securite.net>:
> On Wed 23/04/2003 at 12:08, Carsten Maass wrote:
> > Local LAN (192.168.20.*)
> > |
> > |
> > Switch
> > |
> > |
> > Router/Firewall ---- DMZ (192.168.21.*)
> > |
> > |
> > |
> > Internet
> >
> > Everything runs smoothly, except for one thing: I am unable to
> > redirect DHCP request from the clients on the local LAN to the DHCP
> > server inside the DMZ.
>
> You'll achieve this by setting a DHCP relay up. Due to what they are,
> DHCP packets cannot be routed through different IP networks (mainly
> because of the destination addresses that are used).
>
> But this kind of setup is not secure. If someone breaks into your DMZ,
> he will be able to have your LAN's configuration, and even tamper with it,
> acting on DHCP stuff. That's _very bad_. A DMZ compromise must not
> endanger the rest of the network's security.
>
..to put it short: get that dhcp server out of your dmz box
and into a lan box (or maybe the firewall).
..the dmz is _only_ for stuff you want me, Saddam, Osama bin Laden,
Bill Gates, the script kiddies and the FBI to see. Here, I speak
with authority; neither of us needs your dhcp server. ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
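Cedric's point above is that a DHCP DISCOVER leaves the client as a link-local broadcast (source 0.0.0.0, destination 255.255.255.255), so a router cannot forward it into another subnet; a relay agent has to receive it on the LAN segment, stamp its own address into the BOOTP giaddr field, and unicast it to the server, then do the reverse for the reply. The following is an added example, not code from this thread or from any of the posters, showing that forwarding logic on constructed packets. It assumes the topology from Carsten's diagram, with the relay running on the router/firewall at 192.168.20.1 on its LAN-facing interface (eth0) and the DHCP server at 192.168.21.10 inside the DMZ; both addresses and the interface name are assumptions. The relay has no entry for the DMZ-facing interface, so nothing arriving from the DMZ is ever relayed, which is the minimum containment Cedric's warning calls for if the server stays there.

```python
import socket
import struct

# Fixed-size BOOTP header (RFC 951 / RFC 2131): 236 bytes, DHCP options follow.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)   # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
FLAG_BROADCAST = 0x8000
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68

# Constructed topology taken from the thread: LAN 192.168.20.0/24, DMZ 192.168.21.0/24.
# The relay only serves its LAN-facing interface; the DMZ-facing interface is
# deliberately absent from this map, so requests arriving from the DMZ are dropped.
RELAY_IFACES = {"eth0": "192.168.20.1"}   # assumed: iface -> relay address on that segment
DHCP_SERVER = "192.168.21.10"             # assumed: DHCP server address inside the DMZ


def parse_bootp(pkt):
    """Decode the fixed BOOTP header into a dict; IP fields as dotted strings."""
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
        "secs": secs, "flags": flags,
        "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr), "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": chaddr[:hlen], "options": pkt[BOOTP_LEN:],
    }


def build_bootp(op, xid, mac, flags=0, yiaddr="0.0.0.0", giaddr="0.0.0.0", msg_type=1):
    """Build a minimal DHCP packet (constructed test input, not captured traffic)."""
    hdr = struct.pack(BOOTP_FMT, op, 1, len(mac), 0, xid, 0, flags,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4,
                      socket.inet_aton(giaddr), mac.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    options = MAGIC_COOKIE + bytes([53, 1, msg_type, 255])   # option 53 + END
    return hdr + options


def relay_to_server(pkt, ingress_iface, relay_ifaces=RELAY_IFACES,
                    server_ip=DHCP_SERVER, max_hops=4):
    """Client -> server direction. Returns (rewritten_pkt, (dst_ip, dst_port)) or None."""
    relay_ip = relay_ifaces.get(ingress_iface)
    if relay_ip is None:
        return None                      # not a segment we relay for (e.g. the DMZ side)
    f = parse_bootp(pkt)
    if f["op"] != BOOTREQUEST or f["hops"] >= max_hops:
        return None
    out = bytearray(pkt)
    out[3] = f["hops"] + 1               # hops counter
    if f["giaddr"] == "0.0.0.0":         # first relay stamps its own address (RFC 1542)
        out[24:28] = socket.inet_aton(relay_ip)
    return bytes(out), (server_ip, DHCP_SERVER_PORT)


def relay_to_client(pkt, relay_ifaces=RELAY_IFACES):
    """Server -> client direction. Returns (egress_iface, dst_ip, dst_port) or None."""
    f = parse_bootp(pkt)
    if f["op"] != BOOTREPLY:
        return None
    egress = next((i for i, ip in relay_ifaces.items() if ip == f["giaddr"]), None)
    if egress is None:
        return None                      # reply not addressed to one of our relay addresses
    if f["flags"] & FLAG_BROADCAST or f["yiaddr"] == "0.0.0.0":
        dst = "255.255.255.255"          # client cannot receive unicast yet
    else:
        dst = f["yiaddr"]                # unicast the offered address to the client's chaddr
    return egress, dst, DHCP_CLIENT_PORT


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"
    discover = build_bootp(BOOTREQUEST, 0x1234, mac, flags=FLAG_BROADCAST)
    print("LAN client request relayed to:", relay_to_server(discover, "eth0")[1])
    print("same request from DMZ side:   ", relay_to_server(discover, "eth1"))
    offer = build_bootp(BOOTREPLY, 0x1234, mac, yiaddr="192.168.20.50",
                        giaddr="192.168.20.1", msg_type=2)
    print("server offer goes out via:    ", relay_to_client(offer))
```

The giaddr stamp is what lets the server choose the 192.168.20.0/24 scope and reply by unicast to the relay instead of to a broadcast it could never receive; it is also exactly the field an attacker on the DMZ could forge if the relay accepted requests from that side, which is why the interface map is the control here rather than an afterthought.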
Thread overview: 7+ messages
2003-04-23 10:08 Redirect DHCP requests to DMZ? Carsten Maass
2003-04-23 12:19 ` Cedric Blancher
2003-04-23 16:21 ` Arnt Karlsen [this message]
2003-04-23 17:47 ` Carsten Maass
2003-04-23 16:58 ` Carsten Maass
2003-04-23 17:58 ` Jesper Lund
2003-04-24 9:00 ` Cedric Blancher