From: Pascal Italiaander <pc-secure@home.nl>
To: netfilter@lists.netfilter.org
Subject: Re: bootpc
Date: Thu, 5 Jun 2003 21:35:55 +0200	[thread overview]
Message-ID: <200306052135.55070.pc-secure@home.nl> (raw)
In-Reply-To: <3EDF2F41.8080505@ncl.ac.uk>

On Thursday 5 June 2003 13:53, Matthew Pocock wrote:
> Hi,
>
> I've set up my bridge+firewall, and everything is hunky-dory. I am doing
> stateful filtering. I let all traffic out, and all related/established
> traffic in. Then, I only allow new icmp & tcp:ssh connections in.
>
> To get windows 95 & 98 PCs on the inside to boot & join the network, I
> had to open up udp ports bootps & bootpc for new connections
> originating from the outside. I don't know the finer details about how
> these protocols work, but presumably they are connecting to the booting
> PC in response to some DHCP request it has made. Is there some module I
> should have loaded that would flag these connections as RELATED to some
> outgoing connection? Have I done something silly? Is this even possible?
>
> Thanks,
>
> Matthew

It's possible, but a connection originating from the outside to boot your
internal PC, no way. ?? A request for DHCP should originate from the
inside (your Win95 + 98), and the reply should come from the outside.

No, you don't have to load a module.

But you're very warm; there should be a rule to track these connections.
example:

IPTABLES=/sbin/iptables          # path to the iptables binary
DHCP_SERVER="211.124.45.2"

# Client request out: udp from port 68 (bootpc) to the server's port 67 (bootps)
${IPTABLES} -A OUTPUT -p udp -s 0/0 -d ${DHCP_SERVER} --sport 68 --dport 67 \
  -m state --state NEW -j ACCEPT

# Server reply in: udp from the server's port 67 back to port 68, only as part of a tracked request
${IPTABLES} -A INPUT -p udp -s ${DHCP_SERVER} -d 0/0 --sport 67 --dport 68 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

Hmm.. silly? No, silly are the people who don't ask, but just do.

Pascal
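Since the thread turns on why a booting PC's DHCP exchange does not show up as ESTABLISHED or RELATED, here is an added example, not code from either poster, that models the connection-tracking lookup which decides that. It assumes only that UDP tracking pairs a reply with its request by exact reversed 4-tuple; the client address 192.168.1.20 is a constructed value.

```python
# Added example (not code from either poster): a simplified model of how
# iptables connection tracking pairs a UDP reply with its request, applied
# to the DHCP exchange discussed above.  Conntrack stores the first packet's
# 4-tuple (src, sport, dst, dport) and treats only its exact reverse as the
# reply; any other packet opens a NEW flow.  Timeouts are left out, and all
# addresses except the thread's DHCP server are constructed for the example.

def reverse(flow):
    """Reply direction of a (src, sport, dst, dport) tuple."""
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)

class ConntrackModel:
    """Classify UDP packets as NEW or ESTABLISHED by exact 4-tuple lookup."""

    def __init__(self):
        self.flows = {}  # original tuple -> True once a reply has been seen

    def classify(self, pkt):
        if pkt in self.flows:  # same direction as a known flow
            return "ESTABLISHED" if self.flows[pkt] else "NEW"
        rev = reverse(pkt)
        if rev in self.flows:  # exact reverse of a known flow: the reply
            self.flows[rev] = True
            return "ESTABLISHED"
        self.flows[pkt] = False  # unseen tuple: new entry, no reply yet
        return "NEW"

DHCP_SERVER = "211.124.45.2"  # the server address used in the thread
BROADCAST = "255.255.255.255"

def renewal_reply_state():
    """Lease renewal: a client that already has an address talks unicast."""
    ct = ConntrackModel()
    ct.classify(("192.168.1.20", 68, DHCP_SERVER, 67))  # REQUEST out
    return ct.classify((DHCP_SERVER, 67, "192.168.1.20", 68))  # ACK back in

def initial_offer_state():
    """First boot: the client has no address yet, so it broadcasts DISCOVER."""
    ct = ConntrackModel()
    ct.classify(("0.0.0.0", 68, BROADCAST, 67))  # DISCOVER out
    # The server answers from its own address, which is not the reverse of
    # 0.0.0.0:68 -> 255.255.255.255:67, so conntrack cannot pair the OFFER.
    return ct.classify((DHCP_SERVER, 67, BROADCAST, 68))  # OFFER back in
```

A unicast renewal from a client that already holds a lease is paired as ESTABLISHED, while the broadcast DISCOVER/OFFER of a freshly booted client is not. That is why the narrow way to admit the first lease is a reply rule limited to the DHCP server's address, source port 67 and destination port 68, rather than NEW udp on bootpc from any outside host.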