* bootpc
@ 2003-06-05 11:53 Matthew Pocock
2003-06-05 19:35 ` bootpc Pascal Italiaander
0 siblings, 1 reply; 4+ messages in thread
From: Matthew Pocock @ 2003-06-05 11:53 UTC (permalink / raw)
To: netfilter
Hi,
I've set up my bridge+firewall, and everything is hunky-dory. I am doing
stateful filtering. I let all traffic out, and all related/established
traffic in. Then, I only allow new icmp & tcp:ssh connections in.
To get windows 95 & 98 PCs on the inside to boot & join the network, I
had to open up udp ports bootps & bootpc for new connections
originating from the outside. I don't know the finer details about how
these protocols work, but presumably they are connecting to the booting
PC in response to some DHCP request it has made. Is there some module I
should have loaded that would flag these connections as RELATED to some
outgoing connection? Have I done something silly? Is this even possible?
Thanks,
Matthew
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: bootpc
2003-06-05 11:53 bootpc Matthew Pocock
@ 2003-06-05 19:35 ` Pascal Italiaander
2003-06-06 9:26 ` bootpc Matthew Pocock
0 siblings, 1 reply; 4+ messages in thread
From: Pascal Italiaander @ 2003-06-05 19:35 UTC (permalink / raw)
To: netfilter
On Thursday 5 June 2003 13:53, Matthew Pocock wrote:
> Hi,
>
> I've set up my bridge+firewall, and everything is hunky-dory. I am doing
> stateful filtering. I let all traffic out, and all related/established
> traffic in. Then, I only allow new icmp & tcp:ssh connections in.
>
> To get windows 95 & 98 PCs on the inside to boot & join the network, I
> had to open up udp ports bootps & bootpc for new connections
> originating from the outside. I don't know the finer details about how
> these protocols work, but presumably they are connecting to the booting
> PC in response to some DHCP request it has made. Is there some module I
> should have loaded that would flag these connections as RELATED to some
> outgoing connection? Have I done something silly? Is this even possible?
>
> Thanks,
>
> Matthew
It's possible, but a connection originating from the outside to boot your
internal PC, no way. ?? A request for DHCP should be originating from the
inside (your win95 + 98), and the reply should come from the outside.
No, you don't have to load a module.
But you're very warm, there should be a rule to track these connections.
example:
DHCP_SERVER="211.124.45.2"
# client request out: source port 68 (bootpc) to the server's port 67 (bootps)
${IPTABLES} -A OUTPUT -p udp -s 0/0 -d ${DHCP_SERVER} --sport 68 --dport 67 \
    -m state --state NEW -j ACCEPT
# server reply in: from the server's port 67 back to the client's port 68
${IPTABLES} -A INPUT -p udp -s ${DHCP_SERVER} -d 0/0 --sport 67 --dport 68 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
hmm.. silly? NO, silly are the people who don't ask, but just do.
Pascal
* Re: bootpc
2003-06-05 19:35 ` bootpc Pascal Italiaander
@ 2003-06-06 9:26 ` Matthew Pocock
2003-06-06 10:20 ` bootpc Pascal Italiaander
0 siblings, 1 reply; 4+ messages in thread
From: Matthew Pocock @ 2003-06-06 9:26 UTC (permalink / raw)
To: Pascal Italiaander; +Cc: netfilter
Thanks Pascal,
I think the PCs here 'discover' the DNS servers. This makes it tricky to
have a DHCP_SERVER variable in the iptables script. I'm wondering if on
boot, the pc sends out a broadcast for DHCP servers, and one (or more)
responds on port 68:69, but that the STATE module doesn't associate the
response with the broadcast.
Time to read more about dhcp.
Matthew
>It's possible, but a connection originating from the outside to boot your
>internal PC, no way. ?? A request for DHCP should be originating from the
>inside (your win95 + 98), and the reply should come from the outside.
>
>No, you don't have to load a module.
>
>But you're very warm, there should be a rule to track these connections.
>example:
>
>DHCP_SERVER="211.124.45.2"
>
>${IPTABLES} -A OUTPUT -p udp -s 0/0 -d ${DHCP_SERVER} --sport 68 --dport 67 \
>-m state --state NEW -j ACCEPT
>
>${IPTABLES} -A INPUT -p udp -s ${DHCP_SERVER} -d 0/0 --sport 67 --dport 68 \
>-m state --state ESTABLISHED,RELATED -j ACCEPT
>
>hmm.. silly NO , silly are the people who don't ask , but just do.
>
>Pascal
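Matthew's suspicion about the broadcast is the crux of the problem. As an added illustration (not part of the thread), the following Python models the tuple lookup behind the iptables state match: the DHCPOFFER is not the mirror image of the broadcast DISCOVER recorded by conntrack, so it can only be classified NEW, whereas a later unicast renewal does match as ESTABLISHED. The addresses are constructed and the model ignores timeouts.

```python
from collections import namedtuple

# Toy model of the conntrack tuple lookup behind the iptables "-m state" match.
# Added example for this thread, not code from it; addresses are constructed.
Flow = namedtuple("Flow", "proto src sport dst dport")


def reverse(flow):
    """Reply tuple conntrack expects: addresses and ports swapped."""
    return Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)


def classify(table, pkt):
    """Return NEW or ESTABLISHED for pkt and update the tracking table.

    table maps an original-direction tuple to True once a reply was seen.
    """
    if pkt in table:
        # Same direction again: still NEW until a reply has been seen.
        return "ESTABLISHED" if table[pkt] else "NEW"
    for orig in table:
        if reverse(orig) == pkt:
            table[orig] = True          # reply seen, connection confirmed
            return "ESTABLISHED"
    table[pkt] = False                  # unknown tuple: starts a new entry
    return "NEW"


def dhcp_states(server="10.0.0.1", client="10.0.0.50"):
    """Classify the replies of an initial DHCP boot and of a later renewal."""
    table = {}
    # Boot: DISCOVER is broadcast from 0.0.0.0:68; the OFFER comes back from the
    # server's own address, so it is not the reverse of what was recorded.
    discover = Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67)
    offer = Flow("udp", server, 67, "255.255.255.255", 68)
    boot = (classify(table, discover), classify(table, offer))
    # Renewal: the client has an address and talks unicast to the server it
    # knows, so the ACK is the exact mirror of the REQUEST and matches.
    request = Flow("udp", client, 68, server, 67)
    ack = Flow("udp", server, 67, client, 68)
    renew = (classify(table, request), classify(table, ack))
    return boot, renew


if __name__ == "__main__":
    boot, renew = dhcp_states()
    print("boot   DISCOVER/OFFER :", boot)    # ('NEW', 'NEW')
    print("renew  REQUEST/ACK    :", renew)   # ('NEW', 'ESTABLISHED')
```

This is why the OFFER needs its own accept rule on udp dport 68, as Matthew found, while a per-server rule like Pascal's only covers the unicast traffic that follows.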
* Re: bootpc
2003-06-06 9:26 ` bootpc Matthew Pocock
@ 2003-06-06 10:20 ` Pascal Italiaander
0 siblings, 0 replies; 4+ messages in thread
From: Pascal Italiaander @ 2003-06-06 10:20 UTC (permalink / raw)
To: Matthew Pocock; +Cc: Netfilter
Sorry to disappoint you, but your comment was that you needed to open ports
bootps and bootpc; these protocols are only used for dhcp_discover and reply.
That's why I commented that it should be initiated from inside, not from outside.
Discover inside (win95 + 98), and reply back from outside.
Since you use a bridge, filtering will be done only on 1 interface.
The rule I made is based on that.
Personally I use OpenBSD as Bridge and Iptables for a Router/firewall behind it,
more stable and has better filtering for bridges, but again this is my
personal flavour.
And 'discover' for DNS-server should be port 53.
View /etc/services: less /etc/services
Pascal
> I think the PCs here 'discover' the DNS servers. This makes it tricky to
> have a DHCP_SERVER variable in the iptables script. I'm wondering if on
> boot, the pc sends out a broadcast for DHCP servers, and one (or more)
> responds on port 68:69, but that the STATE module doesn't associate the
> response with the broadcast.
>
> Time to read more about dhcp.
>
> Matthew
>
> >It's possible, but a connection originating from the outside to boot
> > your internal PC, no way. ?? A request for DHCP should be originating
> > from the inside (your win95 + 98), and the reply should come from the
> > outside.
> >
> >No, you don't have to load a module.
> >
> >But you're very warm, there should be a rule to track these connections.
> >example:
> >
> >DHCP_SERVER="211.124.45.2"
> >
> >${IPTABLES} -A OUTPUT -p udp -s 0/0 -d ${DHCP_SERVER} --sport 68 --dport 67 \
> >    -m state --state NEW -j ACCEPT
> >
> >${IPTABLES} -A INPUT -p udp -s ${DHCP_SERVER} -d 0/0 --sport 67 --dport 68 \
> >    -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >hmm.. silly NO , silly are the people who don't ask , but just do.
> >
> >Pascal