* rules for dhcp server
@ 2005-09-20 12:36 Askar
2005-09-20 12:40 ` Edmundo Carmona
2005-09-20 13:46 ` /dev/rob0
0 siblings, 2 replies; 4+ messages in thread
From: Askar @ 2005-09-20 12:36 UTC (permalink / raw)
To: lists.netfilter.org
hi list
I'm configuring a firewall on a DHCP server; I'm a bit confused about which port to
allow on INPUT so that users (clients) get an IP from the server.
From /etc/services...
bootps 67/tcp dhcps #Bootstrap Protocol Server
bootps 67/udp dhcps #Bootstrap Protocol Server
bootpc 68/tcp dhcpc #Bootstrap Protocol Client
bootpc 68/udp dhcpc #Bootstrap Protocol Client
dhcpv6-client 546/tcp #DHCPv6 Client
dhcpv6-client 546/udp #DHCPv6 Client
dhcpv6-server 547/tcp #DHCPv6 Server
dhcpv6-server 547/udp #DHCPv6 Server
A lot of other services are running on this machine; however, I'm very clear
about all the other services, i.e. which ports to allow etc.
All the client machines are running MS. Therefore any other good suggestion
will be appreciated to make the network efficient.
regards
Askar
--
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
* Re: rules for dhcp server
2005-09-20 12:36 rules for dhcp server Askar
@ 2005-09-20 12:40 ` Edmundo Carmona
2005-09-20 13:46 ` /dev/rob0
1 sibling, 0 replies; 4+ messages in thread
From: Edmundo Carmona @ 2005-09-20 12:40 UTC (permalink / raw)
To: netfilter
Check with netstat to see what port dhcpd is listening on. Something like
netstat -lutpn | grep dhcp
will do.
On 9/20/05, Askar <askarali@gmail.com> wrote:
> hi list
>
> I'm configuring a firewall on a DHCP server; I'm a bit confused about which port to
> allow on INPUT so that users (clients) get an IP from the server.
>
> From /etc/services...
>
> bootps 67/tcp dhcps #Bootstrap Protocol Server
> bootps 67/udp dhcps #Bootstrap Protocol Server
> bootpc 68/tcp dhcpc #Bootstrap Protocol Client
> bootpc 68/udp dhcpc #Bootstrap Protocol Client
> dhcpv6-client 546/tcp #DHCPv6 Client
> dhcpv6-client 546/udp #DHCPv6 Client
> dhcpv6-server 547/tcp #DHCPv6 Server
> dhcpv6-server 547/udp #DHCPv6 Server
>
> A lot of other services are running on this machine; however, I'm very clear
> about all the other services, i.e. which ports to allow etc.
> All the client machines are running MS. Therefore any other good suggestion
> will be appreciated to make the network efficient.
>
> regards
>
> Askar
> --
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)
>
* Re: rules for dhcp server
2005-09-20 12:36 rules for dhcp server Askar
2005-09-20 12:40 ` Edmundo Carmona
@ 2005-09-20 13:46 ` /dev/rob0
2005-09-21 4:32 ` Askar
1 sibling, 1 reply; 4+ messages in thread
From: /dev/rob0 @ 2005-09-20 13:46 UTC (permalink / raw)
To: netfilter
On Tuesday 20 September 2005 07:36, Askar wrote:
> I'm configuring a firewall on a DHCP server; I'm a bit confused about which
> port to allow on INPUT so that users (clients) get an IP from the server.
>
> From /etc/services...
>
> bootps 67/tcp dhcps #Bootstrap Protocol Server
> bootps 67/udp dhcps #Bootstrap Protocol Server
> bootpc 68/tcp dhcpc #Bootstrap Protocol Client
> bootpc 68/udp dhcpc #Bootstrap Protocol Client
The server binds 67/udp, client binds 68/udp. TCP is not used.
> dhcpv6-client 546/tcp #DHCPv6 Client
> dhcpv6-client 546/udp #DHCPv6 Client
> dhcpv6-server 547/tcp #DHCPv6 Server
> dhcpv6-server 547/udp #DHCPv6 Server
I don't know about this but I bet it's also UDP-only. If you're not
using IPv6 addressing then you do not care.
> A lot of other services are running on this machine; however, I'm very
> clear about all the other services, i.e. which ports to allow etc.
On the server machine you must allow connections to your 67/udp from
68/udp. Some of these (renewals) will come addressed to the IP of your
dhcpd; others (broadcasts) will come to 255.255.255.255. The origin
IPs for such broadcasts are 0.0.0.0.
DHCP service is generally a good thing to keep behind a firewall, IMO.
Mine at home is running on a server which gets pass-through DNAT from
the external router, so I had to be tricky about this. If the source
address is not in my LAN segment I handle it as an external packet, but
that was a problem for DHCP. I simply accept all from 255.255.255.255
(those won't pass through the external router anyway), but if you want
to tighten it up you could try this:
iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 \
-p udp --sport 68 --dport 67 -j ACCEPT
> All the client machines are running MS. Therefore any other good
> suggestion will be appreciated to make the network efficient.
Get rid of all the MS machines. :)
Only bind your DHCP service to the interface[s] where you intend to
offer DHCP.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: rules for dhcp server
2005-09-20 13:46 ` /dev/rob0
@ 2005-09-21 4:32 ` Askar
0 siblings, 0 replies; 4+ messages in thread
From: Askar @ 2005-09-21 4:32 UTC (permalink / raw)
To: netfilter
Thanks, your reply really helps..
On 9/20/05, /dev/rob0 <rob0@gmx.co.uk> wrote:
>
> On Tuesday 20 September 2005 07:36, Askar wrote:
> > I'm configuring a firewall on a DHCP server; I'm a bit confused about which
> > port to allow on INPUT so that users (clients) get an IP from the server.
> >
> > From /etc/services...
> >
> > bootps 67/tcp dhcps #Bootstrap Protocol Server
> > bootps 67/udp dhcps #Bootstrap Protocol Server
> > bootpc 68/tcp dhcpc #Bootstrap Protocol Client
> > bootpc 68/udp dhcpc #Bootstrap Protocol Client
>
> The server binds 67/udp, client binds 68/udp. TCP is not used.
>
> > dhcpv6-client 546/tcp #DHCPv6 Client
> > dhcpv6-client 546/udp #DHCPv6 Client
> > dhcpv6-server 547/tcp #DHCPv6 Server
> > dhcpv6-server 547/udp #DHCPv6 Server
>
> I don't know about this but I bet it's also UDP-only. If you're not
> using IPv6 addressing then you do not care.
>
> > A lot of other services are running on this machine; however, I'm very
> > clear about all the other services, i.e. which ports to allow etc.
>
> On the server machine you must allow connections to your 67/udp from
> 68/udp. Some of these (renewals) will come addressed to the IP of your
> dhcpd; others (broadcasts) will come to 255.255.255.255. The origin
> IPs for such broadcasts are 0.0.0.0.
>
> DHCP service is generally a good thing to keep behind a firewall, IMO.
> Mine at home is running on a server which gets pass-through DNAT from
> the external router, so I had to be tricky about this. If the source
> address is not in my LAN segment I handle it as an external packet, but
> that was a problem for DHCP. I simply accept all from 255.255.255.255
> (those won't pass through the external router anyway), but if you want
> to tighten it up you could try this:
>
> iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 \
> -p udp --sport 68 --dport 67 -j ACCEPT
However, running tcpdump -n -i eth0 udp port 67 gives me....
09:21:55.685883 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:07:e9:60:a8:db, length: 300
09:21:56.000922 IP 192.168.1.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP,
Reply, length: 300
It's a client requesting an IP from the DHCP server, 0.0.0.0:bootpc. Grepping
bootpc from /etc/services gives..
bootps 67/tcp dhcps #Bootstrap Protocol Server
bootps 67/udp dhcps #Bootstrap Protocol Server
but not --sport 68; it means the client request is also coming from --sport 67.
Therefore I think I must go with ..
iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 \
-p udp --dport 67 -j ACCEPT
without specifying any --sport.
Thanks and regards
Askar
> > All the client machines are running MS. Therefore any other good
> > suggestion will be appreciated to make the network efficient.
>
> Get rid of all the MS machines. :)
We are trying but it will take time :)
> Only bind your DHCP service to the interface[s] where you intend to
> offer DHCP.
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
>
>
--
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
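The two technical points in this thread are /dev/rob0's description of the INPUT traffic a dhcpd must accept (broadcast requests from 0.0.0.0:68 to 255.255.255.255:67, plus unicast renewals from clients to the server's own IP, UDP only, and only on the interface where DHCP is offered) and Askar's tcpdump output, where ports are printed as the /etc/services names bootpc and bootps. The block below is an added example written for this page, not code from the thread or from netfilter: it models a small INPUT chain in iptables terms (first match wins, DROP policy), parses constructed tcpdump lines in the format Askar posted, resolves the service names to port numbers, and reports which rule each packet hits. The interface name eth0, the LAN 192.168.1.0/24, the server address 192.168.1.1 and the MAC address in the sample lines are all constructed assumptions, and the protocol guess from the tcpdump payload description is a heuristic for this sample only.

```python
"""Added example (not code from the thread): an iptables-style matcher for the
INPUT rules /dev/rob0 describes, run over constructed tcpdump-format lines
like the ones Askar posted.  Pure model; no real netfilter is touched."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# tcpdump without -nn prints these /etc/services names instead of port numbers.
SERVICE_PORTS = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One INPUT rule; a None field means the option was not given (match any)."""
    target: str
    proto: Optional[str] = None
    iface: Optional[str] = None   # -i
    src: Optional[str] = None     # -s, address or CIDR
    dst: Optional[str] = None     # -d, address or CIDR
    sport: Optional[int] = None   # --sport
    dport: Optional[int] = None   # --dport

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, spec: Optional[str]) -> bool:
            return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        return ((self.proto is None or self.proto == p.proto)
                and (self.iface is None or self.iface == p.iface)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): (?P<rest>.*)$")


def port_number(token: str) -> int:
    """Resolve a service name the way /etc/services does (bootpc -> 68, bootps -> 67)."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_tcpdump(line: str, iface: str = "eth0") -> Packet:
    """Parse one tcpdump line in the thread's format.  The capturing interface is
    not in the line, so it is passed in; the protocol is inferred from the payload
    description (assumption: 'BOOTP/DHCP' and 'UDP' mean UDP, anything else TCP)."""
    m = TCPDUMP_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    proto = "udp" if m["rest"].startswith(("BOOTP/DHCP", "UDP")) else "tcp"
    return Packet(iface, proto, m["src"], port_number(m["sport"]),
                  m["dst"], port_number(m["dport"]))


def verdict(chain, packet: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, like an iptables chain with the given policy."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy


# INPUT chain for a dhcpd at 192.168.1.1 on eth0 (constructed values).
# Rule 1 is the tightened broadcast rule from the thread; rule 2 admits the
# unicast renewals addressed to the server, limited to the LAN segment and to
# the interface DHCP is offered on.  TCP/67 and other interfaces fall to DROP.
LAN_IFACE, LAN_NET, SERVER_IP = "eth0", "192.168.1.0/24", "192.168.1.1"
INPUT_CHAIN = [
    Rule("ACCEPT", proto="udp", iface=LAN_IFACE, src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67),
    Rule("ACCEPT", proto="udp", iface=LAN_IFACE, src=LAN_NET, dst=SERVER_IP, sport=68, dport=67),
]

# Constructed sample capture in the thread's format (timestamps and MAC made up).
SAMPLE_LINES = [
    "09:21:55.685883 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:00:00:00:01, length: 300",
    "09:30:02.000100 IP 192.168.1.50.bootpc > 192.168.1.1.bootps: BOOTP/DHCP, Request from 00:00:00:00:00:01, length: 300",
    "09:30:05.000200 IP 192.168.1.50.4000 > 192.168.1.1.bootps: Flags [S], seq 1, length 0",
]


def classify_capture(lines, iface: str = "eth0"):
    """Return (packet, verdict) pairs for each tcpdump line."""
    return [(p, verdict(INPUT_CHAIN, p)) for p in (parse_tcpdump(l, iface) for l in lines)]


if __name__ == "__main__":
    for pkt, v in classify_capture(SAMPLE_LINES):
        print(f"{v:6} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} on {pkt.iface}")
```

Running it shows the broadcast discover and the unicast renewal accepted by rules 1 and 2 respectively, while the TCP connection to port 67 falls through to the DROP policy; feeding the same discover line with iface="eth1" is also dropped, which is the effect of binding the accept rules to the interface DHCP is served on.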