From: Askar <askarali@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: rules for dhcp server
Date: Wed, 21 Sep 2005 09:32:07 +0500
Message-ID: <a0f69e5050920213225e20e33@mail.gmail.com>
In-Reply-To: <200509200846.37890.rob0@gmx.co.uk>

Thanks, your reply really helps..

On 9/20/05, /dev/rob0 <rob0@gmx.co.uk> wrote:
> 
> On Tuesday 20 September 2005 07:36, Askar wrote:
> > I'm configuring a firewall on a DHCP server. I'm a bit confused about which
> > port to allow on INPUT so that users (clients) get an IP from the server.
> >
> > From /etc/services...
> >
> > bootps 67/tcp dhcps #Bootstrap Protocol Server
> > bootps 67/udp dhcps #Bootstrap Protocol Server
> > bootpc 68/tcp dhcpc #Bootstrap Protocol Client
> > bootpc 68/udp dhcpc #Bootstrap Protocol Client
> 
> The server binds 67/udp, client binds 68/udp. TCP is not used.
> 
> > dhcpv6-client 546/tcp #DHCPv6 Client
> > dhcpv6-client 546/udp #DHCPv6 Client
> > dhcpv6-server 547/tcp #DHCPv6 Server
> > dhcpv6-server 547/udp #DHCPv6 Server
> 
> I don't know about this but I bet it's also UDP-only. If you're not
> using IPv6 addressing then you do not care.
> 
> > A lot of other services are running on this machine; however, I'm very
> > clear about all the other services, i.e. which ports to allow etc.
> 
> On the server machine you must allow connections to your 67/udp from
> 68/udp. Some of these (renewals) will come addressed to the IP of your
> dhcpd; others (broadcasts) will come to 255.255.255.255. The origin
> IPs for such broadcasts are 0.0.0.0.
> 
> DHCP service is generally a good thing to keep behind a firewall, IMO.
> Mine at home is running on a server which gets pass-through DNAT from
> the external router, so I had to be tricky about this. If the source
> address is not in my LAN segment I handle it as an external packet, but
> that was a problem for DHCP. I simply accept all from 255.255.255.255
> (those won't pass through the external router anyway), but if you want
> to tighten it up you could try this:
> 
> iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 \
>   -p udp --sport 68 --dport 67 -j ACCEPT


However, running tcpdump -n -i eth0 udp port 67 gives me...
09:21:55.685883 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, 
Request from 00:07:e9:60:a8:db, length: 300

It's a client requesting an IP from the DHCP server, 0.0.0.0:bootpc. Grepping
bootpc from /etc/services gives...
bootps 67/tcp dhcps #Bootstrap Protocol Server
bootps 67/udp dhcps #Bootstrap Protocol Server

but not --sport 68, so it means client requests are also coming from --sport 67.
Therefore I think I must go with...
iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 \
  -p udp --dport 67 -j ACCEPT

without specifying --sport.

Thanks and regards

Askar

09:21:56.000922 IP 192.168.1.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, 
Reply, length: 300


> > All the client machines are running MS. Therefore any other good
> > suggestion will be appreciated to make the network efficient.
> 
> Get rid of all the MS machines. :)


We are trying, but it will take time :)


> Only bind your DHCP service to the interface[s] where you intend to
> offer DHCP.
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
> 
> 


-- 
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
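
Added example, not part of the thread or of any poster's code: a small Python model of the tcpdump lines and the iptables rule discussed above, so the port question can be checked offline. It resolves tcpdump's service names through the same /etc/services entries quoted in the thread (bootps 67/udp, bootpc 68/udp), replays the captured broadcast request plus a constructed unicast renewal through rob0's broadcast-only rule, and shows that a second rule for renewals addressed to the dhcpd's own IP is needed. The server address 192.168.1.1 is taken from the reply line in the capture; the renewal line, the 192.168.1.50 client and the DROP policy are assumptions made for the example.

```python
import re

# Constructed lookup table: the two /etc/services entries the thread quotes.
# DHCP uses UDP only; the server binds 67 (bootps), the client 68 (bootpc).
SERVICES = {"bootps": 67, "bootpc": 68}

SERVER_IP = "192.168.1.1"  # assumed address of the dhcpd host (from the reply line)

# Constructed sample capture, modelled on the tcpdump lines in the message.
# Line 1: a broadcast request from a client that has no address yet.
# Line 2: the server's broadcast reply (it leaves the box, so never hits INPUT).
# Line 3: a unicast renewal from a client that already holds a lease,
#         addressed to the dhcpd's own IP (assumed client 192.168.1.50).
CAPTURE = """\
09:21:55.685883 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:07:e9:60:a8:db, length: 300
09:21:56.000922 IP 192.168.1.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300
09:25:01.120000 IP 192.168.1.50.bootpc > 192.168.1.1.bootps: BOOTP/DHCP, Request from 00:07:e9:60:a8:db, length: 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+): (?P<rest>.*)$"
)


def port_number(name):
    """Resolve a port as tcpdump prints it: numeric, or a service name."""
    if name.isdigit():
        return int(name)
    if name not in SERVICES:
        raise ValueError("unknown service name: %s" % name)
    return SERVICES[name]


def parse_line(line):
    """Turn one tcpdump line into a packet dict with numeric ports."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump IP line: %r" % line)
    return {
        "src": m.group("src"),
        "sport": port_number(m.group("sport")),
        "dst": m.group("dst"),
        "dport": port_number(m.group("dport")),
        "kind": "reply" if "Reply" in m.group("rest") else "request",
    }


def make_rule(src=None, dst=None, sport=None, dport=None, target="ACCEPT"):
    """Minimal model of one 'iptables -A INPUT -p udp ...' rule; None means any."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "target": target}


def to_iptables(rule, chain="INPUT"):
    """Render the model back into the command form used in the thread."""
    parts = ["iptables", "-A", chain]
    if rule["src"] is not None:
        parts += ["-s", rule["src"]]
    if rule["dst"] is not None:
        parts += ["-d", rule["dst"]]
    parts += ["-p", "udp"]
    if rule["sport"] is not None:
        parts += ["--sport", str(rule["sport"])]
    if rule["dport"] is not None:
        parts += ["--dport", str(rule["dport"])]
    parts += ["-j", rule["target"]]
    return " ".join(parts)


def rule_matches(rule, pkt):
    return all(rule[k] is None or rule[k] == pkt[k]
               for k in ("src", "dst", "sport", "dport"))


def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins, as in a netfilter chain; otherwise the chain policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


def inbound_packets(capture, server_ip=SERVER_IP):
    """Only packets that would traverse INPUT on the server, not ones it sent itself."""
    pkts = (parse_line(l) for l in capture.splitlines() if l.strip())
    return [p for p in pkts if p["src"] != server_ip]


# The tightened rule from the reply: broadcast requests from unconfigured clients only.
BROADCAST_ONLY = [make_rule(src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67)]

# What a server also needs: unicast renewals addressed to its own IP.
SERVER_INPUT = BROADCAST_ONLY + [make_rule(dst=SERVER_IP, sport=68, dport=67)]


def audit(rules, capture=CAPTURE):
    """Map each inbound packet (src>dst) to its verdict under the given rules."""
    return {"%s>%s" % (p["src"], p["dst"]): verdict(rules, p)
            for p in inbound_packets(capture)}


if __name__ == "__main__":
    for r in SERVER_INPUT:
        print(to_iptables(r))
    print(audit(BROADCAST_ONLY))
    print(audit(SERVER_INPUT))
```

Running it prints the two rules in the form used above and the per-packet verdicts: the captured broadcast request is accepted by the broadcast-only rule, while the unicast renewal is only accepted once the second rule is present. Note that the capture in the message still shows ports as service names even with -n (older tcpdump needs -nn to print port numbers), and bootpc resolves to 68/udp in the /etc/services lines quoted at the top of the thread, so the rule's --sport 68 does match that packet.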
