
Mandrake Linux Archives: security-firewall@mandrivalinux.org



hi,

1. you obviously need an extra rule in order to allow the udp rejected requests 
2. DNS is caching only on the mnf and there is no DDNS.

my 2cts,

On 4/15/05, John Locke <mail@freelock.com> wrote:
> Hi, again,
> 
> I have a Windows box that seems to be having trouble getting a DHCP
> address from the MNF. It gets the address, but doesn't confirm it. It
> did start working, but I've found this in /var/log/messages:
> 
> Apr 15 08:38:24 mnf dhcpd: DHCPINFORM from 172.16.0.198 via eth0: not authoritative for subnet 172.16.0.0
> Apr 15 08:38:24 mnf dhcpd: If this DHCP server is authoritative for that subnet,
> Apr 15 08:38:24 mnf dhcpd: please write an `authoritative;' directive either in the
> Apr 15 08:38:24 mnf dhcpd: subnet declaration or in some scope that encloses the
> Apr 15 08:38:24 mnf dhcpd: subnet declaration - for example, write it at the top
> Apr 15 08:38:24 mnf dhcpd: of the dhcpd.conf file.
> 
> Apr 15 08:47:16 mnf kernel: Shorewall:lan2all:ACCEPT:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:b0:d0:10:41:df:08:00 SRC=172.16.0.198 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=4526 PROTO=UDP SPT=68 DPT=67 LEN=308
> Apr 15 08:47:16 mnf dhcpd: DHCPREQUEST for 172.16.0.198 from 00:b0:d0:10:41:df (Merlin2) via eth0
> Apr 15 08:47:16 mnf dhcpd: DHCPACK on 172.16.0.198 to 00:b0:d0:10:41:df (Merlin2) via eth0
> Apr 15 08:47:16 mnf kernel: Shorewall:fw2all:REJECT:IN= OUT=eth0 SRC=172.16.0.2 DST=172.16.0.198 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> Apr 15 08:47:16 mnf dhcpd: send_packet: Operation not permitted
> Apr 15 08:47:24 mnf kernel: Shorewall:lan2all:ACCEPT:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:b0:d0:10:41:df:08:00 SRC=172.16.0.198 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=4530 PROTO=UDP SPT=68 DPT=67 LEN=308
> Apr 15 08:47:24 mnf dhcpd: DHCPREQUEST for 172.16.0.198 from 00:b0:d0:10:41:df (Merlin2) via eth0
> Apr 15 08:47:24 mnf dhcpd: DHCPACK on 172.16.0.198 to 00:b0:d0:10:41:df (Merlin2) via eth0
> Apr 15 08:47:24 mnf kernel: Shorewall:fw2all:REJECT:IN= OUT=eth0 SRC=172.16.0.2 DST=172.16.0.198 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> Apr 15 08:47:24 mnf dhcpd: send_packet: Operation not permitted
> 
> Is this going to cause problems for other machines down the road? It
> looks like the DHCP response is getting blocked by Shorewall. I don't
> see a shorewall rule allowing this response--should I set one?
> 
> While I'm digging around in the dhcp server stuff, I saw that the page
> for the caching DNS server suggests that it supports doing local DNS.
> But I don't see any options for having dhcpd update the DNS server. I
> know how to configure dhcpd and bind to do dynamic updates--but I see
> that this is all template-driven--is there a place I can configure more
> than just a caching DNS--one that can get dynamic updates from DHCP, and
> have it not get overwritten on updates? Or should I just run Named on an
> internal server and keep it off the firewall?
> 
> --
> John Locke
> "Open Source Solutions for Small Business Problems"
> published by Charles River Media, June 2004
> http://www.freelock.com
> 
> 
> ____________________________________________________
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
> Join the Club : http://www.mandrakeclub.com
> ____________________________________________________
> 
> 
> 


-- 
Florin
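
Added example, not part of either message: a Python triage script for the symptom in the quoted log, where Shorewall rejects the firewall's own DHCP replies (UDP source port 67 to destination port 68) and dhcpd then logs send_packet failures. The function names are hypothetical, and the sample lines are constructed from the quoted excerpt with the wrapped entries rejoined.

```python
import re
from collections import Counter

# Constructed sample: entries in the format of the quoted excerpt, unwrapped.
SAMPLE = """\
Apr 15 08:47:16 mnf kernel: Shorewall:lan2all:ACCEPT:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:b0:d0:10:41:df:08:00 SRC=172.16.0.198 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=4526 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 15 08:47:16 mnf dhcpd: DHCPACK on 172.16.0.198 to 00:b0:d0:10:41:df (Merlin2) via eth0
Apr 15 08:47:16 mnf kernel: Shorewall:fw2all:REJECT:IN= OUT=eth0 SRC=172.16.0.2 DST=172.16.0.198 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Apr 15 08:47:16 mnf dhcpd: send_packet: Operation not permitted
Apr 15 08:47:24 mnf kernel: Shorewall:fw2all:REJECT:IN= OUT=eth0 SRC=172.16.0.2 DST=172.16.0.198 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Apr 15 08:47:24 mnf dhcpd: send_packet: Operation not permitted
"""

# Log prefix "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE fields.
SHOREWALL = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<verdict>[A-Z]+):(?P<fields>.*)")

def parse_shorewall(line):
    """Return chain, verdict and KEY=VALUE fields of a Shorewall log line, else None."""
    m = SHOREWALL.search(line)
    if not m:
        return None
    # Flags without '=' (e.g. DF) are skipped; LEN appears twice and the last one wins.
    fields = dict(f.split("=", 1) for f in m["fields"].split() if "=" in f)
    return {"chain": m["chain"], "verdict": m["verdict"], **fields}

def blocked_dhcp_replies(lines):
    """Count server-to-client DHCP replies (UDP 67 -> 68) that were rejected or dropped."""
    hits = Counter()
    for line in lines:
        p = parse_shorewall(line)
        if (p and p["verdict"] in ("REJECT", "DROP") and p.get("PROTO") == "UDP"
                and p.get("SPT") == "67" and p.get("DPT") == "68"):
            hits[(p["chain"], p.get("OUT", ""), p.get("DST", ""))] += 1
    return hits

def dhcpd_send_failures(lines):
    """Count dhcpd errors that follow when the local firewall refuses the outgoing packet."""
    return sum("dhcpd: send_packet: Operation not permitted" in l for l in lines)

if __name__ == "__main__":
    log = SAMPLE.splitlines()
    for (chain, iface, client), n in blocked_dhcp_replies(log).items():
        print(f"{n} DHCP replies to {client} blocked in chain {chain} on {iface}")
    print(f"{dhcpd_send_failures(log)} dhcpd send_packet failures")
```
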
