Firewall Wizards mailing list archives

Re: Dual-homed firewall with DHCP on one of the interfaces.


From: Steve George <stevege () i-way net uk>
Date: Tue, 23 Mar 1999 17:18:55 +0000

Hi,

Hmm, I take it that you mean the external interface gets its IP via DHCP
from an external DHCP server?  This might happen where the connection is
a dial-up one for example and the ISP is assigning dynamic IP from a
small address range.

The way I have got round this with a dial-up group access server is to
have nearly all the filtering done on the interface and use the 'ip-up'
scripts to tighten the FW afterwards.  These scripts are only run AFTER
the interface is up so it is then safe to refuse further DHCP traffic. 
I think this is only really safe where the DHCP server is on the same
machine as the one you are dialing into as the time interval is tiny
and it should be impossible to hit the machine in the gap.  The only
problem that comes to mind is where one user disconnects from the IP to
be replaced by another, if you are filtering some 'established'
connections then presumably it might be possible for some traffic to get
through before your 'final' tightening up.

If you want to be more secure and the connection is intermittent then I
would suggest using a fixed IP and slip/spppd.  Realistically if you are
being assigned your 'identity' from an external entity then you are at
the mercy of that entity and the channel between the two of you to a
greater or lesser degree.

HTH,

Steve

Daniel Knighten wrote:

I have connected a small office to the Internet through a Linux based
router/firewall.  This machine employs network address translation and
a combination of packet filtering and proxies to firewall the internal
network.  The problem I am having is that the external (Internet)
interface receives its IP address via DHCP.  When the machine first
boots the firewall is not initialized till after DHCP has obtained
its address.  However once the firewall has been initialized DHCP
traffic is no longer passed.  I thought I had anticipated the problem
by creating holes in the firewall for TCP/UDP ports 67-68, but
nonetheless the problem exists.  My current solution is to simply squat
on an IP after DHCP has acquired it, however I would like to
understand the full ramifications. Has anybody encountered this before
and are there any suggestions?

Thanks,
Dan
--
____________________________________
                                    |
Daniel Knighten                     |
                                    |
Quad Group Computer Solutions, Inc. |
P.O. Box 590                        |
Dupont, WA 98327-0590               |
                                    |
Voice: (360) 507-7842               |
Fax  : (360) 455-0463               |
                                    |
dknighten () qgcs com                  |
http://www.qgcs.com                 |
____________________________________|
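The two-stage scheme Steve describes (load a rule set that lets the client obtain a lease, then tighten from the interface-up hook once the lease is known) and the "holes on 67-68" problem Dan reports, worked through as an added example. This is not code from either poster. It assumes iptables/netfilter rather than the ipchains of the time, ISC dhclient and the variables it exports to its exit hook ($reason, $interface, $new_dhcp_server_identifier) in place of pppd's ip-up, eth0 outside and eth1 inside with a 192.168.1.0/24 LAN; the chain name DHCP_IN and the script name fw.sh are my own.

```shell
#!/bin/sh
# Added example, not code from the thread.  Linux NAT firewall whose
# external interface is addressed by DHCP.  Assumed: iptables, ISC dhclient
# exit-hook variables ($reason, $interface, $new_dhcp_server_identifier),
# eth0 outside, eth1 inside.  Rules are *printed* as iptables commands so
# the set can be reviewed or tested without root; "apply"/"hook" pipe
# them into sh.

EXT=${EXT:-eth0}                     # assumed external (DHCP) interface
LAN=${LAN:-eth1}                     # assumed internal interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed internal network

# Strict dotted-quad check.  The server identifier comes from whatever
# answered on the wire, so validate it before it goes on a command line
# that is fed to sh.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Boot-time rule set, loaded before the client has a lease.  Inbound DHCP
# replies (UDP 67 -> 68 on the outside) go through their own chain,
# DHCP_IN, wide open here and narrowed by hook_rules once a server is
# known.  Replies to anything the box originates are matched by conntrack,
# so no fixed holes on 67/68 are needed for later traffic.  The explicit
# client-side OUTPUT rule is kept even though the general NEW rule would
# also match, so a later tightening of OUTPUT cannot silently break DHCP.
bootstrap_rules() {
    ext=$1 lan=$2 lan_net=$3
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -t nat -F
iptables -X
iptables -N DHCP_IN
iptables -A DHCP_IN -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $lan_net -j ACCEPT
iptables -A INPUT -i $ext -p udp --sport 67 --dport 68 -j DHCP_IN
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $lan -j ACCEPT
iptables -A OUTPUT -o $ext -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $ext -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $ext -s $lan_net -j ACCEPT
iptables -A FORWARD -i $ext -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext -s $lan_net -j MASQUERADE
EOF
}

# Exit-hook rule set.  Once bound, DHCP_IN accepts replies only from the
# server that issued the lease (unicast renewals go to it and it answers
# the rebind broadcast); anything else on 67 -> 68 is logged and dropped.
# If the lease is lost anyway (another server answered the rebind, or the
# link moved), dhclient reports EXPIRE/FAIL and the chain is reopened so
# discovery can start over.  This is the gap Steve mentions, made explicit.
hook_rules() {
    reason=$1 server=$2
    case $reason in
        BOUND|RENEW|REBIND|REBOOT)
            if ! is_ipv4 "$server"; then
                echo "hook_rules: refusing server identifier '$server'" >&2
                return 1
            fi
            cat <<EOF
iptables -F DHCP_IN
iptables -A DHCP_IN -s $server -j ACCEPT
iptables -A DHCP_IN -j LOG --log-prefix "dhcp-unexpected: "
iptables -A DHCP_IN -j DROP
EOF
            ;;
        EXPIRE|FAIL|RELEASE|STOP)
            cat <<EOF
iptables -F DHCP_IN
iptables -A DHCP_IN -j ACCEPT
EOF
            ;;
        *) ;;   # PREINIT, TIMEOUT and the rest: leave the chain alone
    esac
}

case ${1:-} in
    show)  bootstrap_rules "$EXT" "$LAN" "$LAN_NET" ;;
    apply) bootstrap_rules "$EXT" "$LAN" "$LAN_NET" | sh -e ;;
    hook)  [ "${interface:-}" = "$EXT" ] || exit 0
           hook_rules "${reason:-}" "${new_dhcp_server_identifier:-}" | sh -e ;;
esac
```

Run `fw.sh apply` as root at boot before the client starts, and have the client's exit hook run `fw.sh hook` (for ISC dhclient that is a line in the exit-hook file that dhclient-script sources, which is where $reason and friends are set; the exact path is distribution-specific). `fw.sh show` prints the boot-time set for review. Two caveats: with `-P OUTPUT DROP` the client's initial DISCOVER (from 0.0.0.0 to 255.255.255.255) is carried only by the explicit 68 -> 67 rule, so keep it; and ISC dhclient on Linux sends and receives through a packet socket, which netfilter's INPUT and OUTPUT hooks do not see, so these rules govern what reaches the IP stack (and what the LOG rule reports), not what the client process itself can observe.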


