Firewall Wizards
mailing list archives
Re: Re: dhcp altering firewall rules
From: Stephan <chenette () ccs neu edu>
Date: Sat, 5 May 2001 22:40:43 -0400 (EDT)
Stephan
"It's been said that a million monkeys banging on a million keyboards
will eventually turn out the works of Shakespeare. Thanks to the Internet
we know this is not true."--Unknown
Random Sig:26
On Fri, 4 May 2001 bgrubin () speakeasy net wrote:
I don't understand why you'd want to modify the filtering rules based on obtaining a lease from DHCP. An "intruder"
could just as easily obtain a DHCP address as forge his own, unless you are statically mapping DHCP leases to
specific hardware via MAC address. If you *are* statically assigning all DHCP leases, you could just as easily
create a big fat static arp table containing all the legit ones, and block dynamic arp resolution.
to not allow the dhcp clients to bypass dhcp and set their own static ip
address. If they set their own static ip address then they bypass dhcp
registration and get net. We don't want this. Initially all ip addresses
will not be allowed to pass through the firewall. The dhcp server (which
runs on the same machine) will execute firewall rules to open ip
addresses as it gives out a lease for a specific ip.
The only usefulness I could see here is some form of rate limiting or other traffic control based on the number of
active DHCP leases.
Maybe I'm confused...
Cheers,
Ben
-- Original Message --
one 'hack' of a solution (not compromise hack, just .. a hack)
use atchange[1] to monitor the dhcp leases file. when it changes, call a
script that will rebuild the ipf.rules file (ie fill in the blank for
$IPADDR) and reload the firewall rules.
another solution is to treat your host as a member of a network, the DHCP
network your provider uses. chances are you won't have problems with
traffic intended for your neighbors, i think.
resources:
1. http://www.lecb.ncifcrf.gov/~toms/atchange.html
____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
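
The lease-driven rule rebuild discussed in this thread, as an added example that is not code from any of the posters: it opens only addresses whose latest lease entry is unexpired and validates each address before it can reach the rule file. It assumes an ISC-style dhcpd.leases file and IPFilter on an interface called fxp0; `active_leases` and `build_rules` are hypothetical names.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample in ISC dhcpd.leases layout (an assumption; the thread
# names no DHCP server). The file is an append-only log and its times are UTC.
SAMPLE_LEASES = """\
lease 192.168.1.10 {
  starts 6 2001/05/05 20:00:00;
  ends 0 2001/05/06 20:00:00;
}
lease 192.168.1.11 {
  starts 5 2001/05/04 08:00:00;
  ends 5 2001/05/04 20:00:00;
}
lease 192.168.1.10 {
  starts 6 2001/05/05 22:00:00;
  ends 0 2001/05/06 22:00:00;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"\bends\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);")


def active_leases(text, now):
    """Return the addresses whose most recent lease entry has not expired."""
    latest = {}
    for addr, body in LEASE_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(addr)  # only a bare IPv4 address may reach a rule
        except ValueError:
            continue
        m = ENDS_RE.search(body)
        ends = None  # no parsable end time: the address stays closed
        if m:
            ends = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            ends = ends.replace(tzinfo=timezone.utc)
        latest[ip] = ends  # a later entry for the same address overrides
    return sorted(ip for ip, ends in latest.items() if ends and ends > now)


def build_rules(leases, iface="fxp0"):
    """Render IPFilter rules: DHCP itself, one pass per lease, then deny."""
    rules = [f"pass in quick on {iface} proto udp from any to any port = 67"]
    rules += [f"pass in quick on {iface} from {ip}/32 to any" for ip in leases]
    rules.append(f"block in on {iface} all")
    return "\n".join(rules) + "\n"
```

A script triggered by atchange would write this output to a temporary file, rename it over ipf.rules and reload with `ipf -Fa -f`. The rules match on source address only, so they do not by themselves tie an address to the hardware that leased it.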