Firewall Wizards mailing list archives

RE: Re: dhcp altering firewall rules
From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Tue, 8 May 2001 07:32:37 +1000

Firstly: I missed the beginning of this conversation, so may be missing the

I can think of a number of situations in which you might want to be able to
adjust your rules based on a DHCP lease.
1: Your internet connection is ADSL with PPPoE. (i.e. your ISP provides a
DHCP address to the external interface of your home/small office firewall.)

2: You have a small fixed network, and a few laptops which (probably for
ease of system configuration) run with DHCP enabled adapters (especially
true for WinNT laptops). If these DHCP systems need special firewall access,
then I can definitely see a need for DHCP updates.

As for solutions, that really depends on your Firewall software.

Firewall-1:
        [This is a grotty hack, and an ugly kludge.]
        Assumption: these addresses do not need STATIC NAT.
        Trick: Firewall-1 still refers to 'object groups' even in
        the penultimate rule files (the .pf files).
          Generate two Fw-1 groups: DHCP_Allowed, and DHCP_denied.
          Whenever a rule is generated that affects these machines,
          ALWAYS use the group objects.
          Add all denied addresses into DHCP_denied; try not to use
        this group except as a last resort, as it would complicate
        the text file modifications.
          When an address is allocated, modify the contents of the
        group DHCP_Allowed in $FWDIR/conf/objects.C
          Reload the policy file: fw load <policy>.pf

SunScreen:
        Similar to the Firewall-1 kludge, but the configuration
        is stored in /etc/opt/SUNWicg/....
        Trick: SunScreen objects can be modified on the command line.

Gauntlet > 4.0:
        Yuck, sorry, this thing is GUI based, and command line changes
        don't work anymore.

IBM SecureNetGateway:
        Grin - this is an ipfilter table. Need to write some perl, but
        still, it should not be too difficult. (Could even do it in m4!)

        See SecureNetGateway. Difference is really in the format of each 

Cisco IOS ACLs (IP FeatureSet or Firewall FeatureSet):
        This is dangerous, and not to be tried by the faint-hearted.
        Trick 1: tftp is your friend.
        Trick 2: AAA, and user autocommands.
        Trick 3: VERY important: make sure the access list denies access to
        your tftp server!!! Also run tcp_wrappers on your tftp server.
        Method: See SecureNetGateway
Cisco PIX:
        See IOS ACLs, but be careful.

In general, the tricky bit isn't getting the firewall to accept a new set of
rules; the hard part is doing it without adversely affecting system
performance and availability. (No, I am not saying that it is easy, just
that it is not "difficult".)

BTW: half the problem is fixed by 'atchange'.

        crispin harris

-----Original Message-----
From: Stephan [mailto:chenette () ccs neu edu]
Sent: Sunday, 6 May 2001 12:41 PM

On Fri, 4 May 2001 bgrubin () speakeasy net wrote:

I don't understand why you'd want to modify the filtering rules based on
obtaining a lease from DHCP.  An "intruder" could just as easily obtain a
DHCP address as forge his own, unless you are statically mapping DHCP leases
to specific hardware via MAC address.  If you *are* statically assigning all
DHCP leases, you could just as easily create a big fat static arp table
containing all the legit ones, and block dynamic arp resolution.

to not allow the dhcp clients to bypass dhcp and set their own static ip
address. If they set their own static ip address then they bypass dhcp
registration and get net. We don't want this. Initially all ip addresses
will not be allowed to pass through the firewall. The dhcp server (which
runs on the same machine) will execute firewall rules to open ip
addresses as it gives out a lease for a specific ip.

The only usefulness I could see here is some form of rate limiting or
other traffic control based on the number of active DHCP leases.

Maybe I'm confused...

-- Original Message --

one 'hack' of a solution (not compromise hack, just .. a hack)

use atchange[1] to monitor the dhcp leases file. when it changes, call a
script that will rebuild the ipf.rules file (ie fill in the blank for
$IPADDR) and reload the firewall rules.

another solution is to treat your host as a member of a network, the DHCP
network your provider uses. chances are you won't have problems with
traffic intended for your neighbors, I think.

1. http://www.lecb.ncifcrf.gov/~toms/atchange.html

jose nazario                                               jose () cwru edu
                   PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                     PGP key ID 0xFD37F4E5 (pgp.mit.edu)
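The lease-driven rebuild jose nazario sketches (and the "open the address as the lease is handed out" policy Stephan wants) as an added example; this is not code from any poster. It parses an ISC dhcpd.leases file and emits an ipf rule set; the interface name, the rule template and the sample lease file are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild an ipf rule set from the
# active leases in an ISC dhcpd.leases file. The interface name and rule
# template are assumptions; the lease file below is constructed sample data.

INT_IF="${INT_IF:-fxp1}"   # assumed internal interface the DHCP clients sit on

# Constructed dhcpd.leases: one active lease, one free, and one IP that was
# active and later released (dhcpd appends, so the later block must win).
SAMPLE_LEASES="$(mktemp)"
trap 'rm -f "$SAMPLE_LEASES"' EXIT
cat >"$SAMPLE_LEASES" <<'EOF'
lease 192.168.1.10 {
  binding state active;
  next binding state free;
  hardware ethernet 00:50:56:aa:bb:cc;
}
lease 192.168.1.11 {
  binding state free;
}
lease 192.168.1.12 {
  binding state active;
}
lease 192.168.1.12 {
  binding state free;
}
EOF

# Print the IP of every lease whose latest entry is "binding state active".
# Matching on $1 == "binding" skips the "next binding state" line in a block.
active_leases() {
    awk '
      /^lease /        { ip = $2; state = "" }
      $1 == "binding"  { state = $3; sub(/;$/, "", state) }
      /^}/             { last[ip] = state }
      END { for (ip in last) if (last[ip] == "active") print ip }
    ' "$1" | sort
}

# Emit a complete rule set: a quick pass per active lease, then a default
# block so a client that bypasses DHCP with a static IP gets no traffic.
build_rules() {
    active_leases "$1" | while read -r ip; do
        printf 'pass in quick on %s from %s/32 to any keep state\n' "$INT_IF" "$ip"
    done
    printf 'block in log on %s all\n' "$INT_IF"
}
```

From the atchange handler you would run something like `build_rules /var/db/dhcpd.leases > /etc/ipf.rules && ipf -Fa -f /etc/ipf.rules` (paths assumed). As bgrubin's objection points out, this only gates on holding a lease; pairing it with static ARP or MAC-to-lease pinning is what makes the lease mean anything.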

firewall-wizards mailing list
firewall-wizards () nfr com