A DHCP broadcast is UDP sourced from 0.0.0.0 to the broadcast address,
255.255.255.255. Perhaps another rule is blocking this type of packet
before it has a chance to make it to your DHCP allow?

It's hard to tell where your DHCP clients are from your email. If I'm way
off, feel free to clarify.

It sounds as if your DHCP requests are coming in from an outside network.
If the clients in the outside network are behind a Cisco router (other
brands probably support this too), then what I'd do is turn on the
IP helper on the router so that these DHCP requests are sourced from a
specific address. The IP helper essentially acts as a proxy for DHCP requests.
Then you can create a rule allowing just the Cisco router's DHCP requests
through the firewall. As it stands now, you're allowing broadcasts
through, which is kind of ugly since someone can decide to just send out
5,000 DHCP broadcasts and get 5,000 leases. :) Granted, this isn't likely.

On Wed, 9 May 2001, Brooks Carlson wrote:

> I apologize if this has been asked before, I searched the archives for the
> last few months and found nothing.  I also searched www.google.com and
> found some articles, but none that answered my particular question.
>
> We are running Checkpoint Firewall-1 4.1 SP2 on an NT 4.0 SP6a machine with
> all extra services disabled.  There is an internal network (10.0.0.0/8)
> with an internal DNS server.  Recently, I took over the firewall and
> hardened the outgoing packets (before everything was allowed).  I
> restricted outgoing to HTTP, HTTPS, FTP, and SMTP/POP3 for the email
> server.  I allowed UDP DNS and TCP DNS to DNS servers.
>
> Now, the firewall is blocking DHCP attempts.  I see in the log:
>
> Alert  Drop  (no source)  255.255.255.255 udp rule0 sourceport68
>
> I created a rule that says:
>
> Any  DHCPServer   bootp (67/68)  accept  log long
>
> But it still rejects.  The curious thing is that Rule 0 is rejecting.  I
> went through and eliminated extra services as listed at Phoneboy (How Can
> I Disable Everything in the Rule Base).  Is something that I unchecked in
> the rules now blocking this traffic?
>
> Is this securely possible with Checkpoint-1?  We are not using SecuRemote.
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>

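To make the reply's point concrete, here is an added example (not code from either message in the thread) that evaluates a toy first-match rulebase the way the reply describes: a rule that admits DHCP broadcasts accepts the client's DISCOVER, but cannot tell a real client's 0.0.0.0 -> 255.255.255.255 packet from a forged one, whereas once a relay (IP helper) re-sources the request the rule can be narrowed to the relay's address. The DHCP server and relay addresses are assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int  # UDP assumed throughout; DHCP/BOOTP is UDP only


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    dports: frozenset   # destination UDP ports the rule accepts
    action: str


def _matches(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def first_match(rules, pkt):
    """First-match evaluation; nothing matched -> implicit drop."""
    for r in rules:
        if _matches(r.src, pkt.src) and _matches(r.dst, pkt.dst) and pkt.dport in r.dports:
            return r.name, r.action
    return "implicit-drop", "drop"


# Constructed addresses, not taken from the thread.
DHCP_SERVER = "10.0.0.5"   # internal DHCP server (assumed)
RELAY = "192.0.2.1"        # router interface running the IP helper (assumed)

# Current state described in the reply: DHCP broadcasts are let through from anywhere.
broadcast_rules = [Rule("dhcp-broadcast", "any", "255.255.255.255/32", frozenset({67}), "accept")]

# After enabling the relay: only unicast from the relay to the server, server port only.
relay_rules = [Rule("dhcp-from-relay", f"{RELAY}/32", f"{DHCP_SERVER}/32", frozenset({67}), "accept")]

# A client DISCOVER as it crosses the wire without a relay: every client, real or
# forged, looks identical (source 0.0.0.0, destination 255.255.255.255, 68 -> 67)...
broadcast_discover = Packet("0.0.0.0", "255.255.255.255", 68, 67)

# ...and the same DISCOVER after the relay re-sources it (relays send from port 67).
relayed_discover = Packet(RELAY, DHCP_SERVER, 67, 67)

# A unicast request that did not come from the relay: the narrow rule must not match it.
stray_unicast = Packet("198.51.100.9", DHCP_SERVER, 67, 67)
```

Run `first_match` with each rulebase against the three packets to see that only the relay rulebase distinguishes the relay's requests from everything else.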