OK, I finally got it working, thanks for everyone's help! Here are the steps I
took:
1. Added a DHCP_Source workstation with IP 0.0.0.0
2. Created a DHCP_Destination workstation with IP 255.255.255.255
3. Added the DHCP_Source workstation into the AntiSpoofing group for the
internal interface on the firewall workstation (make sure Local_Net allows
broadcasts)
4. Created a rule which says:
Any  DHCP_Destination  BOOTP, BOOTTP (port 68)  Accept  Log Long
It works! Thanks again to everyone who helped.
Does anyone see any security concerns with this setup?
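To make the reasoning in this thread concrete (anti-spoofing is checked on the source address, before the rule base, so a DHCP DISCOVER from 0.0.0.0 never reaches the accept rule until 0.0.0.0 is a valid address on the internal interface), here is a small model of a FireWall-1 style "rule 0" in front of a rule base. This is an added illustration written for this page, not Check Point code and not the poster's configuration. The object names (DHCP_Source, DHCP_Destination, Local_Net), the 10.0.0.4 server and the rule come from the thread; the Local_Net range 10.0.0.0/24, the "Others" setting on the external interface, the BOOTP service ports and the sample packets are assumptions.

```python
"""Model of FireWall-1 style anti-spoofing ("rule 0") ahead of a rule base.

Added example, not Check Point code. Shows why a DHCP DISCOVER
(0.0.0.0 -> 255.255.255.255, UDP 68 -> 67) is dropped by anti-spoofing
until 0.0.0.0 is added to the internal interface's valid addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: tuple       # networks in CIDR form; ("0.0.0.0/0",) means Any
    dst: tuple
    services: tuple  # (proto, destination port) pairs
    action: str


def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def valid_source(pkt, valid):
    """Rule 0: the source address must be valid for the arriving interface.

    An interface set to 'Others' (value None) accepts any source that is
    not claimed by another interface's valid-address set.
    """
    nets = valid[pkt.iface]
    if nets is None:
        claimed = [n for ns in valid.values() if ns is not None for n in ns]
        return not in_any(pkt.src, claimed)
    return in_any(pkt.src, nets)


def rule_matches(pkt, rule):
    return (in_any(pkt.src, rule.src) and in_any(pkt.dst, rule.dst)
            and (pkt.proto, pkt.dport) in rule.services)


def filter_packet(pkt, valid, rules):
    """Anti-spoofing first, then first-match rule base, then implicit drop."""
    if not valid_source(pkt, valid):
        return "drop (rule 0: anti-spoofing)"
    for n, rule in enumerate(rules, 1):
        if rule_matches(pkt, rule):
            return f"{rule.action} (rule {n})"
    return "drop (implicit)"


# Objects named in the thread; the Local_Net range, the external 'Others'
# setting and the BOOTP port pair are assumptions for this example.
ANY = ("0.0.0.0/0",)
DHCP_SOURCE = "0.0.0.0/32"
DHCP_DESTINATION = ("255.255.255.255/32",)
LOCAL_NET = "10.0.0.0/24"
BOOTP = (("udp", 67), ("udp", 68))   # assumed: bootp server and client ports

VALID_BEFORE = {"internal": (LOCAL_NET,), "external": None}
VALID_AFTER = {"internal": (LOCAL_NET, DHCP_SOURCE), "external": None}
RULES = [Rule(ANY, DHCP_DESTINATION, BOOTP, "accept")]

# Constructed packets (not captured traffic).
DISCOVER = Packet("internal", "0.0.0.0", "255.255.255.255", "udp", 68, 67)
OFFER = Packet("internal", "10.0.0.4", "255.255.255.255", "udp", 67, 68)
SPOOFED = Packet("internal", "192.0.2.5", "255.255.255.255", "udp", 68, 67)
FROM_OUTSIDE = Packet("external", "10.0.0.9", "255.255.255.255", "udp", 68, 67)

if __name__ == "__main__":
    for label, valid in (("before", VALID_BEFORE), ("after", VALID_AFTER)):
        for name, pkt in (("DISCOVER", DISCOVER), ("OFFER", OFFER),
                          ("SPOOFED", SPOOFED), ("FROM_OUTSIDE", FROM_OUTSIDE)):
            print(f"{label:6} {name:12} {filter_packet(pkt, valid, RULES)}")
```

Running it shows the DISCOVER dropped by rule 0 with the original valid-address group and accepted by rule 1 once 0.0.0.0 is added, while a packet with a non-local source on the internal interface, or an internal source arriving on the external interface, is still dropped by anti-spoofing. The addition only whitelists the all-zeros source, not arbitrary spoofed addresses.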
-----Original Message-----
From: Volker Tanger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 12:39 PM
To: Brooks Carlson
Cc: Christian Gresser (E-mail); 'Firewalls (E-mail)
Subject: Re: DHCP problem with Checkpoint Firewall-1
Brooks Carlson schrieb:
> I have specified under Valid Addresses: Others.
>
> This group contains Internal_Net (with broadcast allowed),
> InternalDHCPServer
> with IP 255.255.255.255, and ExternalIPs (for NAT translation back to
> internet).
>
> It still doesn't work. Rule 0 is still blocking. Please note that
> DHCP is NOT running on the firewall, separate machine with 10.0.0.4
> address.
So the DHCP server is on a DIFFERENT interface than the clients trying to
obtain an IP address?!??
> It seems like maybe this is not working because it is basing the spoofing
> on the source address, which is nothing, instead of the destination
> address 255.255.255.255.
Yes, you are right - I just was not sure about the source when doing DHCP
resp. BOOTP. Change that to 0.0.0.0 for anti-spoofing.
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/