Re: dhcp dhcpd_ifaces question.

2004-05-23 Thread Rob
Gary Kline wrote:
To any network wizards on-list,
I'm just tidying up dhcp and namedb files and would like
to know what strings to put after this:
dhcpd_ifaces=   # ethernet interface(s)
I'm assuming it should be dc0 dc1 but would like to make
sure.  If it would be just as well to leave it blank and
let dhcpd figure it out, please advise.  (In my old config
file $IFACES wasn't defined.)
I have dhcpd configured; I'm not using named, so I don't know about that.
As far as I know, you can use dhcpd_ifaces to limit the DHCP service to only
one interface (provided you have more than one interface on your system).
I have rl0 and rl1, where rl0 is on the outside internet, and rl1 on the
internal network (with IP 10.0.0.1). I only want a DHCP server for the internal
network: I therefore have in /etc/rc.conf:
  dhcpd_ifaces=rl1
However, when you look at netstat output, dhcpd is still listening to all
interfaces, which may have some security risks. To further limit this, you
probably need an extra global line in /usr/local/etc/dhcpd.conf:
  local-address 10.0.0.1;
Then you get a netstat output like this:
  udp4   0  0  10.0.0.1.bootps   *.*
Regards,
Rob.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
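A small shell check, added here and not part of the thread, that parses netstat output and confirms dhcpd's bootps socket is bound only to the internal address rather than the wildcard; the netstat lines and the 10.0.0.1 address follow Rob's setup and are constructed for the example.

```shell
# Added example, not from the thread: check that dhcpd's bootps socket is bound
# only to the internal address (10.0.0.1 in the thread), not to the wildcard.
# Expected settings from the thread:
#   /etc/rc.conf:                 dhcpd_ifaces="rl1"
#   /usr/local/etc/dhcpd.conf:    local-address 10.0.0.1;
# The two netstat outputs below are constructed for this example.

# Constructed: dhcpd bound to the wildcard address (before local-address is set)
NETSTAT_BEFORE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address
udp4       0      0  *.bootps               *.*
udp4       0      0  *.syslog               *.*'

# Constructed: after "local-address 10.0.0.1;" is added to dhcpd.conf
NETSTAT_AFTER='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address
udp4       0      0  10.0.0.1.bootps        *.*
udp4       0      0  *.syslog               *.*'

# bootps_binding NETSTAT_TEXT
# Prints the local address of every UDP socket on the bootps port ("*" = wildcard).
bootps_binding() {
    printf '%s\n' "$1" | awk '$1 ~ /^udp/ && $4 ~ /\.bootps$/ {
        sub(/\.bootps$/, "", $4); print $4 }'
}

# check_bootps_bound_to ADDR NETSTAT_TEXT
# Exit status: 0 if every bootps socket is bound to ADDR, 1 if any is bound to
# the wildcard or another address, 2 if no bootps socket is listening at all.
check_bootps_bound_to() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 ~ /^udp/ && $4 ~ /\.bootps$/ {
            found++
            sub(/\.bootps$/, "", $4)
            if ($4 != want) bad++
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }'
}

# On a live FreeBSD host (not run here):
#   check_bootps_bound_to 10.0.0.1 "$(netstat -an -p udp)" \
#       && echo "dhcpd listens on the internal address only"
```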


Re: dhcp dhcpd_ifaces question.

2004-05-23 Thread Gary Kline
On Mon, May 24, 2004 at 06:34:58AM +0900, Rob wrote:
 Gary Kline wrote:
  To any network wizards on-list,
 
  I'm just tidying up dhcp and namedb files and would like
  to know what strings to put after this:
 
  dhcpd_ifaces=   # ethernet interface(s)
 
  I'm assuming it should be dc0 dc1 but would like to make
  sure.  If it would be just as well to leave it blank and
  let dhcpd figure it out, please advise.  (In my old config
  file $IFACES wasn't defined.)
 
 I have dhcpd configured; I'm not using named, so I don't know about that.

The reason I brought up named is that whenever I tried to
start|restart dhcp there were a slew of errs from 
named[`pid`] that showed named failing.  By itself, starting
or restarting named was *fine*.  This is obviously one of
those cosmic mysteries...

 
 As far as I know, you can use dhcpd_ifaces to limit the DHCP service to only
 one interface (provided you have more than one interface on your system).
 
 I have rl0 and rl1, where rl0 is on the outside internet, and rl1 on the
 internal network (with IP 10.0.0.1). I only want a DHCP server for the internal
 network: I therefore have in /etc/rc.conf:
 
   dhcpd_ifaces=rl1
 
 However, when you look at netstat output, dhcpd is still listening to all
 interfaces, which may have some security risks. To further limit this, you
 probably need an extra global line in /usr/local/etc/dhcpd.conf:
 
   local-address 10.0.0.1;
 
 Then you get a netstat output like this:
 
   udp4   0  0  10.0.0.1.bootps   *.*
 

I understand most of what you're saying.  I have the same
10.0.0.N private net as you so I can (thankfully:) just
cut & paste.  Can you tell me what might happen if I added
dc0 to my dhcp_interfaces??  I have no clue how this 
could pose a security risk but I'm more than ready to
take your word for it.  --There really are a few sleazeballs
out there.--

thank you much,


gary



-- 
   Gary Kline [EMAIL PROTECTED]   www.thought.org Public service Unix



Re: dhcp dhcpd_ifaces question.

2004-05-23 Thread Rob
Gary Kline wrote:
On Mon, May 24, 2004 at 06:34:58AM +0900, Rob wrote:
As far as I know, you can use dhcpd_ifaces to limit the DHCP service to only
one interface (provided you have more than one interface on your system).
I have rl0 and rl1, where rl0 is on the outside internet, and rl1 on the
internal network (with IP 10.0.0.1). I only want a DHCP server for the internal
network: I therefore have in /etc/rc.conf:
 dhcpd_ifaces=rl1
However, when you look at netstat output, dhcpd is still listening to all
interfaces, which may have some security risks. To further limit this, you
probably need an extra global line in /usr/local/etc/dhcpd.conf:
 local-address 10.0.0.1;
Then you get a netstat output like this:
 udp4   0  0  10.0.0.1.bootps   *.*

	I understand most of what you're saying.  I have the same
	10.0.0.N private net as you so I can (thankfully:) just
	cut & paste.  Can you tell me what might happen if I added
	dc0 to my dhcp_interfaces??  I have no clue how this 
	could pose a security risk but I'm more than ready to
	take your word for it.  --There really are a few sleazeballs
	out there.--
Well, I'm not that much of a network expert, but I can imagine that
someone can try to compromise your dhcpd server, if that server has
a security hole. If dhcpd should serve only your internal network,
then it is better to give no access whatsoever on the external
interface (don't allow people on the 'big-bad-internet' to
even try to find security holes in your servers).
Having the internal interface in the dhcpd_ifaces seems not to solve
that problem completely. You'll need that extra statement in the
configuration file. Why that is, I don't know.
Cheers,
Rob.