Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 24 May 2004 08:56:46 +0900
From:      Rob <stopspam@users.sourceforge.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: dhcp "dhcpd_ifaces" question.
Message-ID:  <40B13A3E.30207@users.sourceforge.net>
In-Reply-To: <20040523223033.GA63339@tao.thought.org>
References:  <20040523192644.GA46148@tao.thought.org> <40B11902.8070801@users.sourceforge.net> <20040523223033.GA63339@tao.thought.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Gary Kline wrote:
> On Mon, May 24, 2004 at 06:34:58AM +0900, Rob wrote:
> 
>>As far as I know, you can use dhcpd_ifaces to limit the DHCP service to only
>>one interface (provided you have more than one interface on your system).
>>
>>I have rl0 and rl1, where rl0 is on the out-side internet, and rl1 on the
>>internal network (with IP 10.0.0.1). I only want DHCP server for internal
>>network: I therefore have in /etc/rc.conf:
>>
>>  dhcpd_ifaces="rl1"
>>
>>However, when you look at netstat output, dhcpd is still listening to all
>>interfaces, which may have some security risks. To further limit this, you
>>probably need a extra global line in /usr/local/etc/dhcpd.conf :
>>
>>  local-address 10.0.0.1;
>>
>>Then you get a netstat output like this:
>>
>>  udp4       0      0  10.0.0.1.bootps        *.*
>>
> 
> 
> 	I understandmost of wshat you're saying.  I have the same
> 	10.0.0.N private net as you so I can (thankfully:) just
> 	cut&paste.  Can you tell me what might happen in I added
> 	"dc0" to my dhcp_interfaces??  I have no clue how this 
> 	could pose a security risks but I'm more than ready to
> 	take your word for it.  --There really are a few sleazeballs
> 	out there.--

Well, I'm not that much of a network expert, but I can imagine that
someone can try to compromise your dhcpd server, if that server has
a security hole. If dhcpd should serve only your internal network,
than it is better to give no access what so ever on the external
interface (don't allow people on the 'big-bad-internet' to
even try to find security holes in your servers).
Having the internal interface in the dhcpd_ifaces seems not to solve
that problem completely. You'll need that extra statement in the
configuration file. Why that is, I don't know.

Cheers,
Rob.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40B13A3E.30207>