From owner-freebsd-questions@FreeBSD.ORG Sun May 23 16:56:51 2004
Message-ID: <40B13A3E.30207@users.sourceforge.net>
Date: Mon, 24 May 2004 08:56:46 +0900
From: Rob
To: freebsd-questions@freebsd.org
References: <20040523192644.GA46148@tao.thought.org> <40B11902.8070801@users.sourceforge.net> <20040523223033.GA63339@tao.thought.org>
In-Reply-To: <20040523223033.GA63339@tao.thought.org>
Subject: Re: dhcp "dhcpd_ifaces" question.

Gary Kline wrote:
> On Mon, May 24, 2004 at 06:34:58AM +0900, Rob wrote:
>
>> As far as I know, you can use dhcpd_ifaces to limit the DHCP service to only
>> one interface (provided you have more than one interface on your system).
>>
>> I have rl0 and rl1, where rl0 is on the outside internet, and rl1 on the
>> internal network (with IP 10.0.0.1). I only want a DHCP server for the
>> internal network; I therefore have in /etc/rc.conf:
>>
>>   dhcpd_ifaces="rl1"
>>
>> However, when you look at netstat output, dhcpd is still listening on all
>> interfaces, which may have some security risks. To further limit this, you
>> probably need an extra global line in /usr/local/etc/dhcpd.conf:
>>
>>   local-address 10.0.0.1;
>>
>> Then you get netstat output like this:
>>
>>   udp4       0      0  10.0.0.1.bootps        *.*
>>
>
> I understand most of what you're saying. I have the same
> 10.0.0.N private net as you so I can (thankfully:) just
> cut&paste. Can you tell me what might happen if I added
> "dc0" to my dhcp_interfaces?? I have no clue how this
> could pose a security risk but I'm more than ready to
> take your word for it. --There really are a few sleazeballs
> out there.--

Well, I'm not that much of a network expert, but I can imagine that someone
can try to compromise your dhcpd server, if that server has a security hole.
If dhcpd should serve only your internal network, then it is better to give
no access whatsoever on the external interface (don't allow people on the
'big-bad-internet' to even try to find security holes in your servers).

Having the internal interface in dhcpd_ifaces seems not to solve that problem
completely. You'll need that extra statement in the configuration file. Why
that is, I don't know.

Cheers,
Rob.
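As an added check (example code written for this page, not from the thread or from ISC dhcpd), a small POSIX shell function that reads `netstat -an` output and reports whether the bootps (DHCP server) socket is bound to the wildcard address or only to the intended internal address; the sample lines are constructed to match the netstat format quoted above.

```shell
#!/bin/sh
# Audit netstat output for the dhcpd listener (bootps, UDP/67).
# Returns 0 when every bootps socket is bound to the expected internal
# address, 1 when one is bound to "*" (all interfaces) or to another
# address, and 2 when no bootps listener is found at all.
# Usage: netstat -an | check_dhcpd_binding 10.0.0.1
check_dhcpd_binding() {
    want="$1"
    bad=0
    found=0
    # FreeBSD columns: Proto Recv-Q Send-Q Local-Address Foreign-Address
    while read -r proto rq sq laddr raddr; do
        case "$laddr" in
            *.bootps) ;;        # only the DHCP server socket is of interest
            *) continue ;;      # headers, ssh, other services: skip
        esac
        found=1
        addr="${laddr%.bootps}"
        if [ "$addr" = "*" ]; then
            echo "WARN: dhcpd listens on all interfaces ($proto $laddr)"
            bad=1
        elif [ "$addr" != "$want" ]; then
            echo "WARN: dhcpd bound to unexpected address $addr ($proto)"
            bad=1
        else
            echo "OK: dhcpd bound to $addr only ($proto)"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "WARN: no bootps listener found"
        return 2
    fi
    return "$bad"
}

# Constructed sample lines (not a real capture): the situation before and
# after adding "local-address 10.0.0.1;" to dhcpd.conf.
BEFORE='udp4       0      0  *.bootps               *.*'
AFTER='udp4       0      0  10.0.0.1.bootps        *.*'

if [ -z "$1" ]; then
    printf '%s\n' "$BEFORE" | check_dhcpd_binding 10.0.0.1 || :   # warns
    printf '%s\n' "$AFTER"  | check_dhcpd_binding 10.0.0.1 || :   # OK
fi
```

On a live system run `netstat -an | check_dhcpd_binding <internal IP>` after restarting dhcpd, so that a wildcard bind is caught even when rc.conf already names only the internal interface.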