From: "Dragoncrest" <dragoncrest@voyager.net>
To: questions@freebsd.org
Date: Thu, 26 Feb 2004 15:12:42 -0500
Subject: Is it feasible to do a firewalled DHCP server?
List: freebsd-questions@freebsd.org

I'm looking to take an old P120 with 128 MB of RAM and turn it into a LAN DHCP server. The thing is, the guys who will be pulling DHCP addresses are cream-of-the-crop computer users who really know their way around. So I plan to have all network services (minus DHCP, of course) turned off, and I will have IPFW running as well to protect the box from most hack attempts. The network itself will be a 300+ person gaming LAN broken down into 24-person VLANs for added security. The box in question will only be console-accessible to the average user.
AKA, you ain't at the console, you don't get in, as I plan to turn off sendmail, ssh, everything except DHCP and IPFW. So, how feasible is it to actually run a system like this? I realize I gotta open up certain ports in the firewall rules to allow DHCP. I'll figure those out later. I'm more curious whether these steps to protect the security of the box are doable and, if so, whether they would be practical. I'm just thinking ahead like this because I don't want the box to get hacked and used to bring down the network. I'm also looking to set the firewall to log ALL packets so that if we have a problem user, we can use the firewall logs to identify said user. I'd be looking for things like port scanning and other hacking/virus-like activity. We had our network brought down once by that same virus and hacking activity but never found who did it. So this is our new plan to prevent that from happening and to detect and remove the individuals who are causing said issues. It's hard enough running a 300-person gaming LAN. We want to be sure that we don't have it brought to its knees like last time.
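What the plan above boils down to in IPFW terms is a ruleset that passes only the DHCP ports, logs every rule, and drops everything else, plus some way of reading the resulting log. The script below is an added example written for this thread; it is not part of the original post and not FreeBSD's own rc.firewall. It assumes the LAN interface is fxp0, that ipfw(4) is in the kernel or loaded as a module, that the per-VLAN routers relay DHCP to the server (the 67-to-67 rule), and that logged packets land in /var/log/security. The rule numbers and the sample log lines are constructed for the example. By default the ruleset function only prints the ipfw commands (dry run); pass /sbin/ipfw as the second argument to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): an IPFW ruleset for a
# DHCP-only FreeBSD host, the sysctl knobs that make 'log' do anything,
# and an awk tally that picks out the sources tripping the deny rule.
# Assumptions: LAN interface fxp0, DHCP relays on the VLAN routers,
# ipfw logging to /var/log/security. Rule numbers are arbitrary.

# Print (dry run, default) or apply ($2=/sbin/ipfw) the ruleset.
dhcp_ruleset() {
    ifc="$1"
    fwcmd="${2:-echo ipfw}"

    $fwcmd -q -f flush

    # Loopback stays open; 127/8 seen on the wire is spoofed, so log it.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny log ip from any to 127.0.0.0/8
    $fwcmd add 300 deny log ip from 127.0.0.0/8 to any

    # DHCP proper: clients send from port 68 to 67 (broadcast or unicast),
    # the server answers from 67 to 68. Logged so every lease request is on record.
    $fwcmd add 1000 allow log udp from any 68 to any 67 in via "$ifc"
    $fwcmd add 1100 allow log udp from any 67 to any 68 out via "$ifc"

    # Relay agents on the per-VLAN routers talk server port to server port
    # (assumption: relays are used, since 24-host VLANs block broadcasts).
    $fwcmd add 1200 allow log udp from any 67 to any 67 via "$ifc"

    # Everything else, in or out, is dropped and logged.
    $fwcmd add 65000 deny log ip from any to any
}

# 'log' is silent until net.inet.ip.fw.verbose=1; verbose_limit caps how
# many times one rule logs before it goes quiet (reset with 'ipfw resetlog'),
# so a flood cannot fill the disk. Dry run unless $1=/sbin/sysctl.
enable_fw_logging() {
    sc="${1:-echo sysctl}"
    $sc net.inet.ip.fw.verbose=1
    $sc net.inet.ip.fw.verbose_limit=500
}

# Constructed sample of kernel ipfw log lines, in the format
# "ipfw: <rule> <action> <proto> <src>[:port] <dst>[:port] <dir> via <if>".
SAMPLE_LOG='Feb 26 15:12:42 dhcp kernel: ipfw: 1000 Accept UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0
Feb 26 15:12:43 dhcp kernel: ipfw: 65000 Deny TCP 10.1.7.23:3421 10.1.0.2:22 in via fxp0
Feb 26 15:12:43 dhcp kernel: ipfw: 65000 Deny TCP 10.1.7.23:3422 10.1.0.2:23 in via fxp0
Feb 26 15:12:43 dhcp kernel: ipfw: 65000 Deny TCP 10.1.7.23:3423 10.1.0.2:25 in via fxp0
Feb 26 15:12:44 dhcp kernel: ipfw: 65000 Deny UDP 10.1.9.50:137 10.1.0.2:137 in via fxp0
Feb 26 15:12:45 dhcp kernel: ipfw: 65000 Deny ICMP:8.0 10.1.7.23 10.1.0.2 in via fxp0'

# Read log text on stdin; print "denied_count source distinct_targets",
# busiest source first. A high target count from one source is the
# port-scan signature the post wants to catch.
top_denied_sources() {
    awk '
        /ipfw: [0-9]+ Deny / {
            src = $10
            sub(/:[0-9]+$/, "", src)          # strip the source port
            target = $9 ":" $11               # proto + destination[:port]
            n[src]++
            if (!((src, target) in seen)) { seen[src, target] = 1; t[src]++ }
        }
        END { for (s in n) printf "%d %s %d\n", n[s], s, t[s] }
    ' | sort -rn
}

# Stand-alone run: show the ruleset for fxp0 and the tally of the sample.
dhcp_ruleset "${1:-fxp0}"
enable_fw_logging
printf '%s\n' "$SAMPLE_LOG" | top_denied_sources
```

Two things to keep in mind when reading that log. A host firewall only sees packets that reach the box's own interface, unicast to it or broadcast on its VLAN, so a scan between two other machines on a gaming table never appears in this log; catching that needs the switch (mirror port) or the VLAN routers. And `log` on every rule really does mean a line per packet: the DHCP rules alone will generate a line per lease exchange, which is why the verbose_limit knob above is set rather than left at zero.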