From owner-freebsd-questions@FreeBSD.ORG Fri Feb 27 15:07:33 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C043D16A4CE; Fri, 27 Feb 2004 15:07:33 -0800 (PST)
Received: from mx1.heronetwork.com (mail.heronetwork.com [216.254.62.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7ED2743D1D; Fri, 27 Feb 2004 15:07:33 -0800 (PST) (envelope-from sandshrimp@comcast.net)
Received: by mx1.heronetwork.com (Postfix, from userid 1003) id 53BF0A6A02; Fri, 27 Feb 2004 15:07:33 -0800 (PST)
Received: from comcast.net (c-24-19-3-98.client.comcast.net [24.19.3.98]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.heronetwork.com (Postfix) with ESMTP id 8122EA6A0F; Fri, 27 Feb 2004 15:07:31 -0800 (PST)
Message-ID: <403FCDB2.2080709@comcast.net>
Date: Fri, 27 Feb 2004 15:07:30 -0800
From: Ryan Merrick
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20031218
MIME-Version: 1.0
To: Dragoncrest
References: <200402262012.i1QKCgqn039337@mail0.mx.voyager.net>
In-Reply-To: <200402262012.i1QKCgqn039337@mail0.mx.voyager.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: questions@freebsd.org
Subject: Re: Is it feisable to do a Firewall'ed DHCP server?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 27 Feb 2004 23:07:33 -0000

Dragoncrest wrote:

> I'm looking to take an old P120 with 128M of RAM and turn it into a LAN
> DHCP server. The thing is, the guys who will be pulling DHCP addresses
> are cream of the crop computer users who really know their way around.
> So I plan to have all network services (minus DHCP of course) turned off
> and I will have IPFW running as well to protect the box from most hack
> attempts.
>
> The network itself will be a 300+ person gaming LAN broken down into 24
> person VLANs for added security. The box in question will only be
> console accessible to the average user. AKA, you ain't at the console,
> you don't get in as I plan to turn off sendmail, ssh, everything except
> DHCP and IPFW. So, how feasible is it to actually run a system like
> this? I realize I gotta open up certain ports in the firewall rules to
> allow DHCP. I'll figure those out later. I'm more curious if these
> steps to protect the security of the box are doable and if so, would
> they be practical? I'm just thinking ahead like this because I don't
> want the box to get hacked and used to bring down the network.
>
> I'm also looking to set the firewall to log ALL packets so that if we
> have a problem user, we can use the firewall logs to identify said user.
> I'd be looking for things like port scanning and other hacking/virus-like
> activity. We had our network brought down once by same said virus
> and hacking activity but never found who did it. So this is our new
> plan to prevent that from happening and detect and remove said
> individuals who are causing said issues.
>
> It's hard enough running a 300 person gaming LAN. We want to be sure
> that we don't have it brought to its knees like last time.

Hi,

Take a look at netreg for the user and DHCP management.

http://www.netreg.org/

-- 
-Ryan Merrick
sandshrimp@comcast.net
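The original poster's plan is to have IPFW log every packet and then comb the logs for port scanning to identify a problem user. The script below is an added example, not code from either poster, of what that search looks like once the logs exist. It parses the syslog lines ipfw writes for rules carrying the `log` keyword and flags any source address that hits many distinct destination ports on denied packets within a short window. Everything in it is constructed for the example: the assumed ruleset (an `allow log` rule for DHCP on UDP 67/68 and a final `deny log` catch-all), the host name `dhcpgw`, the interface `fxp0`, the addresses in the sample lines, and the threshold of eight ports in sixty seconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed ruleset that would produce these records (constructed for the example,
# not taken from the thread): `allow log udp from any 68 to any 67 in via fxp0`
# for DHCP and a final `deny log ip from any to any` catch-all. ipfw writes one
# syslog line per logged packet in the form
#   <ts> <host> kernel: ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <dir> via <iface>
# ICMP records carry `ICMP:<type>.<code>` and no port numbers.
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>[A-Za-z]+) (?P<proto>[A-Z]+)(?::[\d.]+)? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample of /var/log/security: one accepted DHCP request, one ICMP
# probe, a burst of connection attempts from 10.1.3.77 to eight ports, two
# unrelated denied packets from 10.1.3.12, and a dhcpd line that is not an
# ipfw record at all.
SAMPLE_LOG = """\
Feb 27 15:07:30 dhcpgw kernel: ipfw: 100 Accept UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0
Feb 27 15:07:31 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.12:51022 10.1.0.1:22 in via fxp0
Feb 27 15:07:40 dhcpgw kernel: ipfw: 65000 Deny ICMP:8.0 10.1.3.77 10.1.0.1 in via fxp0
Feb 27 15:07:41 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.77:40001 10.1.0.1:21 in via fxp0
Feb 27 15:07:41 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.77:40002 10.1.0.1:22 in via fxp0
Feb 27 15:07:42 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.77:40003 10.1.0.1:23 in via fxp0
Feb 27 15:07:42 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.77:40004 10.1.0.1:25 in via fxp0
Feb 27 15:07:43 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.77:40005 10.1.0.1:80 in via fxp0
Feb 27 15:07:43 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.77:40006 10.1.0.1:110 in via fxp0
Feb 27 15:07:44 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.77:40007 10.1.0.1:139 in via fxp0
Feb 27 15:07:44 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.77:40008 10.1.0.1:445 in via fxp0
Feb 27 15:09:02 dhcpgw kernel: ipfw: 65000 Deny TCP 10.1.3.12:51023 10.1.0.1:80 in via fxp0
Feb 27 15:09:05 dhcpgw dhcpd[812]: DHCPDISCOVER from 00:11:22:33:44:55 via fxp0
"""


def parse_ipfw_line(line, year=2004):
    """Return a dict for one ipfw log record, or None for any other syslog line."""
    m = IPFW_RE.match(line.rstrip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    # syslog timestamps carry no year, so the caller supplies the log's year.
    stamp = " ".join(rec["ts"].split())
    rec["ts"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return rec


def find_scanners(lines, min_ports=8, window=60, year=2004):
    """Map each source that touched at least `min_ports` distinct (dst, port)
    pairs on denied packets within any `window`-second span to the largest
    such count seen. Accepted traffic and portless ICMP never contribute."""
    denied = defaultdict(list)  # src -> [(timestamp, (dst, dport)), ...]
    for line in lines:
        rec = parse_ipfw_line(line, year)
        if rec is None or rec["action"] != "Deny" or rec["dport"] is None:
            continue
        denied[rec["src"]].append((rec["ts"], (rec["dst"], rec["dport"])))

    suspects = {}
    for src, events in denied.items():
        events.sort()
        lo = 0  # oldest event still inside the sliding window
        for hi, (t_hi, _) in enumerate(events):
            while (t_hi - events[lo][0]).total_seconds() > window:
                lo += 1
            targets = {target for _, target in events[lo:hi + 1]}
            if len(targets) >= min_ports:
                suspects[src] = max(suspects.get(src, 0), len(targets))
    return suspects


if __name__ == "__main__":
    for src, count in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {count} distinct ports probed within 60s; "
              f"look this address up in dhcpd.leases to get the client's MAC")
```

On the real box the input would be `open("/var/log/security")` rather than the constructed sample, and the flagged address is only useful once it is matched against the DHCP server's lease file to recover the client's hardware address. Two caveats for the "log ALL packets" plan: ipfw stops logging a rule once it has emitted `net.inet.ip.fw.verbose_limit` messages unless that sysctl is zero, and on a 300-person gaming LAN a per-packet log of everything will fill a P120's disk fast, so logging only denied packets and the DHCP rule is the more workable starting point.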