Date:      Sun, 17 May 1998 20:46:37 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        capriotti@geocities.com (Capriotti)
Cc:        hackers@FreeBSD.ORG
Subject:   Re: DHCP
Message-ID:  <199805172046.NAA29488@usr05.primenet.com>
In-Reply-To: <3.0.32.19980517093559.00934e90@pop.mpc.com.br> from "Capriotti" at May 17, 98 09:46:37 am

> I am sorry for posting this question here, but it seems that -questions and
> our local FBSD folks don't know the answer, so, -hackers are the last
> resource.
> 
> I am attempting to make a FBSD gateway to the internet work in a NT based
> network, which uses DHCP to assign addresses to clients.
> 
> The question is: I have to filter who will have access to what service. 
> 
> I couldn't find anything about dhcp and firewalling.

That's because they are programmatically unrelated.  8-).


> Could you help me ?

DHCP assigns addresses and various other options (SLP service group,
default gateway, netmask, LDAP directory location, and so on).

DHCP does *not* manipulate firewall rules.


There are really two questions here:

1)	How do I identify a host computer by its DHCP request?

2)	How do I automatically install firewall rules as a result of
	that identification?

The first is hard, because you don't have any authentication information
associated with the machine.  You do, however, have a weak identifier
(the name the machine requests to be assigned) and a strong identifier
(the MAC address of the machine's ethernet interface).

There are hooks in the bootp portion of the DHCP server for using
the strong identifier (since the MAC address is how bootp maps to
a machine name).  There are hooks in the Dynamic DNS portion of the
DHCP server for the weak identifier.

In general, the strong identifier can be compromised with the correct
hardware.  Basically, any Sun or DEC machine, and any LANCE based
ethernet adapter can change its hardware address, so the strong
identifier will not stop a determined person from usurping the MAC
address of a privileged machine.

So you should probably just "punt" on using the strong identifier,
and thus reduce the problem complexity.


For the weak identifier, there are already hooks for dynamic DNS,
and you could easily overload those hooks to install a list of weak
identifier indexed firewall rules for the requesting machine.

For Windows 95/98, the requested machine name will be the registered
(in the Registry) name of the machine.

By default, you will want to disable all ports (ports map to services),
and enable ports on a case-by-case basis, per machine.

You will need similar processing for lease expiration, and you should
use relatively short-lived leases to prevent someone usurping an IP
with privileges they are not entitled to have.

One potential problem will be that privileges are granted by machine
name, not by user, so if you have a machine used by multiple people,
they should have the same privileges.


The above all presumes, of course, that you are running the DHCP server
on the FreeBSD box, and NOT on the NT box.  If you need to run the DHCP
server on the NT box, then you will be forced to buy a third party
firewall package from someone who has probably paid a *LOT* of money
to license NT source code, and wants to make that money back.  Given
NT source license fees, I'd expect the price to be in the tens of
thousands of dollars.

Note: there is Samba code that allows a FreeBSD box to act as an NT
domain controller, so if the reason you have to use NT is because of
domain controller services, then you don't have to use NT like you
thought you did.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
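The scheme Terry sketches above (default-deny, per-machine allow rules keyed on the requested host name, teardown on lease expiry, and an IP never inheriting the previous occupant's privileges) can be modelled as a small lease-event handler. The following is an added illustration written for this archive page; it is not code from the thread, from FreeBSD, or from the ISC DHCP server. It assumes ipfw(8)-style rule syntax for the generated command strings, a constructed policy table mapping host names to allowed TCP ports, and that the DHCP server's lease hooks call `lease_committed` / `lease_expired` (how those hooks are wired up is not shown). The commands are returned, never executed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy table: requested host name (the "weak identifier") -> TCP ports
# the machine may reach through the gateway. A host name not listed gets no allow
# rules at all, so the default-deny rule is what applies to it.
POLICY: Dict[str, List[int]] = {
    "accounting-pc": [80, 443],
    "mail-client": [25, 110],
}

# Catch-all rule, installed once. ipfw evaluates rules in ascending number order,
# so every per-lease rule (numbered below 65000) is consulted before this one.
DEFAULT_DENY_RULE = "ipfw add 65000 deny ip from any to any"


@dataclass
class Lease:
    hostname: str
    ip: str
    rule_number: int  # one ipfw rule number per lease; "ipfw delete N" drops all of its rules


class LeaseFirewall:
    """Turns DHCP lease events into ipfw command lines (returned, not executed)."""

    def __init__(self, first_rule: int = 1000) -> None:
        self.next_rule = first_rule
        self.leases: Dict[str, Lease] = {}              # active leases keyed by IP
        self.commands: List[str] = [DEFAULT_DENY_RULE]  # everything emitted so far, in order

    def _emit(self, cmds: List[str]) -> List[str]:
        self.commands.extend(cmds)
        return cmds

    def lease_committed(self, hostname: str, ip: str) -> List[str]:
        """Lease assigned or renewed: (re)install the rules for this IP."""
        cmds: List[str] = []
        old = self.leases.get(ip)
        if old is not None:
            if old.hostname == hostname:
                return []  # plain renewal, rules are already in place
            # The IP changed hands: tear down the previous host's rules first so the
            # new occupant does not inherit privileges it was never granted.
            cmds.append(f"ipfw delete {old.rule_number}")
            del self.leases[ip]
        ports = POLICY.get(hostname, [])
        if not ports:
            return self._emit(cmds)  # unknown machine name: default deny applies
        num = self.next_rule
        self.next_rule += 1
        # Return traffic for connections the host opened, then one rule per allowed port.
        cmds.append(f"ipfw add {num} allow tcp from any to {ip} established")
        for port in ports:
            cmds.append(f"ipfw add {num} allow tcp from {ip} to any {port}")
        self.leases[ip] = Lease(hostname, ip, num)
        return self._emit(cmds)

    def lease_expired(self, ip: str) -> List[str]:
        """Lease ended: remove this IP's rules so the address falls back to deny-all."""
        lease = self.leases.pop(ip, None)
        if lease is None:
            return []
        return self._emit([f"ipfw delete {lease.rule_number}"])

    def allowed_ports(self, ip: str) -> List[int]:
        """Ports currently open for an IP according to the lease it holds."""
        lease = self.leases.get(ip)
        return POLICY.get(lease.hostname, []) if lease else []


if __name__ == "__main__":
    fw = LeaseFirewall()
    # Constructed sequence of lease events: grant, unknown host, IP reassigned, expiry.
    for event in (("commit", "accounting-pc", "10.0.0.5"),
                  ("commit", "unknown-box", "10.0.0.6"),
                  ("commit", "mail-client", "10.0.0.5"),
                  ("expire", None, "10.0.0.5")):
        kind, name, ip = event
        out = fw.lease_committed(name, ip) if kind == "commit" else fw.lease_expired(ip)
        print(f"{kind:6} {name or '-':14} {ip}: {out}")
```

Because privileges are keyed on the requested host name, anyone who can set that name on their machine obtains that machine's rules, which is the weakness the reply acknowledges; the short-lease advice and the teardown on reassignment limit how long a usurped address keeps stale rules, they do not authenticate the requester.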
