Date: Sun, 17 May 1998 20:46:37 +0000 (GMT) From: Terry Lambert <tlambert@primenet.com> To: capriotti@geocities.com (Capriotti) Cc: hackers@FreeBSD.ORG Subject: Re: DHCP Message-ID: <199805172046.NAA29488@usr05.primenet.com> In-Reply-To: <3.0.32.19980517093559.00934e90@pop.mpc.com.br> from "Capriotti" at May 17, 98 09:46:37 am
next in thread | previous in thread | raw e-mail | index | archive | help
> I am sorry for posting this question here, but it seems that -questions and > our local FBSD folks don't know the answer, so, -hackers are the last > resource. > > I am attempting to make a FBSD gateway to the internet work in a NT based > network, which uses DHCP to assing addresses to clients. > > The question is: I have to filter who will have access to what service. > > I couldn't find anything about dhcp and firewalling. That's because they are programatically unrelated. 8-). > Could you help me ? DHCP assigns addresses and various other options (SLP service group, default gateway, netmask, LDAP directory location, and so on). DHCP does *not* manipulate firewall rules. There are really two questions here: 1) How do I identify a host computer by its DHCP request? 2) How do I automatically install firewall rules as a result of that identification. The first is hard, because you don't have any authentication information associated with the machine. You do, however, have a weak identifier (the name the machine requests to be assigned) and a strong identifier (the MAC address of the machine's ethernet interface). There are hooks in the bootp portion of the DHCP server for using the strong identifier (since the MAC address is how bootp maps to a machine name). There are hooks in the Dynamic DNS portion of the DHCP server for the weak identifier. In general, the strong identifier can be compromised with the correct hardware. Basically, any Sun or DEC machine, and any LANCE based ethernet adapter can change its hardware address, so the strong identifier will not stop a determined person from usurping the MAC address of a priviledged machine. So you should probably just "punt" on using the strong identifier, and thus reduce the problem complexity. For the weak identifier, there are already hooks for dynamic DNS, and you could easily overload those hooks to install a list of weak identifier indexed firewall rules for the requesting machine. For Windows95/98, the requested machine name will be the registered (in the Registry) name of the machine. By default, you will want to disable all ports (ports map to services), and enable ports on a case-by-case basis, per machine. You will need similar processing for lease expiration, and you should use relatively short-lived leases to prevent someone usurping an IP with priviledges they are not entitled to have. One potential problem will be that priviledges are granted by machine name, not by user, so if you have a machine used by multiple people, they should have the same priviledges. The above all presumes, of course, that you are running the DHCP server on the FreeBSD box, and NOT on the NT box. If you need to run the DHCP server on the NT box, then you will be forced to buy a third party firewall package from someone who has probably paid a *LOT* of money to license NT source code, and wants to make that money back. Given NT source license fees, I'd expect the price to be in the tens of thousands of dollars. Note: there is Samba code that allows a FreeBSD box to act as an NT domain controller, so if the reason you have to use NT is because of domain controller services, then you don't have to use NT like you thought you did. Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805172046.NAA29488>