Passing DHCP through a Hotbrick

Guest
Archived from groups: comp.security.firewalls (More info?)

Greetings,

Exactly how do you set up a Hotbrick firewall so that the machines behind it
will be DHCP-served by the campus main DHCP server (out on the WAN) rather
than the Hotbrick?

Thanks!
 
Guest

On Fri, 11 Jun 2004 19:29:50 -0400, Michael A. Covington spoketh

>Greetings,
>
>Exactly how do you set up a Hotbrick firewall so that the machines behind it
>will be DHCP-served by the campus main DHCP server (out on the WAN) rather
>than the Hotbrick?
>
>Thanks!
>
>

You can't. As far as I can tell from hotbricks' website, there's no
support for DHCP relay.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 
Guest

"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:7sgkc0lvu8chj71p4if0or81c5guu0j1tu@4ax.com...
> On Fri, 11 Jun 2004 19:29:50 -0400, Michael A. Covington spoketh
>
> >Greetings,
> >
> >Exactly how do you set up a Hotbrick firewall so that the machines behind it
> >will be DHCP-served by the campus main DHCP server (out on the WAN) rather
> >than the Hotbrick?
> >
> >Thanks!
> >
> >
>
> You can't. As far as I can tell from hotbricks' website, there's no
> support for DHCP relay.


That is very sad news, if true. I was mis-advised and may end up swapping
this firewall to a department that can use it.

Opening up UDP ports 67 and 68 won't do it? Admittedly I was unsuccessful
with that, but I thought I had left out some detail.

Also, Hotbrick *does* allow me to stop the firewall from being a DHCP
server. I suppose I could hard-code the IP addresses into all the
computers... but that would deprive us of the benefits of the campus DHCP
server, such as its ability to update the list of nameservers dynamically.
 

Alec


"Michael A. Covington" <look@www.covingtoninnovations.com.for.address> wrote
in message news:GoSdnUWuZZ15_1fdRVn-vw@speedfactory.net...
>
> "Lars M. Hansen" <badnews@hansenonline.net> wrote in message
> news:7sgkc0lvu8chj71p4if0or81c5guu0j1tu@4ax.com...
> > On Fri, 11 Jun 2004 19:29:50 -0400, Michael A. Covington spoketh
> >
> > >Greetings,
> > >
> > >Exactly how do you set up a Hotbrick firewall so that the machines behind it
> > >will be DHCP-served by the campus main DHCP server (out on the WAN) rather
> > >than the Hotbrick?
> > >
> > >Thanks!
> > >
> > >
> >
> > You can't. As far as I can tell from hotbricks' website, there's no
> > support for DHCP relay.
>
>
> That is very sad news, if true. I was mis-advised and may end up swapping
> this firewall to a department that can use it.
>
> Opening up UDP ports 67 and 68 won't do it? Admittedly I was unsuccessful
> with that, but I thought I had left out some detail.
>
> Also, Hotbrick *does* allow me to stop the firewall from being a DHCP
> server. I suppose I could hard-code the IP addresses into all the
> computers... but that would deprive us of the benefits of the campus DHCP
> server, such as its ability to update the list of nameservers dynamically.
>

Nope. The DHCP and BOOTP protocols are not layer 3, routable protocols.
Since the whole point is that the booting device does not have an IP
address, it must send out a layer 2 broadcast packet out on to the subnet to
ask for help from a DHCP server that is listening for such broadcasts.
Routers and firewalls do not generally pass layer 2 broadcast packets.
Therefore, you need a BOOTP/DHCP Relay Agent (RFC 1542) to listen for these
special broadcast packets and forward them on. Some routers and firewalls
have such functionality built-in and some do not. I do not know specifically
about the Hotbrick.

Alec
 
Guest

"Michael A. Covington" <look@www.covingtoninnovations.com.for.address> wrote
in message news:GoSdnUWuZZ15_1fdRVn-vw@speedfactory.net...
>
> "Lars M. Hansen" <badnews@hansenonline.net> wrote in message
> news:7sgkc0lvu8chj71p4if0or81c5guu0j1tu@4ax.com...
> > On Fri, 11 Jun 2004 19:29:50 -0400, Michael A. Covington spoketh
> >
> > >Greetings,
> > >
> > >Exactly how do you set up a Hotbrick firewall so that the machines behind it
> > >will be DHCP-served by the campus main DHCP server (out on the WAN) rather
> > >than the Hotbrick?
> > >
> > >Thanks!
> > >
> > >
> >
> > You can't. As far as I can tell from hotbricks' website, there's no
> > support for DHCP relay.
>
>
> That is very sad news, if true. I was mis-advised and may end up swapping
> this firewall to a department that can use it.
>
> Opening up UDP ports 67 and 68 won't do it? Admittedly I was unsuccessful
> with that, but I thought I had left out some detail.
>
> Also, Hotbrick *does* allow me to stop the firewall from being a DHCP
> server. I suppose I could hard-code the IP addresses into all the
> computers... but that would deprive us of the benefits of the campus DHCP
> server, such as its ability to update the list of nameservers dynamically.
>
>
Bridged networks are not much fun in a large installation. Just wait till
somebody turns up a rogue DHCP server!
Or steals IP addresses!
Good luck!
J--
Check my web site for tips on insuring safe computing in wired and wireless
homenetworking environments!
www.pccitizen.com
You spend your whole life figuring out what you should have done with it,
let alone what it was all about. And then your children get to do it all
over again.
 
Guest

"John D Loop" <jdloop@remove.bellsouth.net> wrote in message
news:Vb2zc.2454$lr2.269@bignews2.bellsouth.net...
>
>
>
> "Michael A. Covington" <look@www.covingtoninnovations.com.for.address>
wrote
> in message news:GoSdnUWuZZ15_1fdRVn-vw@speedfactory.net...
> >
> > "Lars M. Hansen" <badnews@hansenonline.net> wrote in message
> > news:7sgkc0lvu8chj71p4if0or81c5guu0j1tu@4ax.com...
> > > On Fri, 11 Jun 2004 19:29:50 -0400, Michael A. Covington spoketh
> > >
> > > >Greetings,
> > > >
> > > >Exactly how do you set up a Hotbrick firewall so that the machines behind it
> > > >will be DHCP-served by the campus main DHCP server (out on the WAN) rather
> > > >than the Hotbrick?
> > > >
> > > >Thanks!
> > > >
> > > >
> > >
> > > You can't. As far as I can tell from hotbricks' website, there's no
> > > support for DHCP relay.
> >
> >
> > That is very sad news, if true. I was mis-advised and may end up swapping
> > this firewall to a department that can use it.
> >
> > Opening up UDP ports 67 and 68 won't do it? Admittedly I was unsuccessful
> > with that, but I thought I had left out some detail.
> >
> > Also, Hotbrick *does* allow me to stop the firewall from being a DHCP
> > server. I suppose I could hard-code the IP addresses into all the
> > computers... but that would deprive us of the benefits of the campus DHCP
> > server, such as its ability to update the list of nameservers dynamically.
> >
> >
> Bridged networks are not much fun in a large installation. Just wait till
> somebody turns up a rogue DHCP server!
> Or steals IP addresses!
> Good luck!

Understood. We are being told to use our campus DHCP server. Myself, I can
see a strong place for using the Hotbrick as intended (NATting the entire
network).
 
Guest

In article <v6KdnebYDfBwXFHdRVn-uA@speedfactory.net>,
look@www.covingtoninnovations.com.for.address says...
>
> "John D Loop" <jdloop@remove.bellsouth.net> wrote in message
> news:Vb2zc.2454$lr2.269@bignews2.bellsouth.net...
[snip]
> > Bridged networks are not much fun in a large installation. Just wait till
> > somebody turns up a rogue DHCP server!
> > Or steals IP addresses!
> > Good luck!
>
> Understood. We are being told to use our campus DHCP server. Myself, I can
> see a strong place for using the Hotbrick as intended (NATting the entire
> network).

Have your HB get its address from the campus DHCP server, NAT
everything behind it.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b36c8436db3deec98a61d@news-server.columbus.rr.com...
> In article <v6KdnebYDfBwXFHdRVn-uA@speedfactory.net>,
> look@www.covingtoninnovations.com.for.address says...
> >
> > "John D Loop" <jdloop@remove.bellsouth.net> wrote in message
> > news:Vb2zc.2454$lr2.269@bignews2.bellsouth.net...
> [snip]
> > > Bridged networks are not much fun in a large installation. Just wait till
> > > somebody turns up a rogue DHCP server!
> > > Or steals IP addresses!
> > > Good luck!
> >
> > Understood. We are being told to use our campus DHCP server. Myself, I can
> > see a strong place for using the Hotbrick as intended (NATting the entire
> > network).
>
> Have your HB get its address from the campus DHCP server, NAT
> everything behind it.

That is easy to set up and is exactly what I meant by NATting everything.

In our lab, I think we have very little risk of malice within the lab,
because the machines are used by a select group. But we get a lot of
attacks from outside.
 
Guest

In article <bPedneY6nfH-iFDdRVn-vg@speedfactory.net>,
look@www.covingtoninnovations.com.for.address says...
>
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b36c8436db3deec98a61d@news-server.columbus.rr.com...
> > In article <v6KdnebYDfBwXFHdRVn-uA@speedfactory.net>,
> > look@www.covingtoninnovations.com.for.address says...
> > >
> > > "John D Loop" <jdloop@remove.bellsouth.net> wrote in message
> > > news:Vb2zc.2454$lr2.269@bignews2.bellsouth.net...
> > [snip]
> > > > Bridged networks are not much fun in a large installation. Just wait till
> > > > somebody turns up a rogue DHCP server!
> > > > Or steals IP addresses!
> > > > Good luck!
> > >
> > > Understood. We are being told to use our campus DHCP server. Myself, I can
> > > see a strong place for using the Hotbrick as intended (NATting the entire
> > > network).
> >
> > Have your HB get its address from the campus DHCP server, NAT
> > everything behind it.
>
> That is easy to set up and is exactly what I meant by NATting everything.
>
> In our lab, I think we have very little risk of malice within the lab,
> because the machines are used by a select group. But we get a lot of
> attacks from outside.

We set up our development labs with multiple routers (NAT) to isolate the
project teams from each other in case one clashes with the other. Each
team is assigned one or more public IPs (depending on the router used) or
one or more LAN IPs in the development network and then NATs them for
their group - each project group uses a different subnet on their
project than the other groups.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

Ending this long thread...

Hotbrick Tech Support confirms that DHCP packets cannot pass through a
Hotbrick from an external DHCP server, except in the special situation that
the DHCP server's gateway is the Hotbrick.
 
Guest

Alec wrote:


>
> Nope. The DHCP and BOOTP protocols are not layer 3, routable protocols.
> Since the whole point is that the booting device does not have an IP
> address, it must send out a layer 2 broadcast packet out on to the subnet to
> ask for help from a DHCP server that is listening for such broadcasts.
> Routers and firewalls do not generally pass layer 2 broadcast packets.
> Therefore, you need a BOOTP/DHCP Relay Agent (RFC 1542) to listen for these
> special broadcast packets and forward them on. Some routers and firewalls
> have such functionality built-in and some do not. I do not know specifically
> about the Hotbrick.
>
> Alec

Um, BOOTP and DHCP requests are layer 3 UDP broadcasts. (BOOTP generally
uses the 0.0.0.0 and DHCP the 255.255.255.255 broadcast addresses,
respectively.) They set both source and destination address to broadcast.

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
 
Guest

Michael A. Covington wrote:

> Greetings,
>
> Exactly how do you set up a Hotbrick firewall so that the machines behind it
> will be DHCP-served by the campus main DHCP server (out on the WAN) rather
> than the Hotbrick?
>
> Thanks!
>
>
>

Disable DHCP on the Hotbrick and set up a DHCP forwarder box (I use an
old desktop and load some flavor of windoze NT server when I need to do
this, but most good OSes have some sort of DHCP forwarder available).

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
 
Guest

"T. Sean Weintz" <sean@snerts-r-us.org> wrote in message
news:10cs4g2k57n8869@corp.supernews.com...
> Michael A. Covington wrote:
>
> > Greetings,
> >
> > Exactly how do you set up a Hotbrick firewall so that the machines behind it
> > will be DHCP-served by the campus main DHCP server (out on the WAN) rather
> > than the Hotbrick?
> >
> > Thanks!
> >
> >
> >
>
> Disable DHCP on the hotbrick and set up a dhcp forwarder box - (I use an
> old desktop and load some flavor of windoze NT server when I need to do
> this, but most good OS'es have some sort of dhcp forwarder available)

Can you elaborate? You're referring to setting up a computer with 2 network
cards?
 

Alec


"T. Sean Weintz" <sean@snerts-r-us.org> wrote in message
news:10cs2m3aikqp6a6@corp.supernews.com...
> Alec wrote:
>
>
> >
> > Nope. The DHCP and BOOTP protocols are not layer 3, routable protocols.
> > Since the whole point is that the booting device does not have an IP
> > address, it must send out a layer 2 broadcast packet out on to the subnet to
> > ask for help from a DHCP server that is listening for such broadcasts.
> > Routers and firewalls do not generally pass layer 2 broadcast packets.
> > Therefore, you need a BOOTP/DHCP Relay Agent (RFC 1542) to listen for these
> > special broadcast packets and forward them on. Some routers and firewalls
> > have such functionality built-in and some do not. I do not know specifically
> > about the Hotbrick.
> >
> > Alec
>
> Um, bootp and dhcp requests are layer 3 udp broadcasts. (bootp generally
> uses the 0.0.0.0 and dhcp the 255.255.255.255 broadcast addresses,
> respectively) they set both source and destination address to broadcast.
>

Yes, my mistake. You are quite correct. They are layer 3 protocols, however,
they still make use of the broadcast addresses, as you mentioned, which are
not normally forwarded by firewalls and routers. The relevant point, if I'm
not mistaken, is that these routers and firewalls have to explicitly support
the DHCP/BOOTP RELAY functionality. It is not something simply opening up
port 67 will resolve.

Alec
 
Guest

Alec wrote:

>
> Yes, my mistake. You are quite correct. They are layer 3 protocols, however,
> they still make use of the broadcast addresses, as you mentioned, which are
> not normally forwarded by firewalls and routers. The relevant point, if I'm
> not mistaken, is that these routers and firewalls have to explicitly support
> the DHCP/BOOTP RELAY functionality. It is not something simply opening up
> port 67 will resolve.
>
> Alec
>
>
Right you are.
 
Guest

Michael A. Covington wrote:

>
> Can you elaborate? You're referring to setting up a computer with 2 network
> cards?
>
>
>

No. One computer with one network card will do. The DHCP forwarder software
gets set up so that it knows the actual IP address of the DHCP server
you want to use (it can be several hops away).

It listens for broadcasts bound for the DHCP/BOOTP port, and then
forwards all such packets on to the IP address of the DHCP server.

ALL versions of windoze NT (from at least 3.51 on), to my knowledge, come
with a DHCP forwarder (part of the optional networking components install).
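The packet rewrite a BOOTP/DHCP relay agent performs, as Alec (RFC 1542 relay agent) and T. Sean Weintz (forwarder that knows the server's real address, listens for the broadcast and forwards it) describe above, shown as an added Python example that is not from the thread and is not Hotbrick's or any vendor's code. It also shows why Weintz's earlier point matters: the client's request is a UDP broadcast from 0.0.0.0 to 255.255.255.255, and the relay must stamp its own address into giaddr and re-send the packet as a unicast to the server, which is more than a firewall rule opening UDP 67/68 can do. On the return path the relay only hands back replies that really came from the configured server, so an offer from an unexpected server (the rogue DHCP server John D Loop warns about) is dropped. All addresses, the MAC and the sample packets are constructed for the demo.

```python
"""Minimal BOOTP/DHCP relay-agent logic (RFC 1542 / RFC 2131 giaddr handling).
Added example; addresses and packets are constructed, not taken from the thread."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"              # marks the DHCP options area
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
BROADCAST_FLAG = 0x8000                          # RFC 2131 'flags' field, bit 15
MAX_HOPS = 16                                    # RFC 1542 4.1.1: discard beyond 16 hops
HDR = "!BBBBIHH4s4s4s4s16s64s128s"               # the fixed 236-byte BOOTP header


def ip4(addr):
    """Dotted-quad string -> 4 packed bytes."""
    return ipaddress.IPv4Address(addr).packed


def build_packet(op, xid, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                 giaddr="0.0.0.0", hops=0, flags=BROADCAST_FLAG, options=()):
    """Encode a BOOTP header plus DHCP option TLVs (RFC 2131 section 2 layout)."""
    hdr = struct.pack(HDR, op, 1, len(chaddr), hops, xid, 0, flags,
                      ip4(ciaddr), ip4(yiaddr), ip4("0.0.0.0"), ip4(giaddr),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_packet(data):
    """Decode the fixed header and the option TLVs into a dict."""
    f = struct.unpack(HDR, data[:236])
    pkt = {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
           "ciaddr": str(ipaddress.IPv4Address(f[7])),
           "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "giaddr": str(ipaddress.IPv4Address(f[10])),
           "chaddr": f[11][:f[2]], "options": {}}
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        pkt["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return pkt


def relay_request(data, relay_ip, server_ip):
    """Client -> server. The broadcast DISCOVER/REQUEST gets the relay's own
    address in giaddr (unless an earlier relay already filled it), hops is
    incremented, and the packet is forwarded as a unicast to the real server.
    Returns (rewritten packet, (dest ip, dest port)) or None if it must be dropped."""
    pkt = parse_packet(data)
    if pkt["op"] != BOOTREQUEST or pkt["hops"] + 1 > MAX_HOPS:
        return None
    out = bytearray(data)
    out[3] = pkt["hops"] + 1                     # 'hops' is byte 3 of the header
    if pkt["giaddr"] == "0.0.0.0":
        out[24:28] = ip4(relay_ip)               # 'giaddr' occupies bytes 24..27
    return bytes(out), (server_ip, DHCP_SERVER_PORT)


def relay_reply(data, src_ip, relay_ip, server_ip):
    """Server -> client. Accept only a BOOTREPLY addressed to this relay (giaddr)
    that arrived from the configured server and names it in option 54; hand it
    to the client subnet as a broadcast, or unicast to ciaddr when the client
    already has an address and did not set the broadcast flag. Anything else
    (for example an offer from a rogue server on the LAN) is dropped."""
    pkt = parse_packet(data)
    if pkt["op"] != BOOTREPLY or pkt["giaddr"] != relay_ip:
        return None
    if src_ip != server_ip or pkt["options"].get(OPT_SERVER_ID) != ip4(server_ip):
        return None
    if pkt["ciaddr"] != "0.0.0.0" and not pkt["flags"] & BROADCAST_FLAG:
        return data, (pkt["ciaddr"], DHCP_CLIENT_PORT)
    return data, ("255.255.255.255", DHCP_CLIENT_PORT)


def demo():
    """Walk one DISCOVER through the relay and test a genuine and a rogue OFFER."""
    relay_ip, server_ip, rogue_ip = "10.10.5.1", "10.0.0.53", "10.10.5.99"  # constructed
    mac = bytes.fromhex("001122334455")                                      # constructed
    discover = build_packet(BOOTREQUEST, 0x3903F326, mac,
                            options=[(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    forwarded, dest = relay_request(discover, relay_ip, server_ip)

    def offer(from_ip):
        return build_packet(BOOTREPLY, 0x3903F326, mac, yiaddr="10.10.5.77",
                            giaddr=relay_ip,
                            options=[(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                                     (OPT_SERVER_ID, ip4(from_ip))])

    accepted = relay_reply(offer(server_ip), server_ip, relay_ip, server_ip)
    dropped = relay_reply(offer(rogue_ip), rogue_ip, relay_ip, server_ip)
    fwd = parse_packet(forwarded)
    return {"giaddr": fwd["giaddr"], "hops": fwd["hops"], "dest": dest,
            "accepted_to": accepted[1], "rogue_dropped": dropped is None}


if __name__ == "__main__":
    print(demo())
```

The return-path delivery is simplified: a production relay uses the client's hardware address to unicast the reply at layer 2 when the broadcast flag is clear, which needs a raw socket and is left out here. The forwarding socket itself is also omitted; the functions return the rewritten datagram and its destination so that the giaddr logic can be exercised offline.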
 
Guest

"T. Sean Weintz" <sean@snerts-r-us.org> wrote in message
news:10curu9dbp08u84@corp.supernews.com...
> Michael A. Covington wrote:
>
> >
> > Can you elaborate? You're referring to setting up a computer with 2 network
> > cards?
>
> No. 1 computer with 1 network card will do. The dhcp forwarder software
> gets set up so that it knows the actual IP address of the DHCP server
> you want to use (can be several hops away)
>
> It listens for broadcasts bound for the DHCP/BOOTP port, and then
> forwards all such packets on to the IP address of the DHCP server.
>
> ALL versions of windoze NT (from at least 3.51 on) to my knowledge come
> with a DHCP forwarder (part of the optional networking components install)

Ah. And this is behind the firewall? And does it need any special ports
opened up on the firewall?
 
Guest

Michael A. Covington wrote:
> "T. Sean Weintz" <sean@snerts-r-us.org> wrote in message
> news:10curu9dbp08u84@corp.supernews.com...
>
>>Michael A. Covington wrote:
>>
>>
>>>Can you elaborate? You're referring to setting up a computer with 2 network
>>>cards?
>>
>>No. 1 computer with 1 network card will do. The dhcp forwarder software
>>gets set up so that it knows the actual IP address of the DHCP server
>>you want to use (can be several hops away)
>>
>>It listens for broadcasts bound for the DHCP/BOOTP port, and then
>>forwards all such packets on to the IP address of the DHCP server.
>>
>>ALL versions of windoze NT (from at least 3.51 on) to my knowledge come
>>with a DHCP forwarder (part of the optional networking components install)
>
>
> Ah. And this is behind the firewall? And does it need any special ports
> opened up on the firewall?
>
>
Make sure ports 67 and 68 are open for UDP. One needs to be outgoing, one
incoming. Can't remember which is which - simplest to just open both
ports for traffic both ways.

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz