Archived from groups: comp.security.firewalls
"Michael A. Covington" <look@www.covingtoninnovations.com.for.address> wrote
in message news:GoSdnUWuZZ15_1fdRVn-vw@speedfactory.net...
>
> "Lars M. Hansen" <badnews@hansenonline.net> wrote in message
> news:7sgkc0lvu8chj71p4if0or81c5guu0j1tu@4ax.com...
> > On Fri, 11 Jun 2004 19:29:50 -0400, Michael A. Covington spoketh
> >
> > >Greetings,
> > >
> > >Exactly how do you set up a Hotbrick firewall so that the machines behind
> > >it will be DHCP-served by the campus main DHCP server (out on the WAN)
> > >rather than the Hotbrick?
> > >
> > >Thanks!
> > >
> > >
> >
> > You can't. As far as I can tell from hotbricks' website, there's no
> > support for DHCP relay.
>
>
> That is very sad news, if true. I was mis-advised and may end up swapping
> this firewall to a department that can use it.
>
> Opening up UDP ports 67 and 68 won't do it? Admittedly I was unsuccessful
> with that, but I thought I had left out some detail.
>
> Also, Hotbrick *does* allow me to stop the firewall from being a DHCP
> server. I suppose I could hard-code the IP addresses into all the
> computers... but that would deprive us of the benefits of the campus DHCP
> server, such as its ability to update the list of nameservers dynamically.
>
Nope. The DHCP and BOOTP protocols are not layer 3, routable protocols.
Since the whole point is that the booting device does not have an IP
address, it must send a layer 2 broadcast packet out onto the subnet to
ask for help from a DHCP server that is listening for such broadcasts.
Routers and firewalls do not generally pass layer 2 broadcast packets.
Therefore, you need a BOOTP/DHCP Relay Agent (RFC 1542) to listen for these
special broadcast packets and forward them on. Some routers and firewalls
have such functionality built-in and some do not. I do not know specifically
about the Hotbrick.
Alec
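To make the relay-agent behaviour Alec describes concrete, here is an added example (not from this thread, not Hotbrick code) modelling the two forwarding directions of an RFC 1542 BOOTP/DHCP relay on the fixed BOOTP header: stamping giaddr and incrementing hops on the way to the server, and checking giaddr and the broadcast flag on the way back. Addresses such as 10.1.2.1 (relay) and 10.0.0.5 (server) are constructed sample values.

```python
import socket
import struct

# Fixed 236-byte BOOTP header (RFC 951 / RFC 2131); DHCP options follow it and are passed through untouched.
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16            # RFC 1542 section 4.1.1: a request whose hops field exceeds 16 is discarded
BROADCAST_FLAG = 0x8000  # RFC 1542 section 3.1.1: client asks for its reply to be broadcast

def build(op, xid, chaddr, hops=0, ciaddr="0.0.0.0", yiaddr="0.0.0.0", giaddr="0.0.0.0", flags=0):
    """Build a minimal Ethernet (htype=1, hlen=6) BOOTP header for testing (constructed input)."""
    ip = socket.inet_aton
    return struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip(ciaddr), ip(yiaddr),
                       ip("0.0.0.0"), ip(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)

def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    ip = socket.inet_ntoa
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6], "ciaddr": ip(f[7]),
            "yiaddr": ip(f[8]), "giaddr": ip(f[10]), "chaddr": f[11][:f[2]]}

def relay_request(pkt, relay_ip, server_ip):
    """Client -> server direction (RFC 1542 section 4.1.1). Returns (dest, packet) or None to drop."""
    f = parse(pkt)
    if f["op"] != BOOTREQUEST or f["hops"] > MAX_HOPS:
        return None                              # wrong direction or relay loop: discard
    out = bytearray(pkt)
    out[3] = f["hops"] + 1                       # hops field sits at offset 3
    if f["giaddr"] == "0.0.0.0":                 # only the first relay stamps its address (offset 24)
        out[24:28] = socket.inet_aton(relay_ip)
    return (server_ip, 67), bytes(out)           # unicast to the server, no broadcast needed

def relay_reply(pkt, relay_ip):
    """Server -> client direction (RFC 1542 section 4.1.2). Returns (dest, packet) or None to drop."""
    f = parse(pkt)
    if f["op"] != BOOTREPLY or f["giaddr"] != relay_ip:
        return None                              # not addressed to this relay: silently discard
    if f["ciaddr"] != "0.0.0.0":
        return (f["ciaddr"], 68), pkt            # client already has an address: plain unicast
    if f["flags"] & BROADCAST_FLAG:
        return ("255.255.255.255", 68), pkt      # client cannot receive unicast yet: broadcast on its subnet
    return (f["yiaddr"], 68), pkt                # unicast to the offered address (needs a raw L2 send in practice)

if __name__ == "__main__":
    req = build(BOOTREQUEST, 0x1234, bytes.fromhex("001122334455"), flags=BROADCAST_FLAG)
    print(relay_request(req, "10.1.2.1", "10.0.0.5")[0], parse(relay_request(req, "10.1.2.1", "10.0.0.5")[1]))
```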