Hi,
You presumed right!
DHCP client to server uses 67 UDP
DHCP server to client uses 68 UDP
same thing for bootp.
cheers!
-----Original Message-----
From: Ben Nagy [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, May 25, 1999 8:36 PM
To: 'Tally'; [EMAIL PROTECTED]
Subject: RE: which ports to allow PDC login ?
Wow, how can one person be SO wrong?
DHCP is an extension of BOOTP, so presumably uses the same ports. Both use a
limited local broadcast (255.255.255.255) via UDP to ask for config
information, using a null IP address (0.0.0.0). The DHCP server then
responds either with a unicast packet (sent to the MAC address, obviously -
the server has to pre-alter its ARP table) or another local b/cast packet.
Since it's a UDP broadcast, you only need to configure your router (the
firewall in your case) to forward UDP local broadcasts - Ciscos can do this
with what they call a "helper address". In other words, you need to make
sure that anytime the firewall sees a local UDP broadcast it forwards it to
a unicast address you specify on the other side of the firewall (the DHCP
server would be the best choice).
I have no idea if the firewall you're using can do this.
My apologies for the blatantly incorrect info.
Cheers!
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
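As an added illustration of the forwarding rule Ben describes above (example code written for this page, not from any list participant), the following models a firewall that relays DHCP client broadcasts to a unicast helper address and passes only that server's replies back, dropping other local broadcasts. The addresses are constructed sample values and HELPER_IP is an assumed placeholder.

```python
from dataclasses import dataclass, replace
# Constructed sample values; HELPER_IP is an assumed placeholder for the DHCP
# server's unicast address on the far side of the firewall.
DHCP_SERVER_PORT = 67                 # bootps: client -> server
DHCP_CLIENT_PORT = 68                 # bootpc: server -> client
LIMITED_BROADCAST = "255.255.255.255"
HELPER_IP = "10.0.0.5"

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def is_dhcp_client_broadcast(p: Packet) -> bool:
    # Initial DHCP request as the thread describes it: UDP 68 -> 67 to the
    # limited broadcast address. The source is 0.0.0.0 on the first request
    # (and the leased address on a renewal), so do not key on the source IP.
    return (p.proto == "udp" and p.dst_ip == LIMITED_BROADCAST
            and p.src_port == DHCP_CLIENT_PORT and p.dst_port == DHCP_SERVER_PORT)

def is_dhcp_server_reply(p: Packet, helper_ip: str) -> bool:
    # Only the helper may answer: UDP 67 -> 68, unicast or broadcast.
    return (p.proto == "udp" and p.src_ip == helper_ip
            and p.src_port == DHCP_SERVER_PORT and p.dst_port == DHCP_CLIENT_PORT)

def relay_decision(p: Packet, helper_ip: str = HELPER_IP):
    """Return (action, packet) for one packet arriving at the firewall.
    'relay' rewrites the broadcast destination to the helper's unicast address
    (a real relay agent also sets giaddr in the DHCP payload; not modelled).
    'pass' lets the server's reply through unchanged. Everything else, including
    other UDP broadcasts such as NetBIOS name service on 137, is dropped."""
    if is_dhcp_client_broadcast(p):
        return "relay", replace(p, dst_ip=helper_ip)
    if is_dhcp_server_reply(p, helper_ip):
        return "pass", p
    return "drop", None

# Constructed sample traffic: first DHCP request, server reply, NetBIOS broadcast.
SAMPLE = [
    Packet("udp", "0.0.0.0", 68, LIMITED_BROADCAST, 67),
    Packet("udp", HELPER_IP, 67, "192.168.1.50", 68),
    Packet("udp", "192.168.1.10", 137, LIMITED_BROADCAST, 137),
]

def apply_policy(packets=SAMPLE, helper_ip: str = HELPER_IP):
    """Run every packet through relay_decision; returns the list of actions."""
    return [relay_decision(p, helper_ip)[0] for p in packets]
```

Running `apply_policy()` on the sample yields `['relay', 'pass', 'drop']`: only the DHCP exchange crosses the firewall, and the NetBIOS broadcast never does.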
-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 26, 1999 9:06 AM
To: 'Tally'; [EMAIL PROTECTED]
Subject: RE: which ports to allow PDC login ?
I think you may be in some trouble. MS NETLOGON and most versions of NAT
Don't Get Along (covered this month - thread "RE: "). And, as a few people
covered, most firewalls use some kind of NAT to separate the internal and
external networks... You have the ports right though. 137-139, and NETLOGON
is tcp (can't remember the exact port, off the top of my head).
And yeah, a DHCP request looks like a MAC address with an IP address of
0.0.0.0 and it's an Ethernet broadcast - I don't think there are any ports
involved. You'd need a firewall that forwarded these broadcasts somehow -
ick.
I really think you'd be better off re-working your architecture so that
people didn't log in from the outside of the firewall to the inside. Apart
from the technical problems in making it work, you'll have a raft of
security issues due to the traffic you'll have to allow through the
firewall. Maybe you can use a VPN type connection?
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-----Original Message-----
From: Tally [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 26, 1999 5:29 AM
To: [EMAIL PROTECTED]
Subject: which ports to allow PDC login ?
**********************************************************
To allow logins by member NT servers through a firewall into the PDC on the
other side of the firewall, is it sufficient to allow only the NetBIOS service
ports? Are there any other ports that need to be opened up to allow the logins
of member NT servers into the NT PDC?
NT member ------FIREWALL ------ PDC
server
********************************************************
Second, what are the ports to allow DHCP requests through? Is it just the
bootp ports, or do we need any other rules as well? Because (I guess) DHCP
requests (at first) are made at a MAC level (as the client still does not have
an IP address!).
NT client-------FIREWALL -------DHCP server
Please email me ASAP.
thanks
tally
********************************************************
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]