Hello all:
We are having problems with FW-1 and DHCP. We have a DHCP server and
a FW-1 module on the same system. Our rules are the following:
4 Any broadcast Any bootp accept Log Policy Targets Any
5 firewall broadcast Any dhcp-rep-localmo accept Log Policy Targets Any
6 Any broadcast Any dhcp-req-localmo accept Log Policy Targets Any
10 Any Any Any Any drop Log Policy Targets Any
Tcpdump shows the following:
21:26:34.197340 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 flags:0x8000 [|bootp]
21:26:34.198027 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
21:26:38.199985 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
21:26:38.200673 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
21:26:45.200256 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
21:26:45.200955 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
21:27:01.203678 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
21:27:01.204354 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
So the server is receiving the request but the client isn't
receiving the answer.
An entry appears in the log file with the format
from firewall to 255.255.255.255 dropped due to anti-spoofing.
I don't think anti-spoofing is the cause of this problem because I
have disabled it on the problematic interface (I think this message is
caused by the other interface).
Apart from this, if I configure the following rule
Any 255.255.255.255 any accept
the client can obtain its IP address, so I think I am making a
mistake. Any idea?
Best regards,
Mario.
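
The reading of the capture described in the post (the server answers, yet the client keeps repeating the same request) can be checked mechanically. The following is an added example, not part of the original message: it groups tcpdump BOOTP lines by xid and counts client requests sent after the server had already replied. The function names and the sample (the first three exchanges from the capture above, one packet per line) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: first three request/reply pairs from the capture in the post.
CAPTURE = """\
21:26:34.197340 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 flags:0x8000 [|bootp]
21:26:34.198027 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
21:26:38.199985 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
21:26:38.200673 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
21:26:45.200256 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
21:26:45.200955 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
"""

# timestamp, src.port > dst.port, xid, then optional secs / flags / Y (offered address)
PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>bootp[cs]) > "
    r"(?P<dst>\S+)\.(?P<dport>bootp[cs]): xid:(?P<xid>0x[0-9a-f]+)"
    r"(?: secs:\d+)?(?: flags:(?P<flags>0x[0-9a-f]+))?(?: Y:(?P<yiaddr>\S+))?"
)

def summarize(capture):
    """Group BOOTP/DHCP packets by xid; count client retries sent after a reply."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "retries_after_reply": 0,
                                 "offered": set(), "reply_paths": set()})
    for line in capture.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue                      # not a BOOTP line in the expected format
        s = stats[m["xid"]]
        if m["sport"] == "bootpc":        # client -> server
            s["requests"] += 1
            if s["replies"]:              # server had already answered this xid
                s["retries_after_reply"] += 1
        else:                             # server -> client
            s["replies"] += 1
            s["reply_paths"].add((m["src"], m["dst"]))
            if m["yiaddr"]:
                s["offered"].add(m["yiaddr"])
    return dict(stats)

def stalled(capture):
    """xids where the client kept asking although the server had replied."""
    return sorted(x for x, s in summarize(capture).items() if s["retries_after_reply"])

if __name__ == "__main__":
    for xid, s in summarize(CAPTURE).items():
        print(xid, s)
```

The `reply_paths` set records the source and destination of each server reply, which is the address pair to compare against the firewall's drop log entries.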