Try this:

Replace dhcp-rep-localmodule in rule 5 by bootp.
Remove rule 6, since I would suggest to try replacing it with rule 4.

Jochen

----- Original Message -----
From: "CAMUNAS,MARIO (HP-Spain,ex1)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 12, 2002 10:51 PM
Subject: [FW-1] Firewall-1 and DHCP

> Hello all:
>
> We are having problems with FW-1 and DHCP. We have a dhcp server and
> a fw-1 module in the same system. Our rules are the following:
>
> 4   Any       broadcast  Any  bootp             accept  Log  Policy Targets  Any
> 5   firewall  broadcast  Any  dhcp-rep-localmo  accept  Log  Policy Targets  Any
> 6   Any       broadcast  Any  dhcp-req-localmo  accept  Log  Policy Targets  Any
> 10  Any       Any        Any  Any               drop    Log  Policy Targets  Any
>
> Tcpdump shows the following:
>
> 21:26:34.197340 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 flags:0x8000 [|bootp]
> 21:26:34.198027 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
> 21:26:38.199985 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
> 21:26:38.200673 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
> 21:26:45.200256 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
> 21:26:45.200955 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
> 21:27:01.203678 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
> 21:27:01.204354 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
>
> So the server is receiving the request but the client isn't
> receiving the answer.
>
> In the log file appears an entry with the format
>
> from firewall to 255.255.255.255 dropped due to anti-spoofing.
>
> I don't think anti-spoofing is the cause of this problem because I
> have disabled it in the problematic interface (I think this message is
> caused by the other interface)
>
> Apart from this, if I configure the next rule
>
> Any 255.255.255.255 any accept
>
> The client can obtain his ip address so I think I am making a
> mistake, any idea?
>
> Best regards,
> Mario.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
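
The reading of the capture in the quoted message (the server answers, the client keeps asking) can be checked mechanically. The following is an added example, not part of the original thread: it parses the quoted tcpdump lines, groups them by xid, and reports where the replies went and how the client retried. The names `summarize` and `seconds` and the two-packet threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# The capture quoted in the message above, mail line-wraps rejoined.
CAPTURE = """\
21:26:34.197340 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 flags:0x8000 [|bootp]
21:26:34.198027 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
21:26:38.199985 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
21:26:38.200673 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
21:26:45.200256 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
21:26:45.200955 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
21:27:01.203678 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x3e60fb22 secs:64394 flags:0x8000 [|bootp]
21:27:01.204354 192.168.1.75.bootps > 255.255.255.255.bootpc: xid:0x3e60fb22 secs:64394 flags:0x8000 Y:192.168.1.90 S:192.168.1.75 ether 0:10:a4:ec:41:36 [|bootp] (DF)
"""

# Fields: timestamp, src addr, src port, dst addr, dst port, xid, remainder.
LINE = re.compile(r"^(\S+) ([\d.]+)\.(bootp[cs]) > ([\d.]+)\.(bootp[cs]): xid:(0x[0-9a-f]+)(.*)$")

def seconds(ts):
    h, m, s = ts.split(":")  # tcpdump prints HH:MM:SS.ffffff
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize(capture):
    """Group BOOTP/DHCP packets by xid and flag client retransmissions."""
    groups = defaultdict(lambda: {"client": [], "server": [], "offered": set()})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a BOOTP line in the expected format
        ts, src, sport, dst, dport, xid, rest = m.groups()
        g = groups[xid]
        if sport == "bootpc":  # client -> server
            g["client"].append(seconds(ts))
        else:  # server -> client; record destination and offered address
            g["server"].append(dst)
            g["offered"].update(re.findall(r"\bY:([\d.]+)", rest))
    report = {}
    for xid, g in groups.items():
        sent = g["client"]
        report[xid] = {
            "client_packets": len(sent),
            "server_replies": len(g["server"]),
            "reply_dst": sorted(set(g["server"])),
            "offered": sorted(g["offered"]),
            # Assumption: >2 client packets per xid (discover, request) means retrying.
            "client_retrying": len(sent) > 2,
            "retry_gaps_s": [round(b - a) for a, b in zip(sent, sent[1:])],
        }
    return report
```

On the quoted capture this reports four client packets and four broadcast replies for a single xid, with retry gaps of 4, 7 and 16 seconds, which matches the poster's reading that the server answers but the client never receives the reply.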
