-----Original Message-----
From: Darren Reed [mailto:[EMAIL PROTECTED]] 
Sent: Monday, August 12, 2002 8:06 AM
To: taproot420
Cc: [EMAIL PROTECTED]
Subject: Re: cant get dhcp to pass through bridge. ! please help


You need to use a specific dhcp relay to make this work.

Darren


I really don't understand what you are saying but if you are saying to
allow communication with the dhcp server, I have.  The way I had it set
up was any packets coming from the inside "LAN" which is "IN on the sis0
inf." was passed out with options keep state. I was assuming that since
the device requesting an offer was coming from the inside it would be
passed out and allowed back in. The only issue with that is once the
lease is up the server from the outside can't give it a new lease because
the communication originated outside. As for getting an initial offer
when the request is initiated from the inside it should have worked from
what I read as dhcp is only ip traffic and I explicitly allow all
tcp,udp traffic from inside out with the keep state flag... I would
think it would take care of it. I have fixed the rules to allow my isp
dhcp server to communicate whenever it needs to renew a lease as you
will see is one of the first rules in my modified set. As I mentioned if
I plug the device requesting dhcp configuration directly into the cable
modem, "taking the bdrg out of the picture", it gets the info just fine
from my isp's dhcp server and then I can disconnect, reconnect the bdrg
to the modem and then the device using dhcp back to the bdrg and
everything works fine.

So exactly what do I need to do? 
 

(ISP)---CABLEMODEM--SIS1(BDRG)SIS0---NAT/RTR USING DHCP


#####ipf -Fa -f /etc/ipf.rules##### ###Loads Rules###
#
#
#
###Interfaces:(lo0="Loop-Back", sis0="Filtered-Inet", sis1="Dirty-INET")###
#
#
#
###LOOP-BACK###  ##needs to be unrestricted for apps to run smoothly
pass out quick on lo0 all
pass in quick on lo0 all
#
#
#
###DIRTY-INET & Intrusion Detection### ###don't filter if you want IDS to catch all Intrusion attempts###
pass in quick on sis1 all
pass out quick on sis1 all
#
################FILTERED-INET############
#Allow DHCP Renews#
pass out quick on sis0 proto udp from 12.242.18.34/32 port = 67 to any port = 68 keep state

AS YOU CAN SEE ABOVE I ADDED THIS FOR THE FUTURE RENEWS, BUT I STILL CAN'T
GET THE BRIDGE TO PASS A BOOTP REQUEST.
##############Block, Default Deny#########
#
block out on sis0 all
#
##############BLOCKING NON-ROUTABLES (RFC-1918 & MISC.) *SPOOF PROTECTION*############
#
###Block Out### ###out=data from INET###
#
block out quick on sis0 from any to 192.168.0.0/16
block out quick on sis0 from any to 172.16.0.0/12
block out quick on sis0 from any to 127.0.0.0/8
block out quick on sis0 from any to 10.0.0.0/8
block out quick on sis0 from any to 0.0.0.0/8
block out quick on sis0 from any to 0.0.0.0/7
block out quick on sis0 from any to 169.254.0.0/16
block out quick on sis0 from any to 192.0.2.0/24
block out quick on sis0 from any to 204.152.64.0/23
block out quick on sis0 from any to 224.0.0.0/3
block out quick on sis0 from any to 20.20.20.0/32
block out quick on sis0 from any to 20.20.20.255/32
block out quick on sis0 from 192.168.0.0/16 to any
block out quick on sis0 from 172.16.0.0/12 to any
block out quick on sis0 from 10.0.0.0/8 to any
block out quick on sis0 from 127.0.0.0/8 to any
block out quick on sis0 from 0.0.0.0/8 to any
block out quick on sis0 from 0.0.0.0/7 to any
block out quick on sis0 from 169.254.0.0/16 to any
block out quick on sis0 from 192.0.2.0/24 to any
block out quick on sis0 from 204.152.64.0/23 to any
block out quick on sis0 from 224.0.0.0/3 to any
block out quick on sis0 from 20.20.20.0/24 to any
block out quick on sis0 from 20.20.20.0/32 to any
block out quick on sis0 from 20.20.20.255/32 to any
#
###Block In### ###In=data from LAN###
#
block in quick on sis0 from 192.168.0.0/16 to any
block in quick on sis0 from 172.16.0.0/12 to any
block in quick on sis0 from 10.0.0.0/8 to any
block in quick on sis0 from 127.0.0.0/8 to any
block in quick on sis0 from 0.0.0.0/8 to any
block in quick on sis0 from 0.0.0.0/7 to any
block in quick on sis0 from 169.254.0.0/16 to any
block in quick on sis0 from 192.0.2.0/24 to any
block in quick on sis0 from 204.152.64.0/23 to any
block in quick on sis0 from 224.0.0.0/3 to any
block in quick on sis0 from 20.20.20.0/24 to any
block in quick on sis0 from any to 20.20.20.0/32
block in quick on sis0 from any to 20.20.20.255/32
block in quick on sis0 from any to 192.168.0.0/16
block in quick on sis0 from any to 172.16.0.0/12
block in quick on sis0 from any to 127.0.0.0/8
block in quick on sis0 from any to 10.0.0.0/8
block in quick on sis0 from any to 0.0.0.0/8
block in quick on sis0 from any to 0.0.0.0/7
block in quick on sis0 from any to 169.254.0.0/16
block in quick on sis0 from any to 192.0.2.0/24
block in quick on sis0 from any to 204.152.64.0/23
block in quick on sis0 from any to 224.0.0.0/3
#
#
############Block Malformed packets and OS Fingerprinting############
#
###Block Malformed packets### 
#OUT#
block out quick on sis0 all with short
block out quick on sis0 all with opt lsrr
block out quick on sis0 all with opt ssrr
block out quick on sis0 all with ipopts
block out quick on sis0 all with frags
block out quick on sis0 proto icmp from any to any icmp-type redir

#IN#
block in quick on sis0 all with short
block in quick on sis0 all with opt lsrr
block in quick on sis0 all with opt ssrr
block in quick on sis0 all with ipopts
block in quick on sis0 all with frags
#
###Block OS Fingerprinting###
#
####################################################################
#NMAP
#####################################################################
block out quick on sis0 proto tcp from any to any flags FUP
block out quick on sis0 proto tcp from any to any flags SF/SFRA
block out quick on sis0 proto tcp from any to any flags /SFRA
#
################################################################
#
##############Standard Filters#################
#
###Pass OUT### ###note: Pass OUT is incoming from INET on this brdg###
#
###Pass IN### ###note: pass IN is incoming from INTERNAL "LAN" on this brdg###
#
pass in quick on sis0 proto tcp from any to any flags S keep state
pass in quick on sis0 proto udp from any to any keep state
pass in quick on sis0 proto icmp from any to any keep state
block in on sis0 all
#
###Block Specific###
block out quick on sis0 proto tcp from any to any port = 22
block out quick on sis0 proto tcp from any to any port = 23
 

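The following is an added illustration, not code from the thread or from IPFilter itself. It replays the first packet of each DHCP message (RFC 2131: a client with no address sends DISCOVER/REQUEST from 0.0.0.0:68 to the limited broadcast 255.255.255.255:67; the server answers from port 67 to 68, broadcast or unicast) through a subset of the posted rules, in their posted order, using IPFilter's "last match wins unless quick" evaluation. Direction follows the poster's own notes: the LAN side is "in on sis0", the ISP side is "out on sis0". It assumes the server address in the poster's renew rule and a constructed client address (12.242.18.100, a placeholder); `keep state` is not simulated, and rules with `with`, `flags` or `icmp-type` are skipped because they cannot match an ordinary UDP datagram.

```python
"""Replay DHCP's first packets against a subset of the posted ipf rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Subset of the posted ruleset, in posted order. The renew rule uses the ISP
# server address that appears in the poster's own rule.
RENEW_RULE = ("pass out quick on sis0 proto udp from 12.242.18.34/32 port = 67 "
              "to any port = 68 keep state")
RULES = [
    "pass out quick on lo0 all",
    "pass in quick on lo0 all",
    "pass in quick on sis1 all",
    "pass out quick on sis1 all",
    RENEW_RULE,
    "block out on sis0 all",
    "block out quick on sis0 from any to 0.0.0.0/8",
    "block out quick on sis0 from any to 224.0.0.0/3",
    "block out quick on sis0 from 0.0.0.0/8 to any",
    "block in quick on sis0 from 0.0.0.0/8 to any",
    "block in quick on sis0 from any to 224.0.0.0/3",
    "block out quick on sis0 all with short",   # skipped by the parser (see below)
    "pass in quick on sis0 proto udp from any to any keep state",
    "block in on sis0 all",
]
RULES_WITHOUT_RENEW = [r for r in RULES if r != RENEW_RULE]


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


@dataclass
class Packet:
    direction: str   # "in" or "out", as seen by ipf on the bridge interface
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse the address/port subset of ipf syntax used in the posted rules."""
    t = line.split()
    if not t or t[0].startswith("#") or {"with", "flags", "icmp-type"} & set(t):
        return None   # options/flags/icmp rules cannot match a plain UDP datagram
    action, direction, i = t[0], t[1], 2
    quick = t[i] == "quick"
    i += quick
    iface = proto = None
    if t[i] == "on":
        iface, i = t[i + 1], i + 2
    if t[i] == "proto":
        proto, i = t[i + 1], i + 2
    src = dst = ANY
    sport = dport = None
    if t[i] != "all":
        assert t[i] == "from", line
        src, i = _addr(t[i + 1]), i + 2
        if t[i] == "port":                 # "port = N"
            sport, i = int(t[i + 2]), i + 3
        assert t[i] == "to", line
        dst, i = _addr(t[i + 1]), i + 2
        if i < len(t) and t[i] == "port":
            dport, i = int(t[i + 2]), i + 3
    return Rule(action, direction, quick, iface, proto, src, sport, dst, dport, line)


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules, p: Packet):
    """ipf semantics: the last matching rule decides, unless a matching rule is
    'quick', which ends evaluation immediately. No match at all means pass."""
    verdict = ("pass", "<no rule matched: ipf default pass>")
    for r in rules:
        if matches(r, p):
            verdict = (r.action, r.text)
            if r.quick:
                break
    return verdict


SERVER = "12.242.18.34"      # ISP DHCP server, from the posted renew rule
CLIENT = "12.242.18.100"     # constructed placeholder for the leased client address
BCAST = "255.255.255.255"
DHCP_EXCHANGE = [
    ("DISCOVER",          Packet("in",  "sis0", "udp", "0.0.0.0", 68, BCAST, 67)),
    ("OFFER (broadcast)", Packet("out", "sis0", "udp", SERVER, 67, BCAST, 68)),
    ("REQUEST",           Packet("in",  "sis0", "udp", "0.0.0.0", 68, BCAST, 67)),
    ("ACK (broadcast)",   Packet("out", "sis0", "udp", SERVER, 67, BCAST, 68)),
    ("RENEW REQUEST",     Packet("in",  "sis0", "udp", CLIENT, 68, SERVER, 67)),
    ("RENEW ACK",         Packet("out", "sis0", "udp", SERVER, 67, CLIENT, 68)),
]


def evaluate_exchange(rule_lines):
    """Map each DHCP message name to (action, deciding rule text)."""
    rules = [r for r in map(parse_rule, rule_lines) if r]
    return {name: evaluate(rules, p) for name, p in DHCP_EXCHANGE}


if __name__ == "__main__":
    for label, lines in (("with renew rule", RULES), ("without renew rule", RULES_WITHOUT_RENEW)):
        print(f"== {label} ==")
        for name, (action, text) in evaluate_exchange(lines).items():
            print(f"{name:20} {action:5} <- {text}")
```

Running it shows the two sides of the problem separately: the server-to-client direction is taken care of by the added renew rule (it is `quick` and precedes the broadcast block), while the client's DISCOVER and REQUEST on the LAN side are stopped by the `quick` anti-spoofing rules for `0.0.0.0/8` and `224.0.0.0/3` before the `pass in quick ... proto udp` rule is ever reached, so `keep state` never gets a chance to apply. A limited broadcast to 255.255.255.255 falls inside 224.0.0.0/3, so any rule meant to cover multicast with that prefix also covers DHCP broadcasts.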