Already present on the bridge.

# cat bridgename.bridge0
add sis0 add sis1 blocknonip sis0 blocknonip sis1 up

I thought dhcp used ip to handshake. So I assume from this that on a
corporate network each routed segment would need its own dhcp server or
have the router act as a relay. Ok, now I understand, but this would
imply that this would only be needed when segments are separated by a
router, which eliminates ether cross talk between the segments it
separates. Correct? With the bridge it should be different, as all ether
packets received on one bridge interface are present on the other. After
all, a bridge is just a really expensive patch cable. So I could assume
from your explanation that if I removed the blocknonip from the bridge
interfaces it would allow the dhcp ether handshake, but of course this
is probably dangerous to allow. What a dilemma. So basically in a
network such as cable modem, where addresses are dynamically provided,
the nat/router, or some addressable unit, has to be first and then the
bridge, but this really undermines the reason I wanted a bridge to begin
with, as I wanted my first connection to the hostile internet to be
non-addressable and be able to filter layer 3 packets to and from my
given isp ip on the nat/router in total undetectable stealth mode. I am
still researching, but I assume even a relay would have to be before the
bridge. There has to be a way to have the bridge first and make this
work. Is there any way to modify the dhclient.conf or other file and
make it request its lease from a specific server, ex. 12.34.12.1, instead
of broadcasting via ether frames trying to discover a dhcp server? That
would allow the use of ip because it already knows its target and does
not have to rely on broadcasting discover packets.

Thanks for all the advice, I am really learning a great amount about
bridging.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of James A. Robbins
Sent: Monday, August 12, 2002 1:50 PM
To: [EMAIL PROTECTED]
Subject: Re: cant get dhcp to pass through bridge. ! please help

----- Original Message ----- 
From: "taproot420" <[EMAIL PROTECTED]>
To: "'Darren Reed'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, August 12, 2002 2:16 PM
Subject: RE: cant get dhcp to pass through bridge. ! please help


> 
> 
> -----Original Message-----
> From: Darren Reed [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, August 12, 2002 8:06 AM
> To: taproot420
> Cc: [EMAIL PROTECTED]
> Subject: Re: cant get dhcp to pass through bridge. ! please help
> 
> 
> You need to use a specific dhcp relay to make this work.
> 
> Darren
> 
> 
> I really don't understand what you are saying but if you are saying to
> allow communication with the dhcp server, I have.

DHCP uses Ethernet broadcasts for the initial handshake between the
client and the server.  These broadcasts are not IP (and therefore not
filterable by ipf) and have to be passed by your interfaces (in
bridgename.bridge0 set -blocknonip sis0 and -blocknonip sis1).

> The way I had it set up was any packets coming from the inside "LAN",
> which is "IN on the sis0 inf.", was passed out with options keep
> state. I was assuming that since the device requesting an offer was
> coming from the inside it would be passed out and allowed back in. The
> only issue with that is once the lease is up the server from the
> outside can't give it a new lease because the communication originated
> outside. As for getting an initial offer when the request is initiated
> from the inside, it should have worked from what I read, as dhcp is
> only ip traffic and I explicitly allow all tcp,udp traffic from inside
> out with the keep state flag... I would think it would take care of
> it. I have fixed the rules to allow my isp dhcp server to communicate
> whenever it needs to renew a lease, as you will see is one of the first
> rules in my modified set. As I mentioned, if I plug the device
> requesting dhcp configuration directly into the cable modem, "taking
> the bdrg out of the picture", it gets the info just fine from my isp's
> dhcp server and then I can disconnect, reconnect the bdrg to the modem
> and then the device using dhcp back to the bdrg and everything works
> fine.
> 
> So exactly what do I need to do? 
>  
> 
> (ISP)---CABLEMODEM--SIS1(BDRG)SIS0---NAT/RTR USING DHCP
> 
> 
>  #####ipf -Fa -f /etc/ipf.rules##### ###Loads Rules### 
> #
> #
> #
> ###Interfaces:(lo0="Loop-Back", sis0="Filtered-Inet", sis1="Dirty-INET",###
> #
> #
> #
> ###LOOP-BACK###  ##needs to be unrestricted for apps to run smoothly
> pass out quick on lo0 all
> pass in quick on lo0 all
> #
> #
> #
> ###DIRTY-INET & Intrusion Detection ###don't filter if you want IDS to catch all Intrusion attempts###
> pass in quick on sis1 all 
> pass out quick on sis1 all
> #
> ################FILTERED-INET############
> #Allow DHCP Renews#
> pass out quick on sis0 proto udp from 12.242.18.34/32 port = 67 to any port = 68 keep state
> 
> AS YOU CAN SEE ABOVE I ADDED THIS FOR THE FUTURE RENEWS, BUT I STILL
> CAN'T GET THE BRIDGE TO PASS A BOOTP REQUEST.
> ##############Block, Default Deny#########
> #
> block out on sis0 all
> #
> ##############BLOCKING NON-ROUTABLES (RFC-1918 & MISC.) *SPOOF PROTECTION*############
> #
> ###Block Out### ###out=data from INET###
> #
> block out quick on sis0 from any to 192.168.0.0/16
> block out quick on sis0 from any to 172.16.0.0/12
> block out quick on sis0 from any to 127.0.0.0/8
> block out quick on sis0 from any to 10.0.0.0/8
> block out quick on sis0 from any to 0.0.0.0/8
> block out quick on sis0 from any to 0.0.0.0/7
> block out quick on sis0 from any to 169.254.0.0/16
> block out quick on sis0 from any to 192.0.2.0/24
> block out quick on sis0 from any to 204.152.64.0/23
> block out quick on sis0 from any to 224.0.0.0/3
> block out quick on sis0 from any to 20.20.20.0/32
> block out quick on sis0 from any to 20.20.20.255/32
> block out quick on sis0 from 192.168.0.0/16 to any
> block out quick on sis0 from 172.16.0.0/12 to any
> block out quick on sis0 from 10.0.0.0/8 to any
> block out quick on sis0 from 127.0.0.0/8 to any
> block out quick on sis0 from 0.0.0.0/8 to any
> block out quick on sis0 from 0.0.0.0/7 to any
> block out quick on sis0 from 169.254.0.0/16 to any
> block out quick on sis0 from 192.0.2.0/24 to any
> block out quick on sis0 from 204.152.64.0/23 to any
> block out quick on sis0 from 224.0.0.0/3 to any
> block out quick on sis0 from 20.20.20.0/24 to any
> block out quick on sis0 from 20.20.20.0/32 to any
> block out quick on sis0 from 20.20.20.255/32 to any
> #
> ###Block In### ###In=data from LAN###
> #
> block in quick on sis0 from 192.168.0.0/16 to any
> block in quick on sis0 from 172.16.0.0/12 to any
> block in quick on sis0 from 10.0.0.0/8 to any
> block in quick on sis0 from 127.0.0.0/8 to any
> block in quick on sis0 from 0.0.0.0/8 to any
> block in quick on sis0 from 0.0.0.0/7 to any
> block in quick on sis0 from 169.254.0.0/16 to any
> block in quick on sis0 from 192.0.2.0/24 to any
> block in quick on sis0 from 204.152.64.0/23 to any
> block in quick on sis0 from 224.0.0.0/3 to any
> block in quick on sis0 from 20.20.20.0/24 to any
> block in quick on sis0 from any to 20.20.20.0/32
> block in quick on sis0 from any to 20.20.20.255/32
> block in quick on sis0 from any to 192.168.0.0/16
> block in quick on sis0 from any to 172.16.0.0/12
> block in quick on sis0 from any to 127.0.0.0/8
> block in quick on sis0 from any to 10.0.0.0/8
> block in quick on sis0 from any to 0.0.0.0/8
> block in quick on sis0 from any to 0.0.0.0/7
> block in quick on sis0 from any to 169.254.0.0/16
> block in quick on sis0 from any to 192.0.2.0/24
> block in quick on sis0 from any to 204.152.64.0/23
> block in quick on sis0 from any to 224.0.0.0/3
> #
> #
> ############Block Malformed packets and OS Fingerprinting############
> #
> ###Block Malformed packets### 
> #OUT#
> block out quick on sis0 all with short
> block out quick on sis0 all with opt lsrr
> block out quick on sis0 all with opt ssrr
> block out quick on sis0 all with ipopts
> block out quick on sis0 all with frags
> block out quick on sis0 proto icmp from any to any icmp-type redir
> 
> #IN#
> block in quick on sis0 all with short
> block in quick on sis0 all with opt lsrr
> block in quick on sis0 all with opt ssrr
> block in quick on sis0 all with ipopts
> block in quick on sis0 all with frags
> #
> ###Block OS Fingerprinting###
> #
> ####################################################################
> #NMAP
> #####################################################################
> block out quick on sis0 proto tcp from any to any flags FUP
> block out quick on sis0 proto tcp from any to any flags SF/SFRA
> block out quick on sis0 proto tcp from any to any flags /SFRA
> #
> ################################################################
> #
> ##############Standard Filters#################
> #
> ###Pass OUT### ###note: Pass OUT is incoming from INET on this brdg###
> #
> ###Pass IN### ###note: pass IN is incoming from INTERNAL "LAN" on this brdg###
> #
> pass in quick on sis0 proto tcp from any to any flags S keep state
> pass in quick on sis0 proto udp from any to any keep state
> pass in quick on sis0 proto icmp from any to any keep state
> block in on sis0 all
> #
> ###Block Specific###
> block out quick on sis0 proto tcp from any to any port = 22
> block out quick on sis0 proto tcp from any to any port = 23
>  
> 
> 



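A check worth running against the rules quoted in this thread, as an added example that is not code from any of the posters: a small evaluator for the ipf subset those rules use (quick rules are final, otherwise the last match decides, no match passes), applied to the IP leg of a DHCP exchange on sis0. Whatever the bridge does with the frames, the DISCOVER (sent from 0.0.0.0:68 to 255.255.255.255:67 per RFC 2131) is caught by the anti-spoof line `block in quick on sis0 from 0.0.0.0/8 to any` before the udp pass rule is reached, while a unicast renewal from an already leased address passes, which matches the behaviour described above. Assumptions: the server address 12.242.18.34 is the one from the posted rules, the client address 203.0.113.10 is constructed, and keep state is not modelled.

```python
import ipaddress
# Subset of the ipf rules posted in the thread, in their original order.
RULES_TEXT = """
pass out quick on sis0 proto udp from 12.242.18.34/32 port = 67 to any port = 68 keep state
block out on sis0 all
block out quick on sis0 from any to 224.0.0.0/3
block in quick on sis0 from 0.0.0.0/8 to any
block in quick on sis0 from any to 224.0.0.0/3
pass in quick on sis0 proto udp from any to any keep state
block in on sis0 all
"""
def parse_rule(line):
    # Grammar subset: ACTION DIR [quick] on IF [proto P] (all | from SRC [port = N] to DST [port = N])
    t = line.split()
    r = {"line": line, "action": t[0], "dir": t[1], "quick": "quick" in t,
         "iface": t[t.index("on") + 1], "proto": t[t.index("proto") + 1] if "proto" in t else None,
         "src": "any", "sport": None, "dst": "any", "dport": None}
    if "from" in t:
        i, j = t.index("from"), t.index("to")
        r["src"], r["dst"] = t[i + 1], t[j + 1]
        if t[i + 2] == "port":
            r["sport"] = int(t[i + 4])  # tokens are: port = N
        if j + 2 < len(t) and t[j + 2] == "port":
            r["dport"] = int(t[j + 4])
    return r
def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] == p["iface"] and r["proto"] in (None, p["proto"])
            and in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"])
            and r["sport"] in (None, p["sport"]) and r["dport"] in (None, p["dport"]))
def evaluate(rules, pkt):
    # ipf semantics: a matching 'quick' rule is final; otherwise the last
    # matching rule decides; a packet matching no rule at all is passed.
    verdict = ("pass", None)
    for r in rules:
        if matches(r, pkt):
            verdict = (r["action"], r["line"])
            if r["quick"]:
                break
    return verdict
RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
def udp_on_sis0(direction, src, sport, dst, dport):
    return {"dir": direction, "iface": "sis0", "proto": "udp",
            "src": src, "sport": sport, "dst": dst, "dport": dport}
# Constructed packets for the legs of a DHCP exchange as seen on sis0 (RFC 2131 addressing).
DISCOVER = udp_on_sis0("in", "0.0.0.0", 68, "255.255.255.255", 67)    # client has no address yet
OFFER = udp_on_sis0("out", "12.242.18.34", 67, "255.255.255.255", 68)  # broadcast offer from the ISP server
RENEW = udp_on_sis0("in", "203.0.113.10", 68, "12.242.18.34", 67)     # unicast renew; client address constructed
```

`evaluate(RULES, pkt)` returns the verdict together with the rule text that produced it, so it shows which line of the posted set decides each packet.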