DHCP problem with Checkpoint Firewall-1

[Brooks Carlson]

I apologize if this has been asked before, I searched the archives for the
last few months and
found nothing. I also searched www.google.com and found some articles, but
none that answered
my particular question.

We are running Checkpoint Firewall-1 4.1 SP2 on an NT 4.0 SP6a machine with
all extra services
disabled. There is an internal network (10.0.0.0/8) with an internal DNS
server. Recently, I took over
the firewall and hardened the outgoing packets (before everything was
allowed). I restricted outgoing to
HTTP, HTTPS, FTP, and SMTP/POP3 for the email server. I allowed UDP DNS and
TCP DNS to DNS
servers.

Now, the firewall is blocking DHCP attempts. I see in the log:

Alert Drop (no source) 255.255.255.255 udp rule0 sourceport68

I created a rule that says:

Any DHCPServer bootp (67/68) accept log long

But it still rejects. The curious thing is that Rule 0 is rejecting. I
went through and elimited extra services
as listed at Phoneboy (How Can I Disable Everything in the Rule Base). Is
something that I unchecked
in the rules now blocking this traffic?

Is this securely possible with Checkpoint-1? We are not using SecuRemote.

-
[To unsubscribe, send mail to majo...@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]

[bl...@galaxy.silvren.com]

A dhcp broadcast is udp sourced from 0.0.0.0 to the broadcast address,
255.255.255.255. Perhaps another rule is blocking this type of packet
before it has a chance to make it to your DHCP allow?

It's hard to tell where your DHCP clients are from your email. If I'm way
off, feel free to clarify.

It sounds as if your DHCP requests are coming in from an outside network.
If the clients in the outside network are behind a cisco router (other
brands probably support this too) then what I'd do is turn on the
ip-helper on the router so that these DHCP requests are sourced from a
specific address. Ip-helper essentially acts as a proxy for DHCP requests.
Then you can create a rule allowing just the cisco router's DHCP requests
through the firewall. As it stands now, you're allowing broadcasts
through, which is kind of ugly since someone can decide to just send out
5,000 DHCP broadcasts and get 5,000 leases. :) Granted, this isn't likely.

[Volker Tanger]

Brooks Carlson schrieb:

> Now, the firewall is blocking DHCP attempts. I see in the log:

It should. You do not have a DHCP service running on a firewall machine, don't
you?!
And routing DHCP into a different network is ...tricky, best.

> Alert Drop (no source) 255.255.255.255 udp rule0 sourceport68

"Rule 0" is anti-spoofing. You could create a "broadcast" network object with
IP address 255.255.255.255 and add that to the allowed addresses to your inside
interface. Make sure you have checked "broadcast allowed" for that interface,
too.

> I created a rule that says:
>
> Any DHCPServer bootp (67/68) accept log long

should read "broadcast" (see above). Simply look into the log what's needed!

Bye
Volker

--

Volker Tanger <volker...@detewe.de>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/

[Brooks Carlson]

Yes that's right Rule 0 is AntiSpoofing, I totally forgot. Brilliant!
I checked the antispoofing rules under the internal firewall interface.
I have specified under Valid Addresses: Others.

This group contains Internal_Net (with broadcast allowed),
InternalDHCPServer
with IP 255.255.255.255, and ExternalIPs (for NAT translation back to
internet).

It still doesn't work. Rule 0 is still blocking. Please note that
DHCP is NOT running on the firewall, separate machine with 10.0.0.4 address.
I set up InternalDHCPServer with an IP of 255.255.255.255. It seems like
maybe
this is not working because it is basing the spoofing on the source address
which is nothing, instead of the destination address 255.255.255.255.

Any other ideas?

[Volker Tanger]

Brooks Carlson schrieb:

> I have specified under Valid Addresses: Others.
>
> This group contains Internal_Net (with broadcast allowed),
> InternalDHCPServer
> with IP 255.255.255.255, and ExternalIPs (for NAT translation back to
> internet).
>
> It still doesn't work. Rule 0 is still blocking. Please note that
> DHCP is NOT running on the firewall, separate machine with 10.0.0.4 address.

So the DHCP server is on a DIFFERENT interface than the clients trying to obtain
an IP address?!??

> It seems like maybe
> this is not working because it is basing the spoofing on the source address
> which is nothing, instead of the destination address 255.255.255.255.

Yes, you are right - I just was not sure about the source when doing DHCP resp.
BOOTP.
Change that to 0.0.0.0 for anti-spoofing.

Bye
Volker

--

Volker Tanger <volker...@detewe.de>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/

[Brooks Carlson]

Ok I finally got it working thanks for everyone's help! Here are the steps I
took:

1. Added a DHCP_Source workstation with IP 0.0.0.0
2. Created a DHCP_Destination workstation with IP 255.255.255.255
3. Added the DHCP_Source workstation into the AntiSpoofing group for
internal interface
on the firewall workstation (make sure Local_Net allows broadcasts)
4. Created a rule which says:
Any DHCP_Destination BOOTP, BOOTTP(port 68) Accept Log Long

It works! Thanks again to everyone who helped.

Does anyone see any security concerns with this setup?

[Alex Kvasnytskyy]

Hi,
Rule 0 in this case means Spoof Tracking action for you FW object (FW object
-> Interfaces - > Security).
As you can see from your entry in log file, this box (sometime it show IP
like 0.0.0.0) sent request to everybody (subnet mask 255.255.255.255) and
asking about Who can gave me IP ?
And of course FW get this packet as well and becouse it comes from internal
(I hope) interface on your FW, anti spoffing policy just drop this packet.
It's not mean that your client can't get DHCP IP from your internal DHCP
server, just FW drop this packet, but your DHCP server should accept it and
give IP for this pure box.
Alex Kvasnytskyy
LAN Admin
Digital Security Controls

-----Original Message-----
From: Brooks Carlson [mailto:bcar...@thedswgroup.com]
Sent: Wednesday, May 09, 2001 10:56
To: 'Firewalls (E-mail)
Subject: DHCP problem with Checkpoint Firewall-1

I apologize if this has been asked before, I searched the archives for the
last few months and
found nothing. I also searched www.google.com and found some articles, but
none that answered
my particular question.

We are running Checkpoint Firewall-1 4.1 SP2 on an NT 4.0 SP6a machine with
all extra services
disabled. There is an internal network (10.0.0.0/8) with an internal DNS
server. Recently, I took over
the firewall and hardened the outgoing packets (before everything was
allowed). I restricted outgoing to
HTTP, HTTPS, FTP, and SMTP/POP3 for the email server. I allowed UDP DNS and
TCP DNS to DNS
servers.

Now, the firewall is blocking DHCP attempts. I see in the log:

Alert Drop (no source) 255.255.255.255 udp rule0 sourceport68

I created a rule that says:

Any DHCPServer bootp (67/68) accept log long

But it still rejects. The curious thing is that Rule 0 is rejecting. I

went through and elimited extra services
as listed at Phoneboy (How Can I Disable Everything in the Rule Base). Is
something that I unchecked
in the rules now blocking this traffic?

Is this securely possible with Checkpoint-1? We are not using SecuRemote.

[Akbari, Amir]

Alex is right. 

If your DHCP server is internal and the DHCP clients do not need to traverse this firewall to get to it, then you can just drop the packets.

I usually add a rule towards the bottom of the rule base to drop these packets and not log them so my logs are cluttered with these messages.

Regards,
Amir Akbari
SSE/ISE
Thrupoint Inc.