[lug] securing DHCP

Brian Jarrett celttechie at earthlink.net
Tue Aug 13 16:19:09 MDT 2002


On Tue, 13 Aug 2002 16:05:34 -0600 "D. Stimits" <stimits at idcomm.com> wrote:

> It looks like DHCP, as used by AT&T cable modems, might need both ports
> 67 and 68, UDP and TCP, available. I am on the local network, and seeing
> (prior to completed cable modem install, the modem is there, but not
> all parts of it have been activated by AT&T yet) DHCP broadcasts from
> source 0.0.0.0:68 to 255.255.255.255:67. This might just be a stupid
> windows-ism from the win2k machine that is sitting on the net, or it
> might be from the AT&T cable modem. Regardless of source, does anyone
> know if the AT&T cable or DSL modems allow blocking of all sources
> except perhaps one DHCP server address? Or am I going to have to leave
> it open in the firewall for source 0.0.0.0 and destination
> 255.255.255.255? I had thought this would be something like a
> nameserver, where I could add a known DHCP server address, and not leave
> it open to 0.0.0.0 broadcasts. Then again, 0.0.0.0 is probably not
> routable, and it probably can be guaranteed to come from the cable modem
> service. Does anyone have any general advice on ports and firewalling
> under DHCP, when there will be different windows and different linux
> machines on the net?
> 
I'm not quite sure I understand the question, but I can tell you with a great
degree of certainty that the packet you describe is coming from a machine
wanting a DHCP address.  If you look at the MAC address of the source you
should be able to pinpoint where the packet is coming from.  DHCP clients
always send a packet out to 255.255.255.255 when negotiating an IP address
with the DHCP server.  Once the Discover, Offer, Reply and Acknowledge packets
are transferred over the net, the client has its IP address.

Are you concerned about clients on AT&T's network trying to get an IP from your
local DHCP server?  I don't have any knowledge of their cable modems, but DHCP
usually doesn't get from one subnet to another without a ProxyDHCP server.
Hope this helps in some way.

Brian
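An added example, not part of the thread above: a small parser for the BOOTP/DHCP payload that pulls out the client hardware address (the MAC the reply says to look at when tracing a 0.0.0.0:68 to 255.255.255.255:67 broadcast) and the DHCP message type, then groups datagrams by transaction id so a full lease negotiation shows up as one sequence. The datagrams, MAC address, transaction id and addresses below are constructed for the example, not captured from the network described in the post.

```python
import struct

# BOOTP fixed header (236 bytes) followed by the DHCP magic cookie and options.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp(op, msg_type, xid, mac, yiaddr="0.0.0.0"):
    """Build a minimal DHCP payload (constructed sample data, not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    yi = bytes(int(x) for x in yiaddr.split("."))
    header = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,  # flags: broadcast
                         b"\x00" * 4, yi, b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type, 255])  # option 53 = message type, 255 = end
    return header + DHCP_MAGIC + options


def parse_dhcp(payload):
    """Return op, xid, client MAC, offered address and message type of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ci, yiaddr, _si, _gi,
     chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, payload[:236])
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    # Walk the TLV option list; code 0 is padding, 255 terminates.
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(53, b"\x00")[0]
    return {"op": "BOOTREQUEST" if op == 1 else "BOOTREPLY", "xid": xid,
            "client_mac": mac, "yiaddr": ".".join(str(b) for b in yiaddr),
            "message_type": MSG_TYPES.get(mtype, f"UNKNOWN({mtype})")}


def classify_datagram(src_ip, src_port, dst_ip, dst_port, payload):
    """Label a UDP datagram the way a firewall log reviewer would, keeping the MAC for tracing."""
    info = parse_dhcp(payload)
    if (src_ip, src_port, dst_ip, dst_port) == ("0.0.0.0", 68, "255.255.255.255", 67):
        info["verdict"] = "client broadcast from unconfigured host; trace by client_mac"
    elif dst_port == 67:
        info["verdict"] = "client to server (renewal or relayed request)"
    elif src_port == 67:
        info["verdict"] = "server reply"
    else:
        info["verdict"] = "not on DHCP ports"
    return info


def transaction_log(datagrams):
    """Group datagrams by xid; a complete lease looks like DISCOVER, OFFER, REQUEST, ACK."""
    by_xid = {}
    for src_ip, sport, dst_ip, dport, payload in datagrams:
        info = classify_datagram(src_ip, sport, dst_ip, dport, payload)
        by_xid.setdefault(info["xid"], []).append(info["message_type"])
    return by_xid


# Constructed four-message exchange: (src_ip, src_port, dst_ip, dst_port, payload).
MAC, XID, SERVER = "00:11:22:33:44:55", 0x3903F326, "192.168.1.1"
SAMPLE_DATAGRAMS = [
    ("0.0.0.0", 68, "255.255.255.255", 67, build_dhcp(1, 1, XID, MAC)),
    (SERVER, 67, "255.255.255.255", 68, build_dhcp(2, 2, XID, MAC, "192.168.1.100")),
    ("0.0.0.0", 68, "255.255.255.255", 67, build_dhcp(1, 3, XID, MAC)),
    (SERVER, 67, "255.255.255.255", 68, build_dhcp(2, 5, XID, MAC, "192.168.1.100")),
]

if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        info = classify_datagram(*d)
        print(f"{d[0]}:{d[1]} -> {d[2]}:{d[3]}  {info['message_type']:<8} "
              f"mac={info['client_mac']}  {info['verdict']}")
    print(transaction_log(SAMPLE_DATAGRAMS))
```

Run against real traffic, the same parser can be fed the UDP payloads from a packet capture; the client MAC in `chaddr` is what identifies the asking host even though its source IP is 0.0.0.0, and any `xid` that never reaches ACK is a negotiation the firewall or the server did not complete.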
