Re: [SLE] SuSe 9.2 DHCP Server with Firewall

From: Leendert Meyer (leen.meyer_at_home.nl)
Date: 03/21/05

    To: suse-linux-e@suse.com
    Date: Mon, 21 Mar 2005 10:31:10 +0100
    
    

    On Monday 21 March 2005 05:39, Chris Denneen wrote:
    > > Chris Denneen wrote:
    > >>I have setup DHCP Server through YAST properly.
    > >>I have configured Firewall with DHCP Server enabled.

    What firewall?

    > >>When I try to renew a DHCP address with the firewall up it will not let
    > >>me.
    > >>I shut down the firewall and try to renew again and it successfully
    > >> works. So I decided to nmap the ports of the server when the firewall is
    > >> on and when the firewall is off (figuring whatever extra port is showing
    > >> when the firewall is off would be the solution).
    > >>
    > >>TCP 631 is the only additional port available when the firewall is off.
    > >
    > > Open 67 and 68 UDP.
    > > --
    > > Joe Morris
    >
    > This didn't work.
    >
    > I still can't retrieve DHCP request from a client when the firewall is
    > running.
    >
    > While firewall running doing "nmap -sU" I see 68/udp only responding but in
    > a "closed" state.
    >
    > 67 doesn't show at all.
    >
    > Either way this isn't working as expected. I would hope that selecting DHCP
    > Server check box the proper ports would be opened instead of this trial and
    > error :(.. maybe I found a bug in the distribution's configuration?? Not
    > sure..
    >
    > Any more ideas or help to get this working is much appreciated.

    Check the firewall logs to see what ports are blocked. Enable firewall logging
    if necessary.

    Also, you may want to use dhcpdump in the dhcp-tools package to examine what
    packages are sent/received by the dhcp server (use it on the dhcp server),
    and what packages are received/sent by the client (use it on the client).

    The following scriptlet called dhcp-dump helped me enormously:

    ----<cut>----
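    #!/bin/bash
    # Capture DHCP/BOOTP traffic with tcpdump and decode it with dhcpdump.

    # Interface to listen on; defaults to eth0 when no argument is given.
    DEV=${1:-eth0}
    # -lenx: line-buffered, link-level headers, numeric addresses, hex dump
    # (the format dhcpdump parses); -s 1500 captures whole packets.
    /usr/sbin/tcpdump -i "$DEV" -lenx -s 1500 port bootps or port bootpc | dhcpdump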
    ----<cut>----

    Use it like e.g. 'dhcp-dump eth0' or e.g. 'dhcp-dump eth1'.

    Cheers,

    Leen

    -- 
    Check the headers for your unsubscription address
    For additional commands send e-mail to suse-linux-e-help@suse.com
    Also check the archives at http://lists.suse.com
    Please read the FAQs: suse-linux-e-faq@suse.com
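
The advice above to check the firewall logs, as an added example that is not part of the original message: a shell function that counts dropped UDP packets to ports 67 and 68 in firewall log lines. It assumes the firewall writes Linux netfilter LOG-style lines (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= fields) and that dropped packets carry a log prefix containing DROP; the sample lines, the FW-DROP/FW-ACCEPT prefixes and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example: summarize dropped DHCP/BOOTP packets found in firewall logs.
# Assumption: lines follow the netfilter LOG layout (KEY=VALUE tokens).

# Constructed sample log lines (not taken from the thread).
sample_log() {
cat <<'EOF'
Mar 21 10:02:11 gw kernel: FW-DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=308
Mar 21 10:02:15 gw kernel: FW-DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TTL=128 ID=2 PROTO=UDP SPT=68 DPT=67 LEN=308
Mar 21 10:02:16 gw kernel: FW-DROP IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.50 LEN=328 TTL=64 ID=9 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar 21 10:03:40 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.7 DST=192.0.2.1 LEN=60 TTL=64 ID=3 PROTO=TCP SPT=40112 DPT=631
Mar 21 10:04:02 gw kernel: FW-ACCEPT IN=eth1 OUT= SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TTL=128 ID=4 PROTO=UDP SPT=68 DPT=67 LEN=308
EOF
}

# dhcp_drops [PATTERN]
# Reads log lines on stdin and prints one line per distinct dropped flow:
#   COUNT in=IFACE out=IFACE SRC:SPT -> DST:DPT
# PATTERN (default "DROP") selects the lines that record a dropped packet;
# it depends on the log prefix configured in the firewall (assumption).
dhcp_drops() {
    awk -v pat="${1:-DROP}" '
        $0 !~ pat { next }
        {
            split("", f)                      # reset the per-line field map
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n > 1) f[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            if (f["PROTO"] != "UDP") next
            if (f["DPT"] != "67" && f["DPT"] != "68") next
            key = "in=" f["IN"] " out=" f["OUT"] " " \
                  f["SRC"] ":" f["SPT"] " -> " f["DST"] ":" f["DPT"]
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run on the constructed sample; replace with the real log file,
# e.g. dhcp_drops < /var/log/firewall (path is an assumption).
sample_log | dhcp_drops
```

A client broadcast from 0.0.0.0:68 to 255.255.255.255:67 showing up in this summary means the DHCPDISCOVER never reaches the server process, while a 67 to 68 entry means the server's reply is being dropped on the way out.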
    
