Chris Knipe wrote:

> > One thing: I'll surely have to continue running dhcrelay on the
> > firewall, but I know nothing about possible security holes with
> > dhcrelay.
>
> As far as I understand (I am talking under correction), the only
> implication this would have is that your broadcast data (not only DHCP
> requests) will be broadcast to both segments.

I can/may see a (security) problem with broadcasts spilling out over multiple
segments, but since in time there will be a need for maybe 4-5 internal
segments here, all with a need for DHCP, I'm left with few other
possibilities, at least for now. The 255.255.255.255 routes, combined with
dhcrelay, seemed to work over multiple segments. Of course, I still have to
do the drill of running dhcpd from the (more protected) server segment; will
try that next week.

> In some revere cases, this may cause some confusion with some
> applications and routing from a client side. I am not too sure however.

Hmm, lack of insight prevents me from seeing a problem here. Are you thinking
of apps that should not be able to 'see' across different segments, courtesy
of firewall rules, but may be able to do so due to the broadcasts allowed by
dhcrelay? The latter should AFAIK broadcast only DHCP stuff.

Anyway, I made some tcpdumps of DHCP traffic; perhaps there is a more direct
(firewall rule) oriented way of getting those DHCP requests/answers routed.

Thanks for all the leads here so far. And isn't it just nice with a customer
who doesn't mind a little extra time spent trying to set it all up the right
way, AFAIAC, anyway...

--
Regards,
Mogens Valentin
Networking - Security - Programming
Linux configuration and troubleshooting
http://www.danbbs.dk/~monz - monz@danbbs.dk
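The thread turns on what a BOOTP/DHCP relay actually forwards between segments. The model below is an added example, not code from the original post or from ISC dhcrelay: it builds a minimal DHCP message, then applies the relay rules from RFC 1542/2131 (only BOOTREQUESTs with a valid magic cookie are forwarded, giaddr is set to the relay's own interface address, hops is incremented and capped, and a server BOOTREPLY is delivered back to the client segment only if its giaddr names this relay). The addresses 192.168.1.1 (relay's client-facing interface), 10.0.0.2 (dhcpd on the server segment), the xid and the client MAC are constructed sample values; the trailing-zero "non-DHCP broadcast" is constructed too.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks a DHCP (not plain BOOTP) message
SERVER_PORT, CLIENT_PORT = 67, 68
BROADCAST = "255.255.255.255"
MAX_HOPS = 16                               # RFC 1542 hard cap; real relays default lower
OPT_MESSAGE_TYPE, OPT_END = 53, 255
DHCPDISCOVER, DHCPOFFER = 1, 2

# BOOTP fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file  (RFC 951 / RFC 2131)
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
GIADDR_OFFSET = 24

def ip2b(s): return bytes(int(x) for x in s.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

def build_dhcp(op, xid, msg_type, chaddr, giaddr="0.0.0.0", hops=0,
               ciaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Constructed DHCP message with only a Message Type option (sample data)."""
    hdr = FIXED.pack(op, 1, 6, hops, xid, 0, 0,
                     ip2b(ciaddr), ip2b(yiaddr), ip2b("0.0.0.0"), ip2b(giaddr),
                     chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])

def parse_dhcp(data):
    """Return header fields and DHCP message type, or None if not DHCP at all."""
    if len(data) < FIXED.size + 4 or data[FIXED.size:FIXED.size + 4] != MAGIC_COOKIE:
        return None
    f = FIXED.unpack_from(data)
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "ciaddr": b2ip(f[7]),
           "yiaddr": b2ip(f[8]), "giaddr": b2ip(f[10]), "chaddr": f[11][:f[2]],
           "type": None}
    opts, i = data[FIXED.size + 4:], 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == 0:                    # pad option
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        code, length = opts[i], opts[i + 1]
        if code == OPT_MESSAGE_TYPE and length == 1:
            msg["type"] = opts[i + 2]
        i += 2 + length
    return msg

def relay_to_server(data, relay_if_addr, server_addr):
    """Client segment -> relay: forward only DHCP requests, as unicast to the server."""
    msg = parse_dhcp(data)
    if msg is None:
        return ("drop", "not a BOOTP/DHCP message", None)    # other broadcasts never cross
    if msg["op"] != BOOTREQUEST:
        return ("drop", "not a client request", None)
    if msg["hops"] >= MAX_HOPS:
        return ("drop", "hop limit exceeded", None)         # relay loop protection
    out = bytearray(data)
    out[3] = msg["hops"] + 1
    if msg["giaddr"] == "0.0.0.0":                          # first relay on the path
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ip2b(relay_if_addr)
    return ("forward", (server_addr, SERVER_PORT), bytes(out))

def relay_to_client(data, relay_if_addr):
    """Server -> relay: re-emit on the client segment only if the reply is ours."""
    msg = parse_dhcp(data)
    if msg is None or msg["op"] != BOOTREPLY:
        return ("drop", "not a server reply", None)
    if msg["giaddr"] != relay_if_addr:
        return ("drop", "reply not addressed to this relay", None)
    dst = msg["ciaddr"] if msg["ciaddr"] != "0.0.0.0" else BROADCAST
    return ("deliver", (dst, CLIENT_PORT), data)

if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"
    disc = build_dhcp(BOOTREQUEST, 0x3903F326, DHCPDISCOVER, mac)
    print(relay_to_server(disc, "192.168.1.1", "10.0.0.2")[:2])
    print(relay_to_server(b"\0" * 300, "192.168.1.1", "10.0.0.2")[:2])
    offer = build_dhcp(BOOTREPLY, 0x3903F326, DHCPOFFER, mac,
                       giaddr="192.168.1.1", yiaddr="192.168.1.50")
    print(relay_to_client(offer, "192.168.1.1")[:2])
```

The point for the firewall: a relay does not bridge broadcast domains. The only traffic it originates toward the server segment is UDP from its own interface address, source port 67, to the server's port 67, and the only traffic it re-emits on a client segment is the server's BOOTREPLY to port 68. Rules can therefore be that narrow; anything else crossing between segments is coming from somewhere other than dhcrelay.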