On Wed 23/04/2003 at 18:58, Carsten Maass wrote:
> which discards them, why am I unable to apply a rule which redirects
> them to another subnet's interface? Shouldn't the DNAT thingy take care
> of the new destination address?

Because after DNAT, it won't be broadcast anymore.

> Yes, a DHCP relay would be a solution, but I opted against it. I am
> trying to keep the router/firewall as (c)lean as possible: just routing,
> firewall and ssh stuff.

I understand this point, and, as I said below, this would be a bad idea.

> Right you are. But our setup was a compromise between money and
> security: Another server is just not affordable at the moment.

You can just use an existing server to provide this service, as it is very light, or even consider having it run on your firewall's internal interface only, while waiting for a dedicated box.

> But you make me consider whether it wouldn't be better to convince our
> Windows admin to let go of his DHCP idea. The administrative overhead of a
> static client setup might be a better price to pay, pondering the
> security impact of the current setup.

DHCP is a good thing, to save time. But I don't like the idea of dynamic IPs. So I configure my DHCPd to give out addresses based on MAC address, so I have static IPs, but DHCP-distributed.

> On the other hand I am also eager
> to find out why this doesn't work out as expected.

Just because DHCP cannot be NATed.

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
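An added example, not part of the mail above, of the "static IPs, but DHCP-distributed" setup Cédric describes: an ISC dhcpd.conf that hands each known machine a fixed lease keyed on its MAC address and refuses everything else. The subnet, hostnames and MAC addresses are constructed placeholders.

```conf
# Added example (not from the original mail): ISC dhcpd.conf giving each
# known machine a fixed lease keyed on its MAC address, so the addresses
# are effectively static while still being distributed by DHCP.
# Subnet, hostnames and MAC addresses below are constructed placeholders.

ddns-update-style none;
default-lease-time 86400;
max-lease-time 86400;
authoritative;

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 192.168.10.1;

    # No "range" statement, so there is no dynamic pool at all; a client
    # whose MAC is not declared in a host block gets no address.
    deny unknown-clients;
}

host ws-alice {
    hardware ethernet 00:11:22:33:44:55;   # constructed MAC
    fixed-address 192.168.10.21;
}

host ws-bob {
    hardware ethernet 00:11:22:33:44:66;   # constructed MAC
    fixed-address 192.168.10.22;
}
```

To run it "on the firewall's internal interface only", name that interface on the dhcpd command line (for example `dhcpd eth1`); dhcpd listens only on the interfaces it is given. One caveat worth keeping in mind when weighing the "security impact" mentioned in the thread: the MAC address is chosen by whoever controls the client, so this keeps the address plan tidy and auditable, but it is not an access control on its own.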