09-18-2010
ipfw and dhcp
Hello,
I have a little problem with my server configuration.
So: I have two PC's with DHCP enable and both of them have two NIC's.
PC1 - le0 ADSL
PC1 - le1 192.168.10.1
PC2 - le0 192.168.10.10
PC2 - le1 192.168.20.1
One NIC on PC1 is connected to ADSL, another one have IP address 192.168.10.1
PC2 have 192.168.10.10 on the 1st NIC, and 192.168.20.1 on the 2nd.
When someone want to connect and his MAC is not configured in PC1 ( to take IP from 192.168.10.0 network ) he take IP address from DHCP from PC2 - 192.168.20.2.
The problem is that, when I type: /release /renew somethimes PC take IP address from ADSL - 192.168.1.17 How can I restrict/deny this range - 192.168.1.0?I don't wana my PC's to take IP's from there.
I try with: ipfw add 2 deny all from 192.168.1.0/24 to any;ipfw add 3 deny all from any to 192.168.1.0/24;ipfw add 4 deny all from any to 192.168.1.1 and many, many, but nothing works
And the second question is: when I ping from 192.168.10.1 to 192.168.10.10 ( another PC ), ping is < 1ms, but when I ping 192.168.20.1 ( another interface ), ping is too high ( like 2ms,8ms, 20ms and etc. ).It's not hardware problem in lan card, becouse interfaces are virtual.
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
i am running nat on my freeBSD and web/ftp server.
The rule allow ip from any to any must always be? or how? if i accept all packets to go on my ep0 which diverts all to my intranet it doesnt help, must the rule allow ip from any to any always be ?
even if many rules are between divert rule and... (3 Replies)
Discussion started by: hachik
3 Replies
2. Cybersecurity
Is there a general rule I can apply when examining/editing ipfw entries?
Also, does each new entry have to have a unique rule number?
And, I think I can write a script to block code red infected machines (though I'm not sure it would do more than slim down my web server error message log),... (0 Replies)
Discussion started by: [MA]Flying_Meat
0 Replies
3. BSD
just as the title says.
thanks.
#General Rule Sets
/sbin/ipfw add 0300 check-state
/sbin/ipfw add 0301 deny tcp from any to any in established
/sbin/ipfw add 0302 pass tcp from any to any out setup keep-state
/sbin/ipfw add 0303 pass udp from any to any out
#SSH FTP
/sbin/ipfw add 0400... (11 Replies)
Discussion started by: dwildgoose
11 Replies
4. UNIX for Dummies Questions & Answers
Hi folks,
I am a Mac User, and have little knowledge on IPFW.
I have a set up at home where my computer (with 2 ethernet cards and static IP adresses) serves Internet to my family's computers.
I have already a script that will run automatically at login and called from Cron at certain... (2 Replies)
Discussion started by: fundidor
2 Replies
5. Cybersecurity
Hello.
I hope you can help me please.
We are about to bring a few servers online which will be hosting different things...
For one server, it will be hosting a HTTPd, and just wanted to know whether these rules are correct that I have?
To ensure the right interfaces etc, here's a copy of... (1 Reply)
Discussion started by: DanUK
1 Replies
6. BSD
Hi!
I've already posted this on the freebsd-questions mailing list, but I thought I could try it here too.
I'm using FreeBSD 7.0 with IPFW DUMMYNET enabled.
I've got a problem with creating a ruleset, which allows me to limit the overall bandwidth of a link and afterwards pass the packets... (0 Replies)
Discussion started by: xenator
0 Replies
7. Cybersecurity
Hello, excuse my English. Please could tell me how I can pass this syntax for iptables to ipfw.
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -m recent
--set --name thor --rdest -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flag RST RST -m state --state
ESTABLISHED -m recent... (0 Replies)
Discussion started by: dot357
0 Replies
8. Shell Programming and Scripting
Hello,
This is an SSH Block hammer script using ipfw, that I have modified for my own use. It is for a freenas 7.2 box which is FreeBSD based.
The script works, but if there is more then one hammer attack per day, my issue is the script reads the first five instances of refused or invalid... (2 Replies)
Discussion started by: dpreviti
2 Replies
9. IP Networking
Hi All ,
please view the set up below:
-------------------------------------------------------------------
| DHCP Server |-----------| ROUTER & |-----------| Clients |
| 192.168.99.1 | - -<eth1>| DHCP-RELAY|<eth2>-- | 192.168.88.X |
... (2 Replies)
Discussion started by: gdangoor
2 Replies
10. OS X (Apple)
Under Mountain Lion, I want logs from ipfw sent to ipfw.log instead of dumped in system.log I've tried to figure out how OSX handles logs, but... after going back and forth between a syslog.conf which does little if anything, a newsyslog.conf that seems to only handle rotation, an asl.conf that... (3 Replies)
Discussion started by: jnojr
3 Replies
LEARN ABOUT DEBIAN
dhcping
dhcping(8) General Commands Manual dhcping(8)
NAME
dhcping - send a DHCP request to DHCP server to see if it's up and running
SYNOPSIS
dhcping [-v] [-q] [-i] [-r] -t maxwait -c client-IP-address -s server-IP-address -h client-hardware-address [-g gateway-IP-address]
DESCRIPTION
This command allows the system administrator to check if a remote DHCP server is still functioning.
Options are:
-v Verbose, print some information.
-V Very verbose, print a lot of information.
-i Use DHCPINFORM packets.
-r Use DHCPREQUEST packets (default behaviour).
-q Quiet, print nothing on the screen.
-t maxwait
Maximum time to wait for an answer from the server in seconds. Default is 3 seconds.
-c client-IP-address
Request this IP address. Note that this is also the IP address the answer will be sent to.
-s server-IP-address
Send the DHCP packet to this IP address.
-h client-hardware-address
Use this hardware-address in the DHCP request. It can be up to sixteen octets separated by colons (i.e. 01:02:03:04)
-g gateway-IP-address
Use this IP address for the gateway IP address in the DHCP packet. This option is currently broken.
RETURN VALUES
If everything goes okay, it returns 0. If there went something wrong, it returns 1.
SETUP
This program should be installed setuid root or ran by root only. See SECURITY for more information.
On your DHCP server, add these lines to the dhcpd.conf:
host <your monitoring host FQDN> {
hardware ethernet <your monitor host mac address>;
fixed-address <your monitoring host IP address>;
}
Then try it:
$ dhcping -c your monitoring host IP address
-s your DHCP server IP address
-h your monitor host mac address
It will either respond with "no answer" or "Got answer from: your DHCP server IP address"
The DHCP server logfile will give:
DHCPREQUEST for 192.168.1.1 from 00:20:18:56:29:8f via ed0
DHCPACK on 192.168.1.1 to 00:20:18:56:29:8f via ed0
DHCPRELEASE of 192.168.1.1 from 00:20:18:56:29:8f via ed0 (found)
Running in DHCPINFORM mode with -i:
If you see "DHCPINFORM from 192.168.1.1 via xl0: not authoritative for subnet 192.168.1.0", you should add the authoritative statement to
the subnet, See dhcpd.conf(5) for details.
When running in very verbose mode, dhcping tries to dump all data of the send and received DHCP packets. It will first dump the packet in
hex-format, then decodes the header and finally the options.
HOW IT WORKS
The client either sends a DHCPREQUEST or DHCPINFORM packet to the server and waits for an answer. Then, if a DHCPREQUEST was send, it will
send a DHCPRELEASE back to the server.
SECURITY
This program is installed setuid root as it requires the privileges to bind itself to port 68 (bootpc). Root privileges are dropped as soon
as the program has bound itself to that port.
BUGS
Currently (this may, or may not, change in the future) the ISC DHCP daemon does not write leases with a fixed IP address in the
dhcpd.leases file.
DHCPINFORM packets can only be used on subnets the server is authoritative for. If the monitoring script runs on a subnet the server isn't
authoritative for, it should use the DHCPREQUEST packets. I also experienced some problems with ISC DHCPD v2 servers, but that is also in
the README of it.
The -V option is still working, but shouldn't be used for debugging of the packets. Better use dhcpdump(8) for that, which is available on
my website. I wanted to remove it, but decided only to do it from the documentation, not from the code. Maybe I'll need it one day for
debugging.
AUTHOR
Edwin Groothuis, edwin@mavetju.org (http://www.mavetju.org)
SEE ALSO
dhcpd(8), dhclient(8), dhcpd.conf(5), dhcpdump(8)
3rd Berkeley Distribution January 27, 2002 dhcping(8)