[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DHCP Security

Subject: Re: DHCP Security
From: email@hidden
Date: Tue, 22 Feb 2005 15:35:55 -0800
Delivered-to: email@hidden
Delivered-to: email@hidden
User-agent: Mutt/1.4i

if the dhcp server Can be configured this way it is not obvious.
(nor possible via server admin unless i am on crack)

i have dhcp set up to serve ip/dns/routing info to nodes in a compute cluster.
the nodes are in a private address space as is the interface (en1) that dhcp
is set to listen on.
i once discovered that in spite of the config, dhcp listens
on the public interface (en0) of the head node as well and was happy to 
entertain and service dhcp requests on the public network.
rather than waste time pondering the possibilties of the Why, 
i just blocked any external requests with ipfw.

before i posted this i thought i might look for some evidence to back up 
my claim - and here it is (serveradmin fullstatus dhcp):

dhcp:dhcpLeasesArray:_array_index:1:macAddress = "0:a:95:bc:80:86"
dhcp:dhcpLeasesArray:_array_index:1:computerName = ""
dhcp:dhcpLeasesArray:_array_index:1:timeLeft = -14514506
dhcp:dhcpLeasesArray:_array_index:1:ipAddress = "10.0.0.6"

thats a private ip being assigned to a machine on the public network.
i'd say i have configured dhcp wrong, but i haven't.

the instance of dhcp runs on dual 2gig xserve head with (as of last weak)
panther 10.3.8.

On Wed, Feb 23, 2005 at 07:12:44AM +1100, nigel kersten wrote:
> >You can use the Carnegie-Mellon University version of dhcpd which can 
> >restrict handing out addresses to machines it knows about.  That is, 
> >you list the legit MAC addresses and it won't give an address to a MAC 
> >address it isn't aware of.  Also, you can hand out one set of 
> >addresses to known machines, another set to unknown machines, and then 
> >use access lists to restrict access to valuable servers.
> >
> >We use the CMU version in certain locations to restrict access, though 
> >of course, a savvy user can easily circumvent it.
> 
> The ISC version of dhcpd can also be configured this way.
> 
> I was under the impression you could also do this with the OS X Server 
> dhcpd? set up machines entries and configure it to not hand out to 
> unknown addresses?

-- 
mark garey
dept. of epidemiology and biostatistics
ucsf
500 parnassus ave., MU420 W,
san francisco, ca. 94143
415.502.8870
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden

References:
	>DHCP Security (From: Ed Pastore <email@hidden>)
	>Re: DHCP Security (From: John Mundt <email@hidden>)
	>Re: DHCP Security (From: nigel kersten <email@hidden>)

Prev by Date: Re: Password rules not enforced
Next by Date: Re: Server Temperatures
Previous by thread: Re: DHCP Security
Next by thread: Re: DHCP Security
Index(es):
- Date
- Thread

Home