Monday, January 3, 2011

How to allow DHCP on the firewall or through the firewall

In some situations it is necessary to run a DHCP server on the firewall, but it should be avoided whenever possible. As has been said before, you probably shouldn't be running a DHCP server on your firewall: every extra service listening on it is extra attack surface. Your firewall should be your firewall, and little or nothing else.

That said, the only reason FW-1 should interfere with DHCP is if you have rules preventing the traffic. You'll need to allow UDP/67 *to* the FW (client requests, addressed to the server port) and UDP/68 *from* the FW (server replies, addressed to the client port), on each interface that you wish to provide BOOTP/DHCP services to. Note that your normal stealth rule, which drops everything addressed to the firewall itself, will block those requests, so the rules allowing the DHCP traffic must be placed in front of the stealth rule. Bear in mind also that a client with no address yet sends its DHCPDISCOVER from 0.0.0.0 port 68 to the broadcast address 255.255.255.255 port 67, so the accept rule cannot depend on a specific client source address.

On Nokia firewalls you have a DHCP relay capability, which lets clients on one side of the firewall reach a DHCP server on the other side without running a server on the firewall itself. Off the main config menu, BOOTP Relay is what you want.

You will also need to add to your rulebase something to the effect of:

Source: DHCP_Servers   Destination: Firewalls   Service: BOOTP   Action: ACCEPT

The relay agent and the server talk to each other on UDP/67 in both directions, and since this traffic is addressed to the firewall itself, this rule too belongs in front of the stealth rule.
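The ports and addresses described above, for both the locally served case and the relayed case, as an added example that is not part of the original post and not Check Point's or Nokia's code: a small Python DHCP/BOOTP message builder and parser that works out which UDP source/destination pair each leg of the exchange travels in, i.e. what the firewall rule has to match. The firewall/relay address 192.168.1.1, the server 10.0.0.5, the MAC address and the offered lease 192.168.1.50 are all constructed for the example.

```python
# Added example, not code from the original post: build and decode RFC 2131
# DHCP/BOOTP messages and derive the UDP 5-tuple each leg of the exchange
# travels in, which is what a firewall permit rule has to match.
# All addresses, MACs and transaction IDs below are constructed.
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68           # UDP/67 (server), UDP/68 (client)
BROADCAST_FLAG = 0x8000                     # RFC 2131 'B' bit in the flags field
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
LIMITED_BROADCAST = "255.255.255.255"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header
HEADER_LEN = struct.calcsize(HEADER_FMT)


def _packed(ip):
    return ipaddress.IPv4Address(ip).packed


def build_dhcp(op, xid, chaddr, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
               siaddr="0.0.0.0", giaddr="0.0.0.0", flags=0, hops=0):
    """Serialize a minimal DHCP message: fixed header, cookie, option 53, END."""
    fixed = struct.pack(HEADER_FMT, op, 1, len(chaddr), hops, xid, 0, flags,
                        _packed(ciaddr), _packed(yiaddr), _packed(siaddr),
                        _packed(giaddr), chaddr.ljust(16, b"\x00"),
                        b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(data):
    """Decode the fixed header and the TLV options; ValueError on bad input."""
    if len(data) < HEADER_LEN + 4 or data[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
           "ciaddr": str(ipaddress.IPv4Address(f[7])),
           "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "siaddr": str(ipaddress.IPv4Address(f[9])),
           "giaddr": str(ipaddress.IPv4Address(f[10])),
           "chaddr": f[11][:f[2]], "options": {}}
    i = HEADER_LEN + 4
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        code, length = data[i], data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def firewall_tuple(msg, server_ip):
    """(src_ip, src_port, dst_ip, dst_port) of the datagram carrying msg."""
    relayed = msg["giaddr"] != "0.0.0.0"
    if msg["op"] == BOOTREQUEST:
        if relayed:
            # relay agent forwards the request unicast, port 67 -> port 67
            return (msg["giaddr"], SERVER_PORT, server_ip, SERVER_PORT)
        # a client without an address (DISCOVER, first REQUEST) must
        # broadcast from 0.0.0.0:68; a renewing client unicasts to its server
        dst = server_ip if msg["ciaddr"] != "0.0.0.0" else LIMITED_BROADCAST
        return (msg["ciaddr"], CLIENT_PORT, dst, SERVER_PORT)
    if relayed:
        # the server answers the relay agent (giaddr), not the client
        return (server_ip, SERVER_PORT, msg["giaddr"], SERVER_PORT)
    if msg["ciaddr"] != "0.0.0.0":
        dst = msg["ciaddr"]
    elif msg["flags"] & BROADCAST_FLAG:
        dst = LIMITED_BROADCAST          # client asked for a broadcast reply
    else:
        dst = msg["yiaddr"]              # unicast to the offered address
    return (server_ip, SERVER_PORT, dst, CLIENT_PORT)


def example_exchange():
    """Constructed DISCOVER/OFFER on a segment served by the firewall itself
    (firewall 192.168.1.1) and a relayed REQUEST/ACK to server 10.0.0.5."""
    mac = bytes.fromhex("001122334455")
    fw, server, relay = "192.168.1.1", "10.0.0.5", "192.168.1.1"
    discover = build_dhcp(BOOTREQUEST, 0x1234, mac, DHCPDISCOVER)
    offer = build_dhcp(BOOTREPLY, 0x1234, mac, DHCPOFFER,
                       yiaddr="192.168.1.50", flags=BROADCAST_FLAG)
    request = build_dhcp(BOOTREQUEST, 0x1234, mac, DHCPREQUEST, giaddr=relay, hops=1)
    ack = build_dhcp(BOOTREPLY, 0x1234, mac, DHCPACK,
                     yiaddr="192.168.1.50", giaddr=relay)
    return [firewall_tuple(parse_dhcp(discover), fw),
            firewall_tuple(parse_dhcp(offer), fw),
            firewall_tuple(parse_dhcp(request), server),
            firewall_tuple(parse_dhcp(ack), server)]


if __name__ == "__main__":
    for leg in example_exchange():
        print("%s:%d -> %s:%d" % leg)
```

Running it prints the four legs: 0.0.0.0:68 to 255.255.255.255:67 (the request the stealth rule would otherwise drop), the firewall's broadcast reply from port 67 to port 68, and the relay-to-server and server-to-relay legs, both port 67 to port 67, which is what the DHCP_Servers to Firewalls BOOTP rule covers.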
