2006-06-27
munrog
Re: Getting PXEBoot (ADS) to work through the firewall

I had heaps of troubles with this, but now have it working.

DHCRelay out of the box on R60 doesn't work so well. In particular it tries to reply to the client with a random source port (but with the correct destination port) and in the case of Windows clients, it doesn't honor the Unicast flag of the DHCP request.

Basically you need to be running either R61 or call Check Point and ask for the latest kernel and DHCRelay.

Your rulebase should include rules as follows:
>>DHCP sends packets to Broadcast (DHCPDiscover).
Src-> Any, Dst->Broadcast (255.255.255.255), Svc->Bootp (UDP/67), Accept

>>FW receives Broadcast (BootP) and responds with DHCPDiscover. Client sends DHCPrequest (BootP) and FW Relays to DHCP Server which responds with DHCPOffer (BootPS) which FW relays to client.
Src-> Firewall, Dst->Any, Svc->Bootp (UDP/67), Bootps (UDP/68), Accept

>>Depending upon your DHCP server and PXE boot server you may need to allow bootps, bootp and icmp-echo to your client subnets.
Src->dns1,dhcp1,pxe1, dst->ClientNetworks, Svc->Bootp,Bootps,echo-request

>>PXE Boot
Src-> ClientNetworks, Dst->PXE Boot Servers, Svc->PXEBootUDP (UDP/4011) and tftp(UDP/69) , Accept
>>We also have a reverse of this rule, but I'm not sure if it is actually needed.

Cheers
Greg
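As an added illustration, not code from the post, from Check Point or from any DHCRelay build, here is a small Python check of the two relay behaviours Greg describes: the reply must come from source port 67 (bootps), and a client that set the DHCP broadcast flag must be answered on 255.255.255.255:68 rather than unicast to an address it cannot yet use. It decodes the fixed RFC 2131 header of a constructed DHCPOFFER; the function names, addresses and MAC are my own assumptions, and the dispatch rule follows RFC 2131 section 4.1.

```python
import struct
from ipaddress import IPv4Address

BOOTPS, BOOTPC = 67, 68          # server/relay port and client port
BROADCAST_FLAG = 0x8000          # high bit of the DHCP 'flags' field (RFC 2131 s.2)
LIMITED_BROADCAST = "255.255.255.255"

def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 236-byte BOOTP/DHCP header (RFC 2131, figure 1)."""
    if len(pkt) < 236:
        raise ValueError("short DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack_from("!BBBBIHH", pkt, 0)
    ciaddr, yiaddr, siaddr, giaddr = (str(IPv4Address(pkt[o:o + 4])) for o in (12, 16, 20, 24))
    return {"op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & BROADCAST_FLAG),
            "ciaddr": ciaddr, "yiaddr": yiaddr, "giaddr": giaddr, "chaddr": pkt[28:28 + hlen].hex(":")}

def relay_target(reply: bytes) -> tuple:
    """How a relay agent must deliver a server reply to the client (RFC 2131 s.4.1)."""
    h = parse_header(reply)
    if h["ciaddr"] != "0.0.0.0":
        return ("unicast", h["ciaddr"], BOOTPC)          # client already has an address
    if h["broadcast"]:
        return ("broadcast", LIMITED_BROADCAST, BOOTPC)  # client cannot receive unicast IP yet
    return ("unicast", h["yiaddr"], BOOTPC)              # unicast to yiaddr / chaddr

def audit_relayed_reply(src_port: int, dst_ip: str, dst_port: int, reply: bytes) -> list:
    """Findings for one relay->client datagram as seen in a capture (empty list = OK)."""
    kind, want_ip, want_port = relay_target(reply)
    findings = []
    if src_port != BOOTPS:
        findings.append(f"source port {src_port}, expected {BOOTPS} (bootps)")
    if dst_port != want_port:
        findings.append(f"destination port {dst_port}, expected {want_port} (bootpc)")
    if dst_ip != want_ip:
        findings.append(f"sent to {dst_ip} but flags/ciaddr require {kind} to {want_ip}")
    return findings

def build_offer(xid: int, yiaddr: str, giaddr: str, mac: str, broadcast: bool) -> bytes:
    """Constructed DHCPOFFER header (op=2) for testing; options omitted apart from the cookie."""
    flags = BROADCAST_FLAG if broadcast else 0
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 1, xid, 0, flags)
    pkt += bytes(4) + IPv4Address(yiaddr).packed + bytes(4) + IPv4Address(giaddr).packed
    pkt += bytes.fromhex(mac.replace(":", "")) + bytes(10) + bytes(64 + 128)  # chaddr, sname, file
    return pkt + b"\x63\x82\x53\x63"                     # DHCP magic cookie

if __name__ == "__main__":
    # constructed sample: offer for a PXE client that set the broadcast flag, via relay 10.1.2.1
    offer = build_offer(0x1234, "10.1.2.50", "10.1.2.1", "00:11:22:33:44:55", broadcast=True)
    print(relay_target(offer))                                 # ('broadcast', '255.255.255.255', 68)
    print(audit_relayed_reply(33421, "10.1.2.50", 68, offer))  # both failure modes from the post
```

Running it against a capture of the relay's replies shows whether the firewall is still answering from a random port or unicasting to a client that asked for broadcast, before you touch the rulebase.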