Barry J. Stiefel
2005-08-13, 13:53
FireWall-1 and DHCP

Background Information

DHCP supports three mechanisms for IP address allocation. In "automatic allocation", DHCP assigns a permanent IP address to a host. In "dynamic allocation", DHCP assigns an IP address to a host for a limited period of time (or until the host explicitly relinquishes the address). In "manual allocation", a host's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the host. A particular network will use one or more of these mechanisms, depending on the policies of the network administrator.

Dynamic allocation is the only one of the three mechanisms that allows automatic reuse of an address that is no longer needed by the host to which it was assigned. Thus, dynamic allocation is particularly useful for assigning an address to a host that will be connected to the network only temporarily or for sharing a limited pool of IP addresses among a group of hosts that do not need permanent IP addresses. Dynamic allocation may also be a good choice for assigning an IP address to a new host being permanently connected to a network where IP addresses are sufficiently scarce that it is important to reclaim them when old hosts are retired. Manual allocation allows DHCP to be used to eliminate the error-prone process of manually configuring hosts with IP addresses in environments where (for whatever reasons) it is desirable to manage IP address assignment outside of the DHCP mechanisms.

For more information, see RFC1531 (http://www.internic.net/rfc/rfc1531.txt).

So how does FireWall-1 interact with DHCP?

By default, FireWall-1 does not use any information provided by DHCP. The security policy enforced by FireWall-1 is static and it assumes network objects will have a static identity. If you use DHCP to provide users "static" IPs that don't change over a period of time, then FireWall-1 will work with that. If your entire DHCP range is dynamic (meaning machines get different IP addresses every time they load and/or they change frequently), you will only be able to enforce a security policy that applies to your entire DHCP range and not specific machines within it unless you are using MetaIP.

Can FireWall-1 Forward DHCP requests?

Forwarding is a function of the operating system, not FireWall-1. DHCP requests are "broadcast" in nature. As such, they are not usually forwarded. A DHCP "helper" application is needed to forward DHCP requests, which FireWall-1 does not include. IPSO contains a BOOTP/DHCP helper.
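To make the "helper" point concrete, here is an added example that is not part of the FAQ above and is not code from FireWall-1 or IPSO: a minimal model of the relay step a BOOTP/DHCP helper performs, written in Python against the fixed-length header layout of RFC 2131 and the relay rules of RFC 1542. A client's DHCPDISCOVER goes out as a broadcast, which a router will not forward; the helper on the client's subnet rewrites the request so it can be unicast to the server, setting the gateway address (giaddr) to its own interface address if no earlier relay already did, incrementing the hops counter, and discarding requests whose hops count already exceeds the RFC 1542 limit of 16. The MAC address, transaction id and the 10.1.1.1 / 10.2.2.2 / 10.0.0.5 addresses are constructed sample values.

```python
import ipaddress
import struct

# Fixed-length BOOTP/DHCP header (RFC 2131, section 2): 236 bytes before the
# magic cookie and the options.
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
MAX_HOPS = 16          # RFC 1542 section 4.1.1: discard when hops exceeds 16
DHCP_SERVER_PORT = 67


def build_discover(xid: int, mac: bytes) -> bytes:
    """Build a constructed DHCPDISCOVER as a client would broadcast it."""
    chaddr = mac + b"\x00" * (16 - len(mac))
    zero4 = b"\x00" * 4
    header = _HDR.pack(
        BOOTREQUEST, 1, 6, 0,          # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
        zero4, zero4, zero4, zero4,    # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128,
    )
    options = bytes([53, 1, 1, 255])   # option 53 = message type, 1 = DISCOVER; 255 = end
    return header + MAGIC_COOKIE + options


def parse_header(packet: bytes) -> dict:
    """Return the header fields a relay cares about."""
    f = _HDR.unpack_from(packet, 0)
    return {
        "op": f[0],
        "hops": f[3],
        "xid": f[4],
        "broadcast": bool(f[6] & 0x8000),
        "giaddr": str(ipaddress.IPv4Address(f[10])),
    }


def relay(packet: bytes, relay_ip: str, server_ip: str):
    """Relay-agent handling of a client request (RFC 1542 section 4.1.1).

    Returns (destination_ip, destination_port, rewritten_packet) for the
    unicast to the DHCP server, or None when the packet must be discarded.
    Only the client-to-server direction is modelled here.
    """
    if len(packet) < _HDR.size or packet[0] != BOOTREQUEST:
        return None
    hops = packet[3]
    if hops > MAX_HOPS:
        return None                    # loop protection: too many relays
    out = bytearray(packet)
    out[3] = hops + 1                  # one more relay hop
    # giaddr is bytes 24..27; only the first relay on the path fills it in,
    # so the server replies to the relay nearest the client.
    if out[24:28] == b"\x00" * 4:
        out[24:28] = ipaddress.IPv4Address(relay_ip).packed
    return server_ip, DHCP_SERVER_PORT, bytes(out)


if __name__ == "__main__":
    # Constructed sample: client MAC and transaction id are not real.
    discover = build_discover(0x1234, b"\x00\x11\x22\x33\x44\x55")
    print("client broadcast:", parse_header(discover))
    hop1 = relay(discover, "10.1.1.1", "10.0.0.5")
    print("after first relay:", hop1[0], hop1[1], parse_header(hop1[2]))
    hop2 = relay(hop1[2], "10.2.2.2", "10.0.0.5")
    print("after second relay:", parse_header(hop2[2]))
```

The server answers to giaddr rather than to the client's (still unassigned) address, which is why the helper must sit on the client's subnet and why a firewall that merely filters packets, as FireWall-1 does, cannot stand in for it; on a Nokia box the IPSO helper fills that role.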

Can my firewall obtain its IP from DHCP?

In NG, it is possible to create firewalls that obtain their IP from DHCP. A special kind of firewall object is needed to support dynamic addresses.

-- PhoneBoy (http://www.phoneboy.com/bin/view.pl/Main/PhoneBoy) - 10 Jan 2004

