firewall


If you administer a large local network, unauthorised DHCP servers on it can become a serious problem.

Say there are several thousand PCs on the network, and it is split into subnets (for example, with a /23 mask).

Addresses are handed out by DHCP. Fine. Then one day there is trouble: subscribers' PCs start receiving "strange" addresses (not the ones you intended for them) and stop working.

As a rule, the cause of such problems is a misconfigured WiFi router. These come with the DHCP server switched on by default, so once somebody plugs the LAN side of such a box into your network, their home network joins yours and the router's DHCP server starts handing out addresses to everybody else. Naturally your network stops working correctly and subscribers lose service.

One way to deal with it is to block DHCP server traffic on the switch ports where no DHCP server should be. Assume the network is built on managed D-Link switches and each building is connected to its own switch port.

In that case a simple filter can be put together:

create access_profile ip udp src_port_mask 0xFFFF profile_id 6
config access_profile profile_id 6 add access_id 1 ip udp src_port 67 port 25 permit
config access_profile profile_id 6 add access_id 2 ip udp src_port 67 port 1-24,26-28 deny

In this example, traffic with UDP source port 67 (the port a DHCP server answers from) is permitted on port 25, our uplink towards the real server, and denied on all the other ports, so offers and acknowledgements from rogue DHCP servers are dropped there. Note that the permit entry must have the lower access_id: D-Link evaluates ACL entries in access_id order and the first match wins. The damage from an incorrectly configured WiFi router is thus confined to the one building (port) it sits on: clients on that building's own segment can still be offered bogus addresses, but the rest of the network is unaffected. If a legitimate DHCP server or relay agent (which also sends from port 67) is ever attached to a downstream port, that port has to be added to the permit entry as well. Newer D-Link firmware also ships a dedicated DHCP server screening feature; check the CLI reference for your model, but the plain ACL above works on the older switches too.
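When the same filter has to be rolled out to dozens of switches with different port counts and uplink ports, it is easier to generate the three CLI lines than to type the port lists by hand. The following script is an added example, not code from the original post: it takes the switch's port count and uplink port(s), computes the complement for the deny entry, compresses it into D-Link's "1-24,26-28" port-list syntax, and emits the commands. The function and variable names are my own; the command syntax is the one shown above.

```python
"""Generate D-Link-style ACL entries that drop DHCP server traffic on every
switch port except the uplink(s).  Added example, not part of the original
post; function names are the author's own."""

DHCP_SERVER_PORT = 67  # UDP source port a DHCP server (or relay agent) sends from


def compress_ports(ports):
    """Turn {1, 2, 3, 5, 7, 8} into '1-3,5,7-8' (D-Link port-list syntax)."""
    ports = sorted(set(ports))
    if not ports:
        return ""
    ranges = []
    start = prev = ports[0]
    for p in ports[1:]:
        if p == prev + 1:          # still inside a contiguous run
            prev = p
            continue
        ranges.append((start, prev))
        start = prev = p
    ranges.append((start, prev))
    return ",".join(f"{a}" if a == b else f"{a}-{b}" for a, b in ranges)


def dhcp_guard_rules(total_ports, uplink_ports, profile_id=6):
    """Return the CLI lines for an access profile that permits DHCP server
    replies only on uplink_ports and denies them on every other port.

    The permit entry gets access_id 1 and the deny entry access_id 2 because
    D-Link evaluates ACL entries in access_id order, first match wins."""
    uplinks = set(uplink_ports)
    if not uplinks or any(p < 1 or p > total_ports for p in uplinks):
        raise ValueError("uplink ports must lie within 1..total_ports")
    deny = [p for p in range(1, total_ports + 1) if p not in uplinks]

    lines = [
        f"create access_profile ip udp src_port_mask 0xFFFF profile_id {profile_id}",
        f"config access_profile profile_id {profile_id} add access_id 1 "
        f"ip udp src_port {DHCP_SERVER_PORT} port {compress_ports(uplinks)} permit",
    ]
    if deny:  # a switch whose every port is an uplink needs no deny entry
        lines.append(
            f"config access_profile profile_id {profile_id} add access_id 2 "
            f"ip udp src_port {DHCP_SERVER_PORT} port {compress_ports(deny)} deny"
        )
    return lines


if __name__ == "__main__":
    # 28-port switch, uplink on port 25: reproduces the three lines above.
    for line in dhcp_guard_rules(28, [25]):
        print(line)
    # Two uplinks (a ring or a second server link) on a 52-port switch.
    for line in dhcp_guard_rules(52, [51, 52]):
        print(line)
```

Feed the output to each switch over its console or telnet session (or paste it into the saved configuration). Keep the uplink list per switch in whatever inventory you already have; the script refuses uplink numbers outside the switch's port range so a typo does not silently produce a profile that blocks the real server.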
