Allowing DHCP from ISP - Looking for a safe firewall rule (Full Version)

All Forums >> [ISA 2006 Firewall] >> Network Infrastructure





sander99 -> Allowing DHCP from ISP - Looking for a safe firewall rule (20.Jul.2008 11:37:26 PM)

Hi,

I suspect this is another 101 question.

I have two NICs in my box. One going to my ISP. I noticed (the hard way) that I blocked the DHCP renewal for my ISA box from the ISP.

What would be a good safe firewall rule that would enable that DHCP renewal traffic? I found that I can select the DHCP reply/request protocol. I'm afraid that I opened it up too wide as far as networks. Would External to localhost be safe?




paulo.oliveira -> RE: Allowing DHCP from ISP - Looking for a safe firewall rule (21.Jul.2008 9:07:53 AM)

Hi,

I think the best way to do it is allowing to/from your ISP's DHCP server address. This makes more sense than selecting the External network object.

Regards,
Paulo Oliveira.




Budmaas -> RE: Allowing DHCP from ISP - Looking for a safe firewall rule (21.Jul.2008 9:11:18 AM)

External




sander99 -> RE: Allowing DHCP from ISP - Looking for a safe firewall rule (21.Jul.2008 7:18:05 PM)

I'm not sure that I can assume that my ISP's DHCP server stays the same?


Will the following rule work and still be safe?
From: external
To: localhost
Protocols: DHCP reply and request

What is localhost exactly? I have two NICs in my box. One going to the ISP, one to the internal network.

BTW, I'm also seeing that I'm blocking NetBIOS name service calls from my box to the ISP. Is this OK?




paulo.oliveira -> RE: Allowing DHCP from ISP - Looking for a safe firewall rule (22.Jul.2008 7:16:07 AM)

Hi,

You have to ask your ISP and check whether the IP of the DHCP server is static. Otherwise, try to get their IP range for the servers; even if they don't have one, it is much better to put in their whole IP range.
For sure this is more secure than the External network object.

Localhost is the ISA machine itself. Everything that goes to the ISA machine goes to the Localhost network, regardless of whether it comes in on the internal or the external side.

You should block all unnecessary traffic and explicitly allow only the traffic you want. I would not recommend that you allow NetBIOS, since this protocol is not used on the Internet.

Regards,
Paulo Oliveira.



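The three rule scopes discussed in this thread (External, the ISP's address range, the single ISP DHCP server address) can be compared with a small first-match rule evaluator. This is an added example, not code from the thread or from ISA Server: the addresses, the network-object names and the toy rule format are constructed here, "Localhost" is modelled as the two interface addresses of the ISA box, and "External" is approximated as any address not belonging to Localhost or Internal.

```python
"""Constructed example: compare rule scopes for the ISA box's own DHCP renewal.

Not ISA Server code. Addresses and network objects are made up for the example;
the only ISA concept borrowed is that "Localhost" means the firewall itself.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges, not real ISP addresses).
EXTERNAL_IF = "203.0.113.45"      # ISA external NIC, the address leased from the ISP
INTERNAL_IF = "192.168.1.1"       # ISA internal NIC
ISP_DHCP_SERVER = "203.0.113.1"   # the ISP's DHCP server, assumed known
ISP_RANGE = "203.0.113.0/24"      # the ISP's server range, assumed known

# Network objects, modelled as lists of networks. "External" is handled
# specially below: everything that is not Localhost or Internal.
NETWORKS = {
    "localhost": [ip_network(EXTERNAL_IF), ip_network(INTERNAL_IF)],
    "internal": [ip_network("192.168.1.0/24")],
    "isp_dhcp_server": [ip_network(ISP_DHCP_SERVER)],
    "isp_range": [ip_network(ISP_RANGE)],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # network object name
    dst: str      # network object name
    proto: str
    dport: int


def in_net(addr: str, net_name: str) -> bool:
    """Membership test for a network object; External is the complement
    of the explicitly defined networks (simplified ISA semantics)."""
    a = ip_address(addr)
    if net_name == "external":
        return not (in_net(addr, "localhost") or in_net(addr, "internal"))
    return any(a in n for n in NETWORKS[net_name])


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if (r.proto == pkt.proto and r.dport == pkt.dport
                and in_net(pkt.src, r.src) and in_net(pkt.dst, r.dst)):
            return r.action
    return "deny"


def dhcp_rules(server_scope: str) -> list[Rule]:
    """Rules for the ISA box's own lease renewal. server_scope is the network
    object the DHCP server may match: "external" (the broad rule from the
    question), "isp_range", or "isp_dhcp_server"."""
    return [
        # Renewal request: ISA box -> DHCP server, UDP/67.
        Rule("dhcp-request", "allow", "localhost", server_scope, "udp", 67),
        # Renewal reply: DHCP server -> ISA box, UDP/68.
        Rule("dhcp-reply", "allow", server_scope, "localhost", "udp", 68),
    ]


# Constructed traffic samples, including the NetBIOS name-service call from the thread.
SAMPLES = {
    "renew request to ISP server": Packet(EXTERNAL_IF, ISP_DHCP_SERVER, "udp", 67),
    "renew reply from ISP server": Packet(ISP_DHCP_SERVER, EXTERNAL_IF, "udp", 68),
    "reply from a new ISP server": Packet("203.0.113.2", EXTERNAL_IF, "udp", 68),
    "reply from unrelated host": Packet("198.51.100.7", EXTERNAL_IF, "udp", 68),
    "netbios-ns from ISA to ISP": Packet(EXTERNAL_IF, ISP_DHCP_SERVER, "udp", 137),
}


def decisions(server_scope: str) -> dict[str, str]:
    """Verdict for every sample packet under the given server scope."""
    rules = dhcp_rules(server_scope)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for scope in ("external", "isp_range", "isp_dhcp_server"):
        print(f"--- server scope: {scope}")
        for name, verdict in decisions(scope).items():
            print(f"{verdict:5}  {name}")
```

Running it shows the trade-off the thread circles around: with the External scope the renewal works but a UDP/68 reply from any host on the Internet is also accepted; with the single server address only that server's replies pass, so a change of server on the ISP side breaks renewal; the address range sits in between. The NetBIOS sample is denied under every scope because no rule matches it, which is the default-deny behaviour recommended above.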
