Odd Firewall Problem

Jonathan Hutchins, Rune Webmaster hutchins at therune.com
Mon May 14 21:31:45 CDT 2001


From: "Monty Harder" <kclug at ware.cx>

> Actually, this is =not= Microsoft's problem at all.  DHCP requests are
> broadcast, so the default configuration of a router is to NOT propagate
> them to the next subnet.  This is why there's supposed to be either a DHCP
> server or relay agent on each subnet.  It is possible to configure a Linux
> router to =be= the relay agent, of course.

In most cases where a local net's behind a firewall/router, you don't want
to relay the DHCP request to an outside server - it needs to be served
within the local net and IP range rather than request a "legitimate"
individual address from the outside net.  An outside address probably
wouldn't be passed through the firewall correctly anyway.

kc.rr.address.range<===><FIREWALL><===><local.network.address.range>

62.41.294.dhcp<===><FIREWALL><===><192.168.123.dhcp>

Something like that...

But the problem here is passing DNS server info to the internal clients, or
more likely passing the DNS traffic through the firewall correctly.

What I've done is set up the firewall/router to run DNS for the internal
network, then pass requests to whatever DNS servers the ISP's DHCP server
wants to use this week.  I also have the firewall configure the internal
clients via DHCP, so if I want to disable the local DNS and use the ISP's
DNS, I can change the server and let it propagate.  "No DNS? Try
restarting..."  There doesn't seem to be an obvious way to pass a variable
DNS configuration through the DHCP server to the clients, but I'm sure it
could be done with a script.

Of course, local DNS means I can eliminate local "hosts" files and configure
all the addressing for new machines in one place.
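The "script" the post says this could be done with, written out as an added example (not the poster's own setup): a dhclient exit hook on the firewall that rewrites named's forwarders and dhcpd's domain-name-servers option from the ISP lease. It assumes ISC dhclient's hook variables, the include-file paths and reload commands shown, and 192.168.123.1 as the firewall's inside address; none of these come from the post.

```shell
#!/bin/sh
# Added example (not the original poster's script): a dhclient exit hook for the
# firewall/router that takes the nameservers in the ISP's DHCP lease and
# regenerates the local named's forwarders plus the internal dhcpd's
# domain-name-servers option, so clients follow whatever the ISP uses this week.
# Assumed, not from the post: ISC dhclient's $reason / $new_domain_name_servers,
# the include-file paths, 192.168.123.1 as the inside address, reload commands.
FWD_FILE=/etc/named.forwarders.conf   # included from named.conf options { }
DHCP_FILE=/etc/dhcpd.dns.conf         # included from dhcpd.conf
INSIDE_ADDR=192.168.123.1
USE_LOCAL_DNS=${USE_LOCAL_DNS:-yes}   # "no" = hand clients the ISP servers directly

# Keep only well-formed dotted-quad IPv4 addresses: the lease arrives from the
# outside network, so nothing in it is pasted into a config file unchecked.
clean_servers() {
    out=""
    for ip in $1; do
        case "$ip" in
            *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) continue ;;
            *.*.*.*) out="${out:+$out }$ip" ;;
        esac
    done
    printf '%s' "$out"
}
# BIND "forwarders" statement from the raw lease list; fails if none survive.
forwarders_block() {
    servers=$(clean_servers "$1")
    [ -n "$servers" ] || return 1
    printf 'forwarders { %s; };\n' "$(printf '%s' "$servers" | sed 's/ /; /g')"
}
# dhcpd "option domain-name-servers": the firewall's own resolver while local
# DNS is on ($2 = yes), otherwise the ISP's servers handed straight through.
dns_option_line() {
    if [ "$2" = yes ]; then printf 'option domain-name-servers %s;\n' "$INSIDE_ADDR"; return 0; fi
    servers=$(clean_servers "$1")
    [ -n "$servers" ] || return 1
    printf 'option domain-name-servers %s;\n' "$(printf '%s' "$servers" | sed 's/ /, /g')"
}
# $1: dhclient $reason, $2: dhclient $new_domain_name_servers
apply_lease() {
    case "$1" in BOUND|RENEW|REBIND|REBOOT) ;; *) return 0 ;; esac
    forwarders_block "$2" > "$FWD_FILE.new" || { rm -f "$FWD_FILE.new"; return 1; }
    dns_option_line "$2" "$USE_LOCAL_DNS" > "$DHCP_FILE.new" ||
        { rm -f "$FWD_FILE.new" "$DHCP_FILE.new"; return 1; }
    mv "$FWD_FILE.new" "$FWD_FILE" && mv "$DHCP_FILE.new" "$DHCP_FILE" &&
        rndc reload && /etc/init.d/dhcpd restart   # assumed reload commands
}
if [ -n "${reason:-}" ]; then apply_lease "$reason" "${new_domain_name_servers:-}"; fi
```

Switching USE_LOCAL_DNS to "no" and letting the next lease renewal run the hook is the "change the server and let it propagate" step; clients pick the new option up when they renew.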
