14.2.20. Using a Firewall as the DHCP and DNS Server for the Local Net

It is often convenient to use a firewall as a DHCP and DNS server for the local net, especially in small installations like that in a home office. It is not really difficult, but building rules properly requires understanding of how DHCP and DNS work.

The following combination of rules permits machines on the local net to use the firewall as DHCP server:

Figure 14.61. Rules with DHCP

Rules with DHCP

The first rule permits two types of DHCP requests: the initial discovery request that is sent to the broadcast address and the renewal request that is sent to the firewall's address. The address range object "broadcast" can be found in the Standard objects tree, under Objects/Address Ranges; this object defines broadcast address The second rule in the pair permits DHCP replies sent by the firewall. The Service object "DHCP" can be found in the "Standard" objects tree, under Services/Groups.

We could make these rules more narrow if we used the internal interface of the firewall in place of the firewall object. Assuming interface eth0 is connected to the internal net, the rules would look like this:

Figure 14.62. Rules with DHCP Using a Firewall Interface

Rules with DHCP Using a Firewall Interface

To permit the local network to use the firewall as a DNS server, we need to permit DNS queries directed to the firewall, DNS replies sent by the firewall, DNS queries sent by the firewall to servers on the Internet and replies sent back to it. The following pair of rules does just that:

Figure 14.63. Rules with DNS

Rules with DNS

The service object group object DNS can be found in the "Standard" objects tree, under Services/Groups. This group consists of both the UDP object domain and TCP object domain. Both objects define destination port 53 and ignore source port. Since we do not specify the source port, these objects match both queries sent by the domain name server (source port is 53) and the resolver on the workstations on the local net (source port is >1024). We need to use objects representing both UDP and TCP protocols because DNS falls back to TCP if the answer for the query is too big and won't fit in the standard UDP datagram. DNS zone transfers also use the TCP protocol.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.