enquiry on validation of dhcp offered address

Glenn Satchell glenn.satchell at uniq.com.au
Tue Apr 24 12:15:16 UTC 2012


On 04/24/12 22:00, ching wrote:
> On Tuesday, April 24, 2012 02:16 PM, dhcp-users-request at lists.isc.org
> wrote:
>>> I will look for other way to prevent routing intranet traffic to
>>> outside.
>>>
>>>> Hang on ... you never said anything about that before !
>>>>
>>>> If all you are interested in is preventing routing certain traffic
>>>> outside of your network then just apply a few firewall rules to block
>>>> it. That too is nothing to do with DHCP.
>>>>
>>> This partially solves the problem, as dropping internal traffic can result
>>> in a denial of service attack.
>> You could add firewall rules to block outbound traffic on your WAN
>> interface to addresses that match your internal network. This is called
>> anti-spoofing, and is (or used to be) common practice when setting up a
>> firewall. So, if someone outside your LAN pretends to have an internal
>> IP you ignore that. That's not denial of service, since it's only going
>> to block invalid IP destinations.
>>
>
> if internal server's ip is 192.168.2.2/255.255.255.0 and the invalid wan
> address 192.168.2.1/255.255.255.128
>
> if firewall is not blocking, then a faked server may be waiting at the
> WAN interface, ready to receive confidential information.
> if firewall is blocking, then the real server may have a downtime (all
> 192.168.2.2 traffic is routed to the WAN interface and then dropped),
> resulting in a denial of service.
>

So the traffic would be blocked to the fake external server. That's what
you want, isn't it?

If your WAN interface is re-configured with 192.168.2.1 then, unless the
whole ISP network routing changes, no traffic will be able to get out to
the Internet anyway.

You could also add outbound firewall rules blocking NFS, Microsoft SMB 
ports and the like, which should never need to go outside your network.

But this is straying far from the topic of the DHCP list I think.

regards,
-glenn
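As an added illustration (not part of Glenn's or ching's posts), the two outbound rule sets discussed in this reply modelled as a small first-match policy check in Python; the interface names, the TEST-NET destination and the port list are constructed sample values. It shows what the anti-spoofing rule actually does in ching's scenario: a packet for 192.168.2.2 is dropped only when the route selects the WAN interface, while the same destination via the LAN interface and ordinary Internet traffic pass.

```python
# Added illustration: egress anti-spoofing filter modelled in Python.
# Interface names, the TEST-NET destination and the port list are
# constructed sample values, not configuration from the thread.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

WAN_IF = "eth0"                                   # constructed
INTERNAL_NETS = [IPv4Network("192.168.2.0/24")]   # LAN prefix from the thread
# Services that should never leave the site: portmapper/NFS, NetBIOS, SMB.
BLOCKED_EGRESS_PORTS = {111, 2049, 139, 445}


@dataclass(frozen=True)
class Packet:
    dst: str
    out_if: str
    proto: str = "tcp"
    dport: int = 0


def egress_verdict(pkt: Packet) -> str:
    """First-match outbound chain, equivalent in spirit to:
         -A FORWARD -o eth0 -d 192.168.2.0/24 -j DROP
         -A FORWARD -o eth0 -p tcp -m multiport --dports 111,139,445,2049 -j DROP
    Only packets routed out the WAN interface are inspected."""
    if pkt.out_if != WAN_IF:
        return "ACCEPT"                      # LAN-bound traffic is untouched
    if any(IPv4Address(pkt.dst) in net for net in INTERNAL_NETS):
        return "DROP"                        # anti-spoofing: internal dst via WAN
    if pkt.proto in ("tcp", "udp") and pkt.dport in BLOCKED_EGRESS_PORTS:
        return "DROP"                        # file sharing never leaves the site
    return "ACCEPT"


def demo() -> dict:
    """Scenario from the thread: the WAN side has been renumbered to
    192.168.2.1/25, so the route for 192.168.2.2 now selects eth0."""
    cases = {
        "fake internal server via WAN": Packet("192.168.2.2", "eth0", "tcp", 443),
        "real internal server via LAN": Packet("192.168.2.2", "eth1", "tcp", 443),
        "web traffic to the Internet": Packet("203.0.113.10", "eth0", "tcp", 443),
        "SMB leaking to the Internet": Packet("203.0.113.10", "eth0", "tcp", 445),
        "NFS over UDP to the Internet": Packet("203.0.113.10", "eth0", "udp", 2049),
    }
    return {name: egress_verdict(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6} {name}")
```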