CHX and DHCP

Discussion in 'other firewalls' started by delerious, Apr 28, 2007.

Thread Status:
Not open for further replies.
  1. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    I am running CHX-I on Windows 2000. On a few occasions (like if the power has gone out) I have had my cable modem, router, and computer all turned off for several hours. When I turn everything back on, then I cannot access the internet. However, if I reboot, then everything works fine.

    It happened again earlier today where after I turned everything back on, I couldn't access the internet. I rebooted, and internet access worked fine. But I want to get the problem fixed so that I don't need to reboot at all.

    The CHX log says that 3 UDP packets were sent from my router's port 67 to 192.168.1.33 (my computer's IP address) port 68. Then the router sent 4 UDP packets from port 67 to 255.255.255.255 port 68. All 7 packets were rejected by CHX because they were "Unsolicited UDP".

    I have a couple questions:

    1) I already have a filter to allow incoming UDP, but I also have UDP stateful inspection turned on. So I guess that means I need a Force Allow filter for the DHCP packets. I want to make my filter as tight as possible and still allow everything to work, so can I set the Destination MAC to be just my computer's MAC? Or do I need to set the Destination MAC to be both my computer's MAC and also FF-FF-FF-FF-FF-FF (because of the last 4 UDP packets)?

    2) Actually, I'm not sure why I'm experiencing the problem the way things are set up right now. Those UDP packets were sent after I turned my computer back on, so my computer must have sent some sort of DHCP request to the router. So then why is CHX saying that those packets were "Unsolicited UDP"? Wouldn't they have been solicited? I don't understand that.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    I need a little info first, so please assist.
    As you are on DHCP, then I presume you have placed all CHX rules onto the NIC? As if you have placed rules onto an IP, which may change (due to DHCP), then problems will arise.

    We can go through your settings in CHX, and also your setup in windows.

    Could you post your ruleset, so that I can see if any problems may exist, and a possible fix?
     
  3. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    My rules are global (apply to all NICs).

    Here are my rules:
    - allow incoming ARP
    - allow incoming ICMP (type: 3, code: any)
    - allow incoming ICMP (type: 0, code: 0)
    - allow incoming ICMP (type: 11, code: 0)
    - allow incoming TCP without SYN flag
    - allow incoming UDP
    - deny incoming UDP from non-router addresses to 192.168.1.255 on ports 137/138
    - deny incoming UDP from the router address to 192.168.1.255 on port 520
    - deny outgoing ICMP (type: any, code: any)
    - force allow outgoing ICMP (type: 8, code: 0)
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello delerious,

    OK, I have set up (W2K) and recreated your problem (by booting both router and PC at the same time). There is also another possible problem if the router is booted after the PC, so I have created rules to allow for this possible problem.
    Right, first (I have made the rules tight):
    Force allow inbound for DHCP_boot

    IN DHCP.JPG

    You will note that I have used a MAC list. This is 2 MAC addresses:-
    1. PC MAC (connected to router)
    2. FF:FF:FF:FF:FF:FF (broadcast)


    Now the other rule. I found a need for this after starting the router after the PC, so thought I should post this so that you would not have this possible problem.

    OUT DHCP.JPG

    I have made a number of re-boots (both for PC/router) in various order. I have not seen any problem with DHCP with these rules in place.
     
  5. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Stem, thank you for taking the time to answer my questions. Hope you don't mind a few follow-up questions.

    - Since you have 255.255.255.255 as the Destination IP for the "Allow DHCP" rule, then doesn't that mean you only need to specify FF-FF-FF-FF-FF-FF for the Destination MAC? Because if the Destination MAC is my computer's MAC, then the Destination IP cannot be 255.255.255.255.

    - What would happen if another computer on my network boots up and the router sends a DHCP packet to the broadcast address? Will my W2K computer respond at all, or will it not do anything?

    - Can you explain why the "Out DHCP broadcast" rule is necessary? I'm pretty sure that based on my rules, all outgoing UDP packets are already allowed.

    Thanks!
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi delerious,
    Sorry, I was in a rush and added the second rule without fully noting your direction of filter. So please ignore the second rule for your setup.

    I added both the specific hardware mac and broadcast address to the rule to stop any possible problem.

    The PC will respond to the broadcast.
    It is only due to your problem that you need to add this rule. As with my own setup, I just allow outbound boot DHCP to the router (when I have this service enabled), as the router is booted before the PC (actually, the router is never turned off in my setup).

    You could simply fix the IP your PC is using, you would then not need the DHCP rule at all.
     
  7. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    OK, I think I will also add a condition to the rule so that it only allows the packet if there had been an outgoing DHCP request. That way it will not allow DHCP responses that are meant for other computers.

    Fix the IP from within Windows, or from within the router?

    I also think I know why CHX is calling those packets "Unsolicited UDP". Because my computer must have sent the requests to 255.255.255.255, and then the responses came back from 192.168.1.1, so CHX thinks they are unsolicited.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello delerious,
    Please be careful when placing conditions within a DHCP rule, certainly within a home LAN, unless this is untrusted, then such may be needed.

    We should really think of your current problem, which is basically the fact that you boot both router and PC at the same time. From many tests with CHX, I find that if the DHCP server is active (as with the router being booted first), then there is only a need to allow outbound boot DHCP (reply allowed due to SPI).

    Fixing an IP to the PC is done within the PC. On a home LAN this is not a problem; if on a shared LAN, then conflicts can/do happen (another PC may have that IP).

    DHCP replies: I have not (over a home LAN) seen these directed at a specific IP, as the IP has yet to be resolved.
     