enquiry on validation of dhcp offered address

Glenn Satchell glenn.satchell at uniq.com.au
Mon Apr 23 12:59:14 UTC 2012

On 04/23/12 21:17, ching wrote:
> I will look for another way to prevent routing intranet traffic to outside.
>> Hang on ... you never said anything about that before !
>> If all you are interested in is preventing routing certain traffic
>> outside of your network then just apply a few firewall rules to block
>> it. That too is nothing to do with DHCP.
> This partially solves the problem as dropping internal traffic can result
> in a denial of service attack.

You could add firewall rules to block outbound traffic on your WAN 
interface to addresses that match your internal network. This is called 
anti-spoofing, and is (or used to be) common practice when setting up a 
firewall. So, if someone outside your LAN pretends to have an internal 
IP you ignore that. That's not denial of service, since it's only going 
to block invalid IP destinations.
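
The anti-spoofing rules described in the message above, sketched as an nftables ruleset. This is an added example, not part of the original post; the WAN interface name `eth0` and the internal prefix `192.168.10.0/24` are assumptions to be replaced with the site's own values.

```nftables
#!/usr/sbin/nft -f
# Constructed example: WAN_IF and LAN_NET are assumed values, not from the thread.
define WAN_IF  = "eth0"
define LAN_NET = 192.168.10.0/24

table inet antispoof {
    # Traffic routed through the firewall.
    chain forward {
        type filter hook forward priority 0; policy accept;

        # An intranet destination must never be reached via the WAN link.
        # Matching packets mean a client has a wrong route or gateway.
        oifname $WAN_IF ip daddr $LAN_NET counter log prefix "lan-dst-on-wan: " drop

        # A packet arriving from outside cannot legitimately carry an
        # internal source address, so treat it as spoofed.
        iifname $WAN_IF ip saddr $LAN_NET counter log prefix "spoofed-lan-src: " drop
    }

    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority 0; policy accept;
        iifname $WAN_IF ip saddr $LAN_NET counter log prefix "spoofed-lan-src: " drop
    }

    # Traffic originated by the firewall itself.
    chain output {
        type filter hook output priority 0; policy accept;
        oifname $WAN_IF ip daddr $LAN_NET counter log prefix "lan-dst-on-wan: " drop
    }
}
```

The counters and log prefixes show how often each rule fires, which helps locate a misconfigured client. If the WAN side itself sits in private address space, keep `LAN_NET` limited to the prefixes actually used internally so the upstream gateway stays reachable.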

