IPFW What ports for LAN access must not be blocked for Android clients?

obsigna

My wife bought herself an Android phone and now I am concerned about the security in our local home IPv4 network. Until now it is setup with a FreeBSD server as the gateway into the internet and the local network is behind a stateful nat'ing firewall by ipfw(8). The iPhones and now the Android connect via WLAN into the local net and receive their local IP's from the DHCPD daemon running on the FreeBSD gateway.

The DHCP range in the local network was set to 192.168.1.64/27, and now I added at the very beginning of my ipfw ruleset the following:
Code:
/sbin/ipfw -q add 10 allow ip from 192.168.1.0/24 to me 53,67,547 via $LAN
/sbin/ipfw -q add 20 deny  ip from 192.168.1.64/27 to 192.168.1.0/24 via $LAN
/sbin/ipfw -q add 30 allow ip from any to any via $LAN
...

This should allow DNS and DHCP access of anything via the LAN interface, but blocks any other LAN access from the DHCP range via the LAN interface of the gateway. Up to now, my wife did not complain about any faulty network behaviour. I know, this doesn't prevent the Android to directly connect to other clients in the LAN. In the midterm, I need to rearrange the topology for mitigation.

Questions:
  • Is 67 and 547 correct for incoming DHCP?

  • For the sake of the longevity of the no-complaints situation, would I need to open any other ports into the local network, or is DNS and DHCP sufficient for the basic operation?
Many thanks in advance.
 
First.. am I right to assume that your server only uses one NIC or did you only share the firewall rules which were related to all this? Reason I ask is because if you are using one NIC then I don't see the added value of those firewall entries, especially id 20. It's a bit hard to comment though because your post doesn't really show us your network topology.

Alas:

  • Is 67 and 547 correct for incoming DHCP?
When in doubt check /etc/services. If you're only going to use IPv4 you could even consider skipping 547. But yeah, this should be enough.

  • For the sake of the longevity of the no-complaints situation, would I need to open any other ports into the local network, or is DNS and DHCP sufficient for the basic operation?
Depends on what you'd consider basic operations. Theoretically this should be enough for them to obtain an IP address and then do lookups I suppose, but it depends on what the DHCP server sets them up with.
 
The gateway got a WAN (on a public IP) and LAN (on a private IP) network card, so LAN traffic is linked via the respective interface and ipfw can distinguish this. The NAT rules involving the WAN interface come later in the ruleset and do not matter in the given respect.

cat /usr/local/etc/dhcpd.conf
Code:
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0
{
    range 192.168.1.64 192.168.1.95;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    option domain-search "example.com";
}
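An added example, not code from the thread: a small Python model of ipfw's first-match evaluation over the three rules posted above, with the gateway address and DHCP range taken from the dhcpd.conf and em0 assumed as the value of $LAN. It shows which rule each constructed packet hits, in particular that a client's initial DHCPDISCOVER (sent from 0.0.0.0 to 255.255.255.255 per RFC 2131) matches neither rule 10 nor rule 20 and is only passed by the catch-all rule 30.

```python
import ipaddress

# Constructed model of the three ipfw rules from the thread, evaluated
# first-match the way ipfw(8) walks its ruleset. Addresses come from the
# posted dhcpd.conf; the interface name is an assumption standing in for $LAN.
LAN = "em0"
GATEWAY_ADDRS = {"192.168.1.1"}   # what ipfw's "me" resolves to on this box

RULES = [
    # (number, action, source, destination, destination ports, via)
    (10, "allow", "192.168.1.0/24",  "me",             {53, 67, 547}, LAN),
    (20, "deny",  "192.168.1.64/27", "192.168.1.0/24", None,          LAN),
    (30, "allow", "0.0.0.0/0",       "0.0.0.0/0",      None,          LAN),
]

def _dst_matches(spec, dst):
    # "me" matches addresses configured on the gateway, not the broadcast address
    if spec == "me":
        return dst in GATEWAY_ADDRS
    return ipaddress.ip_address(dst) in ipaddress.ip_network(spec)

def first_match(src, dst, dport, iface):
    """Return (rule number, action) for the first rule the packet matches,
    or (None, None) if it falls through to the rest of the ruleset."""
    for num, action, s, d, ports, via in RULES:
        if via != iface:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(s):
            continue
        if not _dst_matches(d, dst):
            continue
        if ports is not None and dport not in ports:
            continue
        return num, action
    return None, None

# Constructed sample packets: (src, dst, dst port, interface, description)
SAMPLES = [
    ("0.0.0.0",      "255.255.255.255", 67,  LAN, "DHCPDISCOVER, client has no address yet"),
    ("192.168.1.70", "192.168.1.1",     67,  LAN, "DHCPREQUEST renewal, unicast to server"),
    ("192.168.1.70", "192.168.1.1",     53,  LAN, "DNS query to the gateway"),
    ("192.168.1.70", "192.168.1.1",     22,  LAN, "phone tries ssh to the gateway"),
    ("192.168.1.10", "192.168.1.1",     22,  LAN, "wired host outside the DHCP range, ssh"),
    ("192.168.1.70", "203.0.113.5",     443, LAN, "phone to the internet, NAT'd later"),
]

if __name__ == "__main__":
    for src, dst, dport, iface, what in SAMPLES:
        num, action = first_match(src, dst, dport, iface)
        print(f"rule {num} {action}: {what} ({src} -> {dst}:{dport})")
```

Port 547 is the DHCPv6 server port and never appears in IPv4 traffic, which is why it can be dropped from rule 10 on an IPv4-only LAN.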