My wife bought herself an Android phone and now I am concerned about the security in our local home IPv4 network. Until now it is set up with a FreeBSD server as the gateway into the internet, and the local network is behind a stateful NATing firewall by ipfw(8). The iPhones and now the Android connect via WLAN into the local net and receive their local IPs from the DHCPD daemon running on the FreeBSD gateway.
The DHCP range in the local network was set to 192.168.1.64/27, and now I added at the very beginning of my ipfw ruleset the following:
Code:
/sbin/ipfw -q add 10 allow ip from 192.168.1.0/24 to me 53,67,547 via $LAN
/sbin/ipfw -q add 20 deny ip from 192.168.1.64/27 to 192.168.1.0/24 via $LAN
/sbin/ipfw -q add 30 allow ip from any to any via $LAN
...
This should allow DNS and DHCP access of anything via the LAN interface, but block any other LAN access from the DHCP range via the LAN interface of the gateway. Up to now, my wife did not complain about any faulty network behaviour. I know this doesn't prevent the Android from directly connecting to other clients in the LAN. In the mid-term, I need to rearrange the topology for mitigation.
Questions:
- Are 67 and 547 correct for incoming DHCP?
- For the sake of the longevity of the no-complaints situation, would I need to open any other ports into the local network, or are DNS and DHCP sufficient for the basic operation?
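To see which flows the three rules above actually let through, here is an added example (not part of the original post, and it does not run ipfw) that replays ipfw's first-match evaluation of those rules against a handful of constructed packets. It assumes a gateway LAN address of 192.168.1.1 for the `me` keyword, treats every packet as arriving on the `$LAN` interface, applies the destination-port list only to TCP/UDP packets as ipfw does, and assumes the kernel's default rule 65535 is deny. All addresses and flows are constructed sample data.

```python
"""First-match simulator for the three ipfw rules in the post.

Added example, not the poster's code and not ipfw itself. It models only
what those rules need: protocol, source/destination address, destination
port and the 'me' keyword. Interface matching ('via $LAN') is assumed to
hold for every packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

GATEWAY_LAN_IP = "192.168.1.1"      # assumption: the gateway's LAN address ('me')
LAN = "192.168.1.0/24"
DHCP_RANGE = "192.168.1.64/27"      # from the post
DEFAULT_RULE = ("deny", 65535)      # assumption: kernel default is deny


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # only meaningful for tcp/udp


def _addr_matches(addr: str, spec: str) -> bool:
    """Match an address against 'any', 'me' or a CIDR spec."""
    if spec == "any":
        return True
    if spec == "me":
        return addr == GATEWAY_LAN_IP
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


# (rule number, action, proto, src spec, dst spec, dst ports) as posted:
#   10 allow ip from 192.168.1.0/24 to me 53,67,547
#   20 deny  ip from 192.168.1.64/27 to 192.168.1.0/24
#   30 allow ip from any to any
RULES = [
    (10, "allow", "ip", LAN, "me", {53, 67, 547}),
    (20, "deny", "ip", DHCP_RANGE, LAN, None),
    (30, "allow", "ip", "any", "any", None),
]


def evaluate(pkt: Packet) -> Tuple[str, int]:
    """Return (action, rule number) of the first matching rule."""
    for num, action, proto, src, dst, dports in RULES:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not _addr_matches(pkt.src, src) or not _addr_matches(pkt.dst, dst):
            continue
        # A port list only ever matches TCP/UDP packets; anything else
        # (ICMP here) falls through to the next rule.
        if dports is not None:
            if pkt.proto not in ("tcp", "udp") or pkt.dport not in dports:
                continue
        return action, num
    return DEFAULT_RULE


# Constructed sample flows. 192.168.1.70 is a lease from the DHCP range,
# 192.168.1.10 a statically configured LAN host, 203.0.113.5 an internet host.
SAMPLE_FLOWS = {
    "dhcp host -> gateway DNS":          Packet("udp", "192.168.1.70", GATEWAY_LAN_IP, 53),
    "dhcp host -> gateway DHCP renew":   Packet("udp", "192.168.1.70", GATEWAY_LAN_IP, 67),
    "dhcp host -> gateway ssh":          Packet("tcp", "192.168.1.70", GATEWAY_LAN_IP, 22),
    "dhcp host -> gateway ping":         Packet("icmp", "192.168.1.70", GATEWAY_LAN_IP),
    "dhcp host -> static LAN host smb":  Packet("tcp", "192.168.1.70", "192.168.1.10", 445),
    "dhcp host -> internet https":       Packet("tcp", "192.168.1.70", "203.0.113.5", 443),
    "static host -> gateway ssh":        Packet("tcp", "192.168.1.10", GATEWAY_LAN_IP, 22),
    # Initial DHCPDISCOVER: no address yet, sent to the broadcast address.
    "unleased client DHCPDISCOVER":      Packet("udp", "0.0.0.0", "255.255.255.255", 67),
}


def run_samples() -> dict:
    """Evaluate every sample flow; returns {name: (action, rule number)}."""
    return {name: evaluate(pkt) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (action, num) in run_samples().items():
        print(f"{name:36s} -> {action:5s} (rule {num})")
```

Two things the simulation makes visible: the initial DHCPDISCOVER (source 0.0.0.0, broadcast destination) never hits rule 10 or rule 20 and is admitted by rule 30, so rule 10 only covers unicast renewals to the gateway; and because rule 10 carries a port list, non-TCP/UDP traffic from the DHCP range to the gateway (ICMP echo, for instance) falls through to rule 20 and is denied.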