[FW1] Seeing bootp/dhcp requests and snmp broadcasts from Internet-based addresses
In one case the FW-1 firewall logs periodic bootp/dhcp requests using a
limited broadcast 255.255.255.255 and what proves out to be an Internet IP
address traced to a local ISP.

This firewall is an extranet firewall between 2 business partners. Our
external interface (to this partner) picks up this dhcp request and we
simply drop it. Curious if this happens to be the other guy's workstation
on the same ethernet segment as the external side of our firewall
periodically using a modem to dial up an ISP (and getting a DHCP lease)?
Upon dial-up connection, the workstation sends out a broadcast for a DHCP
discovery and sends it out both the PPP link and the ethernet card? Yes/No?

This would not bother me so much, but we periodically see other
Internet-based IP addresses (traced to yet another ISP) broadcasting snmp
packets also on the network where our external interface sits. The firewall
drops these snmp broadcasts, but some of our gear at this partner site
appears to be responding to the snmp packets. Could the snmp sources also
be workstations with modems, or could the source IPs be coming into our
partner's network from a central Internet connection, then several routers
deep, and broadcasting snmp packets to see who responds on a particular
subnet?

This could be the partner's support guy doing this for all we know, but
would you normally run snmp discovery over the Internet from home through
your own Internet connection?

Thanks for your thoughts,
Roger