Re: DHCP Server
Hmmmm. When it comes to firewall rules there seem to be two camps: those who create rules such as "allow TCP traffic from my pc on port b to server x on port y" and those who put a server in the trusted zone and just allow any traffic to and from it. I don't see any benefit in doing the former - very controlling behaviour ;) Also very inflexible. I do the latter - all my mail servers, proxy server, DNS, DHCP, NNP, NTP, UBR, SETI, various FTP servers, and the CM subnet are in the trusted zone along with localhost.
Re: DHCP Server
I try to be generic, for things which ARE, and tight, for things which can be tightened without having to specify a new rule every time you do something.
DHCP can be used to misdirect your traffic - and why would someone attack YOU in that way? - well, generally, someone is attacking everyone. DNS is also restricted. Put simply - I generally don't allow anything which is unexpected, but whenever a new rule is required, I make it generic enough to cover all expected situations - if you HAVE a decent rules-based firewall, no point setting it up like ZoneAlarm free (and any application needs MASSIVE justification before I'll give it anything that constitutes "Allow Server" - I have thrown "all ports outgoing" at some when anything else is just too much hassle - NEVER, except for testing and if totally desperate, would I EVER give an application "Trusted" status).
All Posts and Content are © Cable Forum