[Firehol-support] DHCP firewall issue
Daniel Pittman
daniel at rimspace.net
Sun Jun 11 08:10:48 BST 2006
"Carlos Rodrigues" <carlos.efr at mail.telepac.pt> writes:
G'day Carlos.
> I've only briefly glanced through RFC2131(*), but it does seem to
> imply that DHCP should only use UDP (as does BOOTP).
Correct, it does.
> However, a "netstat -ap | grep dhcpd" shows an open "raw" socket. I've
> never tried to firewall dhcpd (but I too noticed that it works even
> with policy drop, no ports open), so I never gave it much thought, but
> if I'd have to guess, I'd say dhcp packets don't go through the IP
> stack (dhcpd decodes UDP/IP on its own, maybe because some IP stacks
> don't do anything until configured, which is a chicken-and-egg
> problem) and, as so, are invisible to netfilter/iptables.
>
> Is this so? I'm rather curious about this myself.
Yes, this is so. The reason for this -- and the ISC developers are a
little bitter about it -- is that around the 2.3 Linux kernel era the
ability to configure a network interface as required for DHCP to operate
was removed from the Linux kernel.[1]
So, to work around that the ISC DHCP system now uses raw sockets on
Linux, where they can craft their own packets. As a result, though, the
iptables rules don't have a great influence on them.
Regards,
Daniel
Footnotes:
[1] Technically, the changes involved making the IPv4 address 0.0.0.0
illegal, and possibly some related changes.
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact at digital-infrastructure.com.au
http://digital-infrastructure.com.au/
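Added example (not code from this thread, from FireHOL or from ISC dhcpd): a small C program showing what a DHCP daemon has to do once it talks through a raw AF_PACKET socket on Linux. It builds and parses the Ethernet/IPv4/UDP headers itself, including both checksums, so the kernel's IP layer, and with it the iptables hooks, never classifies the DHCP traffic in either direction. The MAC addresses, the xid and the interface name passed on the command line are illustrative assumptions; the encode/decode helpers run unprivileged, the actual send needs CAP_NET_RAW.

```c
/* Added example, not ISC dhcpd code: userspace Ethernet/IPv4/UDP framing as a
 * raw-socket DHCP daemon must do it.  Nothing here passes through the kernel
 * IP stack, which is why iptables never sees dhcpd's packets.
 * MAC addresses, xid and interface name are illustrative assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>
#ifdef __linux__
#include <sys/socket.h>
#include <net/if.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <unistd.h>
#endif

enum { ETH_HL = 14, IP_HL = 20, UDP_HL = 8, DHCP_SRV = 67, DHCP_CLI = 68, ETHTYPE_IP4 = 0x0800 };

/* RFC 1071 one's-complement arithmetic: sum16 accumulates (so a UDP
 * pseudo-header can be folded in first), fold16 finishes and complements. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)(p[0] << 8);
    return acc;
}
static uint16_t fold16(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }

/* Minimal RFC 2131 DHCPDISCOVER: BOOTREQUEST, broadcast flag, magic cookie,
 * option 53 = 1, end option.  Returns the payload length (244). */
size_t dhcp_discover(uint8_t *b, size_t cap, const uint8_t mac[6], uint32_t xid)
{
    static const uint8_t tail[] = { 0x63, 0x82, 0x53, 0x63, 53, 1, 1, 255 };
    if (cap < 236 + sizeof tail) return 0;
    memset(b, 0, 236);
    b[0] = 1; b[1] = 1; b[2] = 6;             /* op, htype=Ethernet, hlen */
    put32(b + 4, xid); put16(b + 10, 0x8000); /* BROADCAST: client has no address yet */
    memcpy(b + 28, mac, 6);                   /* chaddr */
    memcpy(b + 236, tail, sizeof tail);
    return 236 + sizeof tail;
}

/* Encapsulate a payload in Ethernet/IPv4/UDP, computing both checksums in
 * userspace.  Returns the frame length, 0 if the buffer is too small. */
size_t udp_frame_encode(uint8_t *f, size_t cap, const uint8_t dmac[6], const uint8_t smac[6],
                        uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport,
                        const uint8_t *pl, size_t plen)
{
    size_t ulen = UDP_HL + plen, total = ETH_HL + IP_HL + ulen;
    if (cap < total || ulen > 0xffff) return 0;
    uint8_t *ip = f + ETH_HL, *udp = ip + IP_HL;
    memcpy(f, dmac, 6); memcpy(f + 6, smac, 6); put16(f + 12, ETHTYPE_IP4);
    memset(ip, 0, IP_HL); ip[0] = 0x45; put16(ip + 2, (uint16_t)(IP_HL + ulen));
    ip[8] = 64; ip[9] = 17; put32(ip + 12, sip); put32(ip + 16, dip);
    put16(ip + 10, fold16(sum16(ip, IP_HL, 0)));
    put16(udp, sport); put16(udp + 2, dport); put16(udp + 4, (uint16_t)ulen); put16(udp + 6, 0);
    memcpy(udp + UDP_HL, pl, plen);
    uint16_t c = fold16(sum16(udp, ulen, sum16(ip + 12, 8, 0) + 17 + ulen)); /* pseudo-header included */
    put16(udp + 6, c ? c : 0xffff);           /* 0 on the wire would mean "no checksum" */
    return total;
}

typedef struct { uint32_t sip, dip; uint16_t sport, dport; const uint8_t *pl; size_t plen; } udp_pkt;

/* Validate and parse a received frame; nothing in the kernel has checked it
 * for us.  Returns 0 on success, a negative code saying why it was rejected. */
int udp_frame_decode(const uint8_t *f, size_t len, udp_pkt *o)
{
    if (len < ETH_HL + IP_HL + UDP_HL || get16(f + 12) != ETHTYPE_IP4) return -1;
    const uint8_t *ip = f + ETH_HL;
    size_t ihl = (ip[0] & 0x0f) * 4u, iplen = get16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < IP_HL || iplen < ihl + UDP_HL || ETH_HL + iplen > len) return -2;
    if (fold16(sum16(ip, ihl, 0)) != 0) return -3;                 /* bad IP header checksum */
    if (ip[9] != 17 || (get16(ip + 6) & 0x3fff) != 0) return -4;   /* not UDP, or a fragment */
    const uint8_t *udp = ip + ihl;
    size_t ulen = get16(udp + 4);
    if (ulen < UDP_HL || ulen > iplen - ihl) return -5;
    o->sport = get16(udp); o->dport = get16(udp + 2);
    if (o->dport != DHCP_SRV && o->dport != DHCP_CLI) return -6;   /* not DHCP traffic */
    if (get16(udp + 6) && fold16(sum16(udp, ulen, sum16(ip + 12, 8, 0) + 17 + ulen))) return -7;
    o->sip = get32(ip + 12); o->dip = get32(ip + 16); o->pl = udp + UDP_HL; o->plen = ulen - UDP_HL;
    return 0;
}

#ifdef __linux__
/* The raw socket itself (needs CAP_NET_RAW).  sendto() here hands the frame
 * to the driver queue, below the IP layer where the iptables hooks live. */
int raw_send(const char *ifname, const uint8_t *frame, size_t len)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_IP));
    if (fd < 0) return -1;
    struct sockaddr_ll sll; memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET; sll.sll_protocol = htons(ETH_P_IP);
    sll.sll_ifindex = (int)if_nametoindex(ifname); sll.sll_halen = 6;
    memcpy(sll.sll_addr, frame, 6);
    ssize_t n = sendto(fd, frame, len, 0, (struct sockaddr *)&sll, sizeof sll);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}
#endif

int main(int argc, char **argv)
{
    static const uint8_t mac[6] = { 0x02, 0, 0, 0, 0, 1 }, bcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    uint8_t pl[260], frame[320];
    size_t plen = dhcp_discover(pl, sizeof pl, mac, 0x3903f326u);   /* assumed xid */
    /* A DISCOVER goes from 0.0.0.0 to 255.255.255.255, port 68 -> 67. */
    size_t flen = udp_frame_encode(frame, sizeof frame, bcast, mac, 0, 0xffffffffu,
                                   DHCP_CLI, DHCP_SRV, pl, plen);
    udp_pkt p;
    printf("frame %zu bytes, decode -> %d\n", flen, udp_frame_decode(frame, flen, &p));
#ifdef __linux__
    if (argc > 1) printf("raw_send(%s) -> %d\n", argv[1], raw_send(argv[1], frame, flen));
#endif
    (void)argc; (void)argv;
    return 0;
}
```

Run without arguments it only builds and re-parses the DISCOVER frame; `./a.out eth0` (as root, interface name assumed) actually emits it, and a policy-DROP OUTPUT chain will not stop it, for the same reason the replies reaching dhcpd are not stopped by INPUT rules: the packet socket is attached below the IP layer. The decode side is where the security work is: because the kernel has validated nothing, the daemon itself must check lengths, the IP header checksum, fragmentation, the UDP length and checksum and the ports before trusting a byte of the payload.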