[Firehol-support] DHCP firewall issue
daniel at rimspace.net
Sun Jun 11 08:10:48 BST 2006
"Carlos Rodrigues" <carlos.efr at mail.telepac.pt> writes:
> I've only briefly glanced through RFC2131(*), but it does seem to
> imply that DHCP should only use UDP (as does BOOTP).
Correct, it does.
> However, a "netstat -ap | grep dhcpd" shows an open "raw" socket. I've
> never tried to firewall dhcpd (but I too noticed that it works even
> with policy drop, no ports open), so I never gave it much thought, but
> if I'd have to guess, I'd say dhcp packets don't go through the IP
> stack (dhcpd decodes UDP/IP on its own, maybe because some IP stacks
> don't do anything until configured, which is a chicken-and-egg
> problem) and, as such, are invisible to netfilter/iptables.
> Is this so? I'm rather curious about this myself.
Yes, this is so. The reason for this -- and the ISC developers are a
little bitter about it -- is that around the 2.3 Linux kernel era the
ability to configure a network interface as required for DHCP to operate
was removed from the Linux kernel.
So, to work around that the ISC DHCP system now uses raw sockets on
Linux, where they can craft their own packets. As a result, though, the
iptables rules don't have a great influence on them.
Technically, the changes involved making an address of IPv4 0.0.0.0
illegal, and possibly some related changes.
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact at digital-infrastructure.com.au
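A defender's check that follows from the thread, added here and not part of the original post: it lists the link-layer (AF_PACKET) sockets a Linux host has open, which is how a daemon reads and writes frames below the IP stack and therefore outside the reach of iptables, and maps each one to the process that owns it through /proc. The /proc/net/packet column layout is taken from the kernel's own output; the sample rows are constructed, not captured from a real host.

```python
import os
# Numeric codes reported by /proc/net/packet (from <sys/socket.h> and <linux/if_ether.h>).
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_PROTOS = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP"}

# Constructed sample in /proc/net/packet layout (not captured from a real host).
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a1c0000 3      3    0800   2     1  0      0      31337
ffff88003a1c0800 2      3    0003   0     1  0      0      31400
"""

def parse_proc_net_packet(text):
    """Parse /proc/net/packet (header, then one socket per line) into dicts."""
    socks = []
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) < 9:      # blank or truncated line
            continue
        socks.append({
            "type": SOCK_TYPES.get(int(f[2]), f"type {f[2]}"),
            "proto": ETH_PROTOS.get(int(f[3], 16), f"0x{int(f[3], 16):04x}"),
            "ifindex": int(f[4]),  # 0 = not bound to one interface
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return socks

def socket_owners(proc_root="/proc"):
    """Map socket inode -> ['pid:comm', ...] via /proc/<pid>/fd (root sees all processes)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            comm = open(os.path.join(proc_root, pid, "comm")).read().strip()
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners.setdefault(int(target[8:-1]), []).append(f"{pid}:{comm}")
    return owners

if __name__ == "__main__":  # live table on Linux, the constructed sample elsewhere
    live = os.path.exists("/proc/net/packet")
    owners = socket_owners() if live else {}
    for s in parse_proc_net_packet(open("/proc/net/packet").read() if live else SAMPLE):
        print(s, "owned by", owners.get(s["inode"], ["unknown"]))
```

Any entry whose owner is a service you expected iptables to police (a DHCP server is the case in this thread) is traffic your IP-layer rules never saw; run it as root so every process's fd table is readable.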