[Firehol-support] DHCP firewall issue

Daniel Pittman daniel at rimspace.net
Sun Jun 11 08:10:48 BST 2006

"Carlos Rodrigues" <carlos.efr at mail.telepac.pt> writes:

G'day Carlos.

> I've only briefly glanced through RFC2131(*), but it does seem to
> imply that DHCP should only use UDP (as does BOOTP).

Correct, it does.

> However, a "netstat -ap | grep dhcpd" shows an open "raw" socket. I've
> never tried to firewall dhcpd (but I too noticed that it works even
> with policy drop, no ports open), so I never gave it much thought, but
> if I'd have to guess, I'd say dhcp packets don't go through the IP
> stack (dhcpd decodes UDP/IP on its own, maybe because some IP stacks
> don't do anything until configured, which is a chicken-and-egg
> problem) and, as so, are invisible to netfilter/iptables.
> Is this so? I'm rather curious about this myself.

Yes, this is so.  The reason for this -- and the ISC developer are a
little bitter about it -- is that around the 2.3 Linux kernel era the
ability to configure a network interface as required for DHCP to operate
was removed from the Linux kernel.[1]

So, to work around that they ISC DHCP system now uses raw sockets on
Linux, where they can craft their own packets.  As a result, though, the
iptables rules don't have a great influence on them.


[1]  Technically, the changes involved making an address of IPv4 
     illegal, and possible some related changes.

Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707        email: contact at digital-infrastructure.com.au

More information about the Firehol-support mailing list