Linux Firewall not block dhcp requests

Steve Clark sclark at netwolves.com
Tue Aug 14 18:38:16 UTC 2012


Thanks,

I don't really want to block it in this case.

Looking at my firewall rules I thought it should be blocked, and I am
getting a hit saying it is being blocked, but it seems it is not really being blocked.
So I am just trying to understand what is happening.

On 08/14/2012 02:22 PM, perl-list wrote:
> It is broadcast traffic.  In Linux, it is difficult to block broadcast traffic ... I am not aware of how one might block broadcast traffic using iptables, in fact.  You might be able to match on a MAC address and block certain packets that way...
>
>
> ------------------------------------------------------------
>
>     *From: *"Steve Clark" <sclark at netwolves.com>
>     *To: *"Users of ISC DHCP" <dhcp-users at lists.isc.org>
>     *Sent: *Tuesday, August 14, 2012 2:16:32 PM
>     *Subject: *Re: Linux Firewall not block dhcp requests
>
>     On 08/14/2012 02:06 PM, Steve Clark wrote:
>
>         Hello,
>
>         Can someone tell me how DHCP is seeing packets that according to my firewall log are being dropped?
>         Does DHCP read the packets before they get to the firewall like tcpdump does?
>
>         Chain fDROPnLOG (1 references)
>            pkts bytes target     prot opt in     out source               destination
>             143 16366 LOG        all  --  *      * 0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 7 prefix `fw (fDROPnLOG) '
>             143 16366 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0
>
>         Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 PROTO=UDP SPT=68 DPT=67 LEN=308
>
>
>         tcpdump on eth0
>         13:55:58.667982 IP (tos 0x0, ttl 128, id 24427, offset 0, flags [none], proto UDP (17), length 328)
>               10.254.207.66.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 5c:26:0a:73:b2:6a, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
>                     Client-IP 10.254.207.66
>                     Client-Ethernet-Address 5c:26:0a:73:b2:6a
>                     Vendor-rfc1048 Extensions
>                       Magic Cookie 0x63825363
>                       DHCP-Message Option 53, length 1: Inform
>                       Client-ID Option 61, length 7: ether 5c:26:0a:73:b2:6a
>                       Hostname Option 12, length 12: "7pdawson0412"
>                       Vendor-Class Option 60, length 8: "MSFT 5.0"
>                       Parameter-Request Option 55, length 13:
>                         Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
>                         Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
>                         Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
>                         Option 252
>         13:55:58.668418 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 328)
>               10.254.207.65.67 > 10.254.207.66.68: [bad udp cksum ffd6!] BOOTP/DHCP, Reply, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
>                     Client-IP 10.254.207.66
>                     Client-Ethernet-Address 5c:26:0a:73:b2:6a
>                     Vendor-rfc1048 Extensions
>                       Magic Cookie 0x63825363
>                       DHCP-Message Option 53, length 1: ACK
>                       Server-ID Option 54, length 4: 10.254.23.1
>                       Subnet-Mask Option 1, length 4: 255.255.255.192
>                       Default-Gateway Option 3, length 4: 10.254.207.65
>                       Domain-Name-Server Option 6, length 8: 172.16.11.180,172.16.11.181
>
>     Trying to answer my own question: could it be that, since the destination address is 255.255.255.255, it is hitting
>     the loopback interface, which in my firewall allows everything to everything, and the DHCP server
>     is listening on 0.0.0.0:67?
>
>     -- 
>     Stephen Clark
>     *NetWolves*
>     Director of Technology
>     Phone: 813-579-3200
>     Fax: 813-882-0209
>     Email: steve.clark at netwolves.com
>     http://www.netwolves.com
>
>     _______________________________________________
>     dhcp-users mailing list
>     dhcp-users at lists.isc.org
>     https://lists.isc.org/mailman/listinfo/dhcp-users
>


-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
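As an added example (not part of the thread), a small Python checker that parses a netfilter LOG line of the kind shown above and the matching tcpdump IP header summary, decodes the MAC= field (destination MAC, source MAC, ethertype), flags a DHCP client broadcast, and confirms by IP id, TTL and total length that both records describe the same datagram; the two sample lines are constructed after the thread's output.

```python
import re

# Constructed sample input, patterned after the thread's firewall log and tcpdump output.
FW_LOG = ("Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 "
          "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 "
          "PROTO=UDP SPT=68 DPT=67 LEN=308")
TCPDUMP = ("13:55:58.667982 IP (tos 0x0, ttl 128, id 24427, offset 0, flags [none], "
           "proto UDP (17), length 328)")


def parse_fw_log(line):
    """Turn a netfilter LOG entry into a dict of its KEY=value fields.

    LEN= appears twice: the first is the IP total length (kept as 'LEN'),
    the second is the UDP length (kept as 'UDP_LEN'). The MAC= field is
    destination MAC (6 octets), source MAC (6 octets), then the ethertype.
    """
    fields = {}
    for key, val in re.findall(r"(\w+)=(\S*)", line):
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = val
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:])  # "0800" = IPv4
    return fields


def is_dhcp_client_broadcast(f):
    """True for a client->server DHCP datagram sent to the link broadcast address."""
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "68" and f.get("DPT") == "67"
            and f.get("DST") == "255.255.255.255"
            and f.get("DST_MAC") == "ff:ff:ff:ff:ff:ff")


def same_datagram(fw, tcpdump_line):
    """Match the log entry to a tcpdump IP summary by IP id, TTL and total length."""
    m = re.search(r"ttl (\d+), id (\d+),.*length (\d+)\)", tcpdump_line)
    if not m:
        return False
    ttl, ipid, length = m.groups()
    return fw.get("TTL") == ttl and fw.get("ID") == ipid and fw.get("LEN") == length


if __name__ == "__main__":
    entry = parse_fw_log(FW_LOG)
    print(entry["SRC_MAC"], "->", entry["DST_MAC"], "dhcp broadcast:",
          is_dhcp_client_broadcast(entry), "same as capture:", same_datagram(entry, TCPDUMP))
```

A match on id, TTL and length shows the frame the INPUT chain dropped is the very one the server answered; on Linux the ISC server reads from a packet socket (LPF), which, like tcpdump, receives the frame before netfilter's INPUT chain, so a DROP there does not keep it from dhcpd.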
