Linux Firewall not block dhcp requests
Steve Clark
sclark at netwolves.com
Tue Aug 14 18:38:16 UTC 2012
Thanks,
I don't really want to block it in this case.
Looking at my firewall rules I thought it should be blocked and I am
getting a hit saying it is being blocked - but it seems it is not really being blocked.
So I am just trying to understand what is happening.
On 08/14/2012 02:22 PM, perl-list wrote:
> It is broadcast traffic. In Linux, it is difficult to block broadcast traffic ... I am not aware of how one might block broadcast traffic using iptables, in fact. You might be able to match on a MAC address and block certain packets that way....
>
>
> *From: *"Steve Clark" <sclark at netwolves.com>
> *To: *"Users of ISC DHCP" <dhcp-users at lists.isc.org>
> *Sent: *Tuesday, August 14, 2012 2:16:32 PM
> *Subject: *Re: Linux Firewall not block dhcp requests
>
> On 08/14/2012 02:06 PM, Steve Clark wrote:
>
> Hello,
>
> Can someone tell me how DHCP is seeing packets that according to my firewall log are being dropped?
> Does DHCP read the packets before they get to the firewall like tcpdump does?
>
> Chain fDROPnLOG (1 references)
> pkts bytes target prot opt in out source destination
> 143 16366 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 7 prefix `fw (fDROPnLOG) '
> 143 16366 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 PROTO=UDP SPT=68 DPT=67 LEN=308
>
>
> tcpdump on eth0
> 13:55:58.667982 IP (tos 0x0, ttl 128, id 24427, offset 0, flags [none], proto UDP (17), length 328)
>     10.254.207.66.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 5c:26:0a:73:b2:6a, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
>       Client-IP 10.254.207.66
>       Client-Ethernet-Address 5c:26:0a:73:b2:6a
>       Vendor-rfc1048 Extensions
>         Magic Cookie 0x63825363
>         DHCP-Message Option 53, length 1: Inform
>         Client-ID Option 61, length 7: ether 5c:26:0a:73:b2:6a
>         Hostname Option 12, length 12: "7pdawson0412"
>         Vendor-Class Option 60, length 8: "MSFT 5.0"
>         Parameter-Request Option 55, length 13:
>           Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
>           Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
>           Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
>           Option 252
> 13:55:58.668418 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 328)
>     10.254.207.65.67 > 10.254.207.66.68: [bad udp cksum ffd6!] BOOTP/DHCP, Reply, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
>       Client-IP 10.254.207.66
>       Client-Ethernet-Address 5c:26:0a:73:b2:6a
>       Vendor-rfc1048 Extensions
>         Magic Cookie 0x63825363
>         DHCP-Message Option 53, length 1: ACK
>         Server-ID Option 54, length 4: 10.254.23.1
>         Subnet-Mask Option 1, length 4: 255.255.255.192
>         Default-Gateway Option 3, length 4: 10.254.207.65
>         Domain-Name-Server Option 6, length 8: 172.16.11.180,172.16.11.181
>
> Trying to answer my own question - could it be that, since the destination address is 255.255.255.255, it is hitting
> the loopback interface, which in my firewall allows everything to everything, and the DHCP server
> is listening on 0.0.0.0:67?
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
--
Stephen Clark
NetWolves
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
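As an added example (not from the thread, and not ISC or NetWolves code), here is a small Python helper that parses the netfilter LOG line and the tcpdump record quoted above into their fields, decodes the MAC= field into destination MAC, source MAC and EtherType, and confirms that the dropped datagram and the captured one are the same IP packet (same id, ttl, length, addresses and ports). The log and capture lines are constructed copies of the ones posted; the field names PREFIX, UDP_LEN, DST_MAC, SRC_MAC and CLIENT_MAC are this example's own.

```python
import re
# Constructed copies of the netfilter LOG line and the tcpdump -v record quoted in the thread.
FW_LOG = ("Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 "
          "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 "
          "PROTO=UDP SPT=68 DPT=67 LEN=308")
TCPDUMP = ("13:55:58.667982 IP (tos 0x0, ttl 128, id 24427, offset 0, flags [none], "
           "proto UDP (17), length 328)\n    10.254.207.66.68 > 255.255.255.255.67: "
           "[udp sum ok] BOOTP/DHCP, Request from 5c:26:0a:73:b2:6a, length 300")

def parse_netfilter_log(line):
    """Split a netfilter LOG line into its KEY=VALUE fields plus the rule's log prefix."""
    fields = {"PREFIX": re.search(r"kernel: (.*?) IN=", line).group(1)}
    for key, val in re.findall(r"\b([A-Z]+)=(\S*)", line):
        # LEN= appears twice: first the IP total length, then the UDP length.
        fields["UDP_LEN" if key == "LEN" and "LEN" in fields else key] = val
    # MAC= is the raw 14-byte Ethernet header: dst MAC, src MAC, EtherType (08:00 = IPv4).
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(octets[12:])
    return fields

def parse_tcpdump(text):
    """Pull the IP-header and UDP flow fields out of a two-line tcpdump -v record."""
    hdr = re.search(r"ttl (\d+), id (\d+),.*proto (\w+) \(\d+\), length (\d+)", text)
    flow = re.search(r"([\d.]+)\.(\d+) > ([\d.]+)\.(\d+):", text)
    mac = re.search(r"Request from ([0-9a-f:]{17})", text)
    return {"TTL": hdr.group(1), "ID": hdr.group(2), "PROTO": hdr.group(3),
            "LEN": hdr.group(4), "SRC": flow.group(1), "SPT": flow.group(2),
            "DST": flow.group(3), "DPT": flow.group(4),
            "CLIENT_MAC": mac.group(1) if mac else None}

def same_packet(fw, cap):
    """True when the logged drop and the captured datagram are the same IP packet."""
    return all(fw[k] == cap[k] for k in ("ID", "TTL", "PROTO", "LEN", "SRC", "DST", "SPT", "DPT"))

def classify(fw):
    """Name the traffic a LOG line describes; DHCP is UDP 68->67 (client) or 67->68 (server)."""
    kind = {("UDP", "68", "67"): "DHCP client request", ("UDP", "67", "68"): "DHCP server reply"
            }.get((fw.get("PROTO"), fw.get("SPT"), fw.get("DPT")), "other traffic")
    broadcast = fw.get("DST") == "255.255.255.255" or fw.get("DST_MAC") == "ff:ff:ff:ff:ff:ff"
    return kind + " (broadcast)" if kind != "other traffic" and broadcast else kind

if __name__ == "__main__":
    fw, cap = parse_netfilter_log(FW_LOG), parse_tcpdump(TCPDUMP)
    print(fw["PREFIX"], classify(fw), "| same packet as tcpdump:", same_packet(fw, cap),
          "| frame src MAC is the DHCP client MAC:", fw["SRC_MAC"] == cap["CLIENT_MAC"])
```

What the correlation cannot show is why dhcpd still answered: ISC dhcpd on Linux, like tcpdump, receives frames through a packet socket (its LPF interface) before the IP stack reaches the iptables INPUT chain, so a LOG/DROP hit there does not mean the daemon never saw the frame.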