Linux Firewall not block dhcp requests

perl-list perl-list at network1.net
Tue Aug 14 19:06:07 UTC 2012


That question I don't think I can answer.

I have had some experience with iptables and have noticed that it doesn't block broadcast traffic. But then again, your box has to have some service listening for broadcast traffic, which dhcpd does.
----- Original Message -----
> From: "Steve Clark" <sclark at netwolves.com>
> To: "Users of ISC DHCP" <dhcp-users at lists.isc.org>
> Cc: "perl-list" <perl-list at network1.net>
> Sent: Tuesday, August 14, 2012 2:38:16 PM
> Subject: Re: Linux Firewall not block dhcp requests

> Thanks,

> I don't really want to block it in this case.

> Looking at my firewall rules I thought it should be blocked and I am
> getting a hit saying it is being blocked - but it seems it is not
> really being blocked. So I am just trying to understand what is happening.

> On 08/14/2012 02:22 PM, perl-list wrote:

> > It is broadcast traffic. In Linux, it is difficult to block broadcast
> > traffic ... I am not aware of how one might block broadcast traffic
> > using iptables, in fact. You might be able to match on a mac address
> > and block certain packets that way....

> > ----- Original Message -----
> > > From: "Steve Clark" <sclark at netwolves.com>
> > > To: "Users of ISC DHCP" <dhcp-users at lists.isc.org>
> > > Sent: Tuesday, August 14, 2012 2:16:32 PM
> > > Subject: Re: Linux Firewall not block dhcp requests

> > > On 08/14/2012 02:06 PM, Steve Clark wrote:

> > > > Hello,

> > > > Can someone tell me how DHCP is seeing packets that according to my
> > > > firewall log are being dropped?
> > > > Does DHCP read the packets before they get to the firewall like
> > > > tcpdump does?

> > > > Chain fDROPnLOG (1 references)
> > > > pkts bytes target     prot opt in     out     source               destination
> > > >  143 16366 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 7 prefix `fw (fDROPnLOG) '
> > > >  143 16366 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

> > > > Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 PROTO=UDP SPT=68 DPT=67 LEN=308

> > > > tcpdump on eth0
> > > > 13:55:58.667982 IP (tos 0x0, ttl 128, id 24427, offset 0, flags [none], proto UDP (17), length 328)
> > > >     10.254.207.66.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 5c:26:0a:73:b2:6a, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
> > > >       Client-IP 10.254.207.66
> > > >       Client-Ethernet-Address 5c:26:0a:73:b2:6a
> > > >       Vendor-rfc1048 Extensions
> > > >         Magic Cookie 0x63825363
> > > >         DHCP-Message Option 53, length 1: Inform
> > > >         Client-ID Option 61, length 7: ether 5c:26:0a:73:b2:6a
> > > >         Hostname Option 12, length 12: "7pdawson0412"
> > > >         Vendor-Class Option 60, length 8: "MSFT 5.0"
> > > >         Parameter-Request Option 55, length 13:
> > > >           Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
> > > >           Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
> > > >           Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
> > > >           Option 252
> > > > 13:55:58.668418 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 328)
> > > >     10.254.207.65.67 > 10.254.207.66.68: [bad udp cksum ffd6!] BOOTP/DHCP, Reply, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
> > > >       Client-IP 10.254.207.66
> > > >       Client-Ethernet-Address 5c:26:0a:73:b2:6a
> > > >       Vendor-rfc1048 Extensions
> > > >         Magic Cookie 0x63825363
> > > >         DHCP-Message Option 53, length 1: ACK
> > > >         Server-ID Option 54, length 4: 10.254.23.1
> > > >         Subnet-Mask Option 1, length 4: 255.255.255.192
> > > >         Default-Gateway Option 3, length 4: 10.254.207.65
> > > >         Domain-Name-Server Option 6, length 8: 172.16.11.180,172.16.11.181
> 
> > > Trying to answer my own question - could it be since the destination
> > > address is 255.255.255.255 is it hitting the loopback interface which
> > > in my firewall allows everything to everything and the DHCP server
> > > is listening on 0.0.0.0:67.

> > > --
> > > Stephen Clark
> > > NetWolves
> > > Director of Technology
> > > Phone: 813-579-3200
> > > Fax: 813-882-0209
> > > Email: steve.clark at netwolves.com
> > > http://www.netwolves.com

> > > _______________________________________________
> > > dhcp-users mailing list
> > > dhcp-users at lists.isc.org
> > > https://lists.isc.org/mailman/listinfo/dhcp-users
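A LOG/DROP hit in the INPUT chain only shows that the packet never reached the kernel's UDP socket path; ISC dhcpd on Linux reads frames through a raw packet socket (its LPF backend), the same layer tcpdump captures at, which is why it still sees the request. As an added example that is not part of the thread, the Python below parses the kernel LOG line quoted above (re-joined onto one line, as the kernel emits it) and flags such a DHCP client broadcast, so that a log review does not mistake the counter hit for an enforced block.

```python
import re

# Constructed sample: the kernel LOG line quoted in the thread, re-joined onto
# one line as the kernel actually emits it (the list archive wrapped it).
SAMPLE_LOG = ("Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= "
              "MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 "
              "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 "
              "PROTO=UDP SPT=68 DPT=67 LEN=308")

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_nflog(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict.

    LEN appears twice (IP total length, then UDP length); the second copy is
    stored as LEN_L4.  MAC= carries destination MAC, source MAC and EtherType
    back to back, so it is split into MAC_DST, MAC_SRC and ETHERTYPE.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "LEN" and "LEN" in fields:
            key = "LEN_L4"
        fields[key] = value
    mac = fields.get("MAC", "")
    if len(mac) == 41:  # 14 bytes as colon-separated hex: 6 + 6 + 2
        fields["MAC_DST"], fields["MAC_SRC"], fields["ETHERTYPE"] = (
            mac[:17], mac[18:35], mac[36:])
    return fields

def is_dhcp_broadcast(fields):
    """True for a DHCP client request: UDP 68 -> 67 sent to the limited
    broadcast address and/or the broadcast MAC."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("SPT") == "68" and fields.get("DPT") == "67"
            and (fields.get("DST") == "255.255.255.255"
                 or fields.get("MAC_DST") == "ff:ff:ff:ff:ff:ff"))

def verdict(line):
    """Say what a LOG/DROP hit on this line does and does not mean."""
    f = parse_nflog(line)
    if not {"IN", "SRC", "DST"} <= f.keys():
        return "not a netfilter LOG line"
    if is_dhcp_broadcast(f):
        return (f"DHCP client broadcast from {f['SRC']} ({f.get('MAC_SRC', '?')}) "
                f"dropped in INPUT on {f['IN']}: the UDP socket path is blocked, "
                "but dhcpd reads the link layer directly and still sees it")
    return f"{f.get('PROTO')} {f['SRC']}:{f.get('SPT')} -> {f['DST']}:{f.get('DPT')} dropped"
```

Running `verdict(SAMPLE_LOG)` on the quoted line reports the DHCP broadcast and that dhcpd still receives it; to keep dhcpd from answering, the control has to live in dhcpd's own configuration or at the link layer, not in an INPUT rule.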