Linux Firewall not block dhcp requests

Michael Hoskins (michoski) michoski at cisco.com
Tue Aug 14 19:31:34 UTC 2012


Stupid question, are your systems running dhclient or something that's
generating request traffic?  That would cause the responses to be allowed
on a stateful firewall.


If you're not just getting responses, have done the usual iptables -A
INPUT -i interface -p udp --sport 67:68 --dport 67:68 -j DROP dance, and
still see traffic making it through -- considering your tcpdump shows
client and server on the same LAN, you likely need MAC address filtering
(L2 vs L3 issue).

http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html

PS: Wikipedia actually has a fairly detailed explanation of the technical
details that might help:

http://en.wikipedia.org/wiki/Dhcp

-----Original Message-----
From: Steve Clark <sclark at netwolves.com>
Reply-To: Users of ISC DHCP <dhcp-users at lists.isc.org>
Date: Tuesday, August 14, 2012 12:13 PM
To: Users of ISC DHCP <dhcp-users at lists.isc.org>
Subject: Re: Linux Firewall not block dhcp requests

>Doing some more research it looks like DHCP uses raw sockets which get
>the packet before it hits netfilter.
>From the README from 4.1.1
>
>We have noticed that on some systems where we are using a packet
>filter, if you set up a firewall that blocks UDP port 67 and 68
>entirely, packets sent through the packet filter will not be blocked.
>However, unicast packets will be blocked.
>
>On 08/14/2012 03:06 PM, perl-list wrote:
>
>
>That question I don't think I can answer.
>
>
>I have had some experience with iptables and noticing that it doesn't
>block broadcast traffic.  But then again, your box has to have some
>service listening for broadcast traffic, which dhcpd does.
>
>________________________________________
>
>From: "Steve Clark" <sclark at netwolves.com>
>To: "Users of ISC DHCP" <dhcp-users at lists.isc.org>
>Cc: "perl-list" <perl-list at network1.net>
>Sent: Tuesday, August 14, 2012 2:38:16 PM
>Subject: Re: Linux Firewall not block dhcp requests
>
>Thanks,
>
>I don't really want to block it in this case.
>
>Looking at my firewall rules I thought it should be blocked and I am
>getting a hit saying it is being blocked - but it seems it is not really
>being blocked.
>So I am just trying to understand what is happening.
>
>On 08/14/2012 02:22 PM, perl-list wrote:
>
>It is broadcast traffic.  In Linux, it is difficult to block broadcast
>traffic ... I am not aware of how one might block broadcast traffic using
>iptables, in fact.  You might be able to match on a mac address and
> block certain packets that way....
>
>
>
>________________________________________
>
>From: "Steve Clark" <sclark at netwolves.com>
>To: "Users of ISC DHCP" <dhcp-users at lists.isc.org>
>Sent: Tuesday, August 14, 2012 2:16:32 PM
>Subject: Re: Linux Firewall not block dhcp requests
>
>On 08/14/2012 02:06 PM, Steve Clark wrote:
>
>Hello,
>
>Can someone tell me how DHCP is seeing packets that according to my
>firewall log are being dropped?
>Does DHCP read the packets before they get to the firewall like tcpdump
>does?
>
>Chain fDROPnLOG (1 references)
> pkts bytes target     prot opt in     out     source               destination
>  143 16366 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 7 prefix `fw (fDROPnLOG) '
>  143 16366 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 PROTO=UDP SPT=68 DPT=67 LEN=308
>
>
>tcpdump on eth0
>13:55:58.667982 IP (tos 0x0, ttl 128, id 24427, offset 0, flags [none], proto UDP (17), length 328)
>     10.254.207.66.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 5c:26:0a:73:b2:6a, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
>           Client-IP 10.254.207.66
>           Client-Ethernet-Address 5c:26:0a:73:b2:6a
>           Vendor-rfc1048 Extensions
>             Magic Cookie 0x63825363
>             DHCP-Message Option 53, length 1: Inform
>             Client-ID Option 61, length 7: ether 5c:26:0a:73:b2:6a
>             Hostname Option 12, length 12: "7pdawson0412"
>             Vendor-Class Option 60, length 8: "MSFT 5.0"
>             Parameter-Request Option 55, length 13:
>               Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
>               Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
>               Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
>               Option 252
>13:55:58.668418 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 328)
>     10.254.207.65.67 > 10.254.207.66.68: [bad udp cksum ffd6!] BOOTP/DHCP, Reply, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
>           Client-IP 10.254.207.66
>           Client-Ethernet-Address 5c:26:0a:73:b2:6a
>           Vendor-rfc1048 Extensions
>             Magic Cookie 0x63825363
>             DHCP-Message Option 53, length 1: ACK
>             Server-ID Option 54, length 4: 10.254.23.1
>             Subnet-Mask Option 1, length 4: 255.255.255.192
>             Default-Gateway Option 3, length 4: 10.254.207.65
>             Domain-Name-Server Option 6, length 8: 172.16.11.180,172.16.11.181
>
>Trying to answer my own question - could it be, since the destination
>address is 255.255.255.255, that it is hitting the loopback interface,
>which in my firewall allows everything to everything, and the DHCP server
>is listening on 0.0.0.0:67?
>
>
>
>-- 
>Stephen Clark
>NetWolves
>Director of Technology
>Phone: 813-579-3200
>Fax: 813-882-0209
>Email: steve.clark at netwolves.com
>http://www.netwolves.com
>
>
>_______________________________________________
>dhcp-users mailing list
>dhcp-users at lists.isc.org
>https://lists.isc.org/mailman/listinfo/dhcp-users



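The thread's conclusion is that dhcpd reads DHCP broadcasts through a packet socket, so the INPUT chain's LOG/DROP still fires but no longer stops delivery, while unicast DHCP is blocked normally. The check below runs that distinction over kernel LOG lines in the format quoted above; it is an added example, not code from the thread or from ISC DHCP, and the second sample line (including its server MAC 00:11:22:33:44:55) is constructed.

```python
import re

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
DHCP_PORTS = {67, 68}

# Sample input: line 1 is the kernel LOG entry quoted in the thread; line 2 is a
# constructed unicast DHCP packet (server MAC 00:11:22:33:44:55 is made up).
SAMPLE_LOG = """\
Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 14 13:56:02 kernel: fw (fDROPnLOG) IN=eth0 OUT= MAC=00:11:22:33:44:55:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 DST=10.254.207.65 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24428 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

def parse_nf_log(line):
    """Parse one netfilter LOG line into a dict and split MAC= into its parts."""
    m = re.search(r"kernel: (.*?) IN=", line)
    rec = {"prefix": m.group(1).strip() if m else ""}
    for key, val in re.findall(r"(\w+)=(\S*)", line):
        rec.setdefault(key, val)  # first LEN= (IP total length) wins over the UDP one
    parts = rec.get("MAC", "").split(":")
    if len(parts) == 14:  # 6 bytes dst MAC, 6 bytes src MAC, 2 bytes ethertype
        rec["dst_mac"] = ":".join(parts[:6])
        rec["src_mac"] = ":".join(parts[6:12])
        rec["ethertype"] = "".join(parts[12:])
    return rec

def classify_dhcp(rec):
    """'not-dhcp'; 'unicast' (the INPUT DROP really blocks it); or 'l2-broadcast'
    (dhcpd's packet socket still receives the frame, so only L2 filtering helps)."""
    if rec.get("PROTO") != "UDP" or not rec.get("DPT", "").isdigit():
        return "not-dhcp"
    if int(rec["DPT"]) not in DHCP_PORTS:
        return "not-dhcp"
    if rec.get("dst_mac") == BROADCAST_MAC or rec.get("DST") == "255.255.255.255":
        return "l2-broadcast"
    return "unicast"

def audit(log_text):
    """Return (log prefix, SRC, src_mac, verdict) for every DHCP line in the log."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_nf_log(line)
        verdict = classify_dhcp(rec)
        if verdict != "not-dhcp":
            rows.append((rec["prefix"], rec.get("SRC"), rec.get("src_mac"), verdict))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

A DROP that reports `l2-broadcast` is only a counter hit; the src_mac column is the value an L2 rule (ebtables, or an iptables `-m mac` match) would need to act on.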