Limit DHCP requests with iptables - problem: Router
Mr Dash Four
mr.dash.four at googlemail.com
Sun Sep 9 13:54:37 UTC 2012
> Do you mean client, or do you mean server ?
Both. I have tested this on both ends.
> If you do mean client, then your suggestion is of no help to the OP as
> it involves modifying the client - and if you re-read his problem
> these clients include embedded ones in (eg) printers and so on.
Hence my caveat - *if* SELinux is deployed and it is in "enforce" mode,
otherwise the whole exercise becomes a bit pointless.
> If you mean server, then you need to explain just how this solution
> helps - since it would appear to force conditions on the server
> designed to prevent some of it's functions working. The people who
> wrote the software didn't use raw sockets for fun - they used them
> because it's required in order to send/receive certain packets
> **required** for the DHCP protocol to work.
The solution is quite simple - it prevents the creation of raw socket
connections by either the client or the server. I, as a network
administrator, have a responsibility to secure the network I am
responsible for, and since these dhcp negotiations are seemingly going
beyond the control of netfilter, that issue is forced upon me, hence the
steps I take to secure that network. If you know of a better way how to
secure and control raw socket connections - either by using netfilter or
by any other means - then I am all ears!
It does the trick, so whatever dhcp functionality was "restricted" in
the process, it doesn't seem that important. Besides, there are other
dhcp servers/clients out there which do not rely on/use raw socket
connections and they function quite well.
More information about the dhcp-users