<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Doing some more research, it looks like
DHCP uses raw sockets, which get the packet before it hits
netfilter.<br>
From the README from 4.1.1<br>
<br>
We have noticed that on some systems where we are using a packet<br>
filter, if you set up a firewall that blocks UDP port 67 and 68<br>
entirely, packets sent through the packet filter will not be
blocked.<br>
However, unicast packets will be blocked.<br>
<br>
On 08/14/2012 03:06 PM, perl-list wrote:<br>
</div>
<blockquote
cite="mid:1857761833.120458.1344971167487.JavaMail.root@network1.net"
type="cite">
<style type="text/css">p { margin: 0; }</style>
<div style="font-family: arial,helvetica,sans-serif; font-size:
10pt; color: #000000">That question I don't think I can answer.<br>
<div id="e0348634-667e-4419-a4bb-c159618b4b92"><br>
</div>
<div id="e0348634-667e-4419-a4bb-c159618b4b92">I have had some
experience with iptables and noticing that it doesn't block
broadcast traffic. But then again, your box has to have some
service listening for broadcast traffic, which dhcpd does.</div>
<br>
<hr id="zwchr">
<blockquote style="border-left:2px solid rgb(16, 16,
255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From:
</b>"Steve Clark" <a class="moz-txt-link-rfc2396E" href="mailto:sclark@netwolves.com"><sclark@netwolves.com></a><br>
<b>To: </b>"Users of ISC DHCP"
<a class="moz-txt-link-rfc2396E" href="mailto:dhcp-users@lists.isc.org"><dhcp-users@lists.isc.org></a><br>
<b>Cc: </b>"perl-list" <a class="moz-txt-link-rfc2396E" href="mailto:perl-list@network1.net"><perl-list@network1.net></a><br>
<b>Sent: </b>Tuesday, August 14, 2012 2:38:16 PM<br>
<b>Subject: </b>Re: Linux Firewall not block dhcp requests<br>
<br>
<div class="moz-cite-prefix">Thanks,<br>
<br>
I don't really want to block it in this case.<br>
<br>
Looking at my firewall rules, I thought it should be blocked,
and I am<br>
getting a hit saying it is being blocked, but it seems it
is not really being blocked.<br>
So I am just trying to understand what is happening.<br>
<br>
On 08/14/2012 02:22 PM, perl-list wrote:<br>
</div>
<blockquote
cite="mid:875723053.120248.1344968546053.JavaMail.root@network1.net">
<style>p { margin: 0; }</style>
<div style="font-family: arial,helvetica,sans-serif;
font-size: 10pt; color: #000000">
<div id="e0348634-667e-4419-a4bb-c159618b4b92">It is
broadcast traffic. In Linux, it is difficult to block
broadcast traffic ... I am not aware of how one might
block broadcast traffic using iptables, in fact. You
might be able to match on a mac address and block
certain packets that way....</div>
<div id="e0348634-667e-4419-a4bb-c159618b4b92"><br>
</div>
<br>
<hr id="zwchr">
<blockquote style="border-left:2px solid rgb(16, 16,
255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From:
</b>"Steve Clark" <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:sclark@netwolves.com" target="_blank"><sclark@netwolves.com></a><br>
<b>To: </b>"Users of ISC DHCP" <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="mailto:dhcp-users@lists.isc.org" target="_blank"><dhcp-users@lists.isc.org></a><br>
<b>Sent: </b>Tuesday, August 14, 2012 2:16:32 PM<br>
<b>Subject: </b>Re: Linux Firewall not block dhcp
requests<br>
<br>
<div class="moz-cite-prefix">On 08/14/2012 02:06 PM,
Steve Clark wrote:<br>
</div>
<blockquote cite="mid:502A93B3.6050400@netwolves.com">
<pre>Hello,
Can someone tell me how DHCP is seeing packets that according to my firewall log are being dropped?
Does DHCP read the packets before they get to the firewall like tcpdump does?
Chain fDROPnLOG (1 references)
pkts bytes target prot opt in out source destination
143 16366 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 7 prefix `fw (fDROPnLOG) '
143 16366 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 PROTO=UDP SPT=68 DPT=67 LEN=308
tcpdump on eth0
13:55:58.667982 IP (tos 0x0, ttl 128, id 24427, offset 0, flags [none], proto UDP (17), length 328)
10.254.207.66.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 5c:26:0a:73:b2:6a, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
Client-IP 10.254.207.66
Client-Ethernet-Address 5c:26:0a:73:b2:6a
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Inform
Client-ID Option 61, length 7: ether 5c:26:0a:73:b2:6a
Hostname Option 12, length 12: "7pdawson0412"
Vendor-Class Option 60, length 8: "MSFT 5.0"
Parameter-Request Option 55, length 13:
Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
Option 252
13:55:58.668418 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 328)
10.254.207.65.67 > 10.254.207.66.68: [bad udp cksum ffd6!] BOOTP/DHCP, Reply, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
Client-IP 10.254.207.66
Client-Ethernet-Address 5c:26:0a:73:b2:6a
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 10.254.23.1
Subnet-Mask Option 1, length 4: 255.255.255.192
Default-Gateway Option 3, length 4: 10.254.207.65
Domain-Name-Server Option 6, length 8: 172.16.11.180,172.16.11.181
</pre>
</blockquote>
<font face="sans-serif">Trying to answer my own question:
could it be that, since the destination address is
255.255.255.255, it is hitting<br>
the loopback interface, which in my firewall allows
everything to everything, and the DHCP server<br>
is listening on 0.0.0.0:67?<br>
<br>
<br>
</font><br>
<div class="moz-signature">-- <br>
Stephen Clark<br>
<b>NetWolves</b><br>
Director of Technology<br>
Phone: 813-579-3200<br>
Fax: 813-882-0209<br>
Email: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:steve.clark@netwolves.com"
target="_blank">steve.clark@netwolves.com</a><br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://www.netwolves.com" target="_blank">http://www.netwolves.com</a><br>
</div>
<br>
_______________________________________________<br>
dhcp-users mailing list<br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dhcp-users@lists.isc.org" target="_blank">dhcp-users@lists.isc.org</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://lists.isc.org/mailman/listinfo/dhcp-users" target="_blank">https://lists.isc.org/mailman/listinfo/dhcp-users</a></blockquote>
<br>
</div>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</div>
<br>
</blockquote>
<br>
<br>
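<p>The mechanism this thread describes, as an added example (not code from the list thread or from ISC dhcpd): an audit that parses the netfilter LOG line quoted above, flags broadcast DHCP drops that dhcpd's raw socket receives regardless, and checks tcpdump for the reply the server sent in the same second. The sample lines are re-typed from the thread with tcpdump's output condensed to one line per packet; the function names and that one-line tcpdump format are my assumptions.</p>

```python
import re

# Constructed sample input, re-typed from the thread above: the netfilter LOG
# entry and tcpdump's view of the same exchange (-v output condensed to one line).
FW_LOG = ("Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 "
          "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 "
          "PROTO=UDP SPT=68 DPT=67 LEN=308")
TCPDUMP = [
    "13:55:58.667982 IP 10.254.207.66.68 > 255.255.255.255.67: BOOTP/DHCP, "
    "Request from 5c:26:0a:73:b2:6a, length 300, xid 0xc5a1ea3f",
    "13:55:58.668418 IP 10.254.207.65.67 > 10.254.207.66.68: BOOTP/DHCP, "
    "Reply, length 300, xid 0xc5a1ea3f",
]
TCPDUMP_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): .*?BOOTP/DHCP, "
    r"(Request|Reply).*?xid (0x[0-9a-f]+)")

def parse_fw_log(line):
    """KEY=VALUE fields of a LOG line as a dict; the 2nd LEN= becomes UDP_LEN."""
    m = re.search(r"\d\d:\d\d:\d\d", line)
    fields = {"time": m.group(0) if m else ""}
    for key, val in re.findall(r"(\w+)=(\S*)", line):
        fields["UDP_" + key if key in fields else key] = val
    return fields

def is_broadcast_dhcp(f):
    """Link-layer broadcast to the DHCP ports: dhcpd reads these via its raw
    (LPF) socket before netfilter's INPUT chain, so the DROP is only logged."""
    return (f.get("PROTO") == "UDP" and f.get("DPT") in ("67", "68")
            and f.get("DST") == "255.255.255.255"
            and f.get("MAC", "").startswith("ff:ff:ff:ff:ff:ff"))

def find_dhcp_reply(f, tcpdump_lines):
    """xid of a server reply to the 'dropped' client in the same second, or None."""
    for line in tcpdump_lines:
        m = TCPDUMP_RE.match(line)
        if m:
            ts, _src, sport, dst, _dport, kind, xid = m.groups()
            if (kind == "Reply" and sport == "67" and dst == f.get("SRC")
                    and ts == f["time"]):
                return xid
    return None

def audit(fw_line, tcpdump_lines):
    """'ineffective-drop' if the logged broadcast drop was still answered."""
    f = parse_fw_log(fw_line)
    if is_broadcast_dhcp(f) and find_dhcp_reply(f, tcpdump_lines):
        return "ineffective-drop"
    return "dropped"
```

For the thread's own packet, audit() returns "ineffective-drop": the DROP counter and LOG line are real, but the DHCPACK went out anyway because the server never depended on netfilter to receive the frame.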
</body>
</html>