* (Probably) it's a bug
From: Marek Sirdak @ 2005-07-21 19:49 UTC (permalink / raw)
To: netfilter-devel
Dear Netfilter developers:
I'm using iptables to protect my company network. My kernel version is
2.6.12 and iptables 1.3.2. Today I noticed that iptables cannot control
broadcast traffic. For example, I'm using DHCPd (version 3.0.2).
Every computer in my network has its own entry in dhcpd.conf. There is no
IP range specified - for security reasons. If I set the policy of chains INPUT,
FORWARD and OUTPUT to DROP (table: filter) with no entries in them, traffic
should be completely dropped. But I noticed that if a computer from my network
sends a DHCP-REQUEST, it will receive a DHCP-REPLY with an address, and it receives
its address despite iptables being set to DROP all of the traffic !!! I have
read in the DHCPd readme file that on some systems the above behaviour is normal,
but I think it isn't normal, because we say: "block all of the traffic" and
all traffic should be dropped. We know that the first packets of DHCP requests
are broadcasts and renewals are unicast (unicast packets are dropped).
Please pay attention to it. I'm not an extra developer, but I think that
somebody could write some broadcast request that could violate server
security.
Greetings
Marek Sirdak
* Re: (Probably) it's a bug
From: Krzysztof Oledzki @ 2005-07-22 12:49 UTC (permalink / raw)
To: Marek Sirdak; +Cc: netfilter-devel
On Thu, 21 Jul 2005, Marek Sirdak wrote:
> Dear Netfilter developers:
>
> I'm using iptables to protect my company network. My Kernel version is
> 2.6.12 and iptables 1.3.2. Today I noticed that iptables cannot control
> broadcast traffic. For example I'm using DHCPd (version 3.0.2).
Hm.. isc-dhcpd uses af_packet:
Symbol: PACKET [=y]
Prompt: Packet socket
Defined at net/Kconfig:26
Depends on: NET
Location:
-> Device Drivers
-> Networking support
-> Networking support (NET [=y])
-> Networking options
"The Packet protocol is used by applications which communicate
directly with network devices without an intermediate network
protocol implemented in the kernel, e.g. tcpdump. If you want them
to work, choose Y.
(...)"
Best regards,
Krzysztof Olędzki
* Re: (Probably) it's a bug
From: Jan Engelhardt @ 2005-07-22 13:15 UTC (permalink / raw)
To: Krzysztof Oledzki; +Cc: netfilter-devel, Marek Sirdak
>> Dear Netfilter developers:
>>
>> I'm using iptables to protect my company network. My Kernel version is
>> 2.6.12 and iptables 1.3.2. Today I noticed that iptables cannot control
>> broadcast traffic. For example I'm using DHCPd (version 3.0.2).
>
> Hm.. isc-dhcpd uses af_packet:
>
> Symbol: PACKET [=y]
> "The Packet protocol is used by applications which communicate
> directly with network devices without an intermediate network
> protocol implemented in the kernel, e.g. tcpdump. If you want them
> to work, choose Y.
Interesting because I once failed to get DHCP because the Request packets hit
the default DROP policy...
Jan Engelhardt
* Re: (Probably) it's a bug
From: Patrick McHardy @ 2005-07-22 17:56 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel, Marek Sirdak
Jan Engelhardt wrote:
>>>Dear Netfilter developers:
>>>
>>>I'm using iptables to protect my company network. My Kernel version is
>>>2.6.12 and iptables 1.3.2. Today I noticed that iptables cannot control
>>>broadcast traffic. For example I'm using DHCPd (version 3.0.2).
>>
>>Hm.. isc-dhcpd uses af_packet:
>>
>>Symbol: PACKET [=y]
>>"The Packet protocol is used by applications which communicate
>>directly with network devices without an intermediate network
>>protocol implemented in the kernel, e.g. tcpdump. If you want them
>>to work, choose Y.
>
> Interesting because I once failed to get DHCP because the Request packets hit
> the default DROP policy...
Some clients use AF_PACKET, others use raw sockets, others use regular
UDP sockets. Everything besides AF_PACKET can be filtered by netfilter.
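What Patrick describes, shown as an added example (this is not code from the thread, from isc-dhcpd or from the kernel): a minimal AF_PACKET receiver of the kind a DHCP daemon opens, together with the Ethernet/IPv4/UDP/BOOTP parsing such a program has to do for itself, because a frame read from a packet socket is handed over by the device layer before the IP stack and its netfilter hooks run, which is why an INPUT policy of DROP has no effect on it. Opening the socket needs CAP_NET_RAW and a Linux host; the parser is exercised on a constructed DHCPDISCOVER frame (not a capture), so the program runs without privileges when given no interface argument. Function names, the sample MAC 02:00:00:00:00:01 and the xid are assumptions made for this example.

```c
/* Added example, not from the thread or from isc-dhcpd. */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { DHCPDISCOVER = 1, DHCPOFFER = 2, DHCPREQUEST = 3, DHCPACK = 5 }; /* RFC 2132 option 53 */

struct dhcp_info {
    uint8_t msg_type;     /* option 53 value, 0 if absent */
    uint8_t chaddr[6];    /* client hardware address from the BOOTP header */
    uint32_t yiaddr;      /* offered address, host byte order */
    int is_broadcast;     /* destination MAC is ff:ff:ff:ff:ff:ff */
};

/* Open a packet socket bound to ifname, as tcpdump and isc-dhcpd's LPF backend do.
 * Frames read here come straight from the device layer, before the IP stack and
 * the netfilter hooks see them, so the filter table's INPUT policy does not apply. */
int open_packet_socket(const char *ifname)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_IP));
    if (fd < 0)
        return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_IP);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 and fills *out if the raw frame is a DHCP message (IPv4/UDP to port
 * 67 or 68, BOOTP header with magic cookie, option 53 present); 0 otherwise,
 * including for frames whose options run past the end of the buffer. */
int parse_dhcp_frame(const uint8_t *f, size_t len, struct dhcp_info *out)
{
    static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };
    memset(out, 0, sizeof *out);
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00)        /* EtherType IPv4 */
        return 0;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17)             /* IPv4 carrying UDP */
        return 0;
    size_t bootp = 14 + ihl + 8;                                  /* offset of BOOTP header */
    if (len < bootp + 240)                                        /* 236 fixed bytes + cookie */
        return 0;
    const uint8_t *udp = ip + ihl;
    unsigned dport = (unsigned)udp[2] << 8 | udp[3];
    if (dport != 67 && dport != 68)
        return 0;
    const uint8_t *bp = f + bootp;
    if (bp[1] != 1 || bp[2] != 6 || memcmp(bp + 236, cookie, 4) != 0) /* htype Ethernet, hlen 6 */
        return 0;
    memcpy(out->chaddr, bp + 28, 6);
    out->yiaddr = (uint32_t)bp[16] << 24 | (uint32_t)bp[17] << 16 | (uint32_t)bp[18] << 8 | bp[19];
    out->is_broadcast = memcmp(f, "\xff\xff\xff\xff\xff\xff", 6) == 0;
    size_t pos = bootp + 240;                                     /* option TLVs: PAD=0, END=255 */
    while (pos < len && f[pos] != 255) {
        if (f[pos] == 0) { pos++; continue; }
        if (pos + 2 > len || pos + 2 + f[pos + 1] > len)           /* truncated option */
            return 0;
        if (f[pos] == 53 && f[pos + 1] == 1)
            out->msg_type = f[pos + 2];
        pos += 2 + f[pos + 1];
    }
    return out->msg_type != 0;
}

/* Constructed sample (not a capture): broadcast DHCPDISCOVER from 02:00:00:00:00:01,
 * checksums left at zero. Returns the frame length, 0 if buf is too small. */
size_t build_sample_discover(uint8_t *buf, size_t cap)
{
    static const uint8_t hdrs[] = {
        0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00, /* Ethernet */
        0x45,0x00,0x01,0x15, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,          /* IPv4, len 277, UDP */
        0x00,0x00,0x00,0x00, 0xff,0xff,0xff,0xff,                               /* 0.0.0.0 -> 255.255.255.255 */
        0x00,0x44,0x00,0x43, 0x01,0x01, 0x00,0x00 };                            /* UDP 68 -> 67, len 257 */
    static const uint8_t opts[] = { 0x63,0x82,0x53,0x63, 53,1,DHCPDISCOVER, 55,3,1,3,6, 255 };
    size_t n = sizeof hdrs + 236 + sizeof opts;
    if (cap < n)
        return 0;
    memset(buf, 0, n);
    memcpy(buf, hdrs, sizeof hdrs);
    uint8_t *bp = buf + sizeof hdrs;
    bp[0] = 1; bp[1] = 1; bp[2] = 6;          /* BOOTREQUEST, htype Ethernet, hlen 6 */
    memcpy(bp + 4, "\x12\x34\x56\x78", 4);    /* xid (assumed) */
    bp[10] = 0x80;                            /* BROADCAST flag */
    memcpy(bp + 28, buf + 6, 6);              /* chaddr = source MAC */
    memcpy(bp + 236, opts, sizeof opts);
    return n;
}

int main(int argc, char **argv)
{
    uint8_t buf[2048];
    struct dhcp_info info;
    size_t n = build_sample_discover(buf, sizeof buf);
    if (parse_dhcp_frame(buf, n, &info))
        printf("sample: DHCP type %u from %02x:%02x:%02x:%02x:%02x:%02x broadcast=%d\n",
               info.msg_type, info.chaddr[0], info.chaddr[1], info.chaddr[2],
               info.chaddr[3], info.chaddr[4], info.chaddr[5], info.is_broadcast);
    if (argc > 1) {                           /* optional: wait for one live DHCP frame on argv[1] */
        int fd = open_packet_socket(argv[1]);
        if (fd < 0) { perror("open_packet_socket"); return 1; }
        for (;;) {
            ssize_t r = recv(fd, buf, sizeof buf, 0);
            if (r > 0 && parse_dhcp_frame(buf, (size_t)r, &info)) {
                printf("live: DHCP type %u on %s, seen regardless of the INPUT policy\n",
                       info.msg_type, argv[1]);
                break;
            }
        }
        close(fd);
    }
    return 0;
}
```

Run it as root with an interface name while the filter table's INPUT policy is DROP and a client on that segment sends a DHCPDISCOVER: the frame is still printed, which is the behaviour Marek observed with dhcpd. Two checks follow from this. To find out which daemons on a host hold packet sockets and therefore sit outside the iptables policy, look at /proc/net/packet or run `ss -0` (the iproute2 option for PACKET sockets) and map the inodes back to processes. And because the kernel will not filter for such a program, the restriction has to live in the program itself: the interface it binds to (as above), the parsing it does before acting on a frame, and, for programs built like tcpdump and dhcpd, a BPF program attached with SO_ATTACH_FILTER, which is the standard mechanism for limiting what a packet socket delivers; that mechanism is not discussed in the thread and is mentioned here as an addition.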