* dhcp weirdness with iptables
@ 2003-09-23 14:09 Benoit Steinmetz
From: Benoit Steinmetz @ 2003-09-23 14:09 UTC (permalink / raw)
To: netfilter
Hi,
I get my IP address from a DHCP server. I have experienced strange behaviour of
my iptables firewall:
it seems that the DHCP packets are unaffected by the firewall, because,
no matter how restrictively I set up the firewall, the UDP packets coming from
port 67 on the DHCP server and going to the local port 68 pass through. Does this
have something to do with the Linux socket filter (CONFIG_FILTER in the kernel
configuration), which is needed by DHCP to work correctly?
Thanks,
Benoit Steinmetz.
* Re: dhcp weirdness with iptables
From: Harald Welte @ 2003-10-03 11:01 UTC (permalink / raw)
To: Benoit Steinmetz; +Cc: netfilter
On Tue, Sep 23, 2003 at 04:09:33PM +0200, Benoit Steinmetz wrote:
> it seems that the DHCP packets are unaffected by the firewall, because,
> no matter how restrictively I set up the firewall, the UDP packets coming from
> port 67 on the DHCP server and going to the local port 68 pass
> through. Does this have something to do with the Linux socket filter
> (CONFIG_FILTER in the kernel configuration), which is needed by DHCP
> to work correctly?
The question is: how is the dhcp client implemented?
If the DHCP server opens a PF_PACKET socket (like tcpdump does), then
there is no way iptables can filter those packets.
Only if the process uses the normal IP stack (PF_INET sockets) do packet
filtering rules apply.
> Thanks,
> Benoit Steinmetz.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
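As an added illustration of the point above (example code, not from Harald or from the netfilter project): a DHCP client that takes the PF_PACKET route attaches a classic BPF socket filter (the CONFIG_FILTER facility the question mentions) matching UDP destination port 68, so replies from port 67 are handed to it straight from the link layer and never traverse the netfilter INPUT chain. The block hand-assembles that standard "udp dst port 68" program and runs it in a small user-space interpreter over a constructed Ethernet/IPv4/UDP frame; the struct layout, opcodes and jump semantics follow linux/filter.h, and attaching the real thing uses setsockopt(SO_ATTACH_FILTER) on a PF_PACKET socket, which needs CAP_NET_RAW.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* same layout as linux/filter.h */
/* Hand-assembled classic BPF for "udp dst port 68" on an Ethernet PF_PACKET socket. */
static const struct sock_filter dhcp_client_filter[] = {
    { 0x28, 0, 0, 12 },         /* ldh [12]            A = EtherType          */
    { 0x15, 0, 8, 0x0800 },     /* jeq #IPv4           else -> drop           */
    { 0x30, 0, 0, 23 },         /* ldb [23]            A = IP protocol        */
    { 0x15, 0, 6, 17 },         /* jeq #UDP            else -> drop           */
    { 0x28, 0, 0, 20 },         /* ldh [20]            A = flags + frag off   */
    { 0x45, 4, 0, 0x1fff },     /* jset #0x1fff        later fragment -> drop */
    { 0xb1, 0, 0, 14 },         /* ldxb 4*([14]&0xf)   X = IP header length   */
    { 0x48, 0, 0, 16 },         /* ldh [x+16]          A = UDP dst port       */
    { 0x15, 0, 1, 68 },         /* jeq #68             else -> drop           */
    { 0x06, 0, 0, 0xffffffff }, /* ret #-1             accept whole frame     */
    { 0x06, 0, 0, 0 },          /* ret #0              drop                   */
};
/* User-space interpreter for the opcodes above; returns the accept length the kernel would (0 = dropped). */
static uint32_t run_filter(const struct sock_filter *p, size_t n, const uint8_t *f, size_t len) {
    uint32_t A = 0, X = 0;                     /* accumulator and index register */
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case 0x28: if (k + 2 > len) return 0; A = (f[k] << 8) | f[k + 1]; break;
        case 0x30: if (k + 1 > len) return 0; A = f[k]; break;
        case 0xb1: if (k + 1 > len) return 0; X = (f[k] & 0x0f) * 4; break;
        case 0x48: if (X + k + 2 > len) return 0; A = (f[X + k] << 8) | f[X + k + 1]; break;
        case 0x15: pc += (A == k) ? p[pc].jt : p[pc].jf; break; /* jumps are relative to next insn */
        case 0x45: pc += (A & k) ? p[pc].jt : p[pc].jf; break;
        case 0x06: return k;
        default:   return 0;                   /* opcode not modelled here */
        }
    }
    return 0;
}
/* Constructed 42-byte Ethernet/IPv4/UDP header skeleton (no payload, no checksums). */
static size_t build_udp_frame(uint8_t *f, uint16_t sport, uint16_t dport, uint16_t frag) {
    memset(f, 0, 42);
    f[12] = 0x08; f[14] = 0x45; f[23] = 17;    /* EtherType IPv4, IHL 5, protocol UDP */
    f[20] = frag >> 8; f[21] = frag & 0xff;    /* IP flags + fragment offset */
    f[34] = sport >> 8; f[35] = sport & 0xff;  /* UDP source port */
    f[36] = dport >> 8; f[37] = dport & 0xff;  /* UDP destination port */
    return 42;
}
/* 1 if the kernel would hand such a frame to the DHCP client's PF_PACKET socket. */
int dhcp_filter_accepts(uint16_t sport, uint16_t dport, uint16_t frag) {
    uint8_t f[42]; size_t n = build_udp_frame(f, sport, dport, frag);
    return run_filter(dhcp_client_filter, sizeof dhcp_client_filter / sizeof dhcp_client_filter[0], f, n) != 0;
}
```

The same holds for any PF_PACKET listener on the host, which is why a restrictive INPUT chain says nothing about what such a process receives.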