Re: Iptables not blocking DHCP/UDP correctly?
--- Bart-Jan Vrielink <bartjan@vrielink.net> wrote:
> On Fri, 2004-10-29 at 00:27 +0200, Bernd Eckenfels wrote:
> > On Thu, Oct 28, 2004 at 11:20:24PM +0200, Bart-Jan Vrielink wrote:
> > > On Thu, 2004-10-28 at 14:15 -0400, Larry Kelly wrote:
> > > > Help! Either iptables is not blocking DHCP requests or my
> > > > understanding of how to configure iptables to block is incorrect
> > > > (probably the latter).
> > >
> > > > dhcpd installed and running (listening on all interfaces).
> > > > iptables configured to block incoming and outgoing udp traffic.
> >
> > DHCP is not UDP, it is protocol "bootp"
>
> Huh?
> bartjan@trillian:~$ getent protocols|grep -i bootp
> bartjan@trillian:~$ getent services |grep -i bootp
> bootps 67/tcp
> bootps 67/udp
> bootpc 68/tcp
> bootpc 68/udp
>
> And as far as I can tell, it almost always uses udp, not tcp.
>
> > > dhcpd operates directly on the interface, right in front of the
> > > netfilter firewall.
> >
> > Nope.
>
> So it needs CONFIG_PACKET for no apparent reason?
> I lost count on the number of times I had to recompile a kernel because
> I forgot to include this one (and/or CONFIG_FILTER) and dhcp didn't
> work.
>
DHCP protocol is complex in that it uses MAC and IP tricks to work
correctly. I'm sure you could use UDP sockets, but I think the code for
this would be very messy. Instead the authors of DHCP have decided to
handle the UDP protocol themselves; I for one respect their decision.
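The point made above, that a DHCP daemon handles "the UDP protocol themselves" rather than going through a kernel UDP socket, is easiest to see by decoding a frame the way such a daemon sees it: raw Ethernet bytes off a packet socket, with the IP and UDP headers still attached and no netfilter verdict applied to that copy. The example below is added here and is not code from the thread or from any DHCP implementation; it builds a constructed DHCPDISCOVER (the client MAC `00:11:22:33:44:55`, the transaction id and all other values are made-up sample data), parses it back, and shows what an `iptables -p udp --dport 67` rule would key on. The `udp_rule_matches` helper is hypothetical and only illustrates why a match on port numbers does not imply the daemon is blocked: on Linux, AF_PACKET receivers get their copy of an incoming frame before the IP layer runs its netfilter hooks, and frames sent on a packet socket leave through the device without traversing them either.

```python
"""Decode a DHCP (BOOTP over UDP) frame as seen on a raw packet socket.

Added example, not part of the original mailing-list thread. All packet
contents are constructed sample data; nothing here touches the network.
"""
import struct
from socket import inet_ntoa

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the BOOTP fixed part
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ci yi si gi chaddr sname file
BOOTP_LEN = struct.calcsize(BOOTP_FMT)     # 236 bytes


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 when run over a header that already carries one."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_discover_frame(client_mac: bytes, xid: int) -> bytes:
    """Assemble a constructed DHCPDISCOVER: Ethernet / IPv4 / UDP / BOOTP.

    This is the shape a client emits before it has an address: source IP
    0.0.0.0, destination 255.255.255.255, Ethernet broadcast, ports 68 -> 67.
    """
    options = DHCP_MAGIC + bytes([53, 1, 1]) + b"\xff"     # option 53 = DHCP message type DISCOVER, then END
    bootp = struct.pack(BOOTP_FMT,
                        1, 1, 6, 0,                        # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                        xid, 0, 0x8000,                    # xid, secs, flags with the broadcast bit set
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr all 0.0.0.0
                        client_mac.ljust(16, b"\0"),       # chaddr is a 16-byte field; MAC fills 6
                        b"\0" * 64, b"\0" * 128) + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp   # UDP checksum 0 = not computed (IPv4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 128, 17, 0,
                         b"\0\0\0\0", b"\xff\xff\xff\xff")
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = b"\xff" * 6 + client_mac + b"\x08\x00"           # dst broadcast, src client MAC, EtherType IPv4
    return eth + ip_hdr + udp


def parse_dhcp_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> BOOTP by hand, as a packet-socket consumer must."""
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header or checksum")
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if {sport, dport} != {67, 68}:
        raise ValueError("not on the bootps/bootpc ports")
    payload = udp[8:ulen]
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    opts = payload[BOOTP_LEN:]
    if opts[:4] != DHCP_MAGIC:
        raise ValueError("BOOTP without DHCP magic cookie")
    msg_type = None
    i = 4
    while i < len(opts) and opts[i] != 255:               # 255 = END option
        if opts[i] == 0:                                  # 0 = PAD, no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53 and length == 1:
            msg_type = DHCP_TYPES.get(opts[i + 2], "unknown")
        i += 2 + length
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": inet_ntoa(ip[12:16]), "dst_ip": inet_ntoa(ip[16:20]), "proto": ip[9],
        "sport": sport, "dport": dport, "op": op, "xid": xid, "flags": flags,
        "chaddr": chaddr[:hlen].hex(":"), "message_type": msg_type,
    }


def udp_rule_matches(pkt: dict, dport: int) -> bool:
    """What a hypothetical `-p udp --dport <dport>` INPUT rule would key on.

    A True here only says the rule *would* match in the IP stack. A daemon
    reading AF_PACKET gets its copy of the frame before that stack runs its
    netfilter hooks, so the rule's verdict never reaches that copy.
    """
    return pkt["proto"] == 17 and pkt["dport"] == dport


if __name__ == "__main__":
    frame = build_discover_frame(bytes.fromhex("001122334455"), 0xDEADBEEF)
    pkt = parse_dhcp_frame(frame)
    print(f"{pkt['message_type']} from {pkt['chaddr']} {pkt['src_ip']}:{pkt['sport']} "
          f"-> {pkt['dst_ip']}:{pkt['dport']} xid={pkt['xid']:#x}")
    print("would match -p udp --dport 67:", udp_rule_matches(pkt, 67))
```

The practical consequence for the original question is that a port-based iptables rule is the wrong tool for keeping dhcpd away from an interface it should not serve: restrict which interfaces the daemon listens on in its own configuration, and if frames must be filtered before any packet-socket consumer sees them, that has to happen at the link layer rather than in the IP filter tables.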