Re: Iptables not blocking DHCP/UDP correctly?
--- Bart-Jan Vrielink <email@example.com> wrote:
> On Fri, 2004-10-29 at 00:27 +0200, Bernd Eckenfels wrote:
> > On Thu, Oct 28, 2004 at 11:20:24PM +0200, Bart-Jan Vrielink wrote:
> > > On Thu, 2004-10-28 at 14:15 -0400, Larry Kelly wrote:
> > > > Help! Either iptables is not blocking DHCP requests or my understanding of
> > > > how to configure iptables to block is incorrect (probably the
> > > >
> > > > dhcpd installed and running (listening on all interfaces).
> > > > iptables configured to block incoming and outgoing udp traffic.
> > DHCP is not UDP, it is protocol "bootp"
> bartjan@trillian:~$ getent protocols|grep -i bootp
> bartjan@trillian:~$ getent services |grep -i bootp
> bootps 67/tcp
> bootps 67/udp
> bootpc 68/tcp
> bootpc 68/udp
> And as far as I can tell, it almost always uses udp, not tcp.
> > > dhcpd operates directly on the interface, right in front of the
> > > netfilter firewall.
> > Nope.
> So it needs CONFIG_PACKET for no apparent reason?
> I lost count of the number of times I had to recompile a kernel because
> I forgot to include this one (and/or CONFIG_FILTER) and dhcp didn't
The DHCP protocol is complex in that it uses MAC and IP tricks to work
correctly. I'm sure you could use UDP sockets, but I think the code for
this would be very messy. Instead the authors of DHCP have decided to
handle the UDP protocol themselves; I for one respect their decision.
> Tot ziens,
> Bart-Jan Vrielink
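The "MAC and IP tricks" become concrete when you look at what a DHCPDISCOVER looks like on the wire. The Python below is an added example, not code from this thread or from ISC dhcpd: it builds a constructed DISCOVER frame, dissects it the way a process reading a packet socket sees it (the whole Ethernet frame, handed over before the IP stack and therefore before netfilter's INPUT chain), and applies the RFC 2131 section 4.1 rule for where the server's reply has to go. The client MAC, the transaction id and the hypothetical yiaddr 192.0.2.10 are constructed values.

```python
# Added example (not from the debian-firewall thread or from dhcpd): what a DHCP
# server sees on a packet socket, and why it sometimes has to write frames itself.
import struct

BROADCAST_MAC = b"\xff" * 6
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def ip_str(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_discover_frame(client_mac: bytes, xid: int, broadcast: bool = True) -> bytes:
    """Constructed DHCPDISCOVER as it appears on the wire: 0.0.0.0:68 -> 255.255.255.255:67."""
    options = b"\x35\x01\x01" + b"\xff"                  # option 53 = DISCOVER, then End
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                      # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000 if broadcast else 0,              # xid, secs, flags (bit 15 = broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr, yiaddr, siaddr, giaddr all zero
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_MAGIC + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17,
                         0, b"\0\0\0\0", b"\xff\xff\xff\xff")
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return BROADCAST_MAC + client_mac + b"\x08\x00" + ip_hdr + udp


def parse_dhcp_frame(frame: bytes) -> dict:
    """Dissect Ethernet/IPv4/UDP/BOOTP and return the fields a DHCP server relies on."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    udp = ip[ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    p = udp[8:ulen]
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", p[:12])
    if p[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    msg_type, i = None, 240
    while i < len(p) and p[i] != 0xFF:                   # walk TLV options until End (255)
        if p[i] == 0:                                    # Pad option carries no length byte
            i += 1
            continue
        code, length = p[i], p[i + 1]
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(p[i + 2], "type %d" % p[i + 2])
        i += 2 + length
    return {
        "eth_src": mac_str(frame[6:12]), "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
        "sport": sport, "dport": dport, "op": op, "xid": xid,
        "broadcast": bool(flags & 0x8000), "ciaddr": ip_str(p[12:16]), "giaddr": ip_str(p[24:28]),
        "chaddr": mac_str(p[28:28 + hlen]), "msg_type": msg_type,
    }


def reply_destination(req: dict, yiaddr: str) -> dict:
    """Where the OFFER/ACK must go (RFC 2131 section 4.1) and whether a plain UDP socket
    can deliver it. yiaddr is the address the server intends to hand out."""
    if req["giaddr"] != "0.0.0.0":      # came through a relay: ordinary unicast to the relay
        return {"dst_mac": None, "dst_ip": req["giaddr"], "dst_port": 67, "needs_packet_socket": False}
    if req["ciaddr"] != "0.0.0.0":      # client already holds an address it can be reached on
        return {"dst_mac": None, "dst_ip": req["ciaddr"], "dst_port": 68, "needs_packet_socket": False}
    if req["broadcast"]:                # client asked for a broadcast; SO_BROADCAST on UDP suffices
        return {"dst_mac": mac_str(BROADCAST_MAC), "dst_ip": "255.255.255.255", "dst_port": 68,
                "needs_packet_socket": False}
    # Unicast to an IP the client does not own yet: no ARP entry can exist for it, so
    # the server has to build the frame itself with chaddr as the destination MAC.
    return {"dst_mac": req["chaddr"], "dst_ip": yiaddr, "dst_port": 68, "needs_packet_socket": True}
```

The last branch is the trick the thread is talking about: the reply is addressed to an IP that nobody on the segment answers ARP for yet, so the server has to supply the destination MAC from chaddr and hand the finished frame to the driver, which is what dhcpd's packet socket (the CONFIG_PACKET and CONFIG_FILTER dependency) is for. The operational consequence for the original question is that a packet socket receives frames before the IP stack runs, so an iptables INPUT rule dropping UDP 67/68 never sees what dhcpd reads; the reliable control is to make dhcpd listen only on the intended interfaces (it takes interface names on its command line) rather than expecting the firewall to do it.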