
Re: iptables not logging or dhcp-client lying?



Olaf Meeuwissen <olaf@epkowa.co.jp> writes:

> Gabor Kovacs <koga@webigen.com> writes:
> 
> > Olaf Meeuwissen wrote:
> > 
> > > Basically, I'd like to keep the setup as closed as possible so I make
> > > a hole in /etc/dhclient-enter-hooks during the PREINIT stage to let
> > > the DHCPDISCOVER broadcast out (and a reply back in eventually, taking
> > > this one step at a time ;-).  At least, that's what I thought I should
> > > do, but I noticed that packets are not logged!
> > 
> > I think (but not sure) DHCP client is using (so called) raw sockets
> > which are below the layer where iptables is in the kernel. That's why
> > iptables is unable to see the packets.
> 
> Looks like you are right.  I set all built-in chains to LOG and a DROP
> policy (no other rules) and my interface configures fine.  Once it is
> up there's an incessant stream of logged packets (mainly win-DoS hosts
> letting everyone know who and where they are by shouting all over the
> subnet and, occasionally, beyond).
> 
> Oh well, I guess I can forget about making and plugging holes for the
> DHCPDISCOVER (and probably DHCPREQUEST) requests and their replies.
> That makes my job easier, but I guess the docs then need a fix ;-)

I gotta set myself straight here.  The DHCPDISCOVER does not need a
hole to make it past the packet filtering layer, but the DHCPREQUEST
does.  And from experience, it seems that dhclient starts requesting
without going through the /etc/dhclient-script.  Bummer, 'cause that
means you don't get the chance to open up a hole for the request and
close it once your lease has been renewed.  Oh well, I guess I have to
leave a hole open permanently for the requests to and replies from the
dhcp-server-identifier ...
-- 
Olaf Meeuwissen                            Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH
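
The rules the message above ends up needing, as an added example that is not part of Olaf's post or of dhclient: a pair of iptables holes between UDP port 68 on the client and UDP port 67 on the lease's dhcp-server-identifier, installed from a dhclient-enter-hooks style function. The interface name (eth0), the server address (192.0.2.1), the IPTABLES variable and the function names are assumptions made for the example; the reason/interface/new_dhcp_server_identifier/old_dhcp_server_identifier variables are the ones dhclient-script exports to its hooks. Because the renewal request goes out before any hook runs, the hole is added at BOUND and left in place, only moving if a rebind lands on a different server.

```shell
#!/bin/sh
# Added example, not code from the thread.  Opens the minimal iptables holes a
# DHCP client needs on a host whose built-in chains have a DROP policy: the
# broadcast DHCPDISCOVER leaves through a raw socket and is never filtered, but
# unicast renewals (DHCPREQUEST out, DHCPACK/DHCPNAK back) travel over ordinary
# UDP and are dropped unless a hole to the server identifier exists.

# Set IPTABLES=echo to print the commands instead of running them (no root needed).
: "${IPTABLES:=iptables}"

# dhcp_client_rules ACTION IFACE SERVER
#   ACTION is -A (add) or -D (delete); IFACE e.g. eth0 and SERVER the
#   dhcp-server-identifier from the lease (both assumptions here).
dhcp_client_rules() {
    action="$1"
    iface="$2"
    server="$3"
    [ -n "$action" ] && [ -n "$iface" ] && [ -n "$server" ] || return 1

    # Outgoing renewal: client udp/68 -> server udp/67, unicast to the server only.
    "$IPTABLES" "$action" OUTPUT -o "$iface" -p udp --sport 68 --dport 67 -d "$server" -j ACCEPT
    # Incoming reply: server udp/67 -> client udp/68, from the server only.
    "$IPTABLES" "$action" INPUT -i "$iface" -p udp --sport 67 --dport 68 -s "$server" -j ACCEPT
}

# Hook body meant to be sourced from /etc/dhclient-enter-hooks (example only).
# dhclient-script exports reason, interface, new_dhcp_server_identifier and
# old_dhcp_server_identifier into the hook's environment.
dhclient_firewall_hook() {
    case "$reason" in
        BOUND|REBOOT)
            # First lease on this interface: open the hole and keep it open,
            # since the next DHCPREQUEST is sent before any hook gets to run.
            dhcp_client_rules -A "$interface" "$new_dhcp_server_identifier"
            ;;
        RENEW|REBIND)
            # The request that got us here already passed through the existing
            # hole; only move it if the server identifier changed (rebind).
            if [ -n "$old_dhcp_server_identifier" ] &&
               [ "$old_dhcp_server_identifier" != "$new_dhcp_server_identifier" ]; then
                dhcp_client_rules -D "$interface" "$old_dhcp_server_identifier"
                dhcp_client_rules -A "$interface" "$new_dhcp_server_identifier"
            fi
            ;;
        EXPIRE|FAIL|RELEASE|STOP)
            # Lease gone: close the hole for the server we were talking to.
            if [ -n "$old_dhcp_server_identifier" ]; then
                dhcp_client_rules -D "$interface" "$old_dhcp_server_identifier"
            fi
            ;;
    esac
    return 0
}
```

To see the commands without touching a firewall, run `IPTABLES=echo reason=BOUND interface=eth0 new_dhcp_server_identifier=192.0.2.1 sh -c '. ./hook.sh; dhclient_firewall_hook'` (the file name is an assumption). The PREINIT stage deliberately gets no rule: as the message notes, the DHCPDISCOVER and its reply do not pass through the filter in the first place.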


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org