Linux Firewall not block dhcp requests

perl-list perl-list at network1.net
Tue Aug 14 18:22:26 UTC 2012


It is broadcast traffic. In Linux, it is difficult to block broadcast traffic ... I am not aware of how one might block broadcast traffic using iptables, in fact. You might be able to match on a MAC address and block certain packets that way....

----- Original Message -----

> From: "Steve Clark" <sclark at netwolves.com>
> To: "Users of ISC DHCP" <dhcp-users at lists.isc.org>
> Sent: Tuesday, August 14, 2012 2:16:32 PM
> Subject: Re: Linux Firewall not block dhcp requests

> On 08/14/2012 02:06 PM, Steve Clark wrote:

> > Hello,
> 

> > Can someone tell me how DHCP is seeing packets that according to my
> > firewall log are being dropped?
> 
> > Does DHCP read the packets before they get to the firewall like
> > tcpdump does?
> 

> > Chain fDROPnLOG (1 references)
> > pkts  bytes  target  prot opt in  out  source     destination
> > 143   16366  LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0    limit: avg 30/min burst 5 LOG flags 0 level 7 prefix `fw (fDROPnLOG) '
> > 143   16366  DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0
> 

> > Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 PROTO=UDP SPT=68 DPT=67 LEN=308
> 

> > tcpdump on eth0
> 
> > 13:55:58.667982 IP (tos 0x0, ttl 128, id 24427, offset 0, flags [none], proto UDP (17), length 328)
> >     10.254.207.66.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 5c:26:0a:73:b2:6a, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
> >       Client-IP 10.254.207.66
> >       Client-Ethernet-Address 5c:26:0a:73:b2:6a
> >       Vendor-rfc1048 Extensions
> >         Magic Cookie 0x63825363
> >         DHCP-Message Option 53, length 1: Inform
> >         Client-ID Option 61, length 7: ether 5c:26:0a:73:b2:6a
> >         Hostname Option 12, length 12: "7pdawson0412"
> >         Vendor-Class Option 60, length 8: "MSFT 5.0"
> >         Parameter-Request Option 55, length 13:
> >           Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
> >           Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
> >           Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
> >           Option 252
> 
> > 13:55:58.668418 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 328)
> >     10.254.207.65.67 > 10.254.207.66.68: [bad udp cksum ffd6!] BOOTP/DHCP, Reply, length 300, xid 0xc5a1ea3f, Flags [Broadcast] (0x8000)
> >       Client-IP 10.254.207.66
> >       Client-Ethernet-Address 5c:26:0a:73:b2:6a
> >       Vendor-rfc1048 Extensions
> >         Magic Cookie 0x63825363
> >         DHCP-Message Option 53, length 1: ACK
> >         Server-ID Option 54, length 4: 10.254.23.1
> >         Subnet-Mask Option 1, length 4: 255.255.255.192
> >         Default-Gateway Option 3, length 4: 10.254.207.65
> >         Domain-Name-Server Option 6, length 8: 172.16.11.180,172.16.11.181
> 
> Trying to answer my own question - could it be that, since the destination
> address is 255.255.255.255, it is hitting the loopback interface, which in my
> firewall allows everything to everything, and the DHCP server is listening
> on 0.0.0.0:67?

> --
> Stephen Clark
> NetWolves
> Director of Technology
> Phone: 813-579-3200
> Fax: 813-882-0209
> Email: steve.clark at netwolves.com
> http://www.netwolves.com
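The kernel LOG line and the tcpdump capture quoted above describe the same broadcast frame. As an added example (not code from the thread or from ISC DHCP), this Python parser reads a netfilter LOG line, splits its MAC= field into destination MAC, source MAC and EtherType, and flags DHCP client broadcasts (UDP 68 to 67, destination 255.255.255.255), so a dropped-packet log entry can be matched against the Client-Ethernet-Address that tcpdump reports; the sample line is the one from the thread, re-joined onto a single line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: the fDROPnLOG kernel line quoted in the thread,
# re-joined onto one line (the list archive wrapped it).
SAMPLE_LOG = (
    "Aug 14 13:55:58 kernel: fw (fDROPnLOG) IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:5c:26:0a:73:b2:6a:08:00 SRC=10.254.207.66 "
    "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=24427 "
    "PROTO=UDP SPT=68 DPT=67 LEN=308"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=VALUE tokens of a LOG line

@dataclass
class LogEntry:
    prefix: str                       # text between "kernel: " and the first KEY=
    fields: Dict[str, str] = field(default_factory=dict)
    dst_mac: Optional[str] = None     # first 6 octets of MAC=
    src_mac: Optional[str] = None     # next 6 octets of MAC=
    ethertype: Optional[int] = None   # last 2 octets of MAC= (0x0800 = IPv4)

def parse_log_line(line: str) -> LogEntry:
    """Split a netfilter LOG line into KEY=VALUE fields. LEN= appears twice
    (IP total length, then UDP length); the second is stored as UDP_LEN."""
    body = line.split("kernel: ", 1)[1]
    entry = LogEntry(prefix=body[: KV_RE.search(body).start()].strip())
    for key, value in KV_RE.findall(body):
        if key == "LEN" and "LEN" in entry.fields:
            key = "UDP_LEN"
        entry.fields[key] = value
    octets = entry.fields.get("MAC", "").split(":")
    if len(octets) == 14:             # dst(6) + src(6) + ethertype(2)
        entry.dst_mac = ":".join(octets[:6])
        entry.src_mac = ":".join(octets[6:12])
        entry.ethertype = int("".join(octets[12:]), 16)
    return entry

def is_dhcp_client_broadcast(entry: LogEntry) -> bool:
    """DHCP client request: UDP 68 -> 67 to the limited broadcast address,
    carried in an Ethernet broadcast frame."""
    f = entry.fields
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "68"
            and f.get("DPT") == "67" and f.get("DST") == "255.255.255.255"
            and entry.dst_mac == "ff:ff:ff:ff:ff:ff")

def same_client(entry: LogEntry, client_hw_addr: str) -> bool:
    """True when the frame's source MAC equals the Client-Ethernet-Address
    that tcpdump reported for the request."""
    return entry.src_mac is not None and entry.src_mac.lower() == client_hw_addr.lower()
```

Running it over the firewall log shows which dropped entries are the client's own DHCP broadcasts, which is what the tcpdump capture above was being compared against.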
