dhclient and pf/ipf/ipfw

Nikos Ntarmos ntarmos at cs.uoi.gr
Wed Dec 16 17:43:55 UTC 2009


Hi all.

I recently turned net.inet.udp.log_in_vain on on some of my boxen and
have been seeing UDP connection attempts to port 67 on the local host.
This initially seemed odd, as the target ip address was indeed that of a
DHCP-configured interface and the source address was that of my DHCP
server. However, it turns out this is totally valid, as dhclient(8) does
not bind(2) on the bootpc port but rather uses bpf(4) to intercept
incoming (e.g. DHCPACK) packets destined to the local machine. Nothing
wrong with this (other than the occasional log entries), but it got me
thinking that there is no need for a firewall rule to allow this sort of
traffic on the ingress path on single-host configurations. Moreover,
even if there is an inbound deny rule, dhclient(8) will still be able to
"receive" those DHCP reply packages (outbound broadcast packets (e.g.
DHCPDISCOVER) will also go out just fine but we still need an outbound
allow rule to let unicast messages leave the local host). Should we
update the relevant pf/ipf/ipfw/dhclient manpages, handbook sections,
and example configurations (at least those that have a rule to allow
incoming dhcp traffic)? Along the same lines, should udp.log_in_vain be
somehow informed to ignore connections to local port 67 from (a possible
list of) dhcp servers or even have dhclient(8) bind(2) on UDP port 67
and ignore any incoming messages?

Cheers.


PS: Sorry if this has come up again in the past; some google'ing through
mailing list archives didn't turn up anything related.
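An added pf.conf fragment (not from the original post, and not an official FreeBSD example) showing what a single-host ruleset looks like once the inbound DHCP allow rule is dropped, as the post proposes; the interface name em0 and the default-deny policy are assumptions for this example.

```pf
# Constructed single-host pf.conf fragment; em0 is an assumed dhclient(8)-managed interface.
ext_if = "em0"

set skip on lo0

# Default deny on the ingress path. There is deliberately no
# "pass in ... proto udp ... port 67" / "port 68" rule: dhclient(8) reads
# server replies (DHCPOFFER/DHCPACK) through bpf(4), which taps the
# interface below pf, so this block does not stop the lease from being
# obtained or renewed. (The replies still reach the UDP layer and can
# show up under net.inet.udp.log_in_vain; that is log noise, not a block.)
block in on $ext_if

# The egress rule is still required: unicast DHCPREQUEST renewals leave
# through the IP stack and are subject to the outbound ruleset.
pass out on $ext_if proto udp from port 68 to port 67

# This applies to a host that only runs a DHCP client. A box that forwards or
# relays DHCP for other hosts still needs explicit pass in rules.
# Syntax check before loading: pfctl -nf /etc/pf.conf
```

With pf's default stateful "pass out", unicast replies would also match the state entry; the point above is that even without that state, an inbound block does not stop dhclient(8) from seeing them.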


More information about the freebsd-security mailing list