On Tue, May 28, 2002 at 10:52:41PM +0100, Nick Drage wrote:

> > But I have one question:
> > 
> > You say, the default policy "DROP" does not catch this situation
> > because dhcpd uses the raw socket, bypassing netfilter.
> > 
> > But, why is netfilter then able to filter the DHCP packets if
> > you explicitly specify the rule, like:
> > 
> > $IPT -t filter -A INPUT -p udp --sport 68 --dport 67 -j DROP
> 
> Does this work with the *particular* DHCP software mentioned?

I know of only one dhcpd, which is from ISC.

> > What is the difference between a default DROP and an explicit DROP
> > with regards to a raw socket?
> 
> If this is a problem, then that means you could bypass netfilter / iptables
> by using raw sockets, so you could get traffic into or out of a supposedly
> protected box.

If anyone can grab a raw socket on your box you're toast anyways ;-)

> What else uses raw sockets, anything I could test with?  How about all the
> other protocols, like BGP ( and ICMP? ), don't they use a similar method to
> get in and out of a Linux host?

ICMP, yes, but BGP uses plain TCP. OSPF uses its own protocol (I believe 89),
which needs a raw socket.

Ramin

> -- 
> FunkyJesus System Administration Team
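Since the thread turns on daemons (dhcpd among them) that talk through packet sockets below the netfilter hooks, a useful firewall-review check is to list which processes on a host hold such sockets. The script below is an added example, not code from the thread or from ISC dhcpd; it assumes the Linux /proc/net/packet column layout (sk, RefCnt, Type, Proto, Iface, R, Rmem, User, Inode) and uses a constructed sample table, not a real capture.

```python
import os
import re

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_PROTOS = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP"}

# Constructed sample in the layout of /proc/net/packet (not a real capture):
# a SOCK_RAW socket bound to ETH_P_ALL on ifindex 2, and a SOCK_DGRAM one.
SAMPLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff0001 3      3    0003   2     1 0      0      12345
ffff0002 2      2    0800   2     0 0      0      12346
"""

def parse_proc_net_packet(text):
    """Parse the /proc/net/packet table; the first line is the header."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        socks.append({"type": SOCK_TYPES.get(int(f[2]), "type" + f[2]),
                      "proto": ETH_PROTOS.get(int(f[3], 16), "0x" + f[3]),
                      "ifindex": int(f[4]), "inode": int(f[8])})
    return socks

def socket_inode_owners(proc_root="/proc"):
    """Map socket inode -> pid via /proc/<pid>/fd symlinks.  Other users'
    processes are only readable as root; unreadable ones are skipped."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # permission denied, or the process exited meanwhile
        for link in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m:
                owners[int(m.group(1))] = int(pid)
    return owners

def audit(text, owners):
    """One report line per packet socket, with its owning pid where resolvable.
    Live use: audit(open("/proc/net/packet").read(), socket_inode_owners())."""
    return [f"pid={owners.get(s['inode'], '?')} {s['type']} {s['proto']} ifindex={s['ifindex']}"
            for s in parse_proc_net_packet(text)]
```

Every socket the report lists receives and sends frames without passing the INPUT/OUTPUT chains, so each one needs to be accounted for in the filtering policy rather than assumed covered by a default DROP.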
