On Tue, May 28, 2002 at 01:17:32PM -0700, Stewart Thompson wrote:
> Thanks for the excellent description Evan.

Yes. Truly, a very good explanation. But I have one question: You say the default policy "DROP" does not catch this situation because dhcpd uses the raw socket, bypassing netfilter. But why is netfilter then able to filter the DHCP packets if you explicitly specify the rule, like:

$IPT -t filter -A INPUT -p udp --sport 68 --dport 67 -j DROP

What is the difference between a default DROP and an explicit DROP with regards to a raw socket?

Ramin

>
> -----Original Message-----
> From: Evan Cofsky [mailto:[EMAIL PROTECTED]]
> Sent: May 28, 2002 9:34 AM
> To: Stewart Thompson; [EMAIL PROTECTED]
> Subject: Re: Can't block DHCP with iptables?
>
> Derrik Pates touched on this earlier in the thread, but I'll try and
> clarify a bit.
>
> The DHCP server of the ISC (Internet Software Consortium,
> http://www.isc.org) uses a different type of network access in Linux,
> so to speak. Normally, when programs need network access, they open
> up an Internet socket of the correct protocol (TCP/UDP), which gets
> any packets destined for it and can send packets after the kernel has
> applied all IP Tables rules to them. So if you have a policy of
> DROP/REJECT or you have a rule that matches a packet to/from this
> socket that DROP/REJECTs it, the socket will not receive or be able to
> send that packet.
>
> However, the ISC DHCP server uses an Internet Socket of protocol Raw
> instead of TCP or UDP. This facility, naturally, is only available to
> root (uid 0, really), and receives packets before the IP Tables
> processing. It also receives all Internet packet headers as well, so
> it gets to do additional processing.
>
> But because Raw sockets get packets before the IP Tables processing,
> the ISC DHCP server is able to obtain an IP address through DHCP.
>
> More information (possibly not in a useful state) can be found in the
> man pages for socket, ip, tcp, udp,
> http://nodevice.com/sections/ManIndex/man1275.html, and, of course,
> the source code.
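A raw socket, as Evan describes, hands the program the full IP and UDP headers rather than just the payload, so the program has to walk those headers itself. The added Python example below (not code from this thread or from ISC dhcpd) builds a constructed IPv4/UDP frame of that shape, parses it, and applies the same match as the `--sport 68 --dport 67` rule quoted above; the frame contents and function names are assumptions.

```python
import socket
import struct

DHCP_CLIENT_PORT = 68  # --sport 68
DHCP_SERVER_PORT = 67  # --dport 67
IPPROTO_UDP = 17


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed sample frame: IPv4 header + UDP header + payload, i.e. what a
    raw socket delivers (a normal UDP socket would deliver only `payload`).
    Checksums are left at zero; the parser below does not verify them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


def parse_ipv4_udp(frame):
    """Walk the headers a raw socket exposes. Returns (src, dst, sport, dport)
    for an IPv4/UDP frame, or None for anything else (non-IPv4, non-UDP,
    truncated)."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4  # IP header length in bytes, options included
    if ihl < 20 or frame[9] != IPPROTO_UDP or len(frame) < ihl + 8:
        return None
    src = socket.inet_ntoa(frame[12:16])
    dst = socket.inet_ntoa(frame[16:20])
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return src, dst, sport, dport


def matches_dhcp_rule(frame):
    """Same match as `-p udp --sport 68 --dport 67`, applied in user space."""
    hdr = parse_ipv4_udp(frame)
    return (hdr is not None
            and hdr[2] == DHCP_CLIENT_PORT and hdr[3] == DHCP_SERVER_PORT)


if __name__ == "__main__":
    # Constructed DHCP DISCOVER-style frame (client 68 -> server 67) and a DNS query.
    discover = build_ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67, b"\x01\x01\x06\x00")
    dns = build_ipv4_udp("10.0.0.5", "10.0.0.1", 40000, 53, b"\x12\x34")
    print(matches_dhcp_rule(discover), matches_dhcp_rule(dns))
```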
