On Tue, May 28, 2002 at 04:50:05PM -0400, Ramin Alidousti wrote:
> On Tue, May 28, 2002 at 01:17:32PM -0700, Stewart Thompson wrote:
> 
> > Thanks for the excellent description Evan.
> 
> Yes. Truly, a very good explanation.

Seconded.

> But I have one question:
> 
> You say, the default policy "DROP" does not catch this situation
> because dhcpd uses the raw socket, bypassing netfilter.
> 
> But, why is netfilter then able to filter the DHCP packets if
> you explicitly specify the rule, like:
> 
> $IPT -t filter -A INPUT -p udp --sport 68 --dport 67 -j DROP

Does this work with the *particular* DHCP software mentioned?

> What is the difference between a default DROP and an explicit DROP
> with regards to a raw socket?

If this is a problem, then that means you could bypass netfilter / iptables by using raw sockets, so you could get traffic into or out of a supposedly protected box. What else uses raw sockets, anything I could test with? How about all the other protocols, like BGP (and ICMP?), don't they use a similar method to get in and out of a Linux host.

-- 
FunkyJesus System Administration Team
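Added here as a worked example, not part of this message or the thread: a Python script that reads /proc/net/packet to list the AF_PACKET ("raw") sockets open on a Linux host and maps each one to its owning PID, which lets an administrator answer the "what else uses raw sockets?" question empirically for a given box. It assumes the standard /proc/net/packet column layout; the SAMPLE contents are constructed, and scanning other users' /proc/<pid>/fd requires root.

```python
# Added example, not from the thread: list AF_PACKET sockets on a Linux host and
# map them to owning PIDs, showing which daemons (dhcpd among them) send and
# receive below the netfilter INPUT/OUTPUT hooks. Assumes the standard
# /proc/net/packet columns; reading other users' /proc/<pid>/fd needs root.
import os
import re
from collections import namedtuple

# type 3 = SOCK_RAW, 2 = SOCK_DGRAM; proto = ethertype (0x0800 IPv4, 0x0003 all); ifindex 0 = any
PacketSocket = namedtuple("PacketSocket", "inode sock_type proto ifindex uid")
_SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}

def parse_proc_net_packet(text):
    """Parse /proc/net/packet: header, then 'sk RefCnt Type Proto Iface R Rmem User Inode'."""
    out = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue  # blank or truncated row
        out.append(PacketSocket(int(cols[8]), _SOCK_TYPES.get(int(cols[2]), "type" + cols[2]),
                                int(cols[3], 16), int(cols[4]), int(cols[7])))
    return out

def socket_owners(inodes):
    """Map socket inodes to PIDs by scanning /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or fds not readable without root
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in inodes:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners

# Constructed sample of /proc/net/packet: a root SOCK_RAW on ifindex 2 (what a
# DHCP server typically holds) and a uid-1000 SOCK_DGRAM capturing all interfaces.
SAMPLE = """sk       RefCnt Type Proto Iface R Rmem   User   Inode
ffff8880 3      3    0800   2     1 0        0      12345
ffff8881 2      2    0003   0     1 0        1000   12346
"""
if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        socks = parse_proc_net_packet(f.read())
    owners = socket_owners({s.inode for s in socks})
    for s in socks:
        print(s, "pids=%s" % owners.get(s.inode, []))
```

Any socket listed there is traffic that the filter table's INPUT and OUTPUT chains never see, so the output is the inventory to compare against what you expect to be running on the host.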
