Roar Bjørgum Rotvik <[EMAIL PROTECTED]> writes:
> In this scenario, the policy DROP exists before DHCP client starts up, but
> still the DHCP client manages to assign a new IP-address.
>
> ifconfig shows that eth0 has been assigned new IP-address. ping or
> any network traffic after that d
fup. I don't have an
> explanation for it. Time for the Guruz to chime in.
>
> Stu..
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Roar Bjørgum Rotvik
> Sent: May 27, 2002 11:58 PM
> To: [EMAIL PROT
On Tue, May 28, 2002 at 10:52:41PM +0100, Nick Drage wrote:
> > But I have one question:
> >
> > You say, the default policy "DROP" does not catch this situation
> > because dhcpd uses the raw socket, bypassing netfilter.
> >
> > But, why is netfilter then able to filter the DHCP packets if
> >
On Tue, May 28, 2002 at 04:50:05PM -0400, Ramin Alidousti wrote:
> On Tue, May 28, 2002 at 01:17:32PM -0700, Stewart Thompson wrote:
>
> > Thanks for the excellent description Evan.
>
> Yes. Truly, a very good explanation.
Seconded.
> But I have one question:
>
> You say, the default policy
---Original Message-
> From: Evan Cofsky [mailto:[EMAIL PROTECTED]]
> Sent: May 28, 2002 9:34 AM
> To: Stewart Thompson; [EMAIL PROTECTED]
> Subject: Re: Can't block DHCP with iptables?
>
> Derrik Pates touched on this earlier in the thread, but I'll try and
>
Thanks for the excellent description Evan.
-Original Message-
From: Evan Cofsky [mailto:[EMAIL PROTECTED]]
Sent: May 28, 2002 9:34 AM
To: Stewart Thompson; [EMAIL PROTECTED]
Subject: Re: Can't block DHCP with iptables?
Derrik Pates touched on this earlier in the thread, but I'
: May 28, 2002 10:21 AM
To: Stewart Thompson
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Can't block DHCP with iptables?
On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
> Roar:
>
> You are absolutely right. I just tried on one of my machines.
> I
On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
>> I'm on a local machine with interface eth0 down. I manually enter the
>> iptables policy DROP for all three "normal" chains, and then start up
>> interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and
>> ONBOOT=n).
>>
..
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Roar Bjørgum Rotvik
> Sent: May 27, 2002 11:58 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Can't block DHCP with iptables?
>
> On Mon, 27 May 2002, Stewart T
D]]On Behalf Of Roar Bjørgum Rotvik
Sent: May 27, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't block DHCP with iptables?
On Mon, 27 May 2002, Stewart Thompson wrote:
> Normally the iptables script runs after the interfaces have been brought up
> by the system.
> By that ti
On Mon, 27 May 2002, Stewart Thompson wrote:
> Normally the iptables script runs after the interfaces have been brought up
> by the system.
> By that time blocking DHCP is kind of irrelevant. A default policy of drop
> should block everything
> all right, but it is kind of closing the barn
"Stewart Thompson" wrote:
> Normally the iptables script runs after the interfaces have been brought up
> by the system.
From a security point of view, I'd suggest starting iptables _before_
networking comes up...
Adam
Roar:
Normally the iptables script runs after the interfaces have been brought up
by the system.
By that time blocking DHCP is kind of irrelevant. A default policy of drop
should block everything
all right, but it is kind of closing the barn door after the horse has left.
Why not just set
On Mon, May 27, 2002 at 10:13:11AM +0200, Roar Bjørgum Rotvik wrote:
> I have a problem blocking DHCP request/response with iptables.
>
> Am I wrong to assume that setting default policy for INPUT/OUTPUT/FORWARD
> to DROP would block any traffic on any interface?
>
> The problem is that 'ifup et