On 9/6/12 4:10 PM, Mr Dash Four wrote:
> The more I look into this, the more convinced I get that the 'dhcp'
> option should be deprecated and confined to history, without
> introducing any new options at all.
>
> Even if you somehow add the 2 new options, that still won't secure
> the firewall as much as a rules statement will (owner id as well as
> secmark can't be specified to start with, which means that the
> firewall still won't be fully secured). I am guessing that you
> originally introduced this option to allow dhcp traffic even when the
> firewall was closed/stopped, but shorewall these days is much more
> flexible and dhcp traffic rules can now be defined in "rules" as well
> as the new "stoppedrules" files - with all bells and whistles
> attached.
>
> Having written all that, yesterday I found something extremely
> annoying - even if I design the most beautifully crafted iptables
> rules and "restrict" DHCP traffic to/from the firewall, this, as it
> turns out, is completely *futile* as the DHCP client I am using - ISC
> DHCP - uses raw sockets, which means that the whole netfilter
> malarkey is completely bypassed [1] and the client goes through my
> firewall like the proverbial knife through butter!
>
> I've personally tested this today and saw it with my own eyes! So,
> any suggestions on how to restore control over my DHCP traffic are
> mostly welcome. Whoever invented DHCP should be rounded up and
> dragged back to the asylum s/he came from or shot on sight!
>
> [1] - Why DHCP uses raw sockets:
> https://deepthought.isc.org/article/AA-00378/0/Why-does-DHCP-use-raw-sockets.html
>
At least some DHCP clients use regular datagram sockets for lease renewal. So your rules may not be totally wasted.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
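Added example, not part of the thread and not Shorewall code: the question in the thread is really "which processes on my firewall talk below netfilter?" Frames sent and received through AF_PACKET sockets never traverse the iptables INPUT/OUTPUT chains, so the useful check is an inventory of who holds such sockets. The script below reads the Linux /proc/net/packet table (assumed column order: sk, RefCnt, Type, Proto, Iface, R, Rmem, User, Inode) and maps each socket inode back to the owning PIDs via /proc/<pid>/fd. A DHCP client in its initial DISCOVER/REQUEST phase will typically show up as a SOCK_RAW entry here; the unicast renewal Tom mentions goes through an ordinary UDP socket and is not listed. The sample table in the block is constructed for the self-test.

```python
"""Audit which local processes hold AF_PACKET sockets (Linux only).

Constructed example, not from the Shorewall thread. It reads the kernel's
/proc/net/packet table and maps each socket inode to the PIDs that own it,
so an administrator can see which daemons (e.g. a DHCP client) send and
receive frames below the netfilter hooks that iptables rules attach to.
"""
import glob
import os
import re

PACKET_TABLE = "/proc/net/packet"

# Socket types as they appear in the Type column of /proc/net/packet.
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
# A few EtherTypes that commonly appear in the Proto column (hex in the file).
ETH_PROTOS = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP"}

# Constructed sample of what the kernel table looks like (two sockets).
SAMPLE_TABLE = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff8800 3      3    0003   2     1 0      0      12345\n"
    "ffff8801 2      2    0800   0     0 0      1000   67890\n"
)


def parse_packet_table(text):
    """Parse /proc/net/packet text into dicts; the header line is skipped.

    Assumed column order: sk RefCnt Type Proto Iface R Rmem User Inode.
    """
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue  # blank or truncated line
        rows.append({
            "type": int(fields[2]),          # 3 = SOCK_RAW, 2 = SOCK_DGRAM
            "proto": int(fields[3], 16),     # EtherType the socket is bound to
            "ifindex": int(fields[4]),       # 0 = not bound to one interface
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return rows


def socket_owners(proc_root="/proc"):
    """Map socket inode -> sorted list of PIDs whose fd table references it.

    Needs enough privilege to read other users' /proc/<pid>/fd; entries that
    cannot be read are silently skipped, so run as root for a full picture.
    """
    owners = {}
    for fd_path in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            target = os.readlink(fd_path)
        except OSError:
            continue  # process exited, fd closed, or permission denied
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            pid = int(fd_path.split(os.sep)[-3])  # .../<pid>/fd/<n>
            owners.setdefault(int(m.group(1)), set()).add(pid)
    return {inode: sorted(pids) for inode, pids in owners.items()}


def describe(rows, owners):
    """Join parsed table rows with owning PIDs into readable records."""
    out = []
    for r in rows:
        out.append({
            "type": SOCK_TYPES.get(r["type"], str(r["type"])),
            "proto": ETH_PROTOS.get(r["proto"], "0x%04x" % r["proto"]),
            "ifindex": r["ifindex"],
            "uid": r["uid"],
            "pids": owners.get(r["inode"], []),  # [] = owner not visible to us
        })
    return out


def main():
    with open(PACKET_TABLE) as f:
        rows = parse_packet_table(f.read())
    for rec in describe(rows, socket_owners()):
        pids = ",".join(map(str, rec["pids"])) or "?"
        print("%-10s %-10s ifindex=%-3d uid=%-5d pids=%s"
              % (rec["type"], rec["proto"], rec["ifindex"], rec["uid"], pids))


if __name__ == "__main__":
    main()
```

Run it as root on the firewall host; a "?" in the pids column means the owning process was not readable. Anything listed as SOCK_RAW with ETH_P_ALL or ETH_P_IP is sending and receiving IP traffic that the netfilter chains never see, so the rules written in "rules" or "stoppedrules" for that traffic are not being consulted. Restricting such a client therefore has to happen elsewhere (for example by confining the process, or by filtering at a layer below netfilter on the interface) rather than in iptables.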
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
