[Bug 730] DHCP request (and other?) traffic bypasses iptables/netfilter

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Wed Jul 27 20:13:10 CEST 2011


http://bugzilla.netfilter.org/show_bug.cgi?id=730


Robert Lange <rcl24 at drexel.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
--- Comment #4 from Robert Lange <rcl24 at drexel.edu>  2011-07-27 20:13:10 ---
Per Mark Andrews of isc.org:

"DHCP uses packet filters and these tie into the IP stack before the
firewall."

A different topic, but the explanation is also relevant here:

https://lists.isc.org/pipermail/dhcp-users/2010-January/010723.html

Apparently dhcpd uses raw sockets to maximize its robustness and reliability in
dealing with DHCP.  Also, it uses as a fallback a UDP socket, and it was the
packets to this fallback that iptables was dropping.

So, if your DHCP server operates on the same machine as your firewall, don't
expect your firewall to stop traffic to it.
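To make the mechanism in this comment concrete, here is an added illustration that is not part of the bug report and not dhcpd's code: it builds the classic BPF program for "IPv4, UDP, first fragment, destination port 67" on an Ethernet link, exercises it offline with a small interpreter on a constructed frame, and, when run as root on Linux with an interface name, attaches it to an AF_PACKET socket. Frames delivered to such a socket are copied off at the device layer before the IP stack runs its netfilter hooks, so an iptables INPUT rule dropping udp/67 never sees them. The interface name, the constructed frames, and the accept length 0x40000 are assumptions made for the example; the opcode and socket-option constants are the Linux values from linux/filter.h and asm-generic/socket.h.

```python
import ctypes
import socket
import struct
import sys

# Classic BPF opcode fields (linux/filter.h / linux/bpf_common.h)
BPF_LD, BPF_LDX, BPF_JMP, BPF_RET = 0x00, 0x01, 0x05, 0x06
BPF_H, BPF_B = 0x08, 0x10                      # load sizes
BPF_ABS, BPF_IND, BPF_MSH = 0x20, 0x40, 0xA0   # addressing modes
BPF_JEQ, BPF_JSET, BPF_K = 0x10, 0x40, 0x00
SO_ATTACH_FILTER = 26                          # Linux socket option number
ETH_P_ALL = 0x0003

def stmt(code, k):
    return (code, 0, 0, k)

def jump(code, jt, jf, k):
    return (code, jt, jf, k)

def dhcp_server_filter():
    """cBPF program matching what a DHCP server listens for: IPv4 / UDP /
    non-fragment / UDP destination port 67.  Jump offsets are relative to
    the following instruction; index 9 accepts, index 10 rejects."""
    return [
        stmt(BPF_LD | BPF_H | BPF_ABS, 12),             # 0: A = EtherType
        jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 8, 0x0800),  # 1: not IPv4 -> reject
        stmt(BPF_LD | BPF_B | BPF_ABS, 23),             # 2: A = IP protocol
        jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 6, 17),      # 3: not UDP -> reject
        stmt(BPF_LD | BPF_H | BPF_ABS, 20),             # 4: A = flags/frag offset
        jump(BPF_JMP | BPF_JSET | BPF_K, 4, 0, 0x1FFF), # 5: later fragment -> reject
        stmt(BPF_LDX | BPF_B | BPF_MSH, 14),            # 6: X = IP header length
        stmt(BPF_LD | BPF_H | BPF_IND, 16),             # 7: A = UDP dst port (14+X+2)
        jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 67),      # 8: port 67? else reject
        stmt(BPF_RET | BPF_K, 0x40000),                 # 9: accept (snaplen, assumed)
        stmt(BPF_RET | BPF_K, 0),                       # 10: reject
    ]

def run_filter(prog, pkt):
    """Minimal cBPF interpreter for the opcodes used above; returns the
    accepted byte count (0 means the kernel would drop the frame)."""
    A = X = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_RET:
            return k
        if cls == BPF_LD:
            off = k + (X if (code & 0xE0) == BPF_IND else 0)
            size = 2 if (code & 0x18) == BPF_H else 1
            if off + size > len(pkt):          # out-of-bounds load rejects
                return 0
            A = struct.unpack_from("!H" if size == 2 else "!B", pkt, off)[0]
        elif cls == BPF_LDX and (code & 0xE0) == BPF_MSH:
            if k >= len(pkt):
                return 0
            X = (pkt[k] & 0x0F) * 4            # 4 * (ihl & 0xf)
        elif cls == BPF_JMP:
            op = code & 0xF0
            taken = (A == k) if op == BPF_JEQ else (A & k) != 0
            pc += jt if taken else jf
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)

def udp_frame(dst_port, payload=b"\x01" * 8, frag_field=0):
    """Constructed broadcast Ethernet/IPv4/UDP frame (sample input, not a
    real capture): src 0.0.0.0:68 -> dst 255.255.255.255:<dst_port>."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234,
                     frag_field, 64, 17, 0, b"\x00" * 4, b"\xff" * 4)
    udp = struct.pack("!HHHH", 68, dst_port, udp_len, 0)
    return eth + ip + udp + payload

def pack_program(prog):
    """Serialise to struct sock_filter[] (u16 code, u8 jt, u8 jf, u32 k)."""
    return b"".join(struct.pack("HBBI", *insn) for insn in prog)

def open_dhcp_packet_socket(ifname):
    """Linux, root only: AF_PACKET socket with the filter attached.  Matching
    frames are delivered here regardless of iptables INPUT rules, because the
    packet tap runs in the device layer before the IP stack's netfilter hooks."""
    prog = pack_program(dhcp_server_filter())
    buf = ctypes.create_string_buffer(prog)       # must outlive setsockopt
    fprog = struct.pack("HL", len(prog) // 8, ctypes.addressof(buf))
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    s.bind((ifname, 0))
    return s

if __name__ == "__main__":
    # Offline demonstration of the filter logic
    prog = dhcp_server_filter()
    print("udp/67 frame accepted:", run_filter(prog, udp_frame(67)) != 0)
    print("udp/80 frame accepted:", run_filter(prog, udp_frame(80)) != 0)
    # Live capture when an interface is given (e.g. "eth0", an assumption)
    if len(sys.argv) > 1:
        with open_dhcp_packet_socket(sys.argv[1]) as sock:
            frame = sock.recv(65535)
            print("received %d-byte DHCP frame below netfilter" % len(frame))
```

The offline part shows what the filter keeps and drops: a constructed DHCP-style frame to port 67 is accepted, one to port 80 or a non-first IP fragment is rejected. The live part is what matters for the comment's point: with the socket open, add an INPUT rule dropping udp/67 and the socket still receives the frames, which is the behaviour the reporter observed. The only traffic iptables could touch was the fallback UDP socket, so filtering a co-located DHCP server has to be done by the server's own interface binding rather than by INPUT rules.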

