Firewall Wizards mailing list archives

ipchains cannot block dhcp


From: Miyajima Hiroaki <miyajima () np bs1 fc nec co jp>
Date: Fri, 19 May 2000 22:44:31 +0900

Nice to meet you!

When filtering packets with ipchains (Linux),
dhcpd worked normally even though all packets were blocked.

I assumed all packets would be discarded.
So I am wondering why dhcpd could still work.

Please let me know the reason.

I explain this in more detail below:
--
[My environment]
Lan: 100base ethernet
Server (linux)
  IP: 133.203.205.200/24 (single home)
  kernel: 2.2.15-5
  ipchains: 1.3.9, 17-Mar-1999
  dhcpd: ISC DHCP Server 2.0
Client (win95)
  mac: 00:00:4c:53:ca:61
  assigned IP: 133.203.205.173
--
[Points]
(A) In this configuration, all input and output packets should be blocked (DENY).
(B) But dhcpd received a request from a client and responded to it.
     (An IP address was leased.)
(C) And there is a packet log entry saying the packet was DENYed.
--

And the typescript is below:

-- begin of typescript --
Script started on Thu May 18 16:49:29 2000
[root@river miya]# uname -a
Linux river.np.bs1.fc.nec.co.jp 2.2.15-5 #1 Mon May 15 12:24:13 JST 2000 i686 unknown
[root@river miya]# ipchains -L
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       all  ----l-  anywhere             anywhere              n/a
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       all  ----l-  anywhere             anywhere              n/a
[root@river miya]# /usr/sbin/dhcpd -d
Internet Software Consortium DHCP Server 2.0
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
All rights reserved.

Please contribute if you find this software useful.
For info, please visit http://www.isc.org/dhcp-contrib.html

Listening on LPF/eth0/00:00:4c:59:d8:a4/133.203.205.0
Sending on   LPF/eth0/00:00:4c:59:d8:a4/133.203.205.0
Sending on   Socket/fallback/fallback-net
DHCPREQUEST for 133.203.205.173 from 00:00:4c:53:ca:61 via eth0
DHCPACK on 133.203.205.173 to 00:00:4c:53:ca:61 via eth0

[root@river miya]# grep ":67" /var/log/messages
May 18 16:51:05 river kernel: Packet log: input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=32 (#1)
[root@river miya]# exit
exit

Script done on Thu May 18 16:52:02 2000
-- end of typescript --


Thank you all.
--
Hiroaki Miyajima (NEC,Tokyo)
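The "Listening on LPF/eth0" line in the dhcpd output is the clue: LPF is a link-layer (AF_PACKET) socket that receives frames from the driver before they enter the IP stack where ipchains applies its input chain, so dhcpd saw the DHCPREQUEST even though the kernel logged the same datagram as DENY. The following added example (not code from this post or from ISC dhcpd) taps eth0 the same way and decodes a broadcast DHCPREQUEST; the interface name, the constructed sample frame and the function names are assumptions.

```python
import socket
import struct

ETH_P_IP = 0x0800        # EtherType for IPv4
IPPROTO_UDP = 17         # the PROTO=17 seen in the ipchains log line
DHCP_PORTS = {67, 68}    # server / client UDP ports
BOOTP_OPS = {1: "BOOTREQUEST", 2: "BOOTREPLY"}

def parse_dhcp_frame(frame: bytes):
    """Decode Ethernet/IPv4/UDP/BOOTP headers of one raw frame.
    Returns a dict for a DHCP datagram, None for anything else."""
    if len(frame) < 14 + 20 + 8 + 236 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_UDP:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if {sport, dport} != DHCP_PORTS:
        return None
    bootp = ip[ihl + 8:]
    op, hlen = bootp[0], bootp[2]
    chaddr = ":".join(f"{b:02x}" for b in bootp[28:28 + hlen])   # client hardware address
    return {"op": BOOTP_OPS.get(op, f"op={op}"),
            "src": f"{socket.inet_ntoa(ip[12:16])}:{sport}",
            "dst": f"{socket.inet_ntoa(ip[16:20])}:{dport}",
            "chaddr": chaddr}

def build_dhcp_request_frame(client_mac: bytes) -> bytes:
    """Constructed sample (assumption): a minimal broadcast DHCPREQUEST, 0.0.0.0:68 -> 255.255.255.255:67."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, client_mac.ljust(16, b"\0"))
    bootp += b"\0" * 192 + b"\x63\x82\x53\x63" + b"\x35\x01\x03\xff"  # sname/file, cookie, type 3, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 32, IPPROTO_UDP, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + client_mac + struct.pack("!H", ETH_P_IP) + ip

def listen(ifname="eth0"):
    """Tap frames at the link layer, as dhcpd's LPF does. Needs root and Linux (AF_PACKET)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    s.bind((ifname, 0))
    while True:
        info = parse_dhcp_frame(s.recv(65535))
        if info:
            print(info)

if __name__ == "__main__":
    print(parse_dhcp_frame(build_dhcp_request_frame(bytes.fromhex("00004c53ca61"))))
    listen()   # then report real DHCP frames on eth0, whatever the firewall rules say
```

Any frame this prints was delivered to the socket regardless of the ipchains input chain, which is the behaviour the typescript shows; a firewall that must stop DHCP on a 2.2 host therefore has to act on the server process (not running it, or binding it to another interface) rather than on the IP filter alone.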


