Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: None <email@example.com>
From: Bill Squier <firstname.lastname@example.org>
Date: 01/06/2002 02:51:43
On Sat, Jan 05, 2002 at 08:31:08PM -0500, Jim Wise wrote:
> Unfortunately I _am_ (see the rc.conf snippet in the original post).
> dhcpd uses INADDR_ANY (and uses bpf on all interfaces), and then doesn't
> respond on the interfaces it's not configured to serve.
> This means a.) that without ipf, dhcpd is seen by an outside port
> scanner as listening on all interfaces, specified or not, and b.) that
> even with ipf, dhcpd is seen by an outside portscanner on udp port 68.
> It also means that were there (and I don't know of any) a buffer
> overflow or other security problem in dhcpd's internal udp handling, ipf
> could _not_ be used to protect the machine from outside exploitation.
Compile dhcpd to use sockets instead of bpf.
Bill Squier (email@example.com) http://www.netbsd.org
I know I don't deserve another chance, but this _is_ America,
and as an American, aren't I entitled to one? --Sideshow Bob.
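The exposure Jim describes in point a.) is a wildcard (INADDR_ANY) bind: the socket answers on every address the host has, whatever interfaces dhcpd is told to serve. The script below is an added example, not code from this thread or from the dhcpd project; it audits a BSD-style `netstat -an` listing for UDP sockets on the DHCP ports (67 and 68) that are bound to `*` rather than to a specific address. The listing it parses is constructed sample output embedded in the script so it runs offline; the `netstat` column layout assumed here is the BSD one (address and port joined by a dot, `*` for the wildcard), and the DHCP port set and the function names are the example's own.

```python
"""Audit a host's UDP listeners for wildcard (INADDR_ANY) binds on the DHCP ports.

Added example, not from the thread: the input is constructed, BSD-style
`netstat -an` output, embedded below so the script runs offline.  A line of the
form `udp  0  0  *.67  *.*` means the socket is bound to INADDR_ANY, which is
exactly the "listening on all interfaces, specified or not" exposure the
thread describes.
"""
import re
from dataclasses import dataclass

DHCP_PORTS = {67, 68}   # bootps / bootpc: the ports a DHCP server uses

# Constructed sample of what a BSD netstat -an listing might contain.
# Not real output from any machine; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.10.22          198.51.100.7.51234     ESTABLISHED
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  *.67                   *.*
udp        0      0  *.68                   *.*
udp        0      0  192.0.2.10.123         *.*
udp        0      0  *.514                  *.*
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str   # "*" means INADDR_ANY
    port: int

# BSD netstat joins address and port with a dot; the address is either "*"
# or a dotted quad, so the port is whatever follows the last dot.
_LOCAL_RE = re.compile(r"^(?P<addr>\*|\d+(?:\.\d+){3})\.(?P<port>\d+)$")

def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return every UDP socket and every TCP socket in LISTEN state."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto = fields[0]
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue   # established TCP connections are not listeners
        m = _LOCAL_RE.match(fields[3])
        if not m:
            continue
        found.append(Listener(proto, m.group("addr"), int(m.group("port"))))
    return found

def wildcard_dhcp_listeners(netstat_output: str) -> list[Listener]:
    """UDP sockets on the DHCP ports bound to INADDR_ANY.

    These answer on every interface address, not only the ones the daemon is
    configured to serve, so a host-level filter is the only thing between
    them and an outside sender."""
    return [lst for lst in parse_listeners(netstat_output)
            if lst.proto == "udp" and lst.addr == "*" and lst.port in DHCP_PORTS]

if __name__ == "__main__":
    for lst in wildcard_dhcp_listeners(SAMPLE_NETSTAT):
        print(f"{lst.proto} port {lst.port} bound to INADDR_ANY ({lst.addr})")
```

On a real host you would feed the script `netstat -an` output instead of the constructed sample; a hit on port 67 or 68 with `*` as the local address is the condition to watch for, and a bind to a specific address (like the `192.0.2.10.123` line in the sample) is what a per-interface configuration would look like instead.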