Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: None <>
From: Bill Squier <>
List: tech-net
Date: 01/06/2002 02:51:43
On Sat, Jan 05, 2002 at 08:31:08PM -0500, Jim Wise wrote:
> Unfortunately I _am_ (see the rc.conf snippet in the original post).
> dhcpd uses INADDR_ANY (and uses bpf on all interfaces), and then doesn't
> respond on the interfaces it's not configured to serve.
> This means a.) that without ipf, dhcpd is seen by an outside port
> scanner as listening on all interfaces, specified or not, and b.) that
> even with ipf, dhcpd is seen by an outside portscanner on udp port 68.
> It also means that were there (and I don't know of any) a buffer
> overflow or other security problem in dhcpd's internal udp handling, ipf
> could _not_ be used to protect the machine from outside exploitation.

Compile dhcpd to use sockets instead of bpf.

Bill Squier (                

        I know I don't deserve another chance, but this _is_ America,
        and as an American, aren't I entitled to one?  --Sideshow Bob.