Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: Steven M. Bellovin <>
From: Jim Wise <>
List: tech-net
Date: 01/06/2002 15:10:33

If you'll look at the rc.conf snippet included in the original message,
I _am_ running dhcpd only on the inside interface.  In fact, dhcpd
listens on ports 67 and 111 with INADDR_ANY, and bpfs on _all_
interfaces for port 68.  Only after receiving a packet does dhcpd check
to see if the packet is from an interface it is supposed to be listening

This, of itself, is pretty clearly a bug in dhcpd.  The fact that dhcpd
in addition uses bpf, and is thus not wrappable with ipfilter makes the
matter even worse.

On Sun, 6 Jan 2002, Steven M. Bellovin wrote:

>In message <>, Mipam writes:
>>> from nmap from an outside host:
>>> ...
>>> 68/udp     open        bootpc
>>> ...
>>This is because dhcp listens on bpf which is before ipf (seen from
>>outside). So requests and answers won't go through the in-kernel
>>ip stack and so also not through ipf which listens in front of the ip stack.
>Run dhcpd only on the inside interface.  It may still be possible to
>send it packets via hand-crafted stuff by someone on the outside LAN,
>but it should help.
>		--Steve Bellovin,
>		Full text of "Firewalls" book now at

-- 
				Jim Wise
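An added audit helper (not part of this thread or of dhcpd) that separates the two exposures discussed above: wildcard UDP binds, which ipf can still filter, and /dev/bpf descriptors, which receive frames before ipf sees them. The netstat(1) and fstat(1) output below is constructed for illustration, and only the column positions used here are assumed.

```python
"""Classify dhcpd-style listeners from netstat/fstat-style output."""
import re

# Ports named in the thread: 67/68 (DHCP/bootp) and 111 as reported.
DHCP_PORTS = {67, 68, 111}

# Constructed sample of `netstat -an -f inet` output (not a real capture).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
udp        0      0  *.67                   *.*
udp        0      0  *.111                  *.*
udp        0      0  192.168.1.1.53         *.*
tcp        0      0  *.22                   *.*                    LISTEN
"""

# Constructed sample of `fstat` output (not a real capture).
FSTAT_SAMPLE = """\
USER     CMD          PID   FD MOUNT       INUM MODE         SZ|DV R/W
root     dhcpd        214    4 /dev        1234 crw-rw----    bpf0 r
root     dhcpd        214    5 /dev        1235 crw-rw----    bpf1 r
root     sshd         180    3 /dev          51 crw-rw-rw-    null rw
"""

def wildcard_udp_binds(netstat_text, ports=DHCP_PORTS):
    """Return {port: local_address} for UDP sockets bound to INADDR_ANY ('*')."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "udp":
            continue
        addr, _, port = fields[3].rpartition(".")   # "*.67" -> ("*", ".", "67")
        if addr == "*" and port.isdigit() and int(port) in ports:
            found[int(port)] = fields[3]
    return found

def bpf_holders(fstat_text):
    """Return {pid: command} for processes holding an open bpf device."""
    holders = {}
    for line in fstat_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 3 and any(re.fullmatch(r"bpf\d*", f) for f in fields):
            holders[int(fields[2])] = fields[1]
    return holders

def exposure_report(netstat_text, fstat_text):
    """Socket binds are reachable via the IP stack, so ipf rules apply to them;
    bpf readers see frames first and need the daemon restricted by interface."""
    return {"filterable_by_ipf": sorted(wildcard_udp_binds(netstat_text)),
            "bypasses_ipf": bpf_holders(fstat_text)}
```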