Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: None <email@example.com, firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 01/06/2002 15:53:03
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Steven" == Steven M Bellovin <firstname.lastname@example.org> writes:
Steven> In message <20020106194425.B622@ibb1150.ibb.uu.nl>, Mipam writes:
>>> from nmap from an outside host:
>>> 68/udp open bootpc
>> This is because dhcp listens on bpf which is before ipf (seen from
>> outside). So requests and answers wont go through the in-kernel
>> ip stack and so also not through ipf which listens in front of the ip stack.
Steven> Run dhcpd only on the inside interface. It may still be possible to
Steven> send it packets via hand-crafted stuff by someone on the outside LAN,
Steven> but it should help.
As has been pointed out, the packets are still seen by dhcpd, and the port
How can I tell from outside if the machine is still intact, or now has a
trojan on port 68 now? What does one tell the customer when they hire a 3rd
party to do an audit on the install?
We need to fix this, let's stop other arguments.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] email@example.com http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Comment: Finger me for keys
-----END PGP SIGNATURE-----