Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: None <,>
From: Michael Richardson <>
List: tech-net
Date: 01/06/2002 15:53:03

>>>>> "Steven" == Steven M Bellovin <> writes:
    Steven> In message <>, Mipam writes:
    >> [SNIP]
    >>> from nmap from an outside host:
    >>> ...
    >>> 68/udp     open        bootpc
    >>> ...
    >> This is because dhcp listens on bpf which is before ipf (seen from
    >> outside). So requests and answers won't go through the in-kernel
    >> ip stack and so also not through ipf which listens in front of the ip stack.

    Steven> Run dhcpd only on the inside interface.  It may still be possible to 
    Steven> send it packets via hand-crafted stuff by someone on the outside LAN, 
    Steven> but it should help.

  As has been pointed out, the packets are still seen by dhcpd, and the port
looks open. 

  How can I tell from outside if the machine is still intact, or now has a
trojan on port 68? What does one tell the customer when they hire a 3rd
party to do an audit on the install?

  We need to fix this, let's stop other arguments.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
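An added example, not part of the thread or of NetBSD's dhcpd: it builds a minimal RFC 2131 DHCPDISCOVER and recognises a matching DHCPOFFER, so an operator auditing from an outside host can verify whether dhcpd still answers on an interface it was meant to ignore (the MAC and transaction id below are constructed values).

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 options marker


def build_discover(xid: int, mac: bytes) -> bytes:
    """Return a minimal BOOTREQUEST carrying option 53 = DHCPDISCOVER."""
    assert len(mac) == 6
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,                    # op: BOOTREQUEST
        1, 6, 0,              # htype ethernet, hlen 6, hops 0
        xid,                  # transaction id the server must echo
        0, 0x8000,            # secs, flags: broadcast bit set
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr..giaddr
        mac.ljust(16, b"\0"),  # chaddr
        b"\0" * 64, b"\0" * 128,  # sname, file
    )
    return fixed + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"


def parse_dhcp_options(payload: bytes) -> dict:
    """Decode TLV options after the magic cookie; stops at 0xff."""
    opts, i = {}, 0
    while i < len(payload):
        tag = payload[i]
        if tag == 0xFF:
            break
        if tag == 0:          # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def is_offer_for(reply: bytes, xid: int) -> bool:
    """True if `reply` is a BOOTREPLY DHCPOFFER answering our xid."""
    if len(reply) < 240 or reply[0] != 2:
        return False
    if struct.unpack("!I", reply[4:8])[0] != xid:
        return False
    if reply[236:240] != MAGIC_COOKIE:
        return False
    return parse_dhcp_options(reply[240:]).get(53) == b"\x02"
```

To run the check, send the DISCOVER over UDP to port 67 on the interface's broadcast address and read replies on port 68 (root needed); an offer passing `is_offer_for` means dhcpd is still serving that side, whatever ipf shows.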
