Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: <tech-security@netbsd.org>
From: David Laight <David.Laight@btinternet.com>
List: tech-security
Date: 01/07/2002 10:19:54
> 
> The problem is, unlike the other udp ports which dhcpd(8) uses (67,
> 111), dhcpd does _not_ listen on port 68.  It appears that it is using
> bpf to snatch packets directly from the wire.  As bpf does (and should)
> get a shot at packets before ipf does its magic, this port is de facto
> open regardless of ipfilter rules stating otherwise (test this.  no
> really.  run dhcpd on a host, block all udp packets to port 68, and nmap
> -sU scan the host.  you may be surprised).
> 
> And yes, this occurs even though dhcpd(8) is explicitly _not_ started on
> the outside interface.
> 
> To review:
> 
> Inside interfaces are ray0 and le0 (yes, dhcp is limited to a specific
> set of hardware addresses on ray0.  that's another discussion).  Outside
> interface is vr0.
> 
> from rc.conf:
> ...
> ipfilter=YES                                    # uses /etc/ipf.conf
> ipnat=YES                                       # uses /etc/ipnat.conf
> ...
> dhcpd=YES               dhcpd_flags="-q le0 ray0"
> ...
> 

What happens if you start dhcpd after bringing up ray0 and le0 but
before bringing up vr0?
(doing this is left as an exercise...)

    David
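An audit check that follows from the point made in the quoted message, added here as an example and not part of the original thread: because a daemon reading from bpf(4) sees frames before ipfilter acts on them, the ipf rule set alone does not tell you which UDP ports are effectively reachable; you also need to know which processes hold a /dev/bpf descriptor on the host. The function below extracts that from fstat(1)-style output. The embedded sample output is constructed for the example and its column layout (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W) is an assumption about the fstat format; on a real host you would pipe the live `fstat` output into `bpf_users` instead.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# List processes holding a bpf(4) descriptor, i.e. daemons that receive
# frames ahead of the packet filter and so are not covered by ipf rules.
#
# SAMPLE_FSTAT is constructed output in an assumed fstat(1) column layout
# so the script runs offline; replace it with `fstat` on a live system.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT       INUM MODE         SZ|DV R/W
root     dhcpd        211    4 /           1207 crw-------    bpf0 r
root     dhcpd        211    5 /           1208 crw-------    bpf1 r
root     syslogd      150    3 /            910 crw-rw-rw-    log  w
_tcpdump tcpdump      402    3 /           1209 crw-------    bpf2 r
root     sshd         180    4 * internet stream tcp 0xc0ffee *:22'

# bpf_users: read fstat output on stdin and print "CMD PID DEVICE" for every
# descriptor whose device column names a bpf unit (bpf, bpf0, bpf1, ...),
# one line per descriptor, sorted and deduplicated.  Scanning every field
# rather than a fixed column keeps it tolerant of socket lines, which have
# a different shape.
bpf_users() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^bpf[0-9]*$/) { print $2, $3, $i; break }
        }
    }' | sort -u
}

# bpf_process_names: just the distinct command names, for a quick glance at
# which daemons bypass the filter.
bpf_process_names() {
    bpf_users | awk '{ print $1 }' | sort -u
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_FSTAT" | bpf_users
```

Running it against the sample reports dhcpd on bpf0 and bpf1 and tcpdump on bpf2, while syslogd and sshd, which hold no bpf descriptor, are not listed. Anything that appears here is reachable on the wire independently of what ipf.conf says about the corresponding ports, which is the situation the quoted message describes for port 68.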