Subject: dhcpd(8) _cannot_ be completely disabled on an interface
To: tech-net@netbsd.org, <tech-security@netbsd.org>
From: Jim Wise <jwise@draga.com>
List: tech-net
Date: 01/05/2002 10:17:11
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, so I'm setting up a replacement border NAT router for the network
here.  This machine has a few real outside addresses, and NATs for two
internal LANs.  It provides DHCP service on the two internal LANs.

As one would expect, I have used ipf(8) to block access to all ports
which are inadvertently opened on the outside interface due to daemons
listening on INADDR_ANY (see previous post on this subject).  On the tcp
side, with the help of ipf's `block ... return-rst' capability, this is
completely transparent to a scanning host.  On the udp side, with the
help of ipf's `block ... return-icmp-as-dest(port-unr)' this is likewise
completely transparent -- with one exception.

port 68.  dhcpd(8).

The problem is, unlike the other udp ports which dhcpd(8) uses (67,
111), dhcpd does _not_ listen on port 68.  It appears that it is using
bpf to snatch packets directly from the wire.  As bpf does (and should)
get a shot at packets before ipf does its magic, this port is de facto
open regardless of ipfilter rules stating otherwise (test this.  no
really.  run dhcpd on a host, block all udp packets to port 68, and nmap
- -sU scan the host.  you may be surprised).

And yes, this occurs even though dhcpd(8) is explicitly _not_ started on
the outside interface.

To review:

Inside interfaces are ray0 and le0 (yes, dhcp is limited to a specific
set of hardware addresses on ray0.  that's another discussion).  Outside
interface is vr0.

from rc.conf:
...
ipfilter=YES                                    # uses /etc/ipf.conf
ipnat=YES                                       # uses /etc/ipnat.conf
...
dhcpd=YES               dhcpd_flags="-q le0 ray0"
...

from ipf.conf:
...
block return-icmp-as-dest(port-unr) in log quick on vr0 from any to any port = 68
...

from nmap from an outside host:
...
68/udp     open        bootpc
...

- -- 
				Jim Wise
				jwise@draga.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8NxkFN71lEcOYcw4RAl9lAKC8kprXBU0UMep5IV0DG9+/fmWUMgCfa9+M
/tuYTiQd74zbYXA4NO7F9hU=
=nYcB
-----END PGP SIGNATURE-----