Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: None <tech-net@netbsd.org>
From: Bill Squier <groo@old-ones.com>
List: tech-net
Date: 01/06/2002 02:51:43
On Sat, Jan 05, 2002 at 08:31:08PM -0500, Jim Wise wrote:
> Unfortunately I _am_ (see the rc.conf snippet in the original post).
> dhcpd uses INADDR_ANY (and uses bpf on all interfaces), and then doesn't
> respond on the interfaces it's not configured to serve.
> 
> This means a.) that without ipf, dhcpd is seen by an outside port
> scanner as listening on all interfaces, specified or not, and b.) that
> even with ipf, dhcpd is seen by an outside port scanner on udp port 68.
> 
> It also means that were there (and I don't know of any) a buffer
> overflow or other security problem in dhcpd's internal udp handling, ipf
> could _not_ be used to protect the machine from outside exploitation.

Compile dhcpd to use sockets instead of bpf.

-- 
Bill Squier (groo@old-ones.com)                          http://www.netbsd.org

        I know I don't deserve another chance, but this _is_ America,
        and as an American, aren't I entitled to one?  --Sideshow Bob.
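An added example, not part of this thread: a small audit that flags UDP sockets bound to the wildcard address (INADDR_ANY) on the DHCP ports, which is the condition Jim describes. It assumes NetBSD-style `netstat -an -f inet` output, where the local address is written `addr.port` and `*` stands for the wildcard; the sample output is constructed.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample in the style of `netstat -an -f inet` on NetBSD.
# The two dhcpd sockets are bound to "*" (INADDR_ANY); ntpd and syslogd
# are bound to specific addresses.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  *.67                   *.*
udp        0      0  *.68                   *.*
udp        0      0  192.168.1.1.123        *.*
udp        0      0  127.0.0.1.514          *.*
"""

# proto, recv-q, send-q, local, foreign; only udp/udp6 rows are of interest
LINE_RE = re.compile(r"^(udp\d?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)")


def parse_udp_listeners(netstat_output: str) -> List[Dict[str, str]]:
    """One record per UDP socket: protocol, local address, local port."""
    records = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, tcp and blank lines are skipped
        proto, local, _foreign = m.groups()
        # The port is the last dot-separated field; the rest is the address.
        addr, _, port = local.rpartition(".")
        records.append({"proto": proto, "addr": addr, "port": port})
    return records


def wildcard_udp_listeners(netstat_output: str,
                           ports: Sequence[str] = ("67", "68")) -> List[Dict[str, str]]:
    """UDP sockets bound to the wildcard address on the given ports.

    Such a socket is reachable through every interface, so only a packet
    filter, not the daemon's own interface list, keeps it off interfaces it
    was not meant to serve.  Note that a daemon reading via bpf does not
    show up here at all; this audit only covers the socket side.
    """
    return [r for r in parse_udp_listeners(netstat_output)
            if r["addr"] == "*" and r["port"] in ports]


if __name__ == "__main__":
    for r in wildcard_udp_listeners(SAMPLE_NETSTAT):
        print(f"{r['proto']} port {r['port']} is bound to INADDR_ANY")
```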