Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: Steven M. Bellovin <smb@research.att.com>
From: Jim Wise <jwise@draga.com>
List: tech-net
Date: 01/06/2002 15:10:33

If you'll look at the rc.conf snippet included in the original message,
I _am_ running dhcpd only on the inside interface.  In fact, dhcpd
listens on ports 67 and 111 with INADDR_ANY, and bpfs on _all_
interfaces for port 68.  Only after receiving a packet does dhcpd check
to see if the packet is from an interface it is supposed to be listening
to.

This, of itself, is pretty clearly a bug in dhcpd.  The fact that dhcpd
in addition uses bpf, and is thus not wrappable with ipfilter makes the
matter even worse.

On Sun, 6 Jan 2002, Steven M. Bellovin wrote:

>In message <20020106194425.B622@ibb1150.ibb.uu.nl>, Mipam writes:
>>[SNIP]
>>
>>> from nmap from an outside host:
>>> ...
>>> 68/udp     open        bootpc
>>> ...
>>
>>This is because dhcp listens on bpf which is before ipf (seen from
>>outside). So requests and answers won't go through the in-kernel
>>ip stack and so also not through ipf which listens in front of the ip stack.
>
>Run dhcpd only on the inside interface.  It may still be possible to
>send it packets via hand-crafted stuff by someone on the outside LAN,
>but it should help.
>
>		--Steve Bellovin, http://www.research.att.com/~smb
>		Full text of "Firewalls" book now at http://www.wilyhacker.com
>
>

-- 
				Jim Wise
				jwise@draga.com
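As an added audit check that is not part of this thread: the script below parses BSD-style `netstat -an -f inet` socket listings and flags the UDP sockets on ports 67 and 111 that are bound to the wildcard address (INADDR_ANY), which is the socket side of the behaviour described above. The sample listing is constructed, and the column layout (`addr.port`, `*` for the wildcard) is an assumption about what such a box would print; the bpf listener on port 68 is invisible to this check because bpf sits below the socket layer.

```python
import re

# Constructed sample in the BSD "netstat -an -f inet" layout (assumed format:
# local address written as addr.port, "*" meaning the wildcard address).
# The bpf listener on port 68 from the message never shows up here: bpf
# attaches below the socket layer, so only the UDP sockets are listed.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.168.1.1.22         *.*                    LISTEN
udp        0      0  *.67                   *.*
udp        0      0  *.111                  *.*
udp        0      0  192.168.1.1.53         *.*
"""

# Ports the message says dhcpd opens with INADDR_ANY (67 = bootps, 111 = sunrpc).
DHCPD_PORTS = {67, 111}

# One socket line: proto, recv-q, send-q, local address, foreign address.
LINE_RE = re.compile(r"^(udp|tcp)\s+\d+\s+\d+\s+(\S+)\s+(\S+)")


def parse_listeners(netstat_output):
    """Return a list of (proto, local_addr, local_port) for each socket line."""
    result = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything that is not a socket entry
        proto, local, _foreign = m.groups()
        # Split on the last dot only: "192.168.1.1.53" -> ("192.168.1.1", "53"),
        # "*.67" -> ("*", "67").
        addr, _, port = local.rpartition(".")
        result.append((proto, addr, int(port)))
    return result


def wildcard_dhcpd_sockets(netstat_output, ports=DHCPD_PORTS):
    """Return (addr, port) for DHCP-related UDP sockets bound to INADDR_ANY.

    A non-empty result means the daemon accepts datagrams arriving on any
    interface and is relying on a post-receive interface check, as described
    in the message, rather than on the bind address.
    """
    return [(addr, port)
            for proto, addr, port in parse_listeners(netstat_output)
            if proto == "udp" and port in ports and addr == "*"]


if __name__ == "__main__":
    for addr, port in wildcard_dhcpd_sockets(SAMPLE_NETSTAT):
        print(f"udp port {port} bound to wildcard address {addr}")
```

Feed it the output of the real `netstat -an -f inet` on the host to check the socket side; the bpf side still has to be reasoned about from the dhcpd configuration, since no socket listing will show it.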