On Wednesday, 22 March 2006 17:32, Martin Skarda wrote:
| Hi All,
|
| I'm trying to protect my dhcp server with some rules within iptables
| against some DoS, and I see all the "hopefully dropped" packages in my log
| target. But the drop doesn't really work: the packages are still going
| through my firewall to my dhcp server.
|
| [...]

While trying out LTSP I observed very similar behaviour (X-Terminals were
getting their IPs through iptables even though they shouldn't have). I
Googled and found this thread:

http://lists.netfilter.org/pipermail/netfilter/2002-May/034302.html

which gave me my answer to why this is so... In short, here is a quote:

"Derrik Pates touched on this earlier in the thread, but I'll try and
clarify a bit.

The DHCP server of the ISC (Internet Software Consortium,
http://www.isc.org) uses a different type of network access in Linux,
so to speak. Normally, when programs need network access, they open
up an Internet socket of the correct protocol (TCP/UDP), which gets
any packets destined for it and can send packets after the kernel has
applied all IP Tables rules to them. So if you have a policy of
DROP/REJECT or you have a rule that matches a packet to/from this
socket that DROP/REJECTs it, the socket will not receive or be able to
send that packet.

However, the ISC DHCP server uses an Internet Socket of protocol Raw
instead of TCP or UDP. This facility, naturally, is only available to
root (uid 0, really), and receives packets before the IP Tables
processing. It also receives all Internet packet headers as well, so
it gets to do additional processing.

But because Raw sockets get packets before the IP Tables processing,
the ISC DHCP server is able to obtain an IP address through DHCP.

More information (possibly not in a useful state) can be found in the
man pages for socket, ip, tcp, udp,
http://nodevice.com/sections/ManIndex/man1275.html, and, of course,
the source code."

Cheers,
Ziga B.
--
gentoo-security@g.o mailing list
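An added example, not code from this thread or from ISC dhcpd, that makes the quoted mechanism observable: on Linux a packet-level socket (AF_PACKET, the facility dhcpd uses for its "raw" access) is handed a copy of every frame before the netfilter INPUT hook runs, so an iptables DROP rule never hides DHCP traffic from it. The program needs root and a live interface; the parser is_dhcp_frame is my own helper, kept pure so it can be checked on a constructed frame.

```c
/* Added example, not code from the thread or from ISC dhcpd. Opens the kind of
 * packet-level socket ISC dhcpd uses on Linux (AF_PACKET) and reports DHCP
 * frames it receives. The kernel hands frames to such sockets before the
 * netfilter INPUT hook runs, so an iptables DROP rule does not stop them.
 * Needs root; build with: cc -Wall -o dhcp_tap dhcp_tap.c */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if the Ethernet frame carries IPv4/UDP to or from the DHCP ports
 * (67 server, 68 client), else 0. Pure function: testable on a constructed
 * frame without a live interface. */
int is_dhcp_frame(const unsigned char *frame, size_t len)
{
    const struct ether_header *eth = (const struct ether_header *)frame;
    if (len < sizeof(*eth) + sizeof(struct iphdr) ||
        ntohs(eth->ether_type) != ETHERTYPE_IP)
        return 0;
    const struct iphdr *ip = (const struct iphdr *)(frame + sizeof(*eth));
    size_t iphl = (size_t)ip->ihl * 4;       /* IP header length in bytes */
    if (ip->version != 4 || iphl < sizeof(*ip) || ip->protocol != IPPROTO_UDP ||
        len < sizeof(*eth) + iphl + sizeof(struct udphdr))
        return 0;
    const struct udphdr *udp = (const struct udphdr *)(frame + sizeof(*eth) + iphl);
    unsigned sport = ntohs(udp->uh_sport), dport = ntohs(udp->uh_dport);
    return sport == 67 || sport == 68 || dport == 67 || dport == 68;
}

int main(void)
{
    /* ETH_P_ALL: a copy of every frame, exactly what tcpdump asks for. */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket (root required)"); return 1; }
    unsigned char buf[2048];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        if (is_dhcp_frame(buf, (size_t)n))
            printf("DHCP frame (%zd bytes) reached the packet socket; "
                   "no INPUT rule was consulted\n", n);
    }
    close(fd); return 0;
}
```

Run it on the DHCP server with an iptables rule that drops UDP/67 in INPUT and the messages keep appearing; that is the same path dhcpd's traffic takes.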