| 1 |
Dne sreda, 22. marec 2006 17:32 je Martin Skarda napisal(a): |
| 2 |
| Hi All, |
| 3 |
| |
| 4 |
| I'm trying to protect my dhcp server with some rules within iptables |
| 5 |
| against some DoS, and I see all the "hopefully dropped" packages in my log |
| 6 |
| target. But the drop doesn't really work: the packages are still going |
| 7 |
| through my firewall to my dhcp server. |
| 8 |
| |
| 9 |
| [...] |
| 10 |
|
| 11 |
While trying out LTSP I observed very similar behaviour (X-Terminals were |
| 12 |
getting their IPs through iptables even though they shouldn't) I Googled out |
| 13 |
this thread: |
| 14 |
|
| 15 |
http://lists.netfilter.org/pipermail/netfilter/2002-May/034302.html |
| 16 |
|
| 17 |
which gave me my answer to why this is so... In short, here is a quote: |
| 18 |
|
| 19 |
"Derrik Pates touched on this earlier in the thread, but I'll try and |
| 20 |
clarify a bit. |
| 21 |
|
| 22 |
The DNCP server of the ISC (Internet Software Consortium, |
| 23 |
http://www.isc.org) uses a different type of network access in Linux, |
| 24 |
so to speak. Normally, when programs need network access, they open |
| 25 |
up an Internet socket of the correct protocol (TCP/UDP), which gets |
| 26 |
any packets destined for it and can send packets after the kernel has |
| 27 |
applied all IP Tables rules to them. So if you have a policy of |
| 28 |
DROP/REJECT or you have a rule that matches a packet to.from this |
| 29 |
socket that DROP/REJECTs it, the socket will not receive or be able to |
| 30 |
send that packet. |
| 31 |
|
| 32 |
However, the ISC DHCP server uses an Internet Socket of protocol Raw |
| 33 |
instead of TCP or UDP. This facility, naturally, is only available to |
| 34 |
root (uid 0, really), and receives packets before the IP Tables |
| 35 |
processing. It also receives all Internet packet headers as well, so |
| 36 |
it gets to do additional processing. |
| 37 |
|
| 38 |
But because Raw sockets get packets before the IP Tables processing, |
| 39 |
the ISC DHCP server is able to obtain an IP address through DHCP. |
| 40 |
|
| 41 |
More information (possibly not in a useful state) can be found in the |
| 42 |
man pages for socket, ip, tcp, udp, |
| 43 |
http://nodevice.com/sections/ManIndex/man1275.html, and, of course, |
| 44 |
the source code." |
| 45 |
|
| 46 |
Cheers, |
| 47 |
Ziga B. |
| 48 |
-- |
| 49 |
gentoo-security@g.o mailing list |
Archives