from Hacker News

DHCP is not blocked by ufw/iptables

by timost on 7/27/23, 2:32 PM with 123 comments

  • by SamuelAdams on 7/27/23, 4:45 PM

    Wait until they learn about Docker ignoring iptables rules.

    https://www.baeldung.com/linux/docker-container-published-po...

  • by yomlica8 on 7/27/23, 4:41 PM

    Can anyone recommend a decent book on linux firewalls, iptables and the like? Every time I wade into this I feel I'm missing too much base knowledge to make good decisions.

  • by tambourine_man on 7/27/23, 6:03 PM

    It’s these kinds of things that make me realize I don’t really know what I’m doing regarding networks. I would never have imagined.

    Even FreeBSD’s stack, which was always much more straightforward to me, behaves like this, it seems. There’s no hope.

  • by binkHN on 7/27/23, 5:01 PM

    FWIW, this is the same behavior on OpenBSD—DHCP listens directly on bpf, which sees traffic before the packet filter.
  • by le-mark on 7/27/23, 4:44 PM

    That is a surprising revelation; that iptables filters traffic depending on Linux implementation details. One could imagine the outcry if firewall vendor X suffered a similar “feature”. Or is this well known for Linux iptables users?

  • by allanrbo on 7/27/23, 5:55 PM

    Even within iptables / nftables / nft there's a ton of places to hook in. I always need to take a long hard look at this diagram to get it right: https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter...

  • by Joel_Mckay on 7/27/23, 7:08 PM

    If you have systemd/Netplan/docker, then expect chaotic firewall states.

    Each can drop some nasty use-case specific assumptions that cause odd issues in other areas.

    Happy computing =)

  • by josephcsible on 7/27/23, 7:09 PM

    For people who wish this weren't the case, would you want tools like tcpdump and Wireshark to also only see packets that the firewall allows? If not, then what change would you propose exactly that changes the former without breaking the latter?
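
As an added example (not code from the thread, and not any real DHCP client's code), the following shows the mechanism binkHN describes and the trade-off josephcsible asks about. It opens an AF_PACKET socket on one interface, attaches the classic BPF program that `tcpdump -dd 'ip and udp dst port 68'` produces, and decodes the BOOTP header of whatever arrives. Packet sockets are fed from the device receive path before the frame reaches the IPv4 stack, so the netfilter INPUT chain that iptables, ufw and `nft inet` rules live in is never consulted for them. Only the interface name, the sample MAC/IP addresses and the constructed DHCPOFFER frame are assumptions; `run_cbpf()` interprets the filter in Python so the match logic can be checked without root, while `listen()` needs CAP_NET_RAW.

```python
"""Added example (not code from the thread or any DHCP client): an AF_PACKET
listener shaped like a DHCP client's receive path.  It opens a raw packet
socket on one interface, attaches the classic BPF program that
`tcpdump -dd 'ip and udp dst port 68'` emits, and decodes what arrives.
Packet sockets are fed from the device receive path before the IPv4 stack,
so the netfilter INPUT chain (iptables/ufw/nft inet) is never consulted.
run_cbpf() interprets the filter in Python for an offline check; listen()
needs CAP_NET_RAW.  The interface name and sample addresses are assumptions."""
import ctypes
import socket
import struct

ETH_P_IP = 0x0800
SO_ATTACH_FILTER = 26  # asm-generic/socket.h

# cBPF for "ip and udp dst port 68" as (code, jt, jf, k); jumps are relative:
# pc += 1 + (jt if cond else jf).  ret #k delivers k bytes, ret #0 discards.
DHCP_CLIENT_FILTER = [
    (0x28, 0, 0, 12),        # ldh  [12]           ethertype
    (0x15, 0, 8, ETH_P_IP),  # jeq  #0x800         not IPv4 -> ret #0
    (0x30, 0, 0, 23),        # ldb  [23]           IP protocol
    (0x15, 0, 6, 17),        # jeq  #17 (UDP)      else ret #0
    (0x28, 0, 0, 20),        # ldh  [20]           flags + fragment offset
    (0x45, 4, 0, 0x1FFF),    # jset #0x1fff        later fragment -> ret #0
    (0xB1, 0, 0, 14),        # ldxb 4*([14]&0xf)   X = IP header length
    (0x48, 0, 0, 16),        # ldh  [X+16]         UDP destination port
    (0x15, 0, 1, 68),        # jeq  #68
    (0x06, 0, 0, 0x40000),   # ret  #262144        deliver to the socket
    (0x06, 0, 0, 0),         # ret  #0             dropped here, not by netfilter
]


def run_cbpf(prog, pkt):
    """Interpret the cBPF subset above; returns accepted length (0 = rejected).
    Out-of-range loads reject the packet, as the kernel does."""
    a = x = pc = 0
    try:
        while pc < len(prog):
            code, jt, jf, k = prog[pc]
            pc += 1
            if code == 0x28:   a = struct.unpack_from("!H", pkt, k)[0]
            elif code == 0x30: a = pkt[k]
            elif code == 0xB1: x = (pkt[k] & 0x0F) * 4
            elif code == 0x48: a = struct.unpack_from("!H", pkt, x + k)[0]
            elif code == 0x15: pc += jt if a == k else jf
            elif code == 0x45: pc += jt if a & k else jf
            elif code == 0x06: return k
            else: raise ValueError("unsupported cBPF opcode 0x%02x" % code)
    except (struct.error, IndexError):
        pass
    return 0


def attach_filter(sock, prog):
    """SO_ATTACH_FILTER with a struct sock_fprog {u16 len; struct sock_filter *}."""
    insns = ctypes.create_string_buffer(
        b"".join(struct.pack("HBBI", *insn) for insn in prog))
    fprog = struct.pack("HP", len(prog), ctypes.addressof(insns))
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)


def decode_dhcp(frame):
    """Ethernet/IPv4/UDP/BOOTP header fields from a raw frame."""
    ihl = (frame[14] & 0x0F) * 4
    udp, bootp = 14 + ihl, 14 + ihl + 8
    sport, dport = struct.unpack_from("!HH", frame, udp)
    op, _, _, _, xid = struct.unpack_from("!BBBBI", frame, bootp)
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "op": op, "xid": xid,
            "yiaddr": socket.inet_ntoa(frame[bootp + 16:bootp + 20])}


def build_dhcp_offer(xid=0x3903F326, yiaddr="192.0.2.50"):
    """Constructed sample: DHCPOFFER from 192.0.2.1:67 to 255.255.255.255:68,
    the broadcast reply a client receives before it has any address."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s", 2, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton("192.0.2.1"),
                        b"\0" * 4, bytes.fromhex("525400123456").ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128, b"\x63\x82\x53\x63")
    bootp += bytes([53, 1, 2, 255])                     # option 53 = DHCPOFFER, end
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.1"), socket.inet_aton("255.255.255.255"))
    return b"\xff" * 6 + bytes.fromhex("525400abcdef") + struct.pack("!H", ETH_P_IP) + ip + udp


def listen(ifname="eth0"):
    """Root only.  Add 'iptables -I INPUT -p udp --dport 68 -j DROP' first:
    offers and acks still arrive here, because this socket sits below netfilter."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_IP))
    attach_filter(s, DHCP_CLIENT_FILTER)   # filter first, then bind: no unfiltered window
    s.bind((ifname, ETH_P_IP))
    while True:
        print(decode_dhcp(s.recv(65535)))


if __name__ == "__main__":
    import sys
    listen(sys.argv[1] if len(sys.argv) > 1 else "eth0")
```

The `ret #0` at the end of the filter is the only "firewall" this socket has, and it runs in the kernel's BPF VM at the packet-socket tap, the same place tcpdump's filter runs. ETH_P_IP and SOCK_RAW are choices made here; the Linux DHCP clients differ in the ethertype they bind and in raw versus datagram packet sockets, but they all receive through AF_PACKET while the host has no address. The one hook that runs before this tap is XDP, and a frame dropped there never reaches tcpdump either, which is exactly the trade-off josephcsible's question points at.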
  • by 1vuio0pswjnm7 on 7/27/23, 10:18 PM

    But could it be blocked using eBPF?

    https://docs.kernel.org/networking/filter.html

  • by m463 on 7/27/23, 10:16 PM

    I've just disabled those exceptional rules when dhcp isn't required.

    I'm wondering if this is:

    - a default configuration situation (which I think I rectified)

    - DHCP exception hardcoded in the firewall binaries

  • by anfractuosity on 7/27/23, 6:39 PM

    Intriguing, so there's no way to block DHCP from Linux at all as all firewalls such as ufw/nftables/iptables, would use netfilter behind the scenes?
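
For the questions m463 and anfractuosity raise, the practical check is to see which processes on the host hold AF_PACKET sockets, since those are the ones netfilter never gets to filter. The script below is an added example (not from the thread or any project): it parses `/proc/net/packet` and resolves each socket inode to its owning process through `/proc/<pid>/fd`. The `/proc/net/packet` column layout it assumes is `sk RefCnt Type Proto Iface R Rmem User Inode`, with `Proto` the bound ethertype in hex; the sample text in the test is constructed.

```python
"""Added example (not from the thread): enumerate the AF_PACKET sockets on a
Linux host and the processes that hold them.  Every socket listed here is fed
from the device receive path, below the netfilter INPUT chain, so no
iptables/ufw/nft filter rule applies to what it receives.  On a typical host
that is the DHCP client (dhclient, dhcpcd, systemd-networkd's client) plus
tcpdump and friends while they run.  Parses /proc/net/packet (columns: sk
RefCnt Type Proto Iface R Rmem User Inode; Proto is the bound ethertype in
hex) and resolves inodes via /proc/<pid>/fd, which for other users' processes
needs root.  The sample /proc text used in the test is constructed."""
import os
import socket

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETHERTYPES = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP",
              0x0806: "ETH_P_ARP", 0x86DD: "ETH_P_IPV6"}


def parse_proc_net_packet(text):
    """Return one dict per packet socket from the text of /proc/net/packet."""
    rows = []
    for line in text.splitlines()[1:]:            # line 0 is the column header
        f = line.split()
        if len(f) < 9:
            continue
        proto = int(f[3], 16)
        rows.append({"type": SOCK_TYPES.get(int(f[2]), f[2]),
                     "proto": ETHERTYPES.get(proto, "0x%04x" % proto),
                     "ifindex": int(f[4]),          # 0 = not bound to one interface
                     "running": f[5] == "1",
                     "inode": int(f[8])})
    return rows


def socket_owners(inodes, proc="/proc"):
    """Map socket inode -> [(pid, comm)] by reading every /proc/<pid>/fd link."""
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {i: [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            with open(os.path.join(proc, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:                 # exited, or unreadable without CAP_SYS_PTRACE
            continue
        for link in links:
            if link in wanted:
                owners[wanted[link]].append((int(pid), comm))
    return owners


def ifname(ifindex):
    """Interface name for an ifindex; 0 means the socket is not bound to one."""
    if ifindex == 0:
        return "any"
    try:
        return socket.if_indextoname(ifindex)
    except (OSError, ValueError):
        return "if%d" % ifindex


def report(proc="/proc"):
    """Lines like 'dhclient[812] SOCK_RAW ETH_P_ALL on eth0 (inode 24681)'."""
    with open(os.path.join(proc, "net", "packet")) as fh:
        rows = parse_proc_net_packet(fh.read())
    owners = socket_owners([r["inode"] for r in rows], proc)
    out = []
    for r in rows:
        who = ", ".join("%s[%d]" % (c, p) for p, c in owners[r["inode"]]) or "(no visible owner)"
        out.append("%s %s %s on %s (inode %d)" % (who, r["type"], r["proto"],
                                                    ifname(r["ifindex"]), r["inode"]))
    return out


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it as root to see owners for every process; `/proc/net/packet` is per network namespace, so a container's packet sockets only show up from inside that namespace. Anything in the output that you did not expect (a DHCP client on a statically addressed server, a forgotten capture tool) is traffic your INPUT chain is not seeing, and the fix is to stop or reconfigure that process rather than to add rules.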
  • by jas- on 7/27/23, 9:46 PM

    ARP? Don’t you need arptables for this? OSI model 101

  • by pseudosavant on 7/28/23, 5:56 PM

    Had an interesting exchange with chatgpt/gpt4 about this. Initially gets it wrong, but then explains it really well after being corrected with this link. Apparently Windows has similar default behavior too.

    Me: Is DHCP affected by iptables firewall rules on Linux?

    GPT: Yes, DHCP (Dynamic Host Configuration Protocol) traffic can be affected by iptables firewall rules on a Linux system.

    iptables can be used to filter network traffic, and it does this by checking each network packet against a set of rules. If a rule matches the packet, a specific action is taken (such as allowing the packet through, dropping it, or logging it).

    For DHCP, which uses UDP, the communication usually happens over port 67 for the DHCP server and port 68 for the DHCP client. If there are iptables rules that block these ports, it could prevent the DHCP from functioning correctly.

    For instance, if you want to allow DHCP traffic, you might need to include rules such as these in your iptables configuration:

    ```
    iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    ```

    The exact rules you need will depend on your specific setup and requirements. Always remember to test your configuration thoroughly to ensure it's working as expected.

    Me: This suggests that answer is incorrect. https://unix.stackexchange.com/questions/447440/ufw-iptables...

    GPT: I apologize for the confusion. The interaction between DHCP and iptables is indeed more nuanced than my previous message indicated.

    When a machine requests an IP address using DHCP, it doesn't have an IP yet, so the DHCP server sends the reply to the broadcast IP, which is typically 255.255.255.255. Linux has a kernel parameter called `rp_filter` (Reverse Path Filtering), which by default allows these broadcast packets through, bypassing any iptables rules. This is because the kernel recognizes that these packets are part of a legitimate IP address assignment process, so it allows them in despite any firewall rules.

    So in practice, while DHCP does technically use ports that could be blocked by iptables, the Linux kernel generally ensures that DHCP traffic is allowed through anyway. This behavior is fundamental to the operation of DHCP, and trying to change it could break your system's ability to obtain an IP address.

    Me: How does the Windows firewall handle DHCP filtering, or not?

    GPT: The Windows Firewall handles DHCP traffic similarly to other traffic, but with some built-in allowances because of how critical DHCP is for network connectivity.

    By default, Windows Firewall has predefined rules to allow DHCP traffic. DHCP uses UDP port 67 for servers and UDP port 68 for clients. The firewall rules permit these inbound and outbound connections so that a DHCP client can obtain an IP address from a DHCP server.

    However, unlike typical firewall rules, the rules for DHCP are handled a bit differently because, at the time of the DHCP process, the client does not yet have an IP address. For this reason, the DHCP process cannot be subject to standard IP address-based filtering rules.

    In the default configuration, Windows Firewall will not block DHCP traffic because this would disrupt network connectivity. But a user could technically create custom rules to block DHCP; this would likely cause significant network problems, and therefore it's not recommended.

    As a reminder, DHCP is a fundamental protocol for IP networks, enabling devices to request and receive an IP address and thus communicate on the network. Blocking DHCP traffic would typically prevent a device from obtaining an IP address, thereby blocking network access.

    https://chat.openai.com/share/6e02686c-a330-4efe-b261-1e0d09...