On Wednesday, 22 March 2006 17:32, Martin Skarda wrote:
| Hi All,
|
| I'm trying to protect my dhcp server with some rules within iptables
| against some DoS, and I see all the "hopefully dropped" packages in my log
| target. But the drop doesn't really work: the packages are still going
| through my firewall to my dhcp server.
|
| [...]
While trying out LTSP I observed very similar behaviour (X-Terminals were getting their IPs through iptables even though they shouldn't). I Googled out this thread:

http://lists.netfilter.org/pipermail/netfilter/2002-May/034302.html

which gave me my answer to why this is so... In short, here is a quote:

"Derrik Pates touched on this earlier in the thread, but I'll try and clarify a bit.

The DHCP server of the ISC (Internet Software Consortium, http://www.isc.org) uses a different type of network access in Linux, so to speak. Normally, when programs need network access, they open up an Internet socket of the correct protocol (TCP/UDP), which gets any packets destined for it and can send packets after the kernel has applied all IP Tables rules to them. So if you have a policy of DROP/REJECT or you have a rule that matches a packet to/from this socket that DROP/REJECTs it, the socket will not receive or be able to send that packet.

However, the ISC DHCP server uses an Internet Socket of protocol Raw instead of TCP or UDP. This facility, naturally, is only available to root (uid 0, really), and receives packets before the IP Tables processing. It also receives all Internet packet headers as well, so it gets to do additional processing. But because Raw sockets get packets before the IP Tables processing, the ISC DHCP server is able to obtain an IP address through DHCP.

More information (possibly not in a useful state) can be found in the man pages for socket, ip, tcp, udp, http://nodevice.com/sections/ManIndex/man1275.html, and, of course, the source code."

Cheers,
Ziga B.

-- 
gentoo-security@gentoo.org mailing list
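To make the quoted explanation concrete, here is an added example (not from this thread and not ISC's code) of what a packet-socket consumer such as dhcpd has to deal with: a constructed DHCPDISCOVER frame with the Ethernet, IPv4 and UDP headers still attached, a parser that walks those headers itself, and a per-MAC sliding-window limit showing where a DoS cap has to live when iptables never sees the packet. The frame contents and the function names are the example's own.

```python
import struct
from collections import deque

DHCP_MAGIC = b"\x63\x82\x53\x63"

def build_discover(chaddr: bytes, xid: int) -> bytes:
    """Constructed DHCPDISCOVER frame, complete with Ethernet/IPv4/UDP headers."""
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0,
                       0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dhcp += DHCP_MAGIC + bytes([53, 1, 1, 255])        # option 53 = DISCOVER
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17,
                     0, b"\0" * 4, b"\xff" * 4) + udp  # 0.0.0.0 -> 255.255.255.255
    return b"\xff" * 6 + chaddr + b"\x08\x00" + ip      # broadcast Ethernet frame

def parse_frame(frame: bytes) -> dict:
    """Header walking that a packet-socket consumer has to do for itself."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 17:
        raise ValueError("not IPv4/UDP")
    udp = 14 + (frame[14] & 0x0F) * 4                 # skip Ethernet + IP (IHL)
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if dport != 67:
        raise ValueError("not addressed to the DHCP server port")
    d = udp + 8                                       # start of BOOTP header
    op, htype, hlen, hops, xid = struct.unpack_from("!BBBBI", frame, d)
    if frame[d + 236:d + 240] != DHCP_MAGIC:
        raise ValueError("bad DHCP magic cookie")
    opts, i, msg_type = frame[d + 240:], 0, None
    while i < len(opts) and opts[i] != 255:           # 255 = end of options
        if opts[i] == 0:                              # 0 = pad, no length byte
            i += 1
            continue
        if opts[i] == 53:                             # DHCP message type
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    return {"op": op, "xid": xid, "chaddr": frame[d + 28:d + 28 + hlen],
            "msg_type": msg_type, "sport": sport}

def allow(seen: dict, chaddr: bytes, now: float, limit=5, window=10.0) -> bool:
    """Sliding-window cap per client MAC; iptables never sees these packets,
    so a limit like this has to live in the server's own receive path."""
    q = seen.setdefault(chaddr, deque())
    while q and now - q[0] > window:                  # drop timestamps outside window
        q.popleft()
    if len(q) >= limit:
        return False
    q.append(now)
    return True
```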