Tuesday 9 October 2018

linux - Why does DHCP work even when udp 67 is blocked?

I have a DHCP server on my Raspberry Pi. I set up a firewall which only allows the SSH, DNS and Samba services. However, the DHCP server works like a charm too, but why?

Here are the firewall rules:

table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        tcp flags == 0x0 drop
        tcp flags & (fin | psh | urg) == fin | psh | urg drop
        tcp flags & (syn | ack) == syn | ack ct state new drop
        tcp dport { 22, 139, 445 } accept
        udp dport { 53, 137, 138 } accept
        ct state { established, related } accept
        iifname "lo" accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        ip daddr { 10.0.0.2, 10.0.0.3 } meta mark set 0x00000002
        ct mark set meta mark
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority filter; policy accept;
        masquerade
    }
}

Answer

Many DHCP (IPv4) clients and servers use "raw" sockets, which bypass the IP-level firewall.

  • On the client side, when a DHCP (IPv4) client starts up, it usually has no IP address at all. Therefore it cannot use ordinary UDP sockets and must use "raw" sockets instead, where it crafts its own UDP and even IP headers. For various reasons, perhaps because raw mode bypasses the regular IP stack, it also bypasses the IP firewall as well. (You can notice the same thing when using tcpdump, which sees all packets before the firewall has a chance to reject them.)

  • On the server side, the situation is probably similar. The server will be receiving broadcast packets from a null address, it needs to know which interface those arrive through (some operating systems didn't have hooks letting applications know that when it comes to UDP), the developers just wanted to reuse the same code, etc.

(This doesn't apply to DHCPv6, as IPv6 hosts do always have an IP address – the link-local fe80:... address – and the software can use ordinary UDP sockets, which are affected by the firewall and can be bound to a specific interface's address.)
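Added illustration, not part of the original answer: what "crafts its own UDP and even IP headers" means in practice. The builder below assembles the Ethernet/IPv4/UDP/BOOTP frame a raw-socket DHCPv4 client sends (source 0.0.0.0, destination 255.255.255.255, ports 68 to 67), and the parser decodes the same headers the way a raw-socket server must, since no IP-layer filter has looked at them. The MAC address and transaction id are constructed sample values.

```python
import socket
import struct

# Constructed sample values for the demo (not real devices).
CLIENT_MAC = bytes.fromhex("b827eb000001")
BROADCAST_MAC = b"\xff" * 6
XID = 0x3903F326


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_discover_frame(mac: bytes = CLIENT_MAC, xid: int = XID) -> bytes:
    """Ethernet + IPv4 + UDP + BOOTP DHCPDISCOVER, built by hand as a raw-socket client must."""
    # BOOTP fixed header (236 bytes): op=1 request, htype=1 Ethernet, hlen=6, hops=0,
    # xid, secs=0, flags=broadcast, ciaddr/yiaddr/siaddr/giaddr all 0.0.0.0, chaddr, sname, file
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # magic cookie, msg type DISCOVER, end
    payload = bootp + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent (IPv4)
    src, dst = socket.inet_aton("0.0.0.0"), socket.inet_aton("255.255.255.255")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = BROADCAST_MAC + mac + b"\x08\x00"  # dst, src, EtherType IPv4
    return eth + ip_hdr + udp


def parse_dhcp_frame(frame: bytes) -> dict:
    """Decode the headers a raw-socket DHCP server sees, verifying the IP checksum itself."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ip_checksum(ip_hdr) != 0:
        raise ValueError("bad IP checksum")
    src, dst = socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])
    udp = frame[14 + ihl:]
    sport, dport, _ulen, _cksum = struct.unpack("!HHHH", udp[:8])
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", udp[8:16])
    return {"proto": ip_hdr[9], "src": src, "dst": dst,
            "sport": sport, "dport": dport, "op": op, "xid": xid}
```

Sending such a frame requires an AF_PACKET socket and root; the point of the example is that every header above is produced and consumed in user space, which is why the udp dport rule in the ruleset never gets a say.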

