[TriLUG] iptables & FUD

Sean Alexandre sean at alexan.org
Mon Apr 29 06:25:51 EDT 2013


On Sun, Apr 28, 2013 at 07:54:30PM -0400, Alan Porter wrote:
> >Agreed. And I think that's where it would have helped me here. I only wanted dhcpd to
> >run on my lan interface, and not the wan. (Although, looking more closely at the config
> >I think dhcpd was just servicing the lan, even though it was listening on the wan as
> >well for some reason. I need to look into that.)
> 
> It's probably doing that because it needs to listen for packets
> before an IP address is assigned to that interface.  So you listen
> on all addresses and filter the ones for interfaces that you're not
> interested in.

Yes, it looks like that's its default behavior, from what I'm reading (man page for
dhcpd.conf). It can also be configured to listen on just one particular address. 
I've just set that option to the address of my LAN interface:

    local-address 172.18.215.1;

Now netstat shows this:

    Proto Recv-Q Send-Q Local Address        Foreign Address     State  PID/Program name
    udp        0      0 172.18.215.1:bootps  *:*                        4021/dhcpd 

Instead of this:

    Proto Recv-Q Send-Q Local Address        Foreign Address     State  PID/Program name
    udp        0      0 *:bootps             *:*                        2630/dhcpd

There are a couple of other sockets that are still open on all interfaces, though.
I don't know what these are. It may be dhcpd listening, or maybe it's talking
to one of the machines it's given a lease to? (Is there a way to tell in netstat
whether a udp socket is "listening"?) In either case, I'd feel more comfortable if 
it were doing this on just the configured "local-address". Here are those other
sockets:

    Proto Recv-Q Send-Q Local Address        Foreign Address     State  PID/Program name
    udp        0      0 *:3640               *:*                        4021/dhcpd
    raw        0      0 *:icmp               *:*                     7  4021/dhcpd

So for now, I think I'm going to keep my tinfoil hat on and keep iptables running.
Maybe if I knew more about how DHCP works and dhcpd I wouldn't...
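An added example, not part of Sean's post or of dhcpd itself: a small POSIX shell audit that reads netstat-style output and prints only the sockets a given program has bound to the wildcard address (`*`, `0.0.0.0` or `::`). The sample lines are constructed to mirror the ones above, with a made-up chronyd line added as a control; the function name and program names are assumptions. Two facts worth knowing when reading such output: netstat leaves the State column empty for UDP because UDP has no connections, and a UDP socket whose Foreign Address is `*:*` is unconnected and will accept datagrams from any peer, which is the UDP equivalent of "listening". The raw ICMP socket is the one ISC dhcpd opens for its ping-check (it sends an echo request to an address before offering it).

```sh
#!/bin/sh
# Constructed netstat -anup style lines modelled on the post (not real output).
# The chronyd line is a control: it is bound to loopback, so it must not be reported.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address        Foreign Address     State  PID/Program name
udp        0      0 172.18.215.1:bootps  *:*                        4021/dhcpd
udp        0      0 *:3640               *:*                        4021/dhcpd
raw        0      0 *:icmp               *:*                     7  4021/dhcpd
udp        0      0 127.0.0.1:323        *:*                        1200/chronyd'

# wildcard_sockets PROGRAM
#   Reads netstat output on stdin and prints "proto local-address" for every
#   socket owned by PROGRAM whose local address is the wildcard. Header lines
#   and other programs are skipped. For raw sockets netstat inserts a number
#   in the State column, so the program name is taken from the last field.
wildcard_sockets() {
    prog="$1"
    awk -v prog="$prog" '
        $1 !~ /^(tcp|udp|raw)/ { next }          # skip banner and column header
        $NF !~ ("/" prog "$")  { next }          # keep only PID/PROGRAM lines
        $4 ~ /^(\*|0\.0\.0\.0|::):/ { print $1, $4 }   # wildcard bind
    '
}

# Stand-alone run over the constructed sample. On a real host replace the
# sample with:  netstat -anup | wildcard_sockets dhcpd
printf '%s\n' "$SAMPLE" | wildcard_sockets dhcpd
```

With the sample input the function reports `udp *:3640` and `raw *:icmp` and nothing for the bootps socket, which is exactly what `local-address` fixed; an empty result for a program means every socket it owns is pinned to a specific address.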
