Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: None <mipam@ibb.net>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-net
Date: 01/06/2002 14:24:31
In message <20020106194425.B622@ibb1150.ibb.uu.nl>, Mipam writes:
>[SNIP]
>
>> from nmap from an outside host:
>> ...
>> 68/udp open bootpc
>> ...
>
>This is because dhcp listens on bpf which is before ipf (seen from
>outside). So requests and answers won't go through the in-kernel
>ip stack and so also not through ipf which listens in front of the ip stack.
Run dhcpd only on the inside interface. It may still be possible to
send it packets via hand-crafted stuff by someone on the outside LAN,
but it should help.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
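One way to audit the advice above on a running box, as an added example that is not part of the original thread: the function below takes a dhcpd command line as printed by "ps -axww -o command" and reports whether dhcpd was started with an explicit interface list that leaves out the outside interface (no interface list at all means dhcpd opens bpf on every interface). The interface names fxp0/fxp1 and the ps lines are constructed.

```shell
# Added audit helper (not from the original message). Assumes ISC dhcpd
# syntax: dhcpd [options] [if0 [if1 ...]]; interface names are the trailing
# non-option arguments.
#
# dhcpd_restricted_to_inside CMDLINE OUTSIDE_IF
#   returns 0 when CMDLINE names at least one interface and none of them is
#   OUTSIDE_IF; returns 1 otherwise (not dhcpd, no interface list, or the
#   outside interface is among the listed ones).
dhcpd_restricted_to_inside() {
    outside=$2
    set -- $1                      # split the command line into words
    case $1 in
        dhcpd|*/dhcpd) ;;          # only inspect dhcpd processes
        *) return 1 ;;
    esac
    shift
    ifcount=0
    while [ $# -gt 0 ]; do
        case $1 in
            -p|-cf|-lf|-pf)        # ISC dhcpd options that take a value
                shift; [ $# -gt 0 ] && shift ;;
            -*)                    # flag-only options such as -q, -d, -f
                shift ;;
            *)                     # anything else is an interface name
                [ "$1" = "$outside" ] && return 1
                ifcount=$((ifcount + 1))
                shift ;;
        esac
    done
    [ "$ifcount" -gt 0 ]
}

# Constructed ps(1) output lines; fxp0 is taken to be the outside interface.
CONSTRUCTED_BAD="/usr/sbin/dhcpd -q"
CONSTRUCTED_GOOD="/usr/sbin/dhcpd -q -cf /etc/dhcpd.conf fxp1"
for line in "$CONSTRUCTED_BAD" "$CONSTRUCTED_GOOD"; do
    if dhcpd_restricted_to_inside "$line" fxp0; then
        echo "OK   : $line"
    else
        echo "CHECK: $line  (dhcpd may answer on the outside interface)"
    fi
done
```

On a live system feed it the real lines, e.g. `ps -axww -o command | grep '[d]hcpd'`, one per call.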