Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: None <tech-net@netbsd.org, tech-security@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 01/06/2002 15:53:03

>>>>> "Steven" == Steven M Bellovin <smb@research.att.com> writes:
    Steven> In message <20020106194425.B622@ibb1150.ibb.uu.nl>, Mipam writes:
    >> [SNIP]
    >> 
    >>> from nmap from an outside host:
    >>> ...
    >>> 68/udp     open        bootpc
    >>> ...
    >> 
    >> This is because dhcp listens on bpf which is before ipf (seen from
    >> outside). So requests and answers won't go through the in-kernel
    >> ip stack and so also not through ipf which listens in front of the ip stack.

    Steven> Run dhcpd only on the inside interface.  It may still be possible to 
    Steven> send it packets via hand-crafted stuff by someone on the outside LAN, 
    Steven> but it should help.

  As has been pointed out, the packets are still seen by dhcpd, and the port
looks open. 

  How can I tell from outside if the machine is still intact, or now has a
trojan on port 68? What does one tell the customer when they hire a 3rd
party to do an audit on the install?

  We need to fix this; let's stop other arguments.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
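One way an auditor can flag exactly this class of port, a UDP port that answers from outside yet has no socket in the kernel IP stack, is to diff a scan against the host's own socket table. This is an added example, not code from the thread; the nmap and netstat listings are constructed samples, and the netstat layout assumed is the BSD `*.port` style.

```python
import re

# Constructed sample of an nmap UDP scan run from an outside host.
NMAP_OUTPUT = """\
PORT       STATE         SERVICE
53/udp     open|filtered domain
67/udp     open|filtered bootps
68/udp     open          bootpc
123/udp    open|filtered ntp
"""

# Constructed sample of `netstat -an` on the scanned host (BSD layout, assumed).
# Only sockets bound in the IP stack appear here; a BPF listener does not.
NETSTAT_OUTPUT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  *.53                   *.*
udp        0      0  *.123                  *.*
"""


def open_udp_ports(nmap_text):
    """UDP ports nmap reports as unambiguously 'open' (not 'open|filtered')."""
    ports = set()
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/udp\s+open\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def bound_udp_ports(netstat_text):
    """UDP ports that have a socket bound in the kernel IP stack."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"udp\S*\s+\d+\s+\d+\s+\S+\.(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def stack_bypassing_ports(nmap_text, netstat_text):
    """Ports visible from outside with no IP-stack socket behind them.

    Something below the stack (a BPF listener such as dhcpd) answered the
    probe, so a filter sitting in front of the stack, like ipf, never saw it.
    """
    return sorted(open_udp_ports(nmap_text) - bound_udp_ports(netstat_text))
```

A non-empty result is the signal the thread is arguing about: the port is reachable regardless of ipf rules, and only inspecting the host (which process holds the bpf device) tells dhcpd apart from something else answering there.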