When I set up any machine on my network, it picks up an IP number from somewhere, but not from my domain. I assume whatever port DHCP works on is open, allowing it to pick up an IP from an outside DHCP server. Which port/protocol do I block to stop machines picking up this outside DHCP server? Thanks all, Elf.
Elf,

> When I set up any machine on my network, it picks up an IP number from somewhere, but not from my domain. I assume whatever port DHCP works on is open, allowing it to pick up an IP from an outside DHCP server. Which port/protocol do I block to stop machines picking up this outside DHCP server?

I am not sure whether DHCP is a routable protocol in the first place; if it is not, an outside machine can neither receive nor answer DHCP requests from your machines. AFAIK DHCP clients broadcast on their subnet only. But why not use a port scanner to check for open ports and network-monitoring software to see where the answers to the DHCP requests come from?

Regards, Roland
> When I set up any machine on my network, it picks up an IP number from somewhere, but not from my domain. I assume whatever port DHCP works on is open, allowing it to pick up an IP from an outside DHCP server. Which port/protocol do I block to stop machines picking up this outside DHCP server?

> I am not sure whether DHCP is a routable protocol in the first place; if it is not, an outside machine can neither receive nor answer DHCP requests from your machines. AFAIK DHCP clients broadcast on their subnet only.

Here you can check it out: http://www.udel.edu/network/how.html
Summary: Ethernet broadcasts; if a router on the Ethernet knows a DHCP server outside, it will route the request, masked with its own IP.
On Fri, Feb 15, 2002 at 09:57:21AM +0100, Roland Salzburger wrote:
> Elf,

> When I set up any machine on my network, it picks up an IP number from somewhere, but not from my domain. I assume whatever port DHCP works on is open, allowing it to pick up an IP from an outside DHCP server. Which port/protocol do I block to stop machines picking up this outside DHCP server?

> I am not sure whether DHCP is a routable protocol in the first place; if it is not, an outside machine can neither receive nor answer DHCP requests from your machines. AFAIK DHCP clients broadcast on their subnet only.

Yes, DHCP operates at link level (at least for the broadcasts). However, the protocol allows relaying the packets (then via unicast) to a DHCP server on another physical network. But you need a DHCP gateway for that.

> But why not use a port scanner to check for open ports and network-monitoring software to see where the answers to the DHCP requests come from?

Why not run the DHCP client in debug mode and look into the log files? :)

The ports to be blocked would be 67 and 68 (UDP). Try 'tcpdump -i <device> port 67 or port 68'.

Note that some OSes, if they are configured as DHCP clients but there is no server answering, try and pick random addresses in the 169.254.x.x (LINKLOCAL) range (MacOS, Windows).

Peter
-- 
VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
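One way to act on Peter's suggestion of watching where the answers come from, as an added example that is not from any poster in this thread: a small Python parser for the UDP 67/68 payload of DHCPOFFER/DHCPACK messages that reports the server identifier (option 54), the offered address, whether a relay forwarded the packet (non-zero giaddr), and flags any server not on an assumed allow-list. The allow-list address and the sample packets are constructed for this example.

```python
import struct
import ipaddress

# Assumed allow-list of legitimate DHCP servers on this LAN (example value, replace with your own).
AUTHORIZED_SERVERS = {"192.168.1.1"}
DHCP_OFFER, DHCP_ACK = 2, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 options follow this cookie at offset 236

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload (ports 67/68) of one BOOTP/DHCP message into header fields and options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    addr = lambda off: str(ipaddress.IPv4Address(payload[off:off + 4]))
    msg = {"op": op, "hops": hops, "xid": xid, "yiaddr": addr(16), "siaddr": addr(20),
           "giaddr": addr(24), "options": {}}
    i = 240
    while i < len(payload):                      # options are TLV; 0 = pad, 255 = end
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def classify_reply(payload: bytes, authorized=AUTHORIZED_SERVERS):
    """Return a verdict for a server reply, or None if the packet is not an OFFER/ACK."""
    msg = parse_dhcp(payload)
    if msg["options"].get(53, b"\x00")[0] not in (DHCP_OFFER, DHCP_ACK):
        return None
    sid = msg["options"].get(54)                 # option 54: server identifier
    server = str(ipaddress.IPv4Address(sid)) if sid else msg["siaddr"]
    return {"server": server, "offered": msg["yiaddr"], "xid": msg["xid"],
            "relayed": msg["giaddr"] != "0.0.0.0",   # non-zero giaddr means a relay forwarded it
            "verdict": "authorized" if server in authorized else "ROGUE"}

def build_reply(server, yiaddr, msg_type=DHCP_OFFER, giaddr="0.0.0.0", xid=0x3903F326):
    """Construct a minimal DHCPOFFER/DHCPACK payload (sample data for testing, not a real capture)."""
    p = lambda ip: ipaddress.IPv4Address(ip).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + bytes(4) + p(yiaddr) + p(server) + p(giaddr)
    hdr += bytes.fromhex("001122334455") + bytes(10) + bytes(192)   # chaddr (16), sname (64), file (128)
    opts = bytes([53, 1, msg_type, 54, 4]) + p(server) + bytes([255])
    return hdr + MAGIC_COOKIE + opts

if __name__ == "__main__":
    for pkt in (build_reply("192.168.1.1", "192.168.1.50"), build_reply("10.0.0.1", "10.0.0.77")):
        print(classify_reply(pkt))
```

Feed it the UDP payloads from a 'tcpdump -i <device> -w' capture of port 67 or port 68 and any "ROGUE" verdict points at the unexpected server.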
On Thursday 14 February 2002 05:03 am, elfed lewis wrote:
> When I set up any machine on my network, it picks up an IP number from somewhere, but not from my domain. I assume whatever port DHCP works on is open, allowing it to pick up an IP from an outside DHCP server. Which port/protocol do I block to stop machines picking up this outside DHCP server?
> Thanks all, Elf.

Betcha dollars to donuts you've got a rogue DHCP server in-house. Unless you hung a machine on the wrong side of the firewall, it's most probable that it is in fact coming from your network.

Ports? We don't need no stinkin' ports...
-- 
_________________________________
John Andersen / Juneau Alaska
> Betcha dollars to donuts you've got a rogue DHCP server in-house. Unless you hung a machine on the wrong side of the firewall, it's most probable that it is in fact coming from your network.

> Ports? We don't need no stinkin' ports...

Some ports seem to stink (ok - higher ip rev)

cat /etc/services | grep -i dhcp ??

/sbin/SuSEfirewall2 snip ------
######################
# Allow DHCP replies #
######################
test "$FW_SERVICE_DHCLIENT" = yes && {
$LAA $IPTABLES -A INPUT -j LOG ${LOG}-ACCEPT -p udp --sport 67 -d 255.255.2
$IPTABLES -A INPUT -j "$ACCEPT" -m state --state ESTABLISHED -p udp --spor
}
test "$FW_SERVICE_DHCPD" = yes && {
$LAA $IPTABLES -A INPUT -j LOG ${LOG}-ACCEPT -p udp --sport 68 -d 255.255.2
$IPTABLES -A INPUT -j "$ACCEPT" -m state --state NEW,ESTABLISHED -p udp --
}
----- snap

shows that UDP ports 67/68 are involved. Please enlighten us! They smell! :O)_

Michael Appeldorn

PS: Me German (as you can read) - so what does "Betcha dollars to donuts" mean?
On Friday 15 February 2002 12:40 am, Michael Appeldorn wrote:
> shows that UDP ports 67/68 are involved.
> Please enlighten us! They smell!
> :O)_

But he would have to have a DHCP relay for an off-site DHCP server to get through, and he would surely know if he had set such a thing up. More likely someone put a Linux box or a Win2k box on his inside net and mistakenly turned on dhcpd rather than dhcpc.

I've seen people put rogue DHCP servers dishing out 192.168 IPs on the public side of a cable modem. Boy does THAT inconvenience a lot of people.

I forget how DHCP works, but it seems to me it initially runs in ARP, not IP.
-- 
_________________________________
John Andersen / Juneau Alaska
participants (6):
- elfed lewis
- John Andersen
- Michael Appeldorn
- Peter Poeml
- Roland Salzburger
- Stefan Waidele jun.