Mailinglist Archive: opensuse-security (408 mails)
Re: [suse-security] SuSEfirewall2 vs. DHCP
- From: Alan Hadsell <ahadsell@xxxxxxxxxxxx>
- Date: Mon, 01 Apr 2002 13:10:47 -0600
- Message-id: <uelhz6xqg.fsf@xxxxxxxxxxxx>
Erwin Lam <erwin.lam@xxxxxxx> writes:
> On Mon, 1 Apr 2002, Alan Hadsell wrote:
>
> AH> My problem: When the DHCP lease times out, the firewall box can't
> AH> acquire a new one. It appears that the firewall's anti-spoofing rules
> AH> are blocking the DHCP server's reply. At the time when this happens,
> AH> I get numerous SuSE-FW-DROP-ANTI-SPOOFING messages with source port =
> AH> 67 and destination port = 68. At this point, I lose all Internet
> AH> connectivity until I reboot the firewall box.
> AH>
> AH> My configuration includes FW_SERVICE_DHCLIENT="yes".
> You also need to set
>
> FW_SERVICES_EXT_UDP="bootpc"
This should be equivalent to FW_SERVICES_EXT_UDP="68", right? OK,
I'll try that. I guess I don't understand why it's necessary, though.
The script says:
,----[ from SuSEfirewall2 ]
| test "$FW_SERVICE_DHCLIENT" = yes && {
| $LAA $IPTABLES -A INPUT -j LOG ${LOG}"-ACCEPT " -p udp --sport 67 -d 255.255.255.255/32 --dport 68
| $IPTABLES -A INPUT -j "$ACCEPT" -m state --state ESTABLISHED -p udp --sport 67 -d 255.255.255.255/32 --dport 68
| }
`----
...which seems to imply that any such packet would be accepted, and
not hit the anti-spoofing rules (which are applied later). Or is it
tripping over the "--state ESTABLISHED"?
I also don't understand this: if this is an issue of not ACCEPTing the
message, why don't I get UNALLOWED-TARGET messages, rather than
ANTI-SPOOFING messages (in other words, I don't understand why it has
decided this is a spoofed message rather than just one directed to a
closed port).
--
Alan Hadsell
"Whatever does not kill me makes me stranger".
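The question of whether the quoted rule is "tripping over the --state ESTABLISHED" can be checked with a small model of how netfilter pairs replies to tracked flows. The following Python is an added example, not code from the thread or from SuSEfirewall2: the rule list is a stand-in for the generated INPUT chain (a LOG rule, the stateful ACCEPT, and a generic logging DROP in place of whatever later rule catches the packet), the connection tracker is simplified (no timeouts, no helpers), and the DHCP server address 192.0.2.1 is constructed. It walks a DHCPOFFER (UDP 67 to 68, sent to 255.255.255.255) through the chain twice, once with the state match as quoted and once with it removed.

```python
"""Toy model of iptables INPUT-chain evaluation plus connection tracking.
Constructed illustration: the rules below stand in for, and are not a copy
of, the chains SuSEfirewall2 generates."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class Conntrack:
    """Flows are keyed on their original 5-tuple. A packet counts as
    ESTABLISHED only if it is the exact reverse of a flow already seen
    (or belongs to a flow that has already seen such a reply)."""

    def __init__(self) -> None:
        self.flows = set()
        self.replied = set()

    def classify(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.flows:
            self.replied.add(rev)
            return "ESTABLISHED"
        if fwd in self.replied:
            return "ESTABLISHED"
        self.flows.add(fwd)
        return "NEW"


@dataclass
class Rule:
    target: str                      # "LOG" (non-terminating), "ACCEPT", "DROP"
    label: str = ""                  # log prefix, only used by LOG rules
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dst: Optional[str] = None
    state: Optional[str] = None      # models '-m state --state X'

    def matches(self, p: Packet, state: str) -> bool:
        return all([
            self.proto is None or self.proto == p.proto,
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
            self.dst is None or self.dst == p.dst,
            self.state is None or self.state == state,
        ])


def run_chain(rules: List[Rule], p: Packet, ct: Conntrack) -> Tuple[str, List[str]]:
    """Evaluate rules in order: LOG records a prefix and continues, the first
    ACCEPT/DROP terminates. Returns (verdict, log prefixes emitted)."""
    state = ct.classify(p)
    logged: List[str] = []
    for r in rules:
        if not r.matches(p, state):
            continue
        if r.target == "LOG":
            logged.append(r.label)
            continue
        return r.target, logged
    return "DROP(policy)", logged


def dhclient_rules(stateful: bool) -> List[Rule]:
    """Mirror of the quoted fragment: LOG without a state match, then ACCEPT
    with (or, for comparison, without) '--state ESTABLISHED', followed by a
    stand-in for the later rules that drop and log what fell through."""
    return [
        Rule("LOG", label="SuSE-FW-ACCEPT", proto="udp", sport=67, dport=68, dst=BROADCAST),
        Rule("ACCEPT", proto="udp", sport=67, dport=68, dst=BROADCAST,
             state="ESTABLISHED" if stateful else None),
        Rule("LOG", label="later-DROP-rule"),   # stand-in, not SuSEfirewall2's own label
        Rule("DROP"),
    ]


def dhcp_exchange(stateful: bool) -> Tuple[str, List[str]]:
    ct = Conntrack()
    # DHCPDISCOVER leaves the box from 0.0.0.0:68 to the broadcast address;
    # only conntrack sees it here (it would traverse OUTPUT, not INPUT).
    ct.classify(Packet("0.0.0.0", 68, BROADCAST, 67))
    # DHCPOFFER comes back from the server's own unicast address (constructed),
    # so it is not the reverse of the tracked tuple and is classified NEW.
    offer = Packet("192.0.2.1", 67, BROADCAST, 68)
    return run_chain(dhclient_rules(stateful), offer, ct)


if __name__ == "__main__":
    print("stateful ACCEPT:  ", dhcp_exchange(True))
    print("stateless ACCEPT: ", dhcp_exchange(False))
```

In this model the stateful variant lets the OFFER fall through to the later rule, and because the quoted LOG rule carries no state match it still emits its "-ACCEPT" prefix first, so a log can show an ACCEPT line followed by a DROP line for the same packet. Removing the state match from the ACCEPT, which is roughly what opening UDP port 68 on the external interface amounts to, accepts the reply before any later rule sees it.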