Hello all,

I'm going mad here, ever since upgrading to shorewall 2.0 any broadcast dhcp packet is seen by my firewall and logged. With the 1.X series I stopped this, although I don't remember how. I searched the faq, mailing list and good old friend google, but no success.

I tried the following rules: (I know I mix the src & dst ports, but just to be sure, and to work around my stupidity sometimes ;-))

DROP lan fw udp 67 68
DROP lan fw udp 68 67
DROP lan fw udp 68
DROP lan fw udp 67
DROP lan:eth2 fw udp 67
DROP lan:eth2 fw udp 68

The only way I could fix it is:

iptables -I INPUT 1 -i eth2 -p udp --sport 68 --dport 67 -j DROP

The log, the input chain and the eth2_in chain that is used in this are attached and at the bottom of the email. Basically what I'm looking for is a way to add an entry to the top of either the input or the eth2_in chain.

Interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
adsl    eth0        detect      routefilter,norfc1918,nobogons,nosmurfs,arp_filter
dmz     eth1        detect      routefilter,norfc1918,nobogons,nosmurfs,arp_filter
lan     eth2        detect      routefilter,norfc1918,nobogons,nosmurfs,arp_filter
net     ppp0        -           routefilter,norfc1918,nobogons,nosmurfs,arp_filter
vpn     tun0        -           routefilter,nosmurfs,arp_filter
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Version info:
Shorewall 2.0.6
Kernel 2.4.22-1.2197.nptlsmp from FC1
iptables v1.2.9

If more info is required please let me know.
The log that shows up is (see also the attachment, as this is wrapped here):

Jul 29 20:07:20 hn00sia01 kernel: Shorewall:bogons:DROP:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:c3:7d:ab:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=128 ID=52808 PROTO=UDP SPT=68 DPT=67 LEN=320

Looking at the INPUT and eth2_in chains (again see attachment):

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts  bytes  target    prot  opt  in    out  source     destination
  356  34965  ACCEPT    all   --   lo    *    0.0.0.0/0  0.0.0.0/0
    0      0  DROP     !icmp  --   *     *    0.0.0.0/0  0.0.0.0/0   state INVALID
 2036 865203  eth0_in   all   --   eth0  *    0.0.0.0/0  0.0.0.0/0
  483  37624  eth1_in   all   --   eth1  *    0.0.0.0/0  0.0.0.0/0
 3745 449828  eth2_in   all   --   eth2  *    0.0.0.0/0  0.0.0.0/0
  667 147650  ppp0_in   all   --   ppp0  *    0.0.0.0/0  0.0.0.0/0
    0      0  tun0_in   all   --   tun0  *    0.0.0.0/0  0.0.0.0/0
    0      0  Reject    all   --   *     *    0.0.0.0/0  0.0.0.0/0
    0      0  LOG       all   --   *     *    0.0.0.0/0  0.0.0.0/0   LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0      0  reject    all   --   *     *    0.0.0.0/0  0.0.0.0/0

Chain eth2_in (1 references)
 pkts  bytes  target     prot  opt  in  out  source     destination
  404  42719  dynamic    all   --   *   *    0.0.0.0/0  0.0.0.0/0   state INVALID,NEW
  404  42719  smurfs     all   --   *   *    0.0.0.0/0  0.0.0.0/0   state NEW
  404  42719  norfc1918  all   --   *   *    0.0.0.0/0  0.0.0.0/0   state NEW
  404  42719  nobogons   all   --   *   *    0.0.0.0/0  0.0.0.0/0   state NEW
 3859 464078  eth2_dyni  all   --   *   *    0.0.0.0/0  0.0.0.0/0
 3859 464078  lan2fw     all   --   *   *    0.0.0.0/0  0.0.0.0/0

Thanks in advance
Stijn

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
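The log line quoted above is the signature of a DHCP client broadcast: SRC=0.0.0.0, DST=255.255.255.255, UDP port 68 to 67. Before deciding how to treat the bogons check, it helps to know how much of the logged noise is that traffic and how much is something else. The following shell/awk script is an added example and not code from the thread or from the Shorewall project; the function names classify_line and summarize_log are my own, the first sample log line is the one from the post, and the other two sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sort Shorewall "bogons" drop log lines
# into DHCP client broadcasts and everything else.
# A DHCP DISCOVER/REQUEST from a client that has no address yet is sent from
# SRC=0.0.0.0 to DST=255.255.255.255, UDP source port 68, destination port 67;
# that is exactly the packet the nobogons check drops and logs in the thread.

# classify_line LINE
# Prints "dhcp-broadcast" for a bogons drop of such a DHCP broadcast,
# "bogon" for any other bogons drop, and "other" for non-bogons lines.
classify_line() {
    printf '%s\n' "$1" | awk '
    {
        src = ""; dst = ""; proto = ""; spt = ""; dpt = ""; prefix = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^Shorewall:/) prefix = $i
            else if ($i ~ /^SRC=/)       src    = substr($i, 5)
            else if ($i ~ /^DST=/)       dst    = substr($i, 5)
            else if ($i ~ /^PROTO=/)     proto  = substr($i, 7)
            else if ($i ~ /^SPT=/)       spt    = substr($i, 5)
            else if ($i ~ /^DPT=/)       dpt    = substr($i, 5)
        }
        if (prefix !~ /^Shorewall:bogons:/) { print "other"; exit }
        if (src == "0.0.0.0" && dst == "255.255.255.255" &&
            proto == "UDP" && spt == "68" && dpt == "67")
            print "dhcp-broadcast"
        else
            print "bogon"
    }'
}

# summarize_log FILE
# Prints a count of DHCP broadcasts versus other bogons drops in FILE.
summarize_log() {
    dhcp=0; bogon=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            dhcp-broadcast) dhcp=$((dhcp + 1)) ;;
            bogon)          bogon=$((bogon + 1)) ;;
        esac
    done < "$1"
    printf 'dhcp-broadcast=%d bogon=%d\n' "$dhcp" "$bogon"
}

# Constructed sample log: the first line is the one from the thread; the
# other two are made up to show a non-DHCP bogons drop and an unrelated line.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jul 29 20:07:20 hn00sia01 kernel: Shorewall:bogons:DROP:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:c3:7d:ab:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=128 ID=52808 PROTO=UDP SPT=68 DPT=67 LEN=320
Jul 29 20:09:41 hn00sia01 kernel: Shorewall:bogons:DROP:IN=eth2 OUT= MAC=00:02:a5:c3:7d:ab:00:02:a5:11:22:33:08:00 SRC=127.0.0.1 DST=192.168.175.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=1025 DPT=22
Jul 29 20:10:02 hn00sia01 kernel: Shorewall:INPUT:REJECT:IN=eth2 OUT= MAC=00:02:a5:c3:7d:ab:00:02:a5:44:55:66:08:00 SRC=192.168.175.10 DST=192.168.175.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=1026 DPT=23
EOF
summarize_log "$sample_log"      # prints: dhcp-broadcast=1 bogon=1
rm -f "$sample_log"
```

Run it against the real kernel log (for example `summarize_log /var/log/messages`) to see whether the bogons counter is made up entirely of DHCP broadcasts from the LAN, which are harmless noise on a segment with a DHCP server, or whether other source addresses are being dropped there too and deserve attention before any exception is added.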
Stijn Jonker wrote:
> lan eth2 detect routefilter,norfc1918,nobogons,nosmurfs,arp_filter

Set the dhcp option!!

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom,

Tom Eastep said the following on 29-Jul-04 20:46:
> Stijn Jonker wrote:
>
>> lan eth2 detect routefilter,norfc1918,nobogons,nosmurfs,arp_filter
>
> Set the dhcp option!!

Hmm, in that case I don't understand the docs. The option DHCP is for when either the firewall is running dhcpd or gets an IP address by dhcp, correct? (Again, maybe I'm acting stupid.)

I assume you refer to this: "You may also wish to use this option if you have a static IP but you are on a LAN segment that has a lot of Laptops that use DHCP and you select the norfc1918 option (see below)."

By setting the DHCP option, I make the FW accept the dhcp packet. Although there isn't anything listening, imho a fw should not be open for services it doesn't offer.

In my case the firewall is on a lan (same broadcast domain) where a dhcp server is active. When a client is doing a dhcp request the dhcp server sees the packet and answers the request.

The issue is the firewall sees it as well and logs it.

My network drawing in ascii:

Network: 192.168.175.0/24

   dhcpd          client
    .1|             |
   -------------------------
              .254|
               firewall - <dmz>
               |       \
          <internet>  <vpn>

Client sends dhcp discover: layer 2 broadcast (ff:ff:ff:ff:ff) destination, layer 3 broadcast: 255.255.255.255

192.168.175.1 answers the dhcp discover, further communication is layer 2 unicast. But the firewall is seeing the initial layer 2/3 broadcast, and dropping this in the bogons list.

The final, not so nice option is of course to add the manual iptables entry to one of the initialization files.

Thanks again.

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Stijn Jonker wrote:
>
> I assume you refer to this: "You may also wish to use this option if you
> have a static IP but you are on a LAN segment that has a lot of Laptops
> that use DHCP and you select the norfc1918 option (see below)."

Yes.

>
> By setting the DHCP option, I make the FW accept the dhcp packet.
> Although there isn't anything listening, imho a fw should not be open
> for services it doesn't offer.

Whether your firewall eats DHCP broadcasts or ignores them is irrelevant.

>
> In my case the firewall is on a lan (same broadcast domain) where a
> dhcp server is active. When a client is doing a dhcp request the dhcp
> server sees the packet and answers the request.
>
> The issue is the firewall sees it as well and logs it.
>
> My network drawing in ascii:
>
> Network: 192.168.175.0/24
>
>    dhcpd          client
>     .1|             |
>    -------------------------
>               .254|
>                firewall - <dmz>
>                |       \
>           <internet>  <vpn>
>
> Client sends dhcp discover: layer 2 broadcast (ff:ff:ff:ff:ff)
> destination, layer 3 broadcast: 255.255.255.255
>
> 192.168.175.1 answers the dhcp discover, further communication is layer
> 2 unicast. But the firewall is seeing the initial layer 2/3 broadcast,
> and dropping this in the bogons list.

You can always add this entry at the head of the bogons file:

0.0.0.0 DROP

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> Stijn Jonker wrote:
>
>>
>> I assume you refer to this: "You may also wish to use this option if
>> you have a static IP but you are on a LAN segment that has a lot of
>> Laptops that use DHCP and you select the norfc1918 option (see below)."
>
> Yes.
>
>>
>> By setting the DHCP option, I make the FW accept the dhcp packet.
>> Although there isn't anything listening, imho a fw should not be open
>> for services it doesn't offer.
>
> Whether your firewall eats DHCP broadcasts or ignores them is irrelevant.
>
>>
>> In my case the firewall is on a lan (same broadcast domain) where a
>> dhcp server is active. When a client is doing a dhcp request the dhcp
>> server sees the packet and answers the request.
>>
>> The issue is the firewall sees it as well and logs it.
>>
>> My network drawing in ascii:
>>
>> Network: 192.168.175.0/24
>>
>>    dhcpd          client
>>     .1|             |
>>    -------------------------
>>               .254|
>>                firewall - <dmz>
>>                |       \
>>           <internet>  <vpn>
>>
>> Client sends dhcp discover: layer 2 broadcast (ff:ff:ff:ff:ff)
>> destination, layer 3 broadcast: 255.255.255.255
>>
>> 192.168.175.1 answers the dhcp discover, further communication is
>> layer 2 unicast. But the firewall is seeing the initial layer 2/3
>> broadcast, and dropping this in the bogons list.
>
> You can always add this entry at the head of the bogons file:
>
> 0.0.0.0 DROP
>

Or

0.0.0.0 RETURN

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
>
> Or
>
> 0.0.0.0 RETURN
>

A 'bogons' file with that entry included is available from the Shorewall Errata page. The change will be included in 2.0.7

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom,

Thanks a lot.

Tom Eastep said the following on 29-Jul-04 23:26:
> Tom Eastep wrote:
>
>>
>> Or
>>
>> 0.0.0.0 RETURN
>>
>
> A 'bogons' file with that entry included is available from the Shorewall
> Errata page. The change will be included in 2.0.7
>
> -Tom

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>