ufw

DHCP request (and other?) traffic bypasses UFW/iptables firewall

Bug #816786 reported by Robert Lange
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
iptables
Invalid
High
ufw
Invalid
Undecided
Jamie Strandboge

Bug Description

Ubuntu 11.04
ufw 0.30.1-1ubuntu1
iptables 1.4.10-1ubuntu1
isc-dhcp-server 4.1.1-P1-15ubuntu9
All packages up to date as of the filing of this bug.

The bug is fully documented in this bug report that I filed with the iptables/netfilter folks:

http://bugzilla.netfilter.org/show_bug.cgi?id=730

The short short version is that, even if I have an iptables rule to drop all UDP packets to port 67 as the first rule of the INPUT filter chain, the dhcpd daemon still receives DHCP request packets. I can use the iptables TRACE functionality to confirm that iptables thinks it is dropping the packet, but the syslogs (and the fact that a test client system gets an IP address) show that dhcpd receives the packet anyway. I cannot yet determine if dhcpd gets the packet before iptables processes it, or if the iptables DROP function somehow fails.

I believe that this is a bug in iptables upstream, but since I have not yet confirmed that it exists on another distribution, I am posting a bug report here so that the Ubuntu community is made aware of it.

Revision history for this message
Robert Lange (rcl24) wrote :

I have publicly disclosed the bug report, because I discussed it publicly before I realized that it was a bug, so the horse is already out of the barn.

visibility: private → public
Bug Watch Updater (bug-watch-updater)
Changed in iptables:
importance: Unknown → High
status: Unknown → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This potentially sounds like a bug in iptables, not ufw. One thing to remember: when using ufw, connection tracking is enabled so it is possible that the connection tracking module is kicking in. First, let's take ufw out of the equation and do:
$ sudo ufw disable
$ sudo reboot # ensure a clean start
$ sudo iptables -A INPUT -p udp -j DROP
$ sudo ip6tables -A INPUT -p udp -j DROP
<stop the dhcp server, then start it>

Retest connectivity. If the packets are not dropped, please give the output of 'sudo netstat -atuvpn' and any tcpdump output as well as:
$ sudo iptables -L -n
$ sudo ip6tables -L -n

If they are not dropped, it is a problem with iptables/kernel. If they are not, we can look at ufw.

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Revision history for this message
Robert Lange (rcl24) wrote :

Looks like it is not a bug with ufw or iptables.

Per Mark Andrews of isc.org:

"DHCP uses packet filters and these tie into the IP stack before the
firewall."

A different topic, but the explanation is also relevant here:

https://lists.isc.org/pipermail/dhcp-users/2010-January/010723.html

Apparently dhcpd uses raw sockets to maximize its robustness and reliability in dealing with DHCP. Also, it uses as a fallback a UDP socket, and it was the packets to this fallback that iptables was dropping.

So, if your DHCP server operates on the same machine as your firewall, don't expect your firewall to stop traffic to it.

Changed in ufw:
status: Incomplete → Invalid
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for your research and feedback. :)

Bug Watch Updater (bug-watch-updater)
Changed in iptables:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.