DHCP request (and other?) traffic bypasses UFW/iptables firewall
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| iptables | Invalid | High | | |
| ufw | Invalid | Undecided | Jamie Strandboge | |
Bug Description
Ubuntu 11.04
ufw 0.30.1-1ubuntu1
iptables 1.4.10-1ubuntu1
isc-dhcp-server 4.1.1-P1-15ubuntu9
All packages up to date as of the filing of this bug.
The bug is fully documented in this bug report that I filed with the iptables/netfilter folks:
http://
The short short version is that, even if I have an iptables rule to drop all UDP packets to port 67 as the first rule of the INPUT filter chain, the dhcpd daemon still receives DHCP request packets. I can use the iptables TRACE functionality to confirm that iptables thinks it is dropping the packet, but the syslogs (and the fact that a test client system gets an IP address) show that dhcpd receives the packet anyway. I cannot yet determine if dhcpd gets the packet before iptables processes it, or if the iptables DROP function somehow fails.
I believe that this is a bug in iptables upstream, but since I have not yet confirmed that it exists on another distribution, I am posting a bug report here so that the Ubuntu community is made aware of it.
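The symptom described above (a TRACE entry showing the packet hitting the DROP rule at the top of filter/INPUT, followed by dhcpd logging the same client's request) can be checked mechanically from syslog. The script below is an added example, not code from this bug report or from the ufw, iptables or isc-dhcp-server packages. It parses constructed syslog lines (hostname, timestamps, MAC addresses and IPs are all made up) and pairs each TRACE hit on the configured drop rule with a dhcpd DHCPDISCOVER/DHCPREQUEST from the same client MAC within a short window. The rule position (rule 1 in filter/INPUT), the five-second window and the dhcpd message forms are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not taken from the bug report). The first
# two kernel lines are what xt_TRACE emits for one DHCP broadcast; the dhcpd
# lines show the daemon handling the very packet that rule 1 "dropped".
SAMPLE_LOG = """\
May  3 10:15:01 dhcphost kernel: [ 412.100] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
May  3 10:15:01 dhcphost kernel: [ 412.101] TRACE: filter:INPUT:rule:1 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
May  3 10:15:01 dhcphost dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
May  3 10:15:02 dhcphost dhcpd: DHCPOFFER on 192.0.2.100 to 00:11:22:33:44:55 via eth0
May  3 10:20:30 dhcphost kernel: [ 741.500] TRACE: filter:INPUT:rule:1 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w\-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# xt_TRACE format: "TRACE: table:chain:type:rulenum <packet fields>"
TRACE_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<num>\d+) (?P<fields>.*)")
# Client-originated dhcpd messages; the client MAC is the first MAC in the line.
DHCPD_RE = re.compile(
    r"^(?P<type>DHCP(?:DISCOVER|REQUEST|INFORM|RELEASE)) .*?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def _parse_ts(raw):
    # Syslog carries no year; only deltas between lines matter here.
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S")


def parse(log_text):
    """Split a syslog excerpt into TRACE hits for UDP/67 and dhcpd client messages."""
    traces, dhcp = [], []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, prog, msg = _parse_ts(m["ts"]), m["prog"], m["msg"]
        if prog == "kernel":
            t = TRACE_RE.search(msg)
            if not t:
                continue
            fields = dict(re.findall(r"(\w+)=(\S*)", t["fields"]))
            if fields.get("PROTO") != "UDP" or fields.get("DPT") != "67":
                continue
            # MAC= is dst(6):src(6):ethertype(2); the client is the source.
            parts = fields.get("MAC", "").split(":")
            src_mac = ":".join(parts[6:12]) if len(parts) >= 12 else None
            traces.append({"ts": ts, "table": t["table"], "chain": t["chain"],
                           "kind": t["kind"], "num": int(t["num"]), "src_mac": src_mac})
        elif prog == "dhcpd":
            d = DHCPD_RE.match(msg)
            if d:
                dhcp.append({"ts": ts, "type": d["type"], "mac": d["mac"]})
    return traces, dhcp


def find_bypass(log_text, drop_rule=("filter", "INPUT", 1), window=timedelta(seconds=5)):
    """Return one finding per packet that TRACE shows hitting the DROP rule
    but that dhcpd nevertheless logs as received from the same client MAC."""
    traces, dhcp = parse(log_text)
    table, chain, num = drop_rule
    findings = []
    for t in traces:
        if (t["table"], t["chain"], t["kind"], t["num"]) != (table, chain, "rule", num):
            continue
        for d in dhcp:
            if d["mac"] == t["src_mac"] and timedelta(0) <= d["ts"] - t["ts"] <= window:
                findings.append({"client_mac": d["mac"], "dhcpd_msg": d["type"],
                                 "trace": f"{table}:{chain}:rule:{num}",
                                 "when": t["ts"].strftime("%b %d %H:%M:%S")})
                break
    return findings


if __name__ == "__main__":
    for f in find_bypass(SAMPLE_LOG):
        print(f"{f['when']} {f['trace']} dropped UDP/67 from {f['client_mac']}, "
              f"yet dhcpd logged {f['dhcpd_msg']} from that client")
```

Feed it the kernel and dhcpd lines from /var/log/syslog after enabling TRACE for UDP/67 in the raw table. Any pairing it reports means the filter/INPUT verdict was not the last word for that frame: a daemon reading from an AF_PACKET socket, as ISC dhcpd does on Linux, is handed its copy of the frame before the IP-layer netfilter hooks run, so an INPUT DROP does not prevent it from seeing the request. The second TRACE line in the sample (client 00:aa:bb:cc:dd:ee) has no matching dhcpd message and is deliberately not reported, so the check does not fire merely because a rule was hit.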
Changed in iptables:
importance: Unknown → High
status: Unknown → Confirmed
Changed in iptables:
status: Confirmed → Invalid
I have publicly disclosed the bug report, because I discussed it publicly before I realized that it was a bug, so the horse is already out of the barn.