From owner-freebsd-security@FreeBSD.ORG Wed Dec 16 17:43:54 2009
Date: Wed, 16 Dec 2009 19:31:27 +0200
From: Nikos Ntarmos <ntarmos@cs.uoi.gr>
To: freebsd-security@freebsd.org
Subject: dhclient and pf/ipf/ipfw
Message-ID: <20091216173127.GA15741@ace.cs.uoi.gr>
Organization: Computer Science Dept., U. of Ioannina, Greece
List-Id: "Security issues [members-only posting]"

Hi all.

I recently turned net.inet.udp.log_in_vain on on some of my boxen and have been seeing UDP connection attempts to port 67 on the local host. This initially seemed odd, as the target IP address was indeed that of a DHCP-configured interface and the source address was that of my DHCP server. However, it turns out this is totally valid, as dhclient(8) does not bind(2) on the bootpc port but rather uses bpf(4) to intercept incoming (e.g. DHCPACK) packets destined to the local machine.

Nothing wrong with this (other than the occasional log entries), but it got me thinking that there is no need for a firewall rule to allow this sort of traffic on the ingress path on single-host configurations. Moreover, even if there is an inbound deny rule, dhclient(8) will still be able to "receive" those DHCP reply packets (outbound broadcast packets (e.g. DHCPDISCOVER) will also go out just fine, but we still need an outbound allow rule to let unicast messages leave the local host).

Should we update the relevant pf/ipf/ipfw/dhclient manpages, handbook sections, and example configurations (at least those that have a rule to allow incoming DHCP traffic)?

Along the same lines, should udp.log_in_vain be somehow informed to ignore connections to local port 67 from (a possible list of) DHCP servers, or even have dhclient(8) bind(2) on UDP port 67 and ignore any incoming messages?

Cheers.

PS: Sorry if this has come up again in the past; some googling through mailing list archives didn't turn up anything related.
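A pf.conf fragment that spells out which DHCP rules a single dhclient(8) host actually needs, following the reasoning in the message above. This is an added example, not part of the original post or of any FreeBSD-shipped configuration; the interface name em0 is an assumption.

```pf
# Added example: pf(4) rules for a host that gets its address on em0
# via dhclient(8). Interface name is assumed.
ext_if = "em0"

# Default-deny in both directions.
block all

# OUTBOUND DHCP: needed.
# The initial DHCPDISCOVER is a broadcast that dhclient(8) writes through
# bpf(4), so it leaves regardless of this rule. Unicast renewals
# (DHCPREQUEST to the lease-holding server) are sent through the socket
# layer and are dropped by the default deny unless a rule lets them out.
pass out quick on $ext_if proto udp from any port 68 to any port 67 keep state

# INBOUND DHCP: no "pass in" rule is needed for dhclient(8).
# DHCPOFFER/DHCPACK replies are copied to dhclient(8) by the bpf(4) tap
# at the link layer, independently of the verdict pf reaches later on
# the same packet. The rule below therefore does not break address
# acquisition; it only silences the net.inet.udp.log_in_vain entries,
# because pf drops the packet in its pfil(9) input hook before the UDP
# layer gets to log the "connection attempt" to the unbound port.
block in quick on $ext_if proto udp from any port 67 to any port 68
```

Note that a bridge, a DHCP relay, or a host running a DHCP server is a different case: those deliver DHCP traffic through the IP stack and do need inbound rules.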