DHCP can punch through a locked down firewall
2005-01-05 - By Ian Laurie
While investigating some DHCP issues, I came across a very disturbing firewall issue in RHEL3 U4 that has me more than a little concerned.
My configuration:

    kernel-2.4.21-27.0.1.EL
    dhcp-3.0.1-10_EL3
    iptables-1.2.8-12.3
If I lock down the system with:

    server# service iptables panic

Then just to be really sure:

    server# iptables -I INPUT -j DROP
    server# iptables -I OUTPUT -j DROP
    server# iptables -I FORWARD -j DROP

Then, to make sure the system heard me:

    server# iptables-save
    # Generated by iptables-save v1.2.8 on Wed Dec 29 12:29:03 2004
    *filter
    :INPUT DROP [23:2331]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [4:1212]
    -A INPUT -j DROP
    -A FORWARD -j DROP
    -A OUTPUT -j DROP
    COMMIT
    # Completed on Wed Dec 29 12:29:03 2004
    server#

Now, my understanding is that I may as well have pulled eth0 out of the PCI socket, right? This should kill networking stone dead?

I rebooted another PC that needs DHCP, it renewed its lease using the locked down server, and this was in the log file on the server:

    Dec 29 12:32:55 server dhcpd: DHCPREQUEST for 10.105.108.128 from 00:e0:29:94:64:b0 via eth0
    Dec 29 12:32:55 server dhcpd: DHCPACK on 10.105.108.128 to 00:e0:29:94:64:b0 via eth0
I don't recall installing a telepathic network adapter..... Can anyone offer some advice on this issue?
Is dhcpd supposed to be able to get packets and send packets, while bypassing the firewall completely?
I have repeated the tests over the past days; it is 100% repeatable that an FC3 box can renew a lease through a locked down RHEL3 server. Interestingly, a WinXP box could not. With some logging rules, it seemed dhcpd was getting the lease request, but returned an error sending the response (ERRNO=Operation not permitted), which you would expect when the OUTPUT chain is locked down. Yet when renewing a lease for FC3, the response packet *could* make it out. In both cases dhcpd got the request through a locked down INPUT chain.
I'm either "really missing something" or I've found the bug of the month.
Thanks for any help
Ian
--
Taroon-list mailing list
Taroon-list@(protected)
http://www.redhat.com/mailman/listinfo/taroon-list
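The behaviour reported above is not a netfilter bug: ISC dhcpd on Linux sends and receives through an AF_PACKET (link-layer, "LPF") socket, and frames on such a socket never pass the IP-layer hooks that the iptables INPUT and OUTPUT chains attach to, so "service iptables panic" leaves a running dhcpd able to talk to the wire. The practical check for a host administrator is therefore "which processes hold packet sockets?", and the reliable way to silence them is to stop the process, not to add rules. The script below is an added example, not part of the post or of the dhcp package: it parses the /proc/net/packet table (the column layout of net/packet/af_packet.c) and maps each socket back to its owning pid via /proc/<pid>/fd. The sample table is constructed, and the function names are the example's own.

```python
#!/usr/bin/env python3
"""Audit AF_PACKET (link-layer) sockets on a Linux host.

Added example (hypothetical helper, not from the dhcp package): packet
sockets receive and emit raw frames below the netfilter hooks used by
the iptables filter table, so listing them shows which processes can
talk past an otherwise locked down INPUT/OUTPUT chain.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values from <bits/socket_type.h> and <linux/if_ether.h>.
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_PROTOS = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP"}

# Constructed sample in the layout of /proc/net/packet
# (kernel: net/packet/af_packet.c, packet_seq_show). Not captured data.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0800   2     1 0      0      21875 
0000000000000000 3      2    0003   0     1 0      1000   21990 
"""


@dataclass
class PacketSocket:
    sock_type: str   # SOCK_RAW (whole frame) or SOCK_DGRAM (link header stripped)
    proto: str       # ethertype the socket is bound to
    ifindex: int     # 0 means "every interface"
    running: bool    # bound and active
    uid: int
    inode: int


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table; the first line is the column header."""
    sockets: List[PacketSocket] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue  # blank or truncated line
        _sk, _refcnt, stype, proto, iface, running, _rmem, uid, inode = fields[:9]
        proto_num = int(proto, 16)
        sockets.append(PacketSocket(
            sock_type=SOCK_TYPES.get(int(stype), f"type {stype}"),
            proto=ETH_PROTOS.get(proto_num, f"0x{proto_num:04x}"),
            ifindex=int(iface),
            running=running == "1",
            uid=int(uid),
            inode=int(inode),
        ))
    return sockets


def socket_owners(proc: str = "/proc") -> Dict[int, int]:
    """Map socket inode -> pid by reading /proc/<pid>/fd symlinks.
    Needs root to see other users' processes; returns {} without /proc."""
    owners: Dict[int, int] = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    owners[int(target[8:-1])] = int(pid)
        except OSError:
            continue  # process exited, or not ours to inspect
    return owners


def describe(sock: PacketSocket, owners: Optional[Dict[int, int]] = None) -> str:
    """One report line per socket, naming what the filter table will not see."""
    owner = (owners or {}).get(sock.inode)
    who = f"pid {owner}" if owner is not None else f"uid {sock.uid}"
    scope = "all interfaces" if sock.ifindex == 0 else f"ifindex {sock.ifindex}"
    return (f"{who}: {sock.sock_type} {sock.proto} on {scope} "
            f"(inode {sock.inode}) - frames bypass iptables INPUT/OUTPUT")


def audit(text: str, owners: Optional[Dict[int, int]] = None) -> List[str]:
    """Report every active packet socket in a /proc/net/packet table."""
    return [describe(s, owners) for s in parse_proc_net_packet(text) if s.running]


if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_PACKET
        print("no /proc/net/packet here; using the constructed sample")
    for line in audit(table, socket_owners()):
        print(line)
```

Run as root on the server, this lists dhcpd's packet socket next to any other capture or link-layer tool present; a firewall "panic" that still shows such sockets bound and running is not a complete isolation of the host, and stopping the owning service is what actually closes the path.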