[Dnsmasq-discuss] Problem using dnsmasq as dhcp

/dev/rob0 rob0 at gmx.co.uk
Wed Jan 4 21:44:46 GMT 2017


On Wed, Jan 04, 2017 at 06:38:30PM +0100, Archimede Pitagorico wrote:
> <html><head></head><body><div style="font-family: 
...

Um, please don't post HTML to mailing lists.  Many of the more 
helpful people you might encounter are using console-based MUAs, and 
they won't get to see your fancy fonts and formatting.  Also, top- 
posting is awkward to read.  Please trim your quotes and keep them 
with the relevant reply text ("inline quoting".)

> <div>it was a rule in the PREROUTING chain of the raw 
> table:</div>
> 
> <div>rpfilter --invert -j DROP </div>
> 
> <div>that caused messages incoming from clients to be dropped.

And here's another problem: be careful with filtering in the raw 
table.  Filtering should be done in the filter table (which, go 
figure, may be why they named it "filter".)

> <div> </div>
> 
> <div>It is easy to modify the rule to allow dhcp traffic
> through, so problem solved.</div>
> 
> <div> </div>
> 
> <div>I have another question however about this:</div>
> 
> <div>> ISC's dhcp server uses a lower-level 
> network model than dnsmasq, and can work despite
> iptables rules to the contrary.</div>
> 
> <div>How can an app bypass the kernel firewall? Can you please 
> suggest a reference for me to understand better? </div>

Well, that's overstating it a bit.

ISC dhcpd uses raw sockets, and those are (like tcpdump) seen before 
the netfilter subsystem.

But note, a complete DHCP exchange is "DORA": Discover by the client; 
Offer by the server; Request by the client; and Ack by the server.  
With dhcpd only DO are not blockable.  RA certainly are.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



More information about the Dnsmasq-discuss mailing list