[Dnsmasq-discuss] Firestarter interference
Simon Kelley
simon at thekelleys.org.uk
Fri Sep 16 22:09:32 BST 2005
Andrew Greig wrote:
> Firestarter has an explicit option to "Enable DHCP for the local
> network" however this turned out to just (re)start ISC dhcpd if you had
> it installed. No firewall rules related to the protocol are added by
> this option, so it seems a bit of a red herring.
>
>
This is an ongoing source of confusion. In the spirit of Andrew's
excellent post, I'll try and explain here what's happening, for future
reference.
The ISC dhcpd, at least on Linux, uses the Linux Packet Filter to do
most network access. This is a very low level facility which just
delivers raw copies of packets, before any of the network stack
processing. The LPF is so low-level that it gets packets before the
iptables firewall code, hence iptables rules don't affect delivery of
packets to the ISC dhcpd, and there's no need for firewall designers to
worry about the strange source and destination addresses which are
encountered in some legitimate DHCP packets.
On the other hand, dnsmasq (and, at least, udhcpd) use the normal IP
network stack for receiving DHCP packets. They are therefore affected by
iptables rules, and any firewall design has to allow for DHCP packets
with strange addresses.
Cheers,
Simon.
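The firewall consequence Simon describes, as an added example that is not part of the original post or of the dnsmasq project: a small POSIX shell script that produces the iptables rules a userspace DHCP server such as dnsmasq needs, because its packets arrive through the normal IP stack and are subject to INPUT/OUTPUT filtering. The interface name `eth0`, the function names and the decision to print rules by default (applying only when asked) are assumptions for this illustration. ISC dhcpd, reading via the Linux Packet Filter, would not need these rules at all.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from dnsmasq itself.
# A DHCPDISCOVER/DHCPREQUEST from a client with no lease yet is sent from
# source 0.0.0.0 to destination 255.255.255.255, UDP port 68 -> 67.
# dnsmasq receives it through the ordinary IP stack, so a default INPUT
# policy of DROP silently swallows it. Connection-tracking rules that
# accept ESTABLISHED,RELATED traffic do not help either: the DISCOVER is
# the first packet of the exchange, so there is nothing to match against.

# Print (do not run) the rules for one interface; interface name is an
# argument, the example uses "eth0" when invoked at the bottom.
dhcp_server_rules() {
    ifname="$1"
    # Inbound client requests, including the 0.0.0.0 -> 255.255.255.255 case
    echo "iptables -A INPUT -i $ifname -p udp --sport 68 --dport 67 -j ACCEPT"
    # Server replies (OFFER/ACK); these may go to the broadcast address too
    echo "iptables -A OUTPUT -o $ifname -p udp --sport 67 --dport 68 -j ACCEPT"
}

# Dry run by default; pass "apply" as the second argument to execute the
# rules (requires root and a working iptables binary).
run_dhcp_rules() {
    dhcp_server_rules "$1" | while IFS= read -r rule; do
        if [ "$2" = "apply" ]; then
            $rule
        else
            echo "$rule"
        fi
    done
}

# Stand-alone usage: ./dhcp_rules.sh eth0        (print only)
#                    ./dhcp_rules.sh eth0 apply  (install the rules)
if [ -n "$1" ]; then
    run_dhcp_rules "$1" "$2"
fi
```

Review the printed rules first; the dry run makes the point of the post visible without touching the firewall. If the INPUT rule is missing, a packet capture on the interface will still show DISCOVER frames arriving while dnsmasq logs nothing, which is the usual symptom of a Firestarter-style ruleset blocking a stack-based DHCP server.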