netfilter firewalling problems and solutions

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Feb 21 11:40:36 PST 2004


On Thu, 2004-02-19 at 22:48, Archaic wrote:
> On Thu, Feb 19, 2004 at 10:28:15PM -0600, Dagmar d'Surreal wrote:
> > 
> > So the packets on your machines forward themselves across interfaces
> > with the help of some manner of magical elves instead of service
> > daemons?
> 
> Hey! Don't knock magical elves. They're good workers. ;)
> 
> > Netfilter can see everything dhcpd does.
> 
> You sure about that? IIRC dhclient, unlike other clients, uses a raw
> socket. At least the last time I used it it did. iptables couldn't
> filter it because it didn't see it.

It can see it. It's not useful to filter traffic going to DHCPd (or
dhclient, now that you've mentioned it) because it breaks with the RFC.
We can't assume we know the MAC address of the DHCP server, and if
hostname-based entries are used in the lease database, we don't _need_
to know the MAC address of the client machines.

Basically, the moment you are considering filtering traffic to either
one of these, it's a sign that _you shouldn't be using DHCP_ because
DHCP is only useful for eliminating the work involved in configuring
machines' IP addresses.  If one ties all this down to fixed values, then
one is effectively doing static IP assignment with a whole lot of wasted
effort and added vulnerability exposure on the side.

> > If you sit down and flowchart what you propose, you're going to see
> > there will be a lot of useless chain jumping going on.  A new chain is
> > only really useful when you have to perform multiple (as in at least
> > three) tests on each packet, because the chain jump itself is a match
> > operation.  Until someone implements flow control (or *shudder* QoS) on
> > a per-service basis there's not much that I can see that would require
> > more than one or two rules to hit per packet and service.
> 
> Yeah, but spend too much time trying to minimize the number of rules
> that will match each packet and I would fear something getting missed.

This is why pretty much the only chain jumps I'm doing at the moment are
on a per-interface basis--mainly to keep rules that only apply sensibly
to one interface from applying to all the interfaces, which chops the
work down by nearly half without assuming foreknowledge about the
traffic itself.
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
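The per-interface chain layout described above, written out as an added example; this is not code from the hlfs-dev post or from HLFS, and the interface names (eth0 as WAN, eth1 as LAN), the LAN network and the services allowed are assumptions. IPT defaults to "echo iptables" so the script prints the commands it would run instead of applying them; set IPT=iptables and run as root to load the rules. The LAN chain also shows the DHCP caveat the thread touches on: a DHCPDISCOVER arrives with source 0.0.0.0, so dhcpd's port has to be accepted before any anti-spoofing rule, and no source-address restriction on it is possible.

```shell
#!/bin/sh
# Added example for this thread (not code from the hlfs-dev post or from HLFS):
# an INPUT policy that dispatches once on the arriving interface into a
# per-interface user chain, so LAN-only rules are never evaluated against WAN
# packets.  Interface names, the LAN network and the allowed services are
# assumptions.  IPT defaults to "echo iptables", so the functions print the
# commands they would run; set IPT=iptables and run as root to apply them.

IPT=${IPT:-"echo iptables"}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

build_input_rules() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    for ifc in "$WAN_IF" "$LAN_IF"; do
        $IPT -N "in_$ifc" 2>/dev/null || true   # chain already exists on a re-run
        $IPT -F "in_$ifc"
    done

    # Shared rules every packet traverses: loopback, replies to our own
    # connections, and packets conntrack cannot classify.  Keeping them first
    # means most traffic is decided within two or three matches.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # One dispatch rule per interface.  A packet from eth1 pays one failed
    # match on the eth0 line and never sees another eth0-specific rule.
    $IPT -A INPUT -i "$WAN_IF" -j "in_$WAN_IF"
    $IPT -A INPUT -i "$LAN_IF" -j "in_$LAN_IF"
    $IPT -A INPUT -j DROP   # anything arriving on an interface not listed

    # WAN side: only new SSH connections.
    $IPT -A "in_$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A "in_$WAN_IF" -j DROP

    # LAN side.  dhcpd must be reachable before the anti-spoofing rule: a
    # DHCPDISCOVER arrives from source 0.0.0.0 to 255.255.255.255, so a rule
    # that insists on a source inside LAN_NET would silently break DHCP.
    $IPT -A "in_$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A "in_$LAN_IF" ! -s "$LAN_NET" -j DROP
    $IPT -A "in_$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A "in_$LAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A "in_$LAN_IF" -j DROP
}

# Upper bound on the number of rules a packet arriving on interface $1 can be
# tested against: the shared INPUT rules up to and including its dispatch
# rule, plus its own chain.  Works on the dry-run output, so it needs no root.
max_rules_for() {
    build_input_rules | awk -v chain="in_$1" '
        index($0, "-A INPUT ") && !done {
            n++
            if (index($0, "-j " chain)) done = 1
        }
        index($0, "-A " chain " ") { n++ }
        END { print n + 0 }'
}

# Dry run: print the ruleset and the per-interface rule counts.
build_input_rules
echo "max rules evaluated for a packet on $WAN_IF: $(max_rules_for "$WAN_IF")"
echo "max rules evaluated for a packet on $LAN_IF: $(max_rules_for "$LAN_IF")"
```

With these assumed rules there are 13 rules in total, but a WAN packet can be tested against at most 6 of them and a LAN packet against at most 10, which is the saving the post describes. Two caveats a practitioner would want: this covers IPv4 only, so an ip6tables ruleset of the same shape is needed if IPv6 is enabled; and the raw-socket point raised in the thread applies to the client side, since frames delivered to an AF_PACKET socket are taken off the device before the IP-layer netfilter hooks, so INPUT rules gate dhcpd's UDP socket but not what dhclient receives.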