sioux
newbie
Topic Author
Posts: 47
Joined: Thu May 25, 2006 10:35 pm
Location: Poland/Tarnów

filter DHCP requests

Wed Feb 21, 2007 1:35 pm

Hi all

I am wondering why, when I set up a DHCP server on a specific port and then block all incoming traffic with
ip firewall filter add chain=input action=drop
I am still able to receive an IP address from the DHCP server.

First I thought that there is an invisible rule which accepts that traffic, but when I add a passthrough rule in the mangle table
ip firewall mangle add chain=input protocol=udp dst-port=67 action=passthrough
and generate some DHCP traffic (ipconfig /renew on WinXP), I noticed that that rule "catches" this traffic, so it means that there is no ACCEPT rule before my added rule.

So, how could that be? And how can I filter certain DHCP requests (generally traffic) from some IPs using the built-in firewall?

thx 4 suggestions
 
ferry
Frequent Visitor
Posts: 75
Joined: Mon Jan 15, 2007 11:59 am

Thu Feb 22, 2007 4:04 am

If you are confused, just block the IP you don't want. You can add a block in ip firewall or in ip-dhcp-lease. Just add the blocking IP :lol:
 
sioux
newbie
Topic Author
Posts: 47
Joined: Thu May 25, 2006 10:35 pm
Location: Poland/Tarnów

Thu Feb 22, 2007 8:58 am

Blocking in /ip firewall doesn't work. In the example above I block ALL traffic which goes to the INPUT chain, and even after doing it I was still able to receive an IP from the DHCP server.
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Feb 22, 2007 10:01 am

The DHCP client is contacting the router and data is passing through chain=input;
the DHCP server [router] replies to the client and data is passing through chain=output.
Make sure you have used the correct rule to block access to the router. Just curious how you get back access to the router: 'filter add chain=input action=drop disabled=no' denies all data destined to the router (MAC-Winbox is the last opportunity, if the MAC-Winbox server is enabled).
 
sioux
newbie
Topic Author
Posts: 47
Joined: Thu May 25, 2006 10:35 pm
Location: Poland/Tarnów

Thu Feb 22, 2007 11:31 am

The DHCP client is contacting the router and data is passing through chain=input;
the DHCP server [router] replies to the client and data is passing through chain=output.
Make sure you have used the correct rule to block access to the router. Just curious how you get back access to the router: 'filter add chain=input action=drop disabled=no' denies all data destined to the router (MAC-Winbox is the last opportunity, if the MAC-Winbox server is enabled).
Yes, I know that replies go out via the output chain, but the DHCP server process should not answer if I block everything at input.

I put the input action=drop rule in via console cable and I am sure that the rule is enabled.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Feb 22, 2007 4:56 pm

ermmm.. if i do not want that DHCP server responds to requests - i usually disable it :roll:
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Thu Feb 22, 2007 6:19 pm

ermm, what he is saying is that the input chain is not filtering input. Plain and simple. I will see if I can test this on our test box today to see if it's truly bypassing the firewall (which sounds fishy to me).

Sam
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Thu Feb 22, 2007 6:21 pm

ps - can you please post your input chain?

/ip firewall filter export from=[/ip firewall filter find chain=input]

Thx,
Sam
 
sioux
newbie
Topic Author
Posts: 47
Joined: Thu May 25, 2006 10:35 pm
Location: Poland/Tarnów

Fri Feb 23, 2007 9:00 am

ermm, what he is saying is that the input chain is not filtering input. Plain and simple. I will see if I can test this on our test box today to see if it's truly bypassing the firewall (which sounds fishy to me).
That's right.
ps - can you please post your input chain?

/ip firewall filter export from=[/ip firewall filter find chain=input]
There is only one rule (in the simplest scenario):
<ip firewall filter export from=[/ip firewall filter find chain=input]
# jan/01/2000 00:04:58 by RouterOS 2.9.38
# software id = I5XX-3TT
#
/ ip firewall filter
add chain=input action=drop comment="" disabled=no
I've tested it one more time on a different unit, same result.

changeip ... please post your results !!
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Fri Feb 23, 2007 11:07 am

this is very interesting indeed.

i have some "fortify your router" rules in the input chain and they seem to work correctly. Why is this one rule in particular not working?

maybe something to do with safe-mode? :oops:
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Fri Feb 23, 2007 8:02 pm

I ran a quick test here and I cannot seem to filter it either.
[@cip-office] ip firewall filter> export from=[find comment=DHCP]
# feb/23/2007 09:57:17 by RouterOS 2.9.38
# software id = xxxx-M4T
#
/ ip firewall filter 
add chain=input protocol=udp src-port=67 dst-port=68 action=log log-prefix="DHCP" comment="DHCP" disabled=no 
add chain=input protocol=udp src-port=68 dst-port=67 action=log log-prefix="DHCP" comment="DHCP" disabled=no 
add chain=input protocol=udp src-port=67 dst-port=68 action=drop comment="DHCP" disabled=no 
add chain=input protocol=udp src-port=68 dst-port=67 action=drop comment="DHCP" disabled=no 
I placed rules to block UDP 67 and 68 used for DHCP. These were on the input chain, not the output chain. I have not tested placing them on the output chain as that's not considered in this scenario.
dhcp,info,debug 0-inside assigned 10.40.1.202 to 00:0B:82:05:52:6B
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6b, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 424
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6b, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 424
I see that DHCP bypasses the firewall filter. The logging shows it assigned an address, and then blocked the packets. This definitely should not be happening.

What else is bypassing the firewall?

Sam
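As an added example (not from the thread and not MikroTik's own code), a small Python check that reads RouterOS log lines in the format Sam posted above and reports clients that obtained a lease even though the input-chain filter logged their DHCP request; the log text below is constructed from those lines plus one extra client that never got a lease.

```python
import re
from collections import defaultdict

# Constructed sample log in the RouterOS 2.9 format quoted in the thread:
# a "dhcp,... assigned <ip> to <mac>" lease event and "firewall,info <prefix> input:" entries.
SAMPLE_LOG = """\
dhcp,info,debug 0-inside assigned 10.40.1.202 to 00:0B:82:05:52:6B
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6b, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 424
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6b, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 424
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6c, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 300
"""

# Lease event: "<topics> <interface> assigned <ip> to <mac>"
ASSIGN_RE = re.compile(
    r"^dhcp\S* (?P<iface>\S+) assigned (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17})"
)
# Firewall log entry: "<topics> <prefix> <chain>: in:<iface> ... src-mac <mac>, proto <proto>, <src>-><dst>,"
FW_RE = re.compile(
    r"^firewall\S* (?P<prefix>\S+) (?P<chain>\w+): in:(?P<iface>\S+) .*?"
    r"src-mac (?P<mac>[0-9A-Fa-f:]{17}), proto (?P<proto>\w+), (?P<src>\S+)->(?P<dst>\S+),"
)


def dhcp_leases_despite_filter(log_text):
    """Return {mac: (ip, hits)} for clients that received a lease while the
    input-chain rules logged their DHCP request (UDP to port 67).

    A non-empty result is evidence that the request reached the DHCP server
    without the input chain stopping it, which is the behaviour seen above."""
    leases = {}
    filtered = defaultdict(int)
    for line in log_text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            leases[m["mac"].lower()] = m["ip"]
            continue
        m = FW_RE.match(line)
        if m and m["chain"] == "input" and m["proto"] == "UDP" and m["dst"].endswith(":67"):
            filtered[m["mac"].lower()] += 1
    return {mac: (ip, filtered[mac]) for mac, ip in leases.items() if filtered.get(mac)}


if __name__ == "__main__":
    for mac, (ip, hits) in dhcp_leases_despite_filter(SAMPLE_LOG).items():
        print(f"{mac} got lease {ip} although {hits} DHCP request(s) were logged by the input chain")
```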
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Fri Feb 23, 2007 11:20 pm

I'm guessing RouterOS has hacked something to make DHCP work in prerouting or something, possibly to make hotspot / universal client work? Just seems odd that something destined to the router would bypass the input chain.

Sam
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Sat Feb 24, 2007 2:01 am

Perhaps it uses BPF for whatever reason (some older Linuxen didn't like handling broadcast to 255.255.255.255 properly).
 
sioux
newbie
Topic Author
Posts: 47
Joined: Thu May 25, 2006 10:35 pm
Location: Poland/Tarnów

Sun Feb 25, 2007 12:22 am

so it looks like i need to send it to support! thx for confirming my words.
 
roland
newbie
Posts: 40
Joined: Sat Jan 22, 2005 12:03 pm
Location: Thailand

Re: filter DHCP requests

Fri Jun 01, 2007 6:38 pm

anything back from support?
I feel uncomfortable knowing that something (e.g. DHCP) bypasses the firewall.

would be interesting (for me) if this "leak" is true for bridging filters as well.
 
6523
just joined
Posts: 3
Joined: Sun Dec 12, 2010 12:20 pm

Re: filter DHCP requests

Sun Dec 12, 2010 12:23 pm

I think it is not just DHCP. I am seeing the same thing with WinBox access when accessing a MAC address. It appears to me that all MAC level traffic may bypass input and output :o

Does anyone have a solution?

Update:
For the WinBox solution see http://forum.mikrotik.com/viewtopic.php ... 23#p240323 where support provided answer. :D

Ben
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Re: filter DHCP requests

Tue Dec 14, 2010 5:45 am

Uhm, are you trying to block traffic going through the router, in the input chain?
You don't specify if the DHCP server is on the mikrotik router itself or is a different unit all together.

EDIT: I guess i needed to reread it all :)

If the DHCP service on the router is using BPF (Berkeley Packet Filter) internally, then it would be intercepted by BPF before hitting the firewall.
Perhaps add the interface to a bridge and move the local IPs and dhcp-server to the bridge interface (I know, extra overhead). This way you could use the bridge filter to handle it. It's not ideal, I know, seeing as routing over bridged interfaces means re-queuing internally and that adds latency.
I think the line of defense is which interface you set the DHCP server on. I see the dilemma though.
What would be a good solution for this problem anyway?
