Community discussions

Cameron Earnshaw
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun May 30, 2004 6:46 pm

Blocking rogue DHCP servers

Fri Jan 21, 2005 11:26 pm

Anyone know a good firewall rule to block rogue DHCP servers? I have made the MT authoritative but still have problems when one of my clients connects my cable to the LAN rather than the WAN side of their router. I've been trying various rules so far with no luck.
 
YazzY
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold

Fri Jan 21, 2005 11:36 pm

DHCP works on OSI level 2 so maybe you could try to set up some MAC firewalling rule on the interface of your box ..?
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Sat Jan 22, 2005 1:59 am

Block replies from their interface for port 67, the server port?
 
YazzY
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold

Sat Jan 22, 2005 2:49 am

Yes, you can try to block bootps - 67/udp requests to your client.
As an example, this is a rule I have in ipf on FreeBSD to allow DHCP requests to my server on my atheros nic:
# allow bootps in for dhcp:
pass in log first quick on ath0 proto udp from 192.168.99.0/24 to 192.168.99.2 port = bootpc keep state keep frags

Keep in mind the DHCP discovery packets will still flow even though you block OSI level 3.
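The posts above make two points: only DHCP OFFER/ACK/NAK messages come from a server (source port 67), and client DISCOVER broadcasts keep flowing no matter what is filtered at layer 3. The following is an added example, not code from any poster or from RouterOS: a small Python DHCP parser that classifies messages by option 53 and flags server-originated messages whose sender or server identifier (option 54) is not the authoritative server. The server address 192.168.99.2, the sample MAC addresses and the three constructed messages are assumptions made for the example.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"           # option field starts with this cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

# Assumption for this example: the one authoritative server on the segment.
AUTHORIZED_SERVERS = {IPv4Address("192.168.99.2")}


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", server_id=None):
    """Construct a minimal BOOTP/DHCP message (test input only, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)             # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(192)                        # chaddr, sname, file
    opts = bytes([53, 1, msg_type])                                      # option 53: message type
    if server_id:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed           # option 54: server identifier
    return hdr + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp(payload):
    """Return the fields needed to decide whether a message came from a DHCP server."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    options = {}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    type_opt = options.get(53) or b"\x00"
    server_opt = options.get(54)
    return {
        "op": op,
        "yiaddr": IPv4Address(payload[16:20]),
        "chaddr": payload[28:28 + hlen].hex(":"),
        "msg_type": MSG_TYPES.get(type_opt[0], "UNKNOWN"),
        "server_id": IPv4Address(server_opt) if server_opt and len(server_opt) == 4 else None,
    }


def is_rogue_server_message(parsed, src_ip):
    """True for OFFER/ACK/NAK whose sender or claimed server identifier is not authorized."""
    if parsed["msg_type"] not in SERVER_MESSAGES:
        return False        # DISCOVER/REQUEST come from clients and are expected everywhere
    sender = IPv4Address(src_ip)
    claimed = parsed["server_id"] or sender
    return sender not in AUTHORIZED_SERVERS or claimed not in AUTHORIZED_SERVERS


# Constructed sample "capture": (source IP of the UDP datagram, DHCP payload).
CLIENT_MAC = b"\x00\x11\x22\x33\x44\x55"
SAMPLE_MESSAGES = [
    ("0.0.0.0", build_dhcp(1, 1, CLIENT_MAC)),                                            # client DISCOVER
    ("192.168.99.2", build_dhcp(2, 2, CLIENT_MAC, "192.168.99.50", "192.168.99.2")),      # authorized OFFER
    ("192.168.99.200", build_dhcp(2, 2, CLIENT_MAC, "192.168.99.77", "192.168.99.200")),  # rogue OFFER
]


def find_rogue_servers(messages=SAMPLE_MESSAGES):
    """List (src_ip, offered address) for every server message not from the authorized server."""
    hits = []
    for src_ip, payload in messages:
        parsed = parse_dhcp(payload)
        if is_rogue_server_message(parsed, src_ip):
            hits.append((src_ip, str(parsed["yiaddr"])))
    return hits


if __name__ == "__main__":
    for src, offered in find_rogue_servers():
        print(f"rogue DHCP server {src} offered {offered}")
```

Feeding the same classifier with payloads from a sniffer on the customer-facing interface gives the list of servers to chase; the DISCOVER in the sample passes through untouched, which is the behaviour the post describes, since blocking port 67 replies does not stop client broadcasts.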
 
YazzY
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold

Sat Jan 22, 2005 10:24 pm

And this is how DHCP requests get blocked to my RouterOS gateway from the Internet:

jan/22/2005 13:26:16 input->DROP, in:WAN, out:(local), src-mac 00:03:2f:23:97:11, 0.0.0.0:68->255.255.255.255:67, len 498
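The log line above is a client DISCOVER (68->67) dropped on the WAN side. The inverse pattern, a 67->68 datagram arriving on a customer-facing interface, is what a rogue DHCP server looks like in the same log. The following is an added example, not code from the post or from RouterOS: a parser for the line format quoted above that pulls out interface, MAC and ports, and a triage function that reports server-port traffic seen inbound on client interfaces. The regular expression is written against the one line shown here and is an assumption for other RouterOS versions; the interface name LAN and every log line after the first are constructed for the example.

```python
import re

# Field layout of the firewall log line quoted in the thread; other RouterOS versions
# format these lines differently, so treat this pattern as an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<chain>\w+)->(?P<action>\w+), in:(?P<in_if>[^,]*), out:(?P<out_if>[^,]*), "
    r"src-mac (?P<mac>[0-9a-f:]{17}), (?P<sip>[\d.]+):(?P<sport>\d+)->(?P<dip>[\d.]+):(?P<dport>\d+), "
    r"len (?P<length>\d+)$"
)

BOOTPS, BOOTPC = 67, 68   # server port, client port

# First line is the one from the post; the rest are constructed for this example.
SAMPLE_LOG = [
    "jan/22/2005 13:26:16 input->DROP, in:WAN, out:(local), src-mac 00:03:2f:23:97:11, "
    "0.0.0.0:68->255.255.255.255:67, len 498",
    "jan/22/2005 13:27:02 input->DROP, in:LAN, out:(local), src-mac 00:0c:29:aa:bb:cc, "
    "192.168.99.200:67->255.255.255.255:68, len 328",
    "jan/22/2005 13:27:04 output->ACCEPT, in:(none), out:LAN, src-mac 00:0c:42:01:02:03, "
    "192.168.99.2:67->255.255.255.255:68, len 328",
    "jan/22/2005 13:27:05 forward->ACCEPT, in:LAN, out:WAN, src-mac 00:0c:29:dd:ee:ff, "
    "192.168.99.50:1234->10.0.0.1:80, len 60",
    "jan/22/2005 13:27:09 some unrelated log message",
]


def parse_log_line(line):
    """Return the log fields as a dict, or None for lines that are not firewall entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def rogue_dhcp_server_hits(lines=SAMPLE_LOG, client_interfaces=("LAN",)):
    """DHCP server-port traffic arriving on a client-facing interface: the signature of a rogue server."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["in_if"] in client_interfaces and rec["sport"] == BOOTPS and rec["dport"] == BOOTPC:
            hits.append({"mac": rec["mac"], "ip": rec["sip"], "interface": rec["in_if"], "action": rec["action"]})
    return hits


if __name__ == "__main__":
    for hit in rogue_dhcp_server_hits():
        print(f"rogue DHCP server {hit['ip']} ({hit['mac']}) on {hit['interface']}, firewall action {hit['action']}")
```

The source MAC in each hit is the field that identifies which customer has their router plugged in backwards, which is the information needed to act on the problem described at the top of the thread; the router's own OFFER (in:(none), out:LAN) is not flagged because it did not arrive on a client interface.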