
filter DHCP requests

Posted: Wed Feb 21, 2007 1:35 pm
by sioux
Hi all

I am wondering why, when I set up a DHCP server on a specific port and then block all incoming traffic with
ip firewall filter add chain=input action=drop
I am still able to receive an IP address from the DHCP server.

At first I thought that there is an invisible rule which accepts that traffic .. but when I add a passthrough rule in the mangle table
ip firewall mangle add chain=input protocol=udp dst-port=67 action=passthrough
and do some DHCP traffic (ipconfig /renew (WinXP)), I noticed that that rule "catches" this traffic, so it means that there is no ACCEPT rule before my added rule.

So .. how could that be? And how can I filter certain DHCP requests (generally, traffic) from some IPs using the built-in firewall?

thx 4 suggestions

Posted: Thu Feb 22, 2007 4:04 am
by ferry
if u are confused, just block the IP u don't want. u can add the block in ip firewall or in ip-dhcp-lease. just add the blocking IP :lol:

Posted: Thu Feb 22, 2007 8:58 am
by sioux
blocking in /ip firewall doesn't work .. in the example above I block ALL traffic which goes to the INPUT chain .. and even after doing it I was still able to receive an IP from the DHCP server

Posted: Thu Feb 22, 2007 10:01 am
by sergejs
DHCP client is contacting router and data is passing through chain=input,
DHCP server [router] replies to client and data is passing through chain=output.
Make sure you have used the correct rule to block access to the router. Just curious how you get back access to the router: 'filter add chain=input action=drop disabled=no' denies all data destined to the router (MAC-Winbox is the last opportunity, if MAC-Winbox server is enabled).

Posted: Thu Feb 22, 2007 11:31 am
by sioux
> DHCP client is contacting router and data is passing through chain=input,
> DHCP server [router] replies to client and data is passing through chain=output.
> Make sure you have used the correct rule to block access to the router. Just curious how you get back access to the router: 'filter add chain=input action=drop disabled=no' denies all data destined to the router (MAC-Winbox is the last opportunity, if MAC-Winbox server is enabled).

Yes, I know that replies go out via the Output chain, but the DHCP server process should not answer if I block all at input.

I put the input action=drop rule in via console cable and I am sure that rule is enabled.

Posted: Thu Feb 22, 2007 4:56 pm
by janisk
ermmm.. if I do not want the DHCP server to respond to requests, I usually disable it :roll:

Posted: Thu Feb 22, 2007 6:19 pm
by changeip
ermm, what he is saying is that the input chain is not filtering input. Plain and simple. I will see if I can test this on our test box today to see if it's truly bypassing the firewall (which sounds fishy to me).

Sam

Posted: Thu Feb 22, 2007 6:21 pm
by changeip
ps - can you please post your input chain?

/ip firewall filter export from=[/ip firewall filter find chain=input]

Thx,
Sam

Posted: Fri Feb 23, 2007 9:00 am
by sioux
> ermm, what he is saying is that the input chain is not filtering input. Plain and simple. I will see if I can test this on our test box today to see if it's truly bypassing the firewall (which sounds fishy to me).

that's right

> ps - can you please post your input chain?
>
> /ip firewall filter export from=[/ip firewall filter find chain=input]

there is only one rule (in the simplest scenario)
<ip firewall filter export from=[/ip firewall filter find chain=input]
# jan/01/2000 00:04:58 by RouterOS 2.9.38
# software id = I5XX-3TT
#
/ ip firewall filter
add chain=input action=drop comment="" disabled=no
I've tested it one more time on a different unit .. same result

changeip ... please post your results !!

Posted: Fri Feb 23, 2007 11:07 am
by janisk
this is very interesting indeed.

i have some "fortify your router" rules in the input chain and they seem to work correctly, so why is this one rule in particular not working?

maybe something to do with safe-mode? :oops:

Posted: Fri Feb 23, 2007 8:02 pm
by changeip
I ran a quick test here and I cannot seem to filter it either.
[@cip-office] ip firewall filter> export from=[find comment=DHCP]
# feb/23/2007 09:57:17 by RouterOS 2.9.38
# software id = xxxx-M4T
#
/ ip firewall filter 
add chain=input protocol=udp src-port=67 dst-port=68 action=log log-prefix="DHCP" comment="DHCP" disabled=no 
add chain=input protocol=udp src-port=68 dst-port=67 action=log log-prefix="DHCP" comment="DHCP" disabled=no 
add chain=input protocol=udp src-port=67 dst-port=68 action=drop comment="DHCP" disabled=no 
add chain=input protocol=udp src-port=68 dst-port=67 action=drop comment="DHCP" disabled=no 
I placed rules to block UDP 67 and 68 used for DHCP. These were on the input chain, not the output chain. I have not tested placing them on output chain as that's not considered in this scenario.
dhcp,info,debug 0-inside assigned 10.40.1.202 to 00:0B:82:05:52:6B
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6b, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 424
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6b, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 424
I see that DHCP bypasses the firewall filter. The logging shows it assigned an address, and then blocked the packets. This definitely should not be happening.

What else is bypassing the firewall?

Sam
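The evidence Sam pasted is two log streams that contradict each other: the firewall log shows the DHCP request hitting the input chain just ahead of the drop rule, yet the DHCP server log shows a lease being handed out to the same MAC. The script below is an added example (not from this thread and not MikroTik code) that automates that cross-check: it parses RouterOS-style firewall and DHCP log lines, normalises the MAC addresses (the two subsystems log them in different case) and reports every lease whose client also appears in the logged DHCP requests. The sample log lines are constructed to match the shape of the ones quoted above; the second client MAC, the interface name and the addresses are made up. It assumes, as in Sam's setup, that the log rule sits directly before the drop rule in the same chain, so a logged request is one the drop rule should have taken.

```python
import re
from dataclasses import dataclass

# Constructed sample log, shaped like the RouterOS 2.9 lines quoted in the thread.
# All MACs, interface/server names and addresses are made up for the example.
SAMPLE_LOG = """\
dhcp,info,debug 0-inside assigned 10.40.1.202 to 00:0B:82:05:52:6B
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6b, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 424
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:0b:82:05:52:6b, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 424
firewall,info DHCP input: in:0-inside out:(none), src-mac 00:1c:42:aa:bb:cc, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 300
dhcp,info,debug 0-inside assigned 10.40.1.210 to 00:0B:82:05:52:6B
"""

# "firewall,<topic> <log-prefix> <chain>: in:<if> out:<if>, src-mac <mac>, proto <p>, <src>:<sport>-><dst>:<dport>, len <n>"
FIREWALL_RE = re.compile(
    r"^firewall,\w+ (?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>\S+), "
    r"src-mac (?P<src_mac>[0-9a-fA-F:]{17}), proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)
# "dhcp,<topics> <server-name> assigned <ip> to <mac>"
LEASE_RE = re.compile(
    r"^dhcp,\S+ (?P<server>\S+) assigned (?P<ip>[\d.]+) to (?P<mac>[0-9a-fA-F:]{17})$"
)


@dataclass(frozen=True)
class FirewallHit:
    prefix: str
    chain: str
    in_if: str
    src_mac: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Lease:
    server: str
    ip: str
    mac: str


def parse_line(line):
    """Return a FirewallHit or Lease for a recognised line, else None."""
    m = FIREWALL_RE.match(line)
    if m:
        return FirewallHit(
            prefix=m["prefix"], chain=m["chain"], in_if=m["in_if"],
            src_mac=m["src_mac"].lower(),  # firewall and dhcp logs differ in case
            proto=m["proto"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
        )
    m = LEASE_RE.match(line)
    if m:
        return Lease(server=m["server"], ip=m["ip"], mac=m["mac"].lower())
    return None


def is_dhcp_request(hit):
    """Client -> server DHCP traffic as seen on the router's input chain."""
    return hit.chain == "input" and hit.proto == "UDP" and hit.sport == 68 and hit.dport == 67


def find_bypassed_leases(log_text):
    """List (mac, ip, logged_request_count) for every lease granted to a client
    whose request was logged on the input chain, i.e. reached the drop rule's
    position and should therefore never have been answered."""
    requests_by_mac = {}
    leases = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if isinstance(rec, FirewallHit) and is_dhcp_request(rec):
            requests_by_mac[rec.src_mac] = requests_by_mac.get(rec.src_mac, 0) + 1
        elif isinstance(rec, Lease):
            leases.append(rec)
    return [(l.mac, l.ip, requests_by_mac[l.mac]) for l in leases if l.mac in requests_by_mac]


if __name__ == "__main__":
    for mac, ip, n in find_bypassed_leases(SAMPLE_LOG):
        print(f"lease {ip} granted to {mac} although {n} request(s) were logged at the drop rule")
```

Running it on the sample prints one line per lease that should not have existed. A client that only shows up in the firewall log (the second MAC) is not reported, which is the result you would expect if the drop rule were actually effective. Feeding it a real `/log print` capture after enabling `dhcp` and `firewall` logging topics turns Sam's manual comparison into a repeatable check for whatever other service you suspect of bypassing the input chain.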

Posted: Fri Feb 23, 2007 11:20 pm
by changeip
I'm guessing RouterOS has hacked something to make DHCP work in prerouting or something ... possibly to make hotspot / universal client work? Just seems odd that something to the router would bypass the input chain.

Sam

Posted: Sat Feb 24, 2007 2:01 am
by sten
perhaps it uses BPF for whatever reason (some older linuxen didn't like handling broadcast to 255.255.255.255 properly)

Posted: Sun Feb 25, 2007 12:22 am
by sioux
so it looks like i need to send it to support! thx for confirming my words.

Re: filter DHCP requests

Posted: Fri Jun 01, 2007 6:38 pm
by roland
anything back from support?
I feel uncomfortable knowing that something (e.g. DHCP) bypasses the firewall.

would be interesting (for me) if this "leak" is true for bridging filters as well.

Re: filter DHCP requests

Posted: Sun Dec 12, 2010 12:23 pm
by 6523
I think it is not just DHCP. I am seeing the same thing with WinBox access when accessing a MAC address. It appears to me that all MAC level traffic may bypass input and output :o

Does anyone have a solution?

Update:
For the WinBox solution see http://forum.mikrotik.com/viewtopic.php ... 23#p240323 where support provided answer. :D

Ben

Re: filter DHCP requests

Posted: Tue Dec 14, 2010 5:45 am
by sten
Uhm, are you trying to block traffic going through the router, in the input chain?
You don't specify if the DHCP server is on the mikrotik router itself or is a different unit all together.

EDIT: I guess i needed to reread it all :)

If the DHCP service on the router is using BPF (Berkeley Packet Filter) internally, then it would be intercepted by BPF before hitting the firewall.
Perhaps add the interface to a bridge and move the local IPs and dhcp-server to the bridge interface (i know, extra overhead). This way you could use the bridge filter to handle it. It's not ideal, i know, seeing as routing over bridged interfaces means re-queuing internally and that adds latency.
I think the line of defense is which interface you set the DHCP-server on. I see the dilemma though.
What would be a good solution for this problem anyway?