
Blocking rogue DHCP servers

Posted: Fri Jan 21, 2005 11:26 pm
by Cameron Earnshaw
Anyone know a good firewall rule to block rogue DHCP servers? I have made the MT authoritative but still have problems when one of my clients connects my cable to the LAN rather than the WAN side of their router. I've been trying various rules so far with no luck.

Posted: Fri Jan 21, 2005 11:36 pm
by YazzY
DHCP works on OSI level 2, so maybe you could try to set up some MAC firewalling rule on the interface of your box?

Posted: Sat Jan 22, 2005 1:59 am
by UniKyrn
Block replies from their interface for port 67, the server port?

Posted: Sat Jan 22, 2005 2:49 am
by YazzY
Yes, you can try to block bootps - 67/udp requests to your client.
As an example, this is a rule I have in ipf on FreeBSD to allow DHCP requests to my server on my Atheros NIC:
# allow bootps in for dhcp: client requests arrive at the server's port 67/udp (bootps)
pass in log first quick on ath0 proto udp from 192.168.99.0/24 to 192.168.99.2 port = bootps keep state keep frags

Keep in mind that the DHCP discovery packets will still flow even though you block at OSI level 3.

Posted: Sat Jan 22, 2005 10:24 pm
by YazzY
And this is how DHCP requests from the Internet get blocked at my RouterOS gateway:

jan/22/2005 13:26:16 input->DROP, in:WAN, out:(local), src-mac 00:03:2f:23:97:11, 0.0.0.0:68->255.255.255.255:67, len 498
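The rule UniKyrn suggests (drop what arrives from UDP source port 67 on the client-facing interface) and YazzY's caveat (client discovery traffic keeps flowing, only the answers are filtered) can be written out as a small packet-decision function. The following is an added example, not code from the thread or from RouterOS/ipf: it parses the BOOTP/DHCP header and options just far enough to tell a server reply from a client request, then applies the rule with an allow-list of the operator's own DHCP servers. Interface names (ether2), addresses (10.0.0.1, 192.168.1.1) and the packets themselves are constructed for the example. One caveat a practitioner should keep in mind: a filter on the router only drops what the router itself receives; a rogue server's offers still reach other hosts in the same broadcast domain directly, so the same check has to be enforced on the bridge or switch port where the rogue is plugged in.

```python
"""Decision logic of the 'block rogue DHCP replies' rule discussed above.

Added example (not from the thread): models UniKyrn's rule (drop UDP source
port 67 on a client-facing interface) refined with an allow-list of our own
DHCP servers. Client requests (68 -> 67) always pass; only replies are
filtered. Interfaces, addresses and packets are constructed (assumptions).
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

BOOTPS, BOOTPC = 67, 68          # server and client UDP ports
BOOTREQUEST, BOOTREPLY = 1, 2    # BOOTP 'op' field
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class DhcpInfo:
    op: int
    msg_type: Optional[int]
    server_id: Optional[IPv4Address]
    client_mac: str


def build_dhcp(op: int, msg_type: int, client_mac: str,
               server_id: Optional[str] = None, xid: int = 0x3903F326) -> bytes:
    """Build a minimal BOOTP/DHCP message (constructed test input)."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    # 236-byte fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> DhcpInfo:
    """Extract op, message type, server identifier and client MAC; raise on junk."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    msg_type = server_id = None
    i = 240                      # options start right after the magic cookie
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        elif code == OPT_SERVER_ID and length == 4:
            server_id = IPv4Address(value)
        i += 2 + length
    return DhcpInfo(payload[0], msg_type, server_id, mac)


def filter_dhcp(in_iface: str, src_ip: str, src_port: int, dst_port: int,
                payload: bytes, client_ifaces: set[str],
                authorized_servers: set[str]) -> tuple[str, str]:
    """Return ('accept' | 'drop', reason) for one inbound UDP packet."""
    if src_port not in (BOOTPS, BOOTPC) and dst_port not in (BOOTPS, BOOTPC):
        return "accept", "not DHCP"
    if in_iface not in client_ifaces:
        return "accept", f"{in_iface} is not a client-facing interface"
    if src_port != BOOTPS:
        return "accept", "client-side DHCP traffic (discover/request) is never blocked"
    # From here on, something on the client side is talking as a DHCP server.
    try:
        info = parse_dhcp(payload)
    except ValueError as err:
        return "drop", f"malformed payload on server port: {err}"
    if info.op != BOOTREPLY:
        return "drop", "server port used for a non-reply message"
    kind = MSG_TYPES.get(info.msg_type, f"type {info.msg_type}")
    claimed = info.server_id or IPv4Address(src_ip)
    authorized = {IPv4Address(a) for a in authorized_servers}
    # Both the IP header source and the claimed server-id must be ours.
    if IPv4Address(src_ip) in authorized and claimed in authorized:
        return "accept", f"{kind} from authorized server {claimed}"
    return "drop", (f"rogue {kind} from {src_ip} (server-id {claimed}) "
                    f"aimed at client {info.client_mac}")


if __name__ == "__main__":
    clients, ours = {"ether2"}, {"10.0.0.1"}
    mac = "00:11:22:33:44:55"
    samples = [  # (iface, src ip, sport, dport, payload) - constructed
        ("ether2", "0.0.0.0", BOOTPC, BOOTPS, build_dhcp(BOOTREQUEST, 1, mac)),
        ("ether2", "10.0.0.1", BOOTPS, BOOTPC, build_dhcp(BOOTREPLY, 2, mac, "10.0.0.1")),
        ("ether2", "192.168.1.1", BOOTPS, BOOTPC, build_dhcp(BOOTREPLY, 2, mac, "192.168.1.1")),
    ]
    for iface, sip, sp, dp, pl in samples:
        verdict, why = filter_dhcp(iface, sip, sp, dp, pl, clients, ours)
        print(f"{iface} {sip}:{sp}->:{dp}  {verdict:6} {why}")
```

The function checks both the IP source and the Server Identifier option against the allow-list, so a rogue that copies the real server's identifier into its offers is still dropped; the third sample (an OFFER from 192.168.1.1, the customer's router on the wrong side) is the case from the original question. Malformed data on source port 67 is dropped rather than passed, since nothing legitimate on the client side should be speaking from the server port at all.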