[FS#1132] Default config exposes ipv4 UDP port 68 to the entire Internet

LEDE Bugs lede-bugs at lists.infradead.org
Wed Nov 1 09:11:11 PDT 2017


The following task has a new comment added:

FS#1132 - Default config exposes ipv4 UDP port 68 to the entire Internet
User who did this - Jo-Philipp Wich (jow-)

----------
I fail to see the security benefit of removing the rule.

Initial DHCP discovery is performed using raw sockets bypassing netfilter entirely. When no DHCP state change (such as renew) is pending, udhcpc does not listen to port 68 at all.

When port 68 inbound is denied and the conntrack tuple initially established by the DHCP request/offer transaction is timed out (which is common for long DHCP lease times), then renew replies will not make it to the client, forcing udhcpc into the netfilter-bypassing, broadcast-using full discovery cycle which causes a complete interface teardown as side effect.

Furthermore, your server pinning iptables rule suggestion would break roaming scenarios between different DHCP servers.

Your server-pinned iptables rule would only protect against unsolicited DHCP renew replies which manage to both provide the proper random XID and to spoof the server source IP. A hypothetical attacker being in such a situation (most likely same segment) could simply exploit the initial DHCP discover handshake.

That leaves the side effect of making a port non-stealth, but stealth mode operation is not the objective of LEDE's default configuration and already requires config tweaks elsewhere in the firewall.
----------

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1132#comment3742
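For reference, and not part of the bug report itself: the rule under discussion as it appears in the LEDE/OpenWrt default /etc/config/firewall (reproduced from memory, so verify against your own build), followed by the server-pinned variant the comment argues against; 192.0.2.1 is a placeholder server address.

```uci
# Default LEDE/OpenWrt rule: accept UDP to the DHCP client port from the WAN zone, so a
# unicast renew reply still reaches udhcpc after the conntrack entry has timed out.
config rule
	option name		'Allow-DHCP-Renew'
	option src		'wan'
	option proto		'udp'
	option dest_port	'68'
	option target		'ACCEPT'
	option family		'ipv4'

# Server-pinned variant (the suggestion the comment rejects): the same rule limited to one
# source address. 192.0.2.1 is a placeholder; a renew reply from any other server (roaming,
# failover, a changed upstream) would be dropped, forcing the full discovery cycle.
config rule
	option name		'Allow-DHCP-Renew-Pinned'
	option src		'wan'
	option src_ip		'192.0.2.1'
	option proto		'udp'
	option dest_port	'68'
	option target		'ACCEPT'
	option family		'ipv4'
```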
