[FS#1132] Default config exposes ipv4 UDP port 68 to the entire Internet

LEDE Bugs lede-bugs at lists.infradead.org
Tue Oct 31 16:00:00 PDT 2017


A new Flyspray task has been opened.  Details are below. 

User who did this - Peter Backes (rtc) 

Attached to Project - LEDE Project
Summary - Default config exposes ipv4 UDP port 68 to the entire Internet
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Medium
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - I am using the davidc502 LEDE Snapshot

I noticed LEDE comes with the following Firewall traffic rule enabled by default:

Name: Allow-DHCP-Renew

Match: IPv4-udp
From any host in wan
To any router IP at port 68 on this device

Action: Accept input

Apparently this rule was introduced in https://dev.openwrt.org/ticket/4108

I do not think it is a good idea to pass through port 68 for the entire Internet. This is not needed to solve the problem discussed at https://dev.openwrt.org/ticket/4108. It should be sufficient to open port 68 only to the DHCP server's network. This network is known when a DHCP lease is established.

Why is it not a good idea? udhcpc listens on port 68 only for as long as it needs it. Most of the time it does not. But that causes the kernel to reply to UDP packets sent to port 68, telling the source that it is closed. This thwarts stealth setups, where ping and all ports are dropped. Sending any UDP packet to port 68 will reveal to the source that the host is actually up.


More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1132
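The rule the report describes lives in /etc/config/firewall in UCI syntax. The script below is an added example, not code from the LEDE project or from the reporter: it parses a UCI firewall file, lists rules that accept input from the wan zone without any source-address restriction, and shows the same rule tightened with `option src_ip`. The embedded sample config is constructed; the Allow-DHCP-Renew stanza mirrors the default rule in the report, while the "-Tight" variant, the 192.0.2.1 server address and the function names are assumptions for illustration. Run it with no arguments to audit the sample, or with a path to audit a real firewall file.

```python
"""Audit an OpenWrt/LEDE UCI firewall config for wan-facing ACCEPT rules
that carry no src_ip restriction (added example, not LEDE project code)."""
import shlex
import sys

# Constructed sample. The first stanza mirrors the default rule described in
# the report; the "-Tight" stanza and 192.0.2.1 are assumed placeholders.
SAMPLE_CONFIG = """\
config rule
\toption name\t\tAllow-DHCP-Renew
\toption src\t\twan
\toption proto\t\tudp
\toption dest_port\t68
\toption target\t\tACCEPT
\toption family\t\tipv4

config rule
\toption name\t\tAllow-DHCP-Renew-Tight
\toption src\t\twan
\toption src_ip\t\t192.0.2.1
\toption proto\t\tudp
\toption dest_port\t68
\toption target\t\tACCEPT
\toption family\t\tipv4

config rule
\toption name\t\tAllow-Ping
\toption src\t\twan
\toption proto\t\ticmp
\toption icmp_type\techo-request
\toption target\t\tACCEPT
"""


def parse_uci(text):
    """Parse UCI text into a list of section dicts.

    Each dict has '_type' (and '_name' for named sections); 'option' values
    are strings and 'list' values are lists of strings."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)  # handles quoted values and tab separators
        if parts[0] == 'config' and len(parts) >= 2:
            current = {'_type': parts[1]}
            if len(parts) > 2:
                current['_name'] = parts[2]
            sections.append(current)
        elif current is not None and len(parts) >= 3:
            key, value = parts[1], parts[2]
            if parts[0] == 'option':
                current[key] = value
            elif parts[0] == 'list':
                current.setdefault(key, []).append(value)
    return sections


def _values(section, key):
    """Normalise an option/list value to a list of tokens."""
    value = section.get(key, [])
    if isinstance(value, str):
        return value.split()
    return list(value)


def unrestricted_wan_accepts(sections, ports=('68',)):
    """Names of 'rule' sections that ACCEPT from wan with no src_ip/src_mac.

    ports=None flags every such rule; otherwise only rules whose dest_port
    overlaps the given set are reported."""
    flagged = []
    for s in sections:
        if s.get('_type') != 'rule' or s.get('src') != 'wan':
            continue
        if s.get('target') != 'ACCEPT':
            continue
        if s.get('src_ip') or s.get('src_mac'):
            continue  # source is already restricted
        if ports is not None and not set(_values(s, 'dest_port')) & set(ports):
            continue
        flagged.append(s.get('name', '<unnamed>'))
    return flagged


def tighten_rule(rule, server_ip):
    """Return a copy of the rule limited to one source address (or CIDR)."""
    tightened = dict(rule)
    tightened['src_ip'] = server_ip
    return tightened


def render_uci(sections):
    """Serialise section dicts back into UCI text."""
    out = []
    for s in sections:
        header = 'config ' + s['_type']
        if '_name' in s:
            header += ' ' + shlex.quote(s['_name'])
        out.append(header)
        for key, value in s.items():
            if key.startswith('_'):
                continue
            items = value if isinstance(value, list) else [value]
            kind = 'list' if isinstance(value, list) else 'option'
            out.extend(f"\t{kind} {key} {shlex.quote(v)}" for v in items)
        out.append('')
    return '\n'.join(out)


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name in unrestricted_wan_accepts(parse_uci(text)):
        print(f"rule '{name}' accepts UDP/68 from any wan host")
```

The audit deliberately treats a rule as unrestricted only when it has neither `src_ip` nor `src_mac`; a rule such as the "-Tight" variant, which names the server that issued the lease, is not reported. Tightening in practice means setting `src_ip` to the address or network learned from the current lease, which the report notes is known once the lease exists.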
