When configuring my new firewall using iptables, I noticed something very
peculiar. Even if all input, forward and output traffic was dropped, DHCP
traffic to and from my DHCP server was not blocked, even though there were no
rules permitting this traffic.
I even flushed all rules, put a drop all rule on all chains and only allowed
SSH to the box. It did not matter. The DHCP server received the DHCP requests
and happily answered back.
How on earth is this possible? In my opinion, a firewall should block all
traffic no matter what.
But at least I found out the cause of this peculiar behaviour. The ISC DHCP
daemon does not use the TCP/UDP/IP stack of the kernel. It uses RAW
sockets. Raw sockets bypass the whole netfilter mechanism and thus the
firewall.
So remember: applications using RAW sockets cannot be firewalled by default.
Applications need root privileges to use RAW sockets, so RAW sockets
thankfully cannot be used by arbitrary unprivileged users on a system, but
nevertheless, be aware of this issue.
Please understand that if a serious security vulnerability is found in the ISC
DHCP daemon, you cannot protect the daemon with a local firewall on your
system. Patching or disabling it would then be the only solution.
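On Linux the sockets in question are AF_PACKET (packet) sockets, which the kernel lists in /proc/net/packet. The script below is an added audit example, not part of the original post: it parses that table and joins it with the /proc/<pid>/fd symlinks to show which processes hold sockets that a netfilter ruleset will never see. The procfs paths are the standard ones; the embedded sample table is constructed, and a real run needs root to read other users' fd tables.

```python
"""List AF_PACKET sockets and the processes holding them (added audit example)."""
import os
from pathlib import Path

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}

# Constructed sample of /proc/net/packet (not captured from a real host): one
# SOCK_RAW socket bound to IPv4 on ifindex 2, one SOCK_DGRAM capturing everything.
SAMPLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff888100a1c000 3      3    0800   2     1 0      0      26251
ffff888100a1c800 3      2    0003   0     1 0      0      26302
"""

def parse_proc_net_packet(text):
    """Columns: sk RefCnt Type Proto Iface R Rmem User Inode. Proto is the bound
    ethertype in hex (0003 = ETH_P_ALL, 0800 = IPv4); Iface 0 = any interface."""
    entries = []
    for cols in (line.split() for line in text.splitlines()[1:]):  # skip header
        if len(cols) >= 9:
            entries.append({"type": SOCK_TYPES.get(int(cols[2]), cols[2]),
                            "ethertype": int(cols[3], 16), "ifindex": int(cols[4]),
                            "uid": int(cols[7]), "inode": int(cols[8])})
    return entries

def socket_inode_owners(proc="/proc"):
    """Map socket inode -> [(pid, comm)] by resolving /proc/<pid>/fd/* links."""
    owners = {}
    for pid_dir in (p for p in Path(proc).iterdir() if p.name.isdigit()):
        try:
            comm = (pid_dir / "comm").read_text().strip()
            links = [os.readlink(fd) for fd in (pid_dir / "fd").iterdir()]
        except OSError:  # process exited mid-scan, or its fd table is not readable
            continue
        for target in links:
            if target.startswith("socket:["):
                inode = int(target[len("socket:["):-1])
                owners.setdefault(inode, []).append((int(pid_dir.name), comm))
    return owners

def packet_socket_report(proc="/proc"):
    """Pair each packet socket with its owning processes (run as root to see all)."""
    owners = socket_inode_owners(proc)
    entries = parse_proc_net_packet(Path(proc, "net", "packet").read_text())
    return [(e, owners.get(e["inode"], [])) for e in entries]

if __name__ == "__main__":
    for e, procs in packet_socket_report():
        print(f"{e['type']:<10} ethertype=0x{e['ethertype']:04x} "
              f"ifindex={e['ifindex']} uid={e['uid']} owners={procs or 'unknown'}")
```

A DHCP daemon shows up here as a SOCK_RAW entry owned by its PID; any such entry is traffic your INPUT and OUTPUT chains do not govern.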