On Wed, Jan 04, 2017 at 06:38:30PM +0100, Archimede Pitagorico wrote:
> <html><head></head><body><div style="font-family:
...
Um, please don't post HTML to mailing lists. Many of the more
helpful people you might encounter are using console-based MUAs, and
they won't get to see your fancy fonts and formatting. Also, top-
posting is awkward to read. Please trim your quotes and keep them
with the relevant reply text ("inline quoting".)
> it was a rule in the PREROUTING chain of the raw
> table:
>
> rpfilter --invert -j DROP
>
> that caused messages incoming from clients to be dropped.
And here's another problem: be careful with filtering in the raw
table. Filtering should be done in the filter table (which, go
figure, may be why they named it "filter".)
> It is easy to modify the rule to allow dhcp traffic
> through, so problem solved.
>
> I have another question however about this:
>
> > ISC's dhcp server uses a lower-level
> > network model than dnsmasq, and can work despite
> > iptables rules to the contrary.
>
> How can an app bypass the kernel firewall? Can you please
> suggest a reference for me to understand better?
Well, that's overstating it a bit.
ISC dhcpd uses raw sockets, and those are (like tcpdump) seen before
the netfilter subsystem.
But note, a complete DHCP exchange is "DORA": Discover by the client;
Offer by the server; Request by the client; and Ack by the server.
With dhcpd only DO are not blockable. RA certainly are.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
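The "DORA" exchange named above, as an added worked example that is not part of the list thread: it builds and decodes the four DHCPv4 messages (RFC 2131 message format, option 53 message types from RFC 2132) so the Discover/Offer/Request/Ack phases and the addresses a lease-less client uses can be seen on the wire. The MAC, the 192.0.2.0/24 addresses and the transaction id are constructed sample values; `build_dhcp`, `parse_dhcp` and `dora_exchange` are names chosen here.

```python
"""Added example (not from the list thread): build and decode a DHCPv4 DORA
exchange so each phase can be inspected. Addresses and MAC are constructed."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Option 53 (DHCP Message Type) values, RFC 2132 section 9.6
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
BOOTREQUEST, BOOTREPLY = 1, 2
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header


def ip_to_bytes(dotted):
    return bytes(int(part) for part in dotted.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp(op, xid, mac, msg_type, yiaddr="0.0.0.0", ciaddr="0.0.0.0", extra_opts=b""):
    """Return a minimal DHCPv4 payload: fixed header + magic cookie + options."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(HEADER_FMT,
                         op, 1, 6, 0, xid, 0, 0x8000,   # flags: BROADCAST bit set
                         ip_to_bytes(ciaddr), ip_to_bytes(yiaddr), b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type]) + extra_opts + b"\xff"   # option 53, then END
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Decode the header and walk the options; raises ValueError if not DHCP."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    fields = struct.unpack(HEADER_FMT, payload[:236])
    op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr, _giaddr, chaddr = fields[:12]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD option, single byte
            i += 1
            continue
        if code == 255:          # END option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": "BOOTREQUEST" if op == BOOTREQUEST else "BOOTREPLY",
        "xid": xid,
        "broadcast_flag": bool(flags & 0x8000),
        "ciaddr": bytes_to_ip(ciaddr),
        "yiaddr": bytes_to_ip(yiaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "message_type": MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
        "options": options,
    }


def dora_exchange(client_mac="02:00:5e:00:53:01", server_ip="192.0.2.1",
                  offered_ip="192.0.2.100", xid=0x3903F326):
    """Return the four DORA messages as (name, src_ip, dst_ip, payload) tuples,
    with the addressing RFC 2131 sec. 4.1 gives for a client that has no lease."""
    server_id = bytes([54, 4]) + ip_to_bytes(server_ip)    # option 54, Server Identifier
    requested = bytes([50, 4]) + ip_to_bytes(offered_ip)   # option 50, Requested IP Address
    return [
        # client has no address yet: source 0.0.0.0, limited broadcast destination
        ("DISCOVER", "0.0.0.0", "255.255.255.255",
         build_dhcp(BOOTREQUEST, xid, client_mac, 1)),
        # BROADCAST flag was set, so the server answers to 255.255.255.255
        ("OFFER", server_ip, "255.255.255.255",
         build_dhcp(BOOTREPLY, xid, client_mac, 2, yiaddr=offered_ip, extra_opts=server_id)),
        # still no address: REQUEST is broadcast too, naming the chosen server
        ("REQUEST", "0.0.0.0", "255.255.255.255",
         build_dhcp(BOOTREQUEST, xid, client_mac, 3, extra_opts=requested + server_id)),
        ("ACK", server_ip, "255.255.255.255",
         build_dhcp(BOOTREPLY, xid, client_mac, 5, yiaddr=offered_ip, extra_opts=server_id)),
    ]


if __name__ == "__main__":
    for name, src, dst, wire in dora_exchange():
        info = parse_dhcp(wire)
        print(f"{name:8} {src:>15} -> {dst:<15} {info['op']:11} xid={info['xid']:#x} "
              f"yiaddr={info['yiaddr']} type={info['message_type']}")
```

Running it prints one line per phase; the Discover and Request lines show the 0.0.0.0 source a client uses before it holds a lease, which is the traffic a reverse-path check in PREROUTING has to be told about explicitly.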