Hi,
On my Debian 12 Bookworm ( raspberry pi )
My nftables rules do not block DHCP packets! According to this basic ruleset:
nft list ruleset
table ip Tip {
    chain chIN {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
    chain chFW {
        type filter hook forward priority 0; policy drop;
    }
    chain chOUT {
        type filter hook output priority 0; policy drop;
        udp dport 67 drop # DHCP
        udp dport 53 accept
        tcp dport { 80, 443 } accept
        ct state established,related accept
    }
}
DHCP should be blocked… but it’s not, as I still get an IP from it…
Any ideas?
Thanks.
DHCP uses raw sockets, so it gets to skip the normal networking stack. See here for the same question on Reddit: https://www.reddit.com/r/linuxadmin/comments/flcsc8/nftables_not_blocking_incoming_dhcp_traffic/
Why block it from the firewall? Normally you would set a static IP so that DHCP is not used. You could also uninstall or disable the DHCP client service.
Obviously, but I’m still wondering why it doesn’t block it like it should.
I hope nftables doesn’t let other things pass like this…
Block port 68 as well as 67. And are you sure the output rule is the best place for that?
As I want the system to be quiet (not sending data), I suspected the output hook to be the right one. What are you suggesting?