firewall-cmd, can't block dhcp request

Support for security such as Firewalls and securing linux
Post Reply
Posts: 5
Joined: 2019/12/04 09:09:52

firewall-cmd, can't block dhcp request

Post by lebrun78 » 2019/12/04 09:16:11


I would like to set up a DHCP server, and the time of the debugging, I would like to block the incoming DHCP requests with the firewall, I tested with rules firewall cmd but the requests dhcp are always passing, even in passing the network interface in drop or block rule, or dmz.
Can you advise me ?

User avatar
Posts: 2806
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall-cmd, can't block dhcp request

Post by jlehtone » 2019/12/04 11:05:11

The thing is ... new IPv4 dhcp client broadcasts a bare request that has no destination IP nor source IP. Just sender's MAC-address. It has to, for it has no address, nor knows network's broadcast address. Most of firewall filtering is based on IP addresses.

That is not the whole reason; the DHCP server process appears to "listen" outside of the firewall, earlier in the network stack than netfilter.

Stop the dhcp server?

Posts: 2994
Joined: 2014/09/20 11:22:14

Re: firewall-cmd, can't block dhcp request

Post by aks » 2019/12/15 08:52:34

On the DHCP server:

Set the interface down - if the interface down nothing will be answered (and that applies to all other services on that interface).

There are many implementations of DHCP now, but generally DHCP uses the bootp port 68 over either UDP or TCP (and that's easy to check, what ports is the DHCP server listening on?). Block broadcast (ff.ff.ff.ff) and subnet broadcast (i.e.: the broadcast address of the subnet, so for example on that would be and the TCP and UDP ports used by the DHCP server listener. Note that if you're blocking inbound broadcasts, that'll apply to all services on that interface.

But I think you shouldn't have to take a service offline for debugging!

User avatar
Posts: 38
Joined: 2014/12/03 19:58:02

Re: firewall-cmd, can't block dhcp request

Post by Errosion » 2019/12/16 21:09:12

I just went through something similar on one of my servers where certain requests were passing even though I thought they should be blocked.

It had to do with how the zones are configured within firewalld.

I will admit, I only did enough reading and understanding to sort my means. I wanted to limit ssh traffic to a specific set of IP ranges. My active zone was public and I had my two IP ranges listed in the internal zone. Both public and internal had the ssh service enabled. But if I removed either of the IP ranges from my internal zone, I could still ssh from a device outside of the range. I found I needed to remove ssh from the public (active) zone, which relegated the rules up to the internal zone.

But do some reading here: ... with_zones

That helped me figure out what I needed to do. Might help you as well.

Maybe you have the dhcp service listed under some other zone that you are not expecting.

Post Reply

Return to “CentOS 7 - Security Support”