I repair computers as a hobby, and I always make it a point to check if the Ethernet ports are functioning properly. However, I've noticed that on some computers that don't support "open source BIOS", PXE boot is enabled in the BIOS. I personally don't trust it, even when it's turned off. I once had a machine, donated from a corporate environment, that was still trying to PXE boot at startup despite the option being disabled.
Given this, I'm wondering if simply blocking port 69 is enough to secure the system? My research into TFTP and PXE has uncovered some important points.
I discovered that DHCP Options 66 and 67 are often used in PXE boot setups:
DHCP Option 66 (Boot Server Name) specifies the name or IP address of the TFTP server that the client should use to obtain the boot file.
DHCP Option 67 (Boot File Name) indicates the name of the boot file that the client should request from the TFTP server specified in Option 66.
Now, I want to know how I can use iptables or nftables on my OpenWrt router to block any connections that include DHCP Options 66 and 67.
A DHCP request contains the features the client wants; the server responds with the features it supports. If you do not configure options with a boot file, the machine just proceeds with a normal boot. If you want some machines to netboot, make a specific port where you plug in a PC that serves the boot file (Google is big; you can find a conditional filter between normal PXE and EFI platforms) to some recovery/diagnostic system.
So far I have this rule for blocking TCP/UDP port 69
iptables: block TFTP on TCP and UDP port 69

```
# Block TFTP via UDP (port 69)
iptables -A INPUT -p udp --dport 69 -j DROP
# Block TFTP via TCP (port 69)
iptables -A INPUT -p tcp --dport 69 -j DROP
```

nftables equivalent rules: block TFTP on TCP and UDP port 69

```
# The table and its input chain must exist before rules can be added to them
nft add table ip tftp_filter
nft add chain ip tftp_filter input '{ type filter hook input priority 0; policy accept; }'
# Block TFTP via UDP (port 69)
nft add rule ip tftp_filter input udp dport 69 drop
# Block TFTP via TCP (port 69)
nft add rule ip tftp_filter input tcp dport 69 drop
```
But how can you block DHCP Options 66 and 67 on port 68?
Do I have to filter some kind of string with an expression?
Am I going about this the wrong way with firewall?
Do I need to edit something in dnsmasq.conf or OpenWrt's dhcp config settings to disable such options?
nftables does not include an application-level filter for DHCP options.
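Since the firewall cannot look inside DHCP, the two places where Option 66/67 actually show up are the DHCP messages on the wire and the router's own dnsmasq configuration. The following Python script is an added example (it is not code from this thread or from OpenWrt) that covers both: it parses a DHCP message and lists every field that would steer a client toward PXE (the fixed BOOTP `siaddr`/`file` fields plus options 43, 66 and 67), and it scans the text of `/etc/config/dhcp` or `dnsmasq.conf` for the settings that would make the router send them. The DHCPOFFER packets and the UCI snippet are constructed for the demo, and every address and filename in them (192.168.1.10, pxelinux.0, the MAC) is made up. It assumes the standard UCI `list dhcp_option '66,...'` syntax and dnsmasq's `dhcp-option=` / `dhcp-boot=` directives; run it against a real capture or your real config files to check for yourself.

```python
"""Spot PXE boot information (DHCP options 66/67 and friends) in a DHCP message,
and audit an OpenWrt /etc/config/dhcp or dnsmasq.conf for settings that would
make the router hand such information out. Added example, not thread code."""
import re
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the option area
OPT_VENDOR_SPECIFIC = 43           # PXE servers put menus/prompts in here
OPT_TFTP_SERVER = 66               # "TFTP server name"
OPT_BOOTFILE = 67                  # "Bootfile name"


def parse_dhcp_options(payload: bytes) -> dict[int, bytes]:
    """Walk the TLV option area after the magic cookie (pad=0, end=255)."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad byte, no length
            i += 1
            continue
        if code == 255:          # end marker
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: concatenate repeats
        i += 2 + length
    return opts


def pxe_indicators(packet: bytes) -> list[str]:
    """Return readable reasons a DHCP message would steer a client to PXE boot."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    found = []
    siaddr = ".".join(str(b) for b in packet[20:24])       # "next server" field
    if siaddr != "0.0.0.0":
        found.append(f"siaddr (next server) = {siaddr}")
    bootfile = packet[108:236].split(b"\0", 1)[0]           # fixed 128-byte file field
    if bootfile:
        found.append(f"file field = {bootfile.decode('ascii', 'replace')}")
    opts = parse_dhcp_options(packet[240:])
    if OPT_TFTP_SERVER in opts:
        found.append(f"option 66 (TFTP server name) = {opts[66].decode('ascii', 'replace')}")
    if OPT_BOOTFILE in opts:
        found.append(f"option 67 (bootfile name) = {opts[67].decode('ascii', 'replace')}")
    if OPT_VENDOR_SPECIFIC in opts:   # not PXE-only, but worth a look when present
        found.append(f"option 43 (vendor-specific) present, {len(opts[43])} bytes")
    return found


def build_offer(pxe: bool) -> bytes:
    """Constructed sample DHCPOFFER (not a real capture); all addresses are made up."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op..flags
    hdr += bytes(4)                                        # ciaddr
    hdr += bytes([192, 168, 1, 150])                       # yiaddr
    hdr += bytes([192, 168, 1, 10]) if pxe else bytes(4)   # siaddr
    hdr += bytes(4)                                        # giaddr
    hdr += b"\x00\x11\x22\x33\x44\x55" + bytes(10)         # chaddr (16 bytes)
    sname = bytes(64)
    file_ = b"pxelinux.0".ljust(128, b"\0") if pxe else bytes(128)
    opts = bytes([53, 1, 2])                               # DHCPOFFER
    opts += bytes([54, 4, 192, 168, 1, 1])                 # server identifier
    opts += bytes([51, 4]) + struct.pack("!I", 43200)      # lease time
    if pxe:
        opts += bytes([66, 12]) + b"192.168.1.10"
        opts += bytes([67, 10]) + b"pxelinux.0"
    opts += bytes([255])
    return hdr + sname + file_ + DHCP_MAGIC + opts


# Config lines that make dnsmasq emit boot info. Assumed syntax: UCI
# "list dhcp_option '66,...'", "option dhcp_boot", dnsmasq "dhcp-option=" and "dhcp-boot=".
BOOT_SETTING = re.compile(
    r"^\s*(?:(?:list|option)\s+dhcp_option\s+['\"]?|dhcp-option=)"
    r"(?:tag:[^,]+,)?(?:43|66|67|option:(?:tftp-server|bootfile-name|vendor-encap)),"
    r"|^\s*(?:option\s+dhcp_boot\b|dhcp-boot=)"
)


def boot_settings(config_text: str) -> list[str]:
    """Return the config lines that would make dnsmasq send boot info to clients."""
    return [ln.strip() for ln in config_text.splitlines() if BOOT_SETTING.match(ln)]


# Constructed /etc/config/dhcp excerpt for the demo; a clean router has no 66/67 lines.
SAMPLE_UCI = """\
config dhcp 'lan'
\toption interface 'lan'
\toption start '100'
\toption limit '150'
\toption leasetime '12h'
\tlist dhcp_option '6,192.168.1.1'
\tlist dhcp_option '66,192.168.1.10'
\tlist dhcp_option '67,pxelinux.0'
"""

if __name__ == "__main__":
    for flag in (True, False):
        print(f"offer with pxe={flag}:", pxe_indicators(build_offer(flag)) or ["nothing"])
    print("boot settings in sample config:", boot_settings(SAMPLE_UCI))
```

To use it on a real network, feed `pxe_indicators()` the UDP payload of a DHCPOFFER/DHCPACK captured with `tcpdump -i br-lan udp port 67 or udp port 68 -w dhcp.pcap`, and run `boot_settings()` over the output of `cat /etc/config/dhcp` and, if it exists, `/etc/dnsmasq.conf`. An empty result from both is what the OP should expect: with no 66/67 or `dhcp-boot` settings, the router's dnsmasq never tells a client where to fetch a boot file, and the machine falls through to its normal boot order.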
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/dhcp
cat /etc/config/firewall
If someone is able to set up such a server on the same LAN, there is nothing you can do at the router to prevent it from attacking the PC that tries to PXE boot.
If that were to happen I'd argue there are bigger security concerns. And if someone had that much access, what are the chances they wouldn't just be able to directly access the PC in question? It would be a lot less hassle than setting up the infrastructure for PXE booting.
But anyway, the reason for my query is (I suspect) @Qveen-dev doesn’t have such a setup and is wasting their time trying to solve an issue that doesn’t exist.