Default rule of Allow-DHCP-Renew

Source zone: WAN, Destination zone: Device (input), Destination Port 68 = ALLOW

Does that mean UDP Port 68 is open to the world?

If not, how and why would it work differently?

Yes, but it is difficult to get an IP from your ISP if it isn't.

netstat -l -n -p

DHCP discovery and request are sent as broadcasts, therefore there is no connection for the firewall to track and allow the DHCP offer and ack. That's why the DHCP client port should allow incoming connections. Even if some malicious actor managed to send something to the DHCP client and it reached your router, it would be discarded as invalid. The router already has an IP and is not expecting to get unsolicited packets.


I see some uhttpd and dnsmasq and all the Foreign Addresses are either "0.0.0.0:*" or ":::*".

What should I do with this command?

That should answer your first question from the OP.

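The `netstat -l -n -p` suggestion above, and the worry raised later in the thread that some program other than the DHCP client might end up answering on port 68, both come down to one check: which process owns UDP/68 on the router. This is an added example, not from the original post; the netstat output it parses is constructed, and it assumes the expected client is udhcpc (the BusyBox DHCP client OpenWrt uses on a DHCP WAN).

```shell
#!/bin/sh
# Added example: find out which process owns UDP port 68 (the DHCP client port)
# from the output of `netstat -l -n -p`. SAMPLE is constructed, not from a real router.

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/uhttpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/udhcpc
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1100/dnsmasq
udp        0      0 :::547                  :::*                                1100/odhcpd'

# Print "local-address PID/program" for every UDP socket bound to port 68.
# Only udp/udp6 rows are considered; the State column is empty for UDP, so
# the PID/Program name is always the last field.
udp68_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp6?$/ {
            port = $4; sub(/.*:/, "", port)   # port is what follows the last colon
            if (port == "68") print $4, $NF
        }'
}

# Exit 0 when every UDP/68 listener is the expected DHCP client (udhcpc on OpenWrt),
# non-zero when some other program, or an unidentified one shown as "-", holds the port.
# No listener at all also exits 0: nothing is answering on 68 in that case.
check_udp68() {
    udp68_listeners "$1" | awk -v want="$2" '
        { n = split($2, p, "/"); if (n < 2 || p[2] != want) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Against a live router: check_udp68 "$(netstat -l -n -p)" udhcpc
if check_udp68 "$SAMPLE" udhcpc; then
    echo "only udhcpc is bound to UDP/68"
else
    echo "unexpected listener on UDP/68"
fi
```

Run it as root, since netstat only shows the owning program for sockets it is allowed to inspect; otherwise the "-" entries will be reported as unexpected.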

Even if some malicious actor managed to send something to the DHCP client and it reached your router, it would be discarded as invalid. The router already has an IP and is not expecting to get unsolicited packets.

Sending broadcasts is just fine, but potential problem lies in incoming traffic after that.

Theoretically a malicious actor can "get in" and start talking to your DHCP client before the next time your router is looking for an IP from the ISP. You can get rid of this problem on your PC by limiting all port 68 traffic to a source address; you can easily know the source address in that scenario (it's just your router). But if your router is getting its IP from the ISP's DHCP server, how would you find out that server's IP using OpenWRT?

Another theoretical attack vector would be a specially crafted packet making another program (instead of the DHCP client) respond to the traffic incoming on port 68, and then start exploiting the system.

If that can give you any idea, I will mention how I would reduce this attack surface on a windows machine. Using Windows Filtering Platform (WFP), you can allow only DHCP Client Service to be able to respond to port 68 traffic rather than any other program.

Here, it seems we only have the choice of allowing or denying all UDP traffic from the world incoming to port 68 of the router, without being able to further limit it, which I might consider a security issue.

EDIT: On PPPoE connections, is your router's IP negotiated with the ISP's DHCP server?

Can't we see ISP's DHCP server's IP in a log somewhere in OpenWRT? That could be static which might help us provide a source IP to the firewall.

That's assuming it doesn't change over time, or there's more than one.

But you do realize most threats don't come into your LAN by breaching the router/fw, right?


No, it's not. If they're capable of "exploiting" the DHCP port, they might as well spoof the IP too, and your filter has zero effect.

Which would mean your security's already breached, since the DHCP daemon would need to be stopped for something/someone else to be listening on the same port.

Pretty sure that's achievable using SELinux, but that's a completely different level of PITA.

Did you send the same questions to the people who made the original fw for your router?