For what reason OpenWrt by default listens on port 67 UDP bootp on WAN interface?

czezz · May 26, 2020, 9:19pm

For what reason OpenWRT by default listens on port 67 UDP bootp on WAN interface?

root@OpenWrt:~# netstat -anp | grep 67
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2284/dnsmasq

Test from external/internet host:

[External-internet.host]$ sudo nmap -sT -sU -p 67 OpenWRT-Public-IP
PORT   STATE         SERVICE
67/tcp filtered      dhcps
67/udp open|filtered dhcps

[External-internet.host]$ nc -vuz OpenWRT-Public-IP 67
Connection to OpenWRT-Public-IP 67 port [udp/bootps] succeeded!

jow · May 26, 2020, 9:23pm

This is the Dnsmasq DHCP server. It listens on all interfaces. If you can nmap it from the wan side, your firewall configuration is broken.

czezz · May 26, 2020, 9:31pm

Really? Its a default one.
I actually see not a single line about port 67 in fw config.


root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

anomeome · May 26, 2020, 9:35pm

As would be expected unless you added something toe allow the port.

czezz · May 26, 2020, 9:39pm

I would rather say this is unexpected.

By default OpenWRT FW config should close all WAN ports (if I get it right)
For what reason dnsmasq (DHCP Server) is listening on WAN?

anomeome · May 26, 2020, 9:42pm

It ain't, unless you allowed it. This appears very rehash of you other thread.

jow · May 26, 2020, 9:43pm

Dnsmasq is listening on the wildcard address and filtering incoming requests internally to drop inbound packets from interfaces it is not supposed to handle.

Did you actually nmap from a host outside of your network? Scanning ports of the external IP from within your LAN will bypass the WAN side firewall.

czezz · May 26, 2020, 9:47pm

Yes, of course as I mentioned in my initial post "Test from external/internet host".
Its funny though telnet test gives "Connection refused"


[External-internet.host]$ telnet OpenWRT-Public-IP 67
Trying OpenWRT-Public-IP...
telnet: Unable to connect to remote host: Connection refused

jow · May 26, 2020, 9:55pm

I think it is just nc (specifically OpenBSD netcat) giving misleading diagnostics. UDP, by nature, is a connectionless protocol so I don't see how it can establish a connection of any kind to an UDP port.

See also https://unix.stackexchange.com/questions/235830/how-does-netcat-know-if-a-udp-port-is-open for reference

Here's a little test that shows the problem:

jow@j7:~$ nc -vuz google.com 53
Connection to google.com 53 port [udp/domain] succeeded!
jow@j7:~$ nc -vuz google.com 67
Connection to google.com 67 port [udp/bootps] succeeded!
jow@j7:~$ nc -vuz google.com 68
Connection to google.com 68 port [udp/bootpc] succeeded!
jow@j7:~$ nc -vuz google.com 69
Connection to google.com 69 port [udp/tftp] succeeded!
jow@j7:~$ nc -vuz google.com 1234
Connection to google.com 1234 port [udp/*] succeeded!

So in short, nc is not an adequate test to check whether an UDP port is "open"

czezz · May 26, 2020, 10:26pm

Yes, it seems like.
Telnet and nmap (in a way) says port 67 is closed/not reachable.

When it comes to DHCP server: https://openwrt.org/docs/guide-user/base-system/dhcp
I have found this:
You can disable a lease pool for a specific interface by specifying the ignore option in the corresponding section.
and this:
ignore boolean no 0 Specifies whether dnsmasq should ignore this pool if set to 1

And that is the default setting for WAN port:

cat /etc/config/dhcp
config dhcp 'wan'
 option interface 'wan'
 option ignore '1'

trendy · May 26, 2020, 10:33pm

telnet is tcp, dhcp is udp.
And we told you in your other topic that nc is misleading yet you insist on using it.

Generally speaking, with all these topics are you trying to do some penetration testing on OpenWrt, are you trying to learn about penetration testing or do you just think you found first such big holes lying there?