
35. DHCPcd : Client DHCP for xDSL / Cablemodem users

All versions of DHCPcd prior to 1.3.22-p12 are vulnerable to rogue DHCP servers: a malicious DHCP server could execute arbitrary commands on the vulnerable DHCP client. Please make sure you are running 1.3.22-p12 or newer.
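A quick way to check the installed client against that cutoff, as an added example that is not part of the TrinityOS document: the function below compares a dhcpcd version string of the assumed form MAJOR.MINOR.PATCH[-pN] against 1.3.22-p12. The version string is supplied by hand (from your package manager or the dhcpcd banner); nothing here queries dhcpcd itself.

```shell
#!/bin/sh
# Added example (not from the TrinityOS document): decide whether a dhcpcd
# version string is at or above the first fixed release, 1.3.22-p12.
# Assumed format: MAJOR.MINOR.PATCH optionally followed by "-pN"; a missing
# "-pN" suffix counts as patch level 0.

MIN_FIXED="1.3.22-p12"

# split_version "1.3.22-p12" -> "1 3 22 12"
split_version() {
    v="$1"
    case "$v" in
        *-p*) plevel="${v##*-p}"; base="${v%-p*}" ;;
        *)    plevel=0;           base="$v" ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $base
    IFS="$oldifs"
    echo "${1:-0} ${2:-0} ${3:-0} ${plevel:-0}"
}

# dhcpcd_version_ok VERSION: exit 0 if VERSION >= 1.3.22-p12,
# 1 if it is older, 2 if the string is not a version number at all.
dhcpcd_version_ok() {
    case "$1" in
        ''|*[!0-9.p-]*) return 2 ;;
    esac
    set -- $(split_version "$1") $(split_version "$MIN_FIXED")
    # $1..$4 = candidate fields, $5..$8 = minimum fixed release fields
    for i in 1 2 3 4; do
        eval "a=\$$i; b=\$$((i+4))"
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0   # identical to the minimum fixed release
}

# Constructed sample inputs, one per outcome
for v in 1.3.22-p11 1.3.22 1.3.22-p12 1.3.23; do
    if dhcpcd_version_ok "$v"; then
        echo "dhcpcd $v: fixed (>= $MIN_FIXED)"
    else
        echo "dhcpcd $v: VULNERABLE, upgrade to $MIN_FIXED or newer"
    fi
done
```

The comparison is field by field, so 1.3.22 with no patch level is correctly reported as older than 1.3.22-p12, and a plain string comparison would get 1.3.22-p9 versus 1.3.22-p12 wrong.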

See Section 5 for some other excellent URLs on setting up DHCP clients.

First, a quote from the TrinityOS firewall rule set about Linux DHCP clients:

        --
        # NOTE: Red Hat users of DHCP to get TCP/IP addresses (Cablemodems, DSL, etc)
        #       will need to install and use a different DHCP client than the stock
        #       client called "pump".  It should be noted that newer
        #       versions of pump can run scripts upon lease bringup, renew, etc.  One
        #       recommended DHCP client is called "dhcpcd" and can be found
        #       in Appendix A.
        #
        #       The stock Red Hat DHCP client doesn't allow the ability to have scripts
        #       run when DHCP gets a TCP/IP address.  Specifically, DHCP doles out
        #       TCP/IP addresses to its clients for a limited amount of time; this is
        #       called a "lease".  When a DHCP lease expires, the client will query the
        #       DHCP server for a lease renewal.  Though the DHCP client will usually
        #       get back its original TCP/IP address, this is NOT always guaranteed.
        #       With this understood, if you receive a different TCP/IP address than
        #       the IPCHAINS firewall was configured for, the firewall will block ALL
        #       network access in and out of the Linux server because that was what it
        #       was configured to do.
        #
        #       As mentioned above, the key to solving this problem is to use a DHCP
        #       client program that can re-run the /etc/rc.d/init.d/firewall rule set
        #       once a new TCP/IP address is set.  The new rule set will make the required
        #       changes to the rule sets to allow network traffic from and to your new
        #       TCP/IP address.
        --

Another thing to note from the DHCPcd documentation:

                --
                In case dhcpcd detects a change in the assigned IP address it
                will try to execute the /etc/dhcpc/dhcpcd-<interface>.exe program.
                The word <interface> is substituted by the actual interface name,
                e.g. eth0. Caution: do not use /etc/dhcpcd-<interface>.exe
                as a bootup script. It will not be executed if the assigned IP address
                is the same as it was before reboot. The included sample
                /etc/dhcpc/dhcpcd-eth0.exe will log the time of the IP change
                to the /var/log/messages file.
                --

Notes:

1. If you use TrinityOS's strong firewall rule set, you'll have to uncomment (remove the leading "#" from) the "DHCP - Client" IPCHAINS or IPFWADM rule sets in both the Incoming and Outgoing rules to allow DHCP in through your EXTERNAL interface.

2. You will also have to execute /etc/rc.d/rc.firewall when DHCP gets its initial IP address and whenever it renews its IP address lease. Newer "dhcpcd" clients offer this functionality, though not all clients do (such as "pump"). Be sure you use one that DOES have this function. It should be noted that newer versions of pump can run scripts upon lease bringup, renewal, etc.

Here is a real quick intro on how to do this:

########

If you are running Mandrake 6.1, load up "vi", open /etc/sysconfig/network-scripts/ifup and go to line 87. If you are running Red Hat 6.x, edit the same file and search for "DHCP" (run the vi command "/DHCP" without the quotes).

Look for something like the following:

        --
        if [ -n "$DHCP" ]; then
            echo -n "Determining IP information for $DEVICE via dhcpcd..."
            if /sbin/dhcpcd -i $DEVICE -h $HOSTNAME ; then
                echo " done."
            else
                echo " failed."
                exit 1
            fi
            # ... (the rest of the ifup script continues here)
        fi
        --

You'll want to change it to something like the following (if it doesn't already look like this):

        --
        if [ -n "$DHCP" ]; then
            echo -n "Determining IP information for $DEVICE via dhcpcd..."
            if /sbin/dhcpcd -H -D $DEVICE ; then
                echo " done."
            else
                echo " failed."
                exit 1
            fi
            # ... (the rest of the ifup script continues here)
        fi
        --

Next, you need to create a link to the firewall rule set for your given EXTERNAL interface:

ln -s /etc/rc.d/rc.firewall /etc/dhcpc/dhcpcd-*EXTIF*.exe

Replace "*EXTIF*" with the name of your external interface (and point the link at wherever your firewall rule set lives). For example, if your external interface is "eth0", it would be:

ln -s /etc/rc.d/init.d/firewall /etc/dhcpc/dhcpcd-eth0.exe

That's it! Now when the /sbin/ifup script or the dhcpcd program is run, it will obtain its IP address and then run the firewall rule set automatically.
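The symlink above simply re-runs the whole rule set on every address change. The script below is an added example, not from the TrinityOS document or the dhcpcd project, of a small wrapper that could stand in for /etc/dhcpc/dhcpcd-eth0.exe instead: it logs the change and only re-runs the firewall when the lease really delivered a new address. It assumes (neither is stated on this page) that dhcpcd 1.3.x calls the program with its lease info file (/etc/dhcpc/dhcpcd-eth0.info) as the first argument, and that this file contains a line of the form IPADDR=<address>. The info file is parsed with sed rather than sourced with ".", so nothing a DHCP server put in it is ever executed by the shell.

```shell
#!/bin/sh
# Added example (not the TrinityOS or dhcpcd project's code): a wrapper for
# /etc/dhcpc/dhcpcd-<interface>.exe that re-runs the firewall rule set only
# when the leased IP address actually changed.
#
# Assumptions (not taken from the TrinityOS page):
#  - dhcpcd 1.3.x invokes this program with the lease info file as $1
#    (e.g. /etc/dhcpc/dhcpcd-eth0.info) and a state word such as "new" as $2;
#  - that info file contains a line IPADDR=<dotted quad>.

FIREWALL=${FIREWALL:-/etc/rc.d/rc.firewall}      # rule set to re-run
STATE=${STATE:-/var/run/dhcpcd-firewall.ip}      # address the rules were last built for

# log MSG: syslog if logger exists, otherwise stderr (syslog is where
# /var/log/messages gets it, as in dhcpcd's own sample hook)
log() {
    logger -t dhcpcd-hook "$*" 2>/dev/null || printf 'dhcpcd-hook: %s\n' "$*" >&2
}

# is_ipv4 ADDR: 0 if ADDR is a plain dotted quad with octets <= 255, else 1
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $1; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# lease_ip INFO_FILE: print the IPADDR value. The file is parsed, never
# sourced, so shell metacharacters in it are data, not commands.
lease_ip() {
    sed -n 's/^IPADDR=//p' "$1" | head -n 1 | tr -d "'\""
}

# on_lease INFO_FILE [STATE_WORD]
# returns 0 if the firewall was re-run, 1 if the address is unchanged,
#         2 if the lease file carries a malformed address,
#         3 if the firewall script is missing or not executable
on_lease() {
    ip=$(lease_ip "$1")
    if ! is_ipv4 "$ip"; then
        log "refusing malformed IPADDR in $1; firewall left untouched"
        return 2
    fi
    old=""
    if [ -r "$STATE" ]; then
        old=$(cat "$STATE")
    fi
    if [ "$ip" = "$old" ]; then
        return 1          # lease renewed with the same address: nothing to do
    fi
    if [ ! -x "$FIREWALL" ]; then
        log "firewall script $FIREWALL is missing or not executable"
        return 3
    fi
    log "lease address changed from ${old:-none} to $ip ($2); reloading $FIREWALL"
    printf '%s\n' "$ip" > "$STATE"
    "$FIREWALL" || log "firewall script exited with status $?"
    return 0
}

# Entry point when dhcpcd calls us: $1 is the lease info file.
if [ -n "$1" ]; then
    on_lease "$1" "$2"
fi
```

Install it as /etc/dhcpc/dhcpcd-eth0.exe (mode 0755, owned by root) in place of the symlink; the firewall path and state file can be overridden through the FIREWALL and STATE environment variables, which is also how the script can be exercised against a scratch directory before it is put in service.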
