Ted Unangst (tedu@tedunangst.com) on 2018.12.13 13:38:58 -0500:
> netstat -an tells me I am listening to all the udp.
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
> udp 0 0 *.* *.*
> udp 0 0 127.0.0.1.53 *.*
> udp 0 0 *.* *.*
> udp 0 0 *.5353 *.*
> udp 0 0 *.* *.*
>
> What are those *.* sockets doing? How can you listen to all the ports?

In the case of dhclient, it opens that SOCK_RAW socket to send packets
to a dhcp server:
get_udp_sock() does socket(AF_INET, SOCK_RAW, IPPROTO_UDP). But it does not
bind() or connect(). That's why you have "Local Address" and "Foreign
Address" *.*.

I think the second one might be the one it opens with ioctlfd =
socket(AF_INET, SOCK_DGRAM, 0). It only uses it to do ioctl() on it, see
section INTERFACES in netintro(4).

> According to fstat, two belong to dhclient and one to chrome.
>
> root dhclient 55241 3* internet dgram udp *:0
> root dhclient 55241 5* internet dgram udp *:0
> tedu chrome 52839 107* internet dgram udp *:0
>
> Although now they are printed as *:0. How do such sockets work?

The first socket above is used in send_packet() in sendmsg(ifi->ufdesc, &msg,
0) to a specific dhcp server.
It is not used to receive packets and indeed it cannot receive any on that
socket.
It sends broadcast packets via bpf(4) and receives packets via bpf(4).

> And, perhaps more directly, how would I block this in pf.conf?

In the case of dhclient, you can't. Well, you can try, but it will break
things. The problem is that dhclient is special, it needs to send things
while there is no IP configuration on an interface. So it needs to do
things itself that the IP stack would do for normal programs.

If you run dhclient, you trust it not to send bad things, and not to receive
things it should not see (it configures the bpf filter to only get packets
to port 67).

As for chrome, I have no idea what it is doing... ;)
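
An added example, not part of the original message or of dhclient's source: a small C program showing why a socket that has been created but never passed to bind() or connect() is listed with a wildcard local address and port 0, and how that changes once it is bound. It uses an unprivileged SOCK_DGRAM socket (like the ioctlfd socket mentioned above) instead of SOCK_RAW, which needs root; the helper names are made up for this illustration.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel which local address/port it has recorded for fd. */
static int local_addr(int fd, struct sockaddr_in *out)
{
	socklen_t len = sizeof(*out);

	memset(out, 0, sizeof(*out));
	return getsockname(fd, (struct sockaddr *)out, &len);
}

/* 1 if fd still has the wildcard address and port 0 (the "*.*" / "*:0"
 * rows in netstat and fstat), 0 if not, -1 on error. */
int is_wildcard(int fd)
{
	struct sockaddr_in sin;

	if (local_addr(fd, &sin) == -1)
		return -1;
	return sin.sin_addr.s_addr == htonl(INADDR_ANY) && sin.sin_port == 0;
}

/* Bind to the wildcard address with a kernel-chosen port.
 * Returns the assigned port in host byte order, or -1 on error. */
int bind_any(int fd)
{
	struct sockaddr_in sin;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1)
		return -1;
	return local_addr(fd, &sin) == -1 ? -1 : ntohs(sin.sin_port);
}

int main(void)
{
	int fd = socket(AF_INET, SOCK_DGRAM, 0);

	if (fd == -1) { perror("socket"); return 1; }
	printf("after socket(): wildcard=%d\n", is_wildcard(fd));
	printf("after bind():   port=%d wildcard=%d\n", bind_any(fd), is_wildcard(fd));
	close(fd);
	return 0;
}
```

Only after bind() does the socket own a port that incoming datagrams can be delivered to; before that, the listing entry reflects an allocated but unaddressed socket.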