Hi,

On my Debian 12 Bookworm (Raspberry Pi)

My nftables do not block DHCP packets! According to these basic rules:

nft -y list ruleset

table ip Tip {

	chain chIN {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
	}
	chain chFW {
		type filter hook forward priority 0; policy drop;
	}
	chain chOUT {
		type filter hook output priority 0; policy drop;
		udp dport 67 drop #DHCP
		udp dport 53 accept
		tcp dport { 80, 443} accept
		ct state established,related accept
	}

}

DHCP should be blocked… but it’s not, as I still get an IP from it…

Any ideas?

Thanks.
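Added example (not from the thread): a small Python audit that parses the plain-text `nft list ruleset` format above and reports, per base chain, the hook, the fallback policy and any explicit UDP rules touching the two DHCP ports (67 server side, 68 client side). The sample is the ruleset pasted in the question, embedded as constructed input.

```python
import re

# Constructed sample: the ruleset from the question, verbatim.
SAMPLE = """table ip Tip {
	chain chIN {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
	}
	chain chFW {
		type filter hook forward priority 0; policy drop;
	}
	chain chOUT {
		type filter hook output priority 0; policy drop;
		udp dport 67 drop #DHCP
		udp dport 53 accept
		tcp dport { 80, 443} accept
		ct state established,related accept
	}
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"type\s+\w+\s+hook\s+(\w+).*?policy\s+(\w+)")
UDP_RE = re.compile(r"^\s*udp\s+(dport|sport)\s+(\d+)\s+(accept|drop)")
DHCP_PORTS = {67, 68}  # 67: DHCP server port, 68: DHCP client port

def parse_ruleset(text):
    """Map chain name -> {'hook', 'policy', 'udp': [(direction, port, verdict)]}."""
    chains, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments such as '#DHCP'
        if m := CHAIN_RE.match(line):
            cur = m.group(1)
            chains[cur] = {"hook": None, "policy": None, "udp": []}
        elif cur and (m := HOOK_RE.search(line)):
            chains[cur]["hook"], chains[cur]["policy"] = m.groups()
        elif cur and (m := UDP_RE.match(line)):
            d, port, verdict = m.groups()
            chains[cur]["udp"].append((d, int(port), verdict))
    return chains

def dhcp_coverage(chains):
    """Per hook: chain name, fallback policy, and the explicit rules touching 67/68."""
    report = {}
    for name, c in chains.items():
        explicit = [r for r in c["udp"] if r[1] in DHCP_PORTS]
        report[c["hook"]] = {"chain": name, "policy": c["policy"], "dhcp_rules": explicit}
    return report
```

With the sample as pasted, the report shows the output hook carrying the only explicit DHCP rule (dport 67 drop) and the input hook relying on its drop policy alone. As a separate note not taken from the thread: common Linux DHCP clients (dhclient, dhcpcd) send and receive their initial exchange through packet sockets, which the ip-family input and output hooks never inspect, so a ruleset can audit as "blocking DHCP" here while the client still obtains a lease.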

  • Synestine · 1 day ago

    Block port 68 as well as 67. And are you sure the output rule is the best place for that?

    • SpongeB0B@programming.dev (OP) · 18 hours ago

      As I want the system to be quiet (not sending data), I suspected the output hook to be the one. What are you suggesting?