Every time the dhcp service starts, it listens not only on 0.0.0.0:67 but also on 0.0.0.0:PORT where PORT is a random number.
Does anyone know where this behaviour comes from?
root@OpenWrt:/# netstat -ntapue
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 10.0.16.1:22 0.0.0.0:* LISTEN 898/sshd
netstat: /proc/net/tcp6: No such file or directory
udp 0 0 10.0.16.1:514 0.0.0.0:* 922/syslog-ng
udp 0 0 0.0.0.0:60738 0.0.0.0:* 1290/dhcpd
udp 0 0 0.0.0.0:67 0.0.0.0:* 1290/dhcpd
udp 0 0 10.0.16.1:69 0.0.0.0:* 974/tftpd-hpa
netstat: /proc/net/udp6: No such file or directory
My config is:
# dhcpd.conf
ddns-updates off;
authoritative;
# don't let clients modify their own A records
ignore client-updates;
default-lease-time 3600;
max-lease-time 86400;
option domain-name "lan";
option domain-name-servers 212.24.188.130, 212.24.188.131;
subnet 10.0.16.0 netmask 255.255.255.0 {
    host marvin {
        hardware ethernet 48:5D:11:2F:22:31;
        fixed-address 10.0.16.202;
    }
    range 10.0.16.207 10.0.16.209;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.16.255;
    option routers 10.0.16.1;
    deny unknown-clients;
    next-server 10.0.16.1;
    filename "pxelinux.0";
}
A Google search suggests that it's a kind of bug:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1176046
On Launchpad there is also a link to a proposed solution (building the package from source with extra options for the ./configure script):
http://forums.debian.net/viewtopic.php?f=10&t=95273
I have checked the release notes for the latest stable (4.2.5-P1) and development (4.2.6b1 and 4.3.0b1) versions of ISC DHCPD, and this bug does not seem to be fixed there.
To rebuild the package from source with custom options on OpenWRT, you need to build your own opkg package using a cross-compiler for your router's architecture, or even rebuild the whole OpenWRT image: http://wiki.openwrt.org/doc/devel/packages
So to solve the security issue, I would suggest that you just block all ports except the needed ones (22, 67, 69, 514) with your firewall.
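A way to audit listeners against the port list in the answer above, as an added example that is not part of the original posts: the script reads `netstat` output and reports any listening socket outside an allowlist. The function names, the `ALLOWED` variable and the protocol paired with each port (taken from the question's netstat output) are assumptions of this example.

```shell
# ALLOWED holds proto/port pairs for the ports named in the answer (22, 67, 69, 514),
# with the protocol each one uses in the question's netstat output (assumption).
ALLOWED="tcp/22 udp/67 udp/69 udp/514"

# Reads `netstat -ntapue` style output on stdin and prints
# "proto local_address program" for every listener not in ALLOWED.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only socket rows: skips headers and "netstat: ..." error lines.
        $1 != "tcp" && $1 != "udp" { next }
        {
            proto = $1; local_addr = $4; foreign = $5
            # TCP rows must be in LISTEN; UDP rows have no state column,
            # so an unconnected foreign address (ending in :*) counts as listening.
            if (proto == "tcp" && $6 != "LISTEN") next
            if (proto == "udp" && foreign !~ /:\*$/) next
            port = local_addr
            sub(/^.*:/, "", port)      # keep the text after the last colon
            key = proto "/" port
            if (!(key in ok)) print proto, local_addr, $NF
        }'
}

# Constructed sample: the netstat output quoted in the question.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 10.0.16.1:22 0.0.0.0:* LISTEN 898/sshd
netstat: /proc/net/tcp6: No such file or directory
udp 0 0 10.0.16.1:514 0.0.0.0:* 922/syslog-ng
udp 0 0 0.0.0.0:60738 0.0.0.0:* 1290/dhcpd
udp 0 0 0.0.0.0:67 0.0.0.0:* 1290/dhcpd
udp 0 0 10.0.16.1:69 0.0.0.0:* 974/tftpd-hpa
netstat: /proc/net/udp6: No such file or directory
EOF
}

sample_netstat | unexpected_listeners
```

On the router itself the live output can be piped in instead of the sample: `netstat -ntapue | unexpected_listeners`.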