How to confirm a low number port (67 UDP) is being blocked by my firewall?

Based on this answer, blocking port 67 UDP outgoing should be

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p udp -m udp --dport=67 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP
firewall-cmd --reload

Port 67 UDP is the port a DHCP server uses, so I would like to verify that the port is indeed blocked before I start the DHCP server, so I can experiment with it in a sandbox.

Question

Since it is UDP and below 1024, how can I confirm it is blocked?










Tags: linux, networking, firewall

edited 16 mins ago by 200_success
asked 5 hours ago by Sandra
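The rules themselves can also be read back and evaluated before any packet is sent. This added example (not part of the original question or answers) applies first-match evaluation to the question's two direct rules; the sample text is constructed from those commands, the parser understands only `-p`, `--dport` and `-j`, and the ACCEPT fall-through policy is an assumption.

```python
# Added example: a simplified first-match model of iptables-style direct rules.
import shlex

# Constructed sample: the two rules from the question, written in the
# "ipv4 filter OUTPUT <priority> <args>" form the commands use.
QUESTION_RULES = """\
ipv4 filter OUTPUT 0 -p udp -m udp --dport=67 -j ACCEPT
ipv4 filter OUTPUT 1 -j DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text, chain="OUTPUT"):
    """Return (priority, proto, dport, target) tuples, lowest priority first."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 5 or tok[:3] != ["ipv4", "filter", chain]:
            continue
        # Treat "--dport=67" and "--dport 67" alike, then map option -> value.
        args = " ".join(tok[4:]).replace("=", " ").split()
        opts = dict(zip(args, args[1:]))
        dport = opts.get("--dport")
        # Only single ports are modelled; a range such as 67:68 raises ValueError.
        rules.append((int(tok[3]), opts.get("-p"),
                      int(dport) if dport else None, opts.get("-j")))
    return sorted(rules, key=lambda r: r[0])


def verdict(rules, proto, dport, policy="ACCEPT"):
    """Return (target, priority) of the first matching terminating rule.

    `policy` stands in for whatever handles packets that no direct rule
    matches; ACCEPT is an assumption of this example.
    """
    for prio, r_proto, r_dport, target in rules:
        if r_proto not in (None, proto) or r_dport not in (None, dport):
            continue
        if target in TERMINATING:
            return target, prio
    return policy, None


if __name__ == "__main__":
    rules = parse_rules(QUESTION_RULES)
    for proto, port in (("udp", 67), ("udp", 68), ("tcp", 443)):
        print(proto, port, verdict(rules, proto, port))
```

For these two rules the model returns ACCEPT at priority 0 for UDP destination port 67 and DROP at priority 1 for all other outgoing traffic. On a live host the rule text to feed in comes from `firewall-cmd --direct --get-all-rules`.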




















3 Answers






You can use a tool like netcat (on the server echo test | nc -u <other IP> 67 and on another machine nc -u -l -p 67, or use Wireshark or similar) and see if the message pops up.

answered 4 hours ago by user (accepted answer)
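A sender-side check that complements the netcat test in the accepted answer, as an added example that is not part of the original answer: on Linux a netfilter DROP on locally generated traffic is reported to the sending process as EPERM, so the send itself shows whether an OUTPUT rule fired. Only binding to a port below 1024 needs root; sending to destination port 67 does not. The function names and the 192.0.2.10 placeholder target are assumptions of this example.

```python
# Added example: probe an outgoing UDP port and interpret the send error.
import errno
import socket
import sys


def classify(err):
    """Map the errno of a UDP send (None when it succeeded) to a finding."""
    if err is None:
        # The datagram passed the local OUTPUT chain. Delivery still has to be
        # confirmed on the far side (listener or packet capture).
        return "sent"
    if err == errno.EPERM:
        # Linux reports a netfilter DROP on locally generated traffic as EPERM.
        return "dropped-locally"
    if err == errno.ECONNREFUSED:
        # An ICMP port-unreachable came back: REJECT rule or no listener.
        return "rejected"
    if err in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "no-route"
    return "error"


def probe(host, port=67, payload=b"test", wait=1.0):
    """Send one datagram to host:port from an unprivileged source port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        try:
            s.connect((host, port))   # connected socket, so ICMP errors surface
            s.send(payload)
            s.recv(1)                 # wait briefly for a pending ICMP error
        except socket.timeout:
            return classify(None)     # nothing came back within `wait`
        except OSError as exc:
            return classify(exc.errno)
        return classify(None)         # something answered on that port


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder target.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(target, probe(target))
```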






















> Port 67 UDP is the port a DHCP server uses, so I would like to verify that the port is indeed closed before I start the dhcp server, so I can experiment with it in a sandbox.

A test DHCP server should be isolated in a VLAN or configured with split scopes that don't overlap existing DHCP ranges. If test and production are in the same broadcast domain, either may get the broadcast which may cause unexpected behavior. See: 2 DHCP servers on one network

Also, you can limit the interfaces dhcpd is listening on to this sandbox net. Without relay agents, it won't see DHCPDISCOVER messages on other nets.

answered 4 hours ago by John Mahowald




















I'm pretty sure you could use Nmap's UDP port scan to specify the protocol and port. The syntax is as follows:

$ sudo nmap -sU -p port target

answered 5 hours ago by OHackerDoAmor



