I set up a firewall, but the Kea server still receives packets. Why?
  • 16 Aug 2023
  • 1 Minute to read
  • Contributors
  • Dark
    Light
  • PDF

I set up a firewall, but the Kea server still receives packets. Why?

  • Dark
    Light
  • PDF

Article summary

Any DHCPv4 server must be able to receive from and send traffic to hosts that don't have an IPv4 address assigned yet. That is typically not possible with regular UDP sockets; therefore, the Kea DHCPv4 server uses raw sockets by default. Raw sockets mean that the incoming packets are received as raw Ethernet frames, thus bypassing the whole kernel IP stack, including any firewalling rules your kernel may provide.

If you do not want the server to use raw sockets, it is possible to configure the Kea DHCPv4 server to use UDP sockets instead. See the dhcp-socket-type configuration parameter described in the the Interface Configuration section of the ARM.

Using UDP sockets has certain limitations. In particular, they may not allow for sending responses directly to clients without IPv4 addresses assigned. That's not a problem, if all your traffic is coming through relay agents.