Gentoo Forums
NetworkManager keeps connection to the gateway on port 67
bobololo
n00b

Joined: 14 Oct 2020
Posts: 1

PostPosted: Wed Oct 14, 2020 2:23 pm    Post subject: NetworkManager keeps connection to the gateway on port 67

Hello,

I'm not sure whether this is normal behavior and why NetworkManager needs to keep the connection to the gateway Established all the time. The case is as follows:

I just tried netstat in the terminal and found the following output:
Quote:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3211/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3083/cupsd
tcp6 0 0 :::22 :::* LISTEN 3211/sshd
tcp6 0 0 ::1:631 :::* LISTEN 3083/cupsd
udp 0 0 192.168.100.9:68 192.168.100.1:67 ESTABLISHED 2916/NetworkManager
udp6 0 0 fe80::32b5:c2ff:fe0:546 :::* 2916/NetworkManager
raw6 0 0 :::58 :::* 7 2916/NetworkManager

I found this on every Gentoo machine, no matter whether the machine is connected wired or wireless: NetworkManager keeps an Established connection to the gateway. I also have a few Ubuntu machines in the same network and they don't have the same behavior as the Gentoo ones. On Ubuntu there is no Established connection to the gateway on port 68.

I tried to dump the traffic on port 68 but it doesn't log anything. However, it's annoying to keep a connection when other Linux distributions don't do that.

Is it possible that the NetworkManager included in Gentoo has some unpatched security issues? I'm using the stable build and the NetworkManager version is 1.26.0.

I've looked for a similar topic in the forum, but I didn't find anything. On Google I found a similar or the same question for Arch Linux here: https://bbs.archlinux.org/viewtopic.php?id=252041 but the topic has no answer.

Does anybody see the same NetworkManager behavior in their environment? And does anybody know why it's necessary to keep an Established connection to the gateway?

Thanks in advance.
Princess Nell
l33t

Joined: 15 Apr 2005
Posts: 916

PostPosted: Sat Jun 05, 2021 12:12 am

When comparing Gentoo with Ubuntu, are you comparing like with like? Are the Ubuntu machines using NM? Are the resp. netstat programs from the same source? Looking at a Bionic box, it seems the answer to the second question is yes, but not for the first one - netstat shows that systemd-networkd is used.
Code:

udp        0      0 192.168.1.11:68       0.0.0.0:*                           564/systemd-network

The netstat man page states that in the case of UDP, the state column may be left blank. This holds true for the Ubuntu case, but not the Gentoo case, but why? We know UDP is a stateless and connectionless protocol.

This posting, https://stackoverflow.com/questions/23817178/udp-socket-state-list, explains how the Linux kernel (re-)uses the TCP connection states for UDP. And this one, https://stackoverflow.com/questions/10841678/netstat-na-udp-and-state-established, how a UDP socket can be connected with connect(2) so that packets are only accepted from the named peer. You can actually see this is the case here if you strace the NetworkManager process and break the network link, then reestablish it (plug out the wire, wait a few seconds, plug it in again).
Code:
localhost ~ # strace -p 12345  -e trace=connect
strace: Process 12345 attached
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3485, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
connect(21, {sa_family=AF_INET, sin_port=htons(67), sin_addr=inet_addr("192.168.1.254")}, 16) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3728, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
connect(25, {sa_family=AF_INET, sin_port=htons(67), sin_addr=inet_addr("192.168.1.254")}, 16) = 0
...

Also, if you break and reestablish the link, you will see traffic on these ports. Run tcpdump and filter out all irrelevant ports; it will show the BOOTP/DHCP broadcast and the rest of the DHCP conversation.

In brief, NM does not have an established connection to the gateway, but netstat (ss, /proc/net/udp) uses symbolic TCP connection states to show that there's a socket waiting for datagrams from the gateway. On Ubuntu, the systemd-networkd process appears to have a socket open that listens to broadcasts from any source - I would call that a security concern :)
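To make the two points of the reply concrete (netstat borrowing TCP state names for UDP, and connect(2) making a UDP socket accept only its named peer), here is an added example that is not from the thread or from NetworkManager. It decodes constructed /proc/net/udp lines shaped like the Gentoo and Ubuntu outputs above, and then connect()s a loopback UDP socket to one peer and shows that a datagram from a second peer is silently dropped by the kernel.

```python
import socket
import struct

# /proc/net/udp reuses the kernel's TCP state numbers: 01 is what netstat
# prints as ESTABLISHED, 07 (TCP_CLOSE) is the unconnected case that netstat
# leaves blank for UDP.
UDP_STATE = {0x01: "ESTABLISHED", 0x07: ""}

# Constructed sample of /proc/net/udp (not captured from a real host):
# row 12 is a connect()ed DHCP client socket like the Gentoo netstat line,
# row 13 is an unconnected one like the Ubuntu systemd-networkd line.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 0964A8C0:0044 0164A8C0:0043 01 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  13: 0B01A8C0:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
"""

def _decode(hexaddr: str) -> str:
    """'0964A8C0:0044' -> '192.168.100.9:68'; the IPv4 word is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"

def parse_proc_net_udp(text: str) -> list:
    """Return one dict per socket row with human-readable addresses and state."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        rows.append({"local": _decode(f[1]), "remote": _decode(f[2]),
                     "state": UDP_STATE.get(int(f[3], 16), f[3])})
    return rows

def connected_udp_demo() -> dict:
    """connect() a UDP client to peer A; only A's datagrams are delivered,
    a datagram from peer B is dropped because the socket is connected."""
    peer_a = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    peer_b = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for s in (peer_a, peer_b, client):
        s.bind(("127.0.0.1", 0))                # kernel picks free ports
    try:
        client.connect(peer_a.getsockname())    # the call strace shows NM making
        client.settimeout(0.5)
        peer_b.sendto(b"from-B", client.getsockname())
        try:
            other = client.recv(64)
        except socket.timeout:
            other = None                         # filtered: B is not the peer
        peer_a.sendto(b"from-A", client.getsockname())
        return {"from_peer": client.recv(64), "from_other": other}
    finally:
        for s in (peer_a, peer_b, client):
            s.close()
```

After connect(), the client's own /proc/net/udp row would show state 01, exactly the "ESTABLISHED" the original poster saw, even though no handshake took place.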