How to open DHCP port using UFW in Linux

The Uncomplicated Firewall (UFW) needs to be configured to allow traffic on UDP ports 67 and 68, regardless of whether the Dynamic Host Configuration Protocol (DHCP) server is local or remote. Additionally, it may be necessary to open both TCP and UDP port 53, which are used for the Domain Name Service (DNS). In small business and home environments, both DNS and DHCP services typically come from a single device, so it is best to open both the DHCP and DNS ports using the ufw command.

Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Linux terminal
Category: Firewall
Prerequisites: ufw command
OS compatibility: CentOS • Debian • Linux • Mint • Pop!_OS • Stream • Ubuntu
Est. reading time: 2 minutes

Opening DHCP port using UFW in Linux

The commands are as follows when using UFW:
sudo ufw allow bootps comment 'Allow 67/UDP'
sudo ufw allow bootpc comment 'Allow 68/UDP'
sudo ufw allow 53/udp comment 'Allow DNS_53/UDP'
sudo ufw allow 53/tcp comment 'Allow DNS_53/TCP'

Verify the newly added UFW rules as follows:
sudo ufw status verbose
Apart from your other rules, you will see the following:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
 
To                         Action      From
--                         ------      ----
67/udp                     ALLOW IN    Anywhere                   # Allow 67/UDP
53/udp                     ALLOW IN    Anywhere                   # Allow DNS_53/UDP
53/tcp                     ALLOW IN    Anywhere                   # Allow DNS_53/TCP
68/udp                     ALLOW IN    Anywhere                   # Allow 68/UDP
22/tcp                     ALLOW IN    Anywhere                  
67/udp (v6)                ALLOW IN    Anywhere (v6)              # Allow 67/UDP
53/udp (v6)                ALLOW IN    Anywhere (v6)              # Allow DNS_53/UDP
53/tcp (v6)                ALLOW IN    Anywhere (v6)              # Allow DNS_53/TCP
68/udp (v6)                ALLOW IN    Anywhere (v6)              # Allow 68/UDP
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
.....
.....

Troubleshooting

Are DHCP and DNS traffic still blocked? Watch the UFW log in real time with the tail command:
sudo tail -f /var/log/ufw.log
You can query /var/log/ufw.log for a specific destination port (DPT) as follows:
sudo grep -w 'DPT={PORT_NUMBER_HERE}' /var/log/ufw.log
sudo grep -w 'DPT=67' /var/log/ufw.log

You can match both the protocol (PROTO) and the destination port (DPT) or source port (SPT) as follows:
sudo grep -Ew 'PROTO=UDP.*DPT=67' /var/log/ufw.log
sudo grep -Ew 'PROTO=UDP.*SPT={PORT_NUMBER_HERE}' /var/log/ufw.log

You can also use the journalctl command as follows:
journalctl | grep -i ufw
journalctl -g 'grep_regex_here'
journalctl -g 'ufw'
journalctl -g '\[ufw.*dpt=67'
journalctl -g '\[ufw.*dpt=68'
journalctl -g '\[ufw.*proto=tcp.*dpt=53'

The -g or --grep option filters the output to entries whose MESSAGE= field matches the given Perl-compatible regular expression. Please note that if the pattern is all lowercase, matching is case insensitive; otherwise, matching is case sensitive. This can be overridden with the --case-sensitive=<true|false> option as follows:
journalctl -g '\[ufw.*DPT=53' --case-sensitive=false
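As an added example that is not part of the original article, the following Python script parses lines in the /var/log/ufw.log format the grep commands above search, and counts [UFW BLOCK] entries whose PROTO and DPT belong to the DHCP and DNS ports this tutorial opens. The log lines are constructed samples, and the script assumes the standard UFW kernel-log layout: a "[UFW BLOCK]" prefix followed by KEY=value fields such as PROTO=UDP SPT=68 DPT=67.

```python
import re
from collections import Counter

# Prefix written by UFW's kernel log target: "[UFW BLOCK]", "[UFW ALLOW]", "[UFW AUDIT]"
ACTION_RE = re.compile(r"\[UFW ([A-Z ]+)\]")
# KEY=value tokens such as PROTO=UDP, SPT=68, DPT=67 (bare flags like DF carry no "=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# The services the article opens; a BLOCK on any of these means the allow rule is missing
DHCP_DNS_PORTS = {("UDP", 67): "bootps", ("UDP", 68): "bootpc",
                  ("UDP", 53): "domain", ("TCP", 53): "domain"}

def parse_ufw_line(line):
    """Return the fields of one UFW log line as a dict, or None for non-UFW lines."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = {"ACTION": m.group(1)}
    fields.update(KV_RE.findall(line[m.end():]))  # the later LEN= (UDP) overrides the IP LEN=
    return fields

def blocked_dhcp_dns(lines):
    """Count [UFW BLOCK] packets per (PROTO, DPT) that hit the DHCP/DNS ports above."""
    counts = Counter()
    for line in lines:
        f = parse_ufw_line(line)
        if not f or f["ACTION"] != "BLOCK" or not f.get("DPT", "").isdigit():
            continue  # not a block, or ICMP/fragment without a destination port
        key = (f.get("PROTO"), int(f["DPT"]))
        if key in DHCP_DNS_PORTS:
            counts[key] += 1
    return counts

# Constructed sample lines in /var/log/ufw.log format (not captured from a real host)
SAMPLE_LOG = """\
Mar  1 10:00:01 gw kernel: [ 120.3] [UFW BLOCK] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Mar  1 10:00:02 gw kernel: [ 121.0] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=192.168.1.23 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Mar  1 10:00:03 gw kernel: [ 121.5] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=192.168.1.23 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:04 gw kernel: [ 122.0] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=192.168.1.23 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0
Mar  1 10:00:05 gw kernel: [ 122.4] [UFW BLOCK] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Mar  1 10:00:06 gw sshd[1234]: Accepted publickey for alice from 192.168.1.23 port 50000 ssh2
"""

if __name__ == "__main__":
    for (proto, port), n in sorted(blocked_dhcp_dns(SAMPLE_LOG.splitlines()).items()):
        print(f"{proto}/{port} ({DHCP_DNS_PORTS[(proto, port)]}): {n} blocked packets")
```

Replace SAMPLE_LOG with the contents of /var/log/ufw.log (or the journalctl -g 'ufw' output) to see which of the four ports is still being dropped on a real host.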

Blocking DHCP and DNS traffic using the UFW

Do you need to block the DHCP and DNS traffic? The deny syntax is as follows:
sudo ufw deny bootps comment 'Block 67/UDP'
sudo ufw deny bootpc comment 'Block 68/UDP'
sudo ufw deny 53/udp comment 'Block DNS_53/UDP'
sudo ufw deny 53/tcp comment 'Block DNS_53/TCP'

Summing up

This page explained the UFW rules to open ports for DHCP traffic.

Table 1: Port Number Requirements for DHCP Firewall
Port Number   Protocol    Description
-----------   --------    -----------
53            TCP & UDP   DNS
853           TCP         DNS over TLS
853           UDP         DNS over DTLS
67            UDP         bootps
68            UDP         bootpc

You can look up these service names and port numbers in the /etc/services file with the grep command or egrep command. For example:
grep bootps /etc/services
grep -E -w 'domain|bootpc|bootps' /etc/services
