The Uncomplicated Firewall (UFW) must allow UDP ports 67 and 68 for the Dynamic Host Configuration Protocol (DHCP) to work through it, whether the DHCP server is local or remote. Port 67/UDP (bootps) is where a DHCP server listens, and port 68/UDP (bootpc) is where a client receives offers and acknowledgements: a host running only a DHCP client needs 68 open inbound, while a host running the server needs 67. You may also need to open port 53 for both TCP and UDP, which the Domain Name System (DNS) uses. In small business and home environments, DNS and DHCP typically come from the same device, so this page opens both the DHCP and the DNS ports with the ufw command. Keep in mind that a plain allow rule opens the port to any source (shown as "Anywhere" in ufw status); on a box with an Internet-facing interface, scope the rule to the LAN interface or subnet instead.
Tutorial details | |
---|---|
Difficulty level | Easy |
Root privileges | Yes |
Requirements | Linux terminal |
Category | Firewall |
Prerequisites | ufw command |
OS compatibility | CentOS Stream • Debian • Linux Mint • Pop!_OS • Ubuntu |
Est. reading time | 2 minutes |
Opening DHCP port using UFW in Linux
Run the following commands to open the ports with UFW:
$ sudo ufw allow bootps comment 'Allow 67/UDP'
$ sudo ufw allow bootpc comment 'Allow 68/UDP'
$ sudo ufw allow 53/udp comment 'Allow DNS_53/UDP'
$ sudo ufw allow 53/tcp comment 'Allow DNS_53/TCP'
Verify the newly added UFW rules as follows:
$ sudo ufw status verbose
Apart from all other rules, you will see the following:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
67/udp                     ALLOW IN    Anywhere                   # Allow 67/UDP
53/udp                     ALLOW IN    Anywhere                   # Allow DNS_53/UDP
53/tcp                     ALLOW IN    Anywhere                   # Allow DNS_53/TCP
68/udp                     ALLOW IN    Anywhere                   # Allow 68/UDP
22/tcp                     ALLOW IN    Anywhere
67/udp (v6)                ALLOW IN    Anywhere (v6)              # Allow 67/UDP
53/udp (v6)                ALLOW IN    Anywhere (v6)              # Allow DNS_53/UDP
53/tcp (v6)                ALLOW IN    Anywhere (v6)              # Allow DNS_53/TCP
68/udp (v6)                ALLOW IN    Anywhere (v6)              # Allow 68/UDP
22/tcp (v6)                ALLOW IN    Anywhere (v6)
.....
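The rules above open 53, 67 and 68 to "Anywhere". As an added example (not part of the original tutorial), the following POSIX shell script generates the same rules scoped to a role and a LAN subnet using ufw's full-form syntax (allow proto udp from CIDR to any port N comment '...'). The role names, the function names and the 192.168.1.0/24 demo subnet are assumptions for illustration; DRY_RUN=1, the default here, prints the argument vector ufw would receive instead of calling sudo ufw.

```shell
#!/bin/sh
# Added example: least-privilege DHCP/DNS rules for ufw, scoped to a role and a LAN subnet.
# Not from the original tutorial; role names, function names and the demo subnet are
# assumptions. Set DRY_RUN=0 to actually apply the rules (needs sudo and ufw).
: "${DRY_RUN:=1}"

# Minimal IPv4 CIDR check: a.b.c.d/n with octets 0-255 and a prefix length 0-32.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    cidr_ip="${1%/*}"; cidr_len="${1#*/}"
    case "$cidr_len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$cidr_len" -le 32 ] || return 1
    case "$cidr_ip" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.
    set -- $cidr_ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (DRY_RUN=1) or run (DRY_RUN=0) one ufw command.
run_ufw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ufw'; printf ' %s' "$@"; printf '\n'
    else
        sudo ufw "$@"
    fi
}

# dhcp_dns_rules ROLE LAN_CIDR
#   server: this host runs the DHCP server (and DNS resolver) for LAN_CIDR
#   client: this host only receives DHCP leases from a server on LAN_CIDR
dhcp_dns_rules() {
    role="$1"; lan="$2"
    is_ipv4_cidr "$lan" || { echo "invalid IPv4 CIDR: $lan" >&2; return 2; }
    case "$role" in
        server)
            # DHCPDISCOVER arrives from SRC=0.0.0.0 to 255.255.255.255, so 67/udp
            # cannot be scoped by source address; scope it by interface if needed.
            run_ufw allow proto udp to any port 67 comment "DHCP server (bootps)"
            # DNS can be scoped to the LAN: nobody outside should query this resolver.
            run_ufw allow proto udp from "$lan" to any port 53 comment "DNS 53/udp from LAN"
            run_ufw allow proto tcp from "$lan" to any port 53 comment "DNS 53/tcp from LAN"
            ;;
        client)
            # Offers and ACKs come from the server's (or relay's) LAN address.
            run_ufw allow proto udp from "$lan" to any port 68 comment "DHCP client (bootpc)"
            ;;
        *)
            echo "usage: dhcp_dns_rules server|client LAN_CIDR" >&2; return 2 ;;
    esac
}

# Demo with constructed values: what would be applied for a LAN of 192.168.1.0/24.
dhcp_dns_rules server 192.168.1.0/24
dhcp_dns_rules client 192.168.1.0/24
```

To pin the unscoped 67/UDP rule to the LAN interface, use ufw's interface form, e.g. allow in on eth0 proto udp to any port 67, substituting your LAN interface name. The dry-run output prints each argument separated by a space, so quote the comment yourself if you paste a line back into a terminal.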
Troubleshooting
Are DHCP and DNS still blocked? Watch the UFW log in real time with the tail command:
$ sudo tail -f /var/log/ufw.log
You can query /var/log/ufw.log for a particular destination port (DPT) as follows:
$ sudo grep -w 'DPT={PORT_NUMBER_HERE}' /var/log/ufw.log
$ sudo grep -w 'DPT=67' /var/log/ufw.log
$ sudo grep -w 'DPT=68' /var/log/ufw.log
You can match both the protocol (PROTO) and the destination port (DPT) or source port (SPT) as follows:
$ sudo grep -Ew 'PROTO=UDP.*DPT=67' /var/log/ufw.log
$ sudo grep -Ew 'PROTO=UDP.*SPT={PORT_NUMBER_HERE}' /var/log/ufw.log
You can also use the journalctl command as follows:
$ journalctl | grep -i ufw
$ journalctl -g 'grep_regex_here'
$ journalctl -g 'ufw'
$ journalctl -g '\[ufw.*dpt=67'
$ journalctl -g '\[ufw.*dpt=68'
$ journalctl -g '\[ufw.*proto=tcp.*dpt=53'
The -g or --grep option filters the output to entries whose MESSAGE= field matches the given Perl-compatible regular expression. If the pattern is all lowercase, matching is case-insensitive; otherwise it is case-sensitive. You can override this with the --case-sensitive=<true|false> option as follows:
$ journalctl -g '\[ufw.*DPT=53' --case-sensitive=false
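Grepping one port at a time gets tedious on a busy log. As an added example (not from the original tutorial), the following POSIX shell functions run over UFW log lines and report, per action and protocol, how many packets hit 53, 67 and 68, and which sources were refused on a given port. The sample log lines are constructed in the format ufw writes to the kernel log, trimmed of the MAC, LEN, TOS and similar fields to keep them short; the function names are ours.

```shell
#!/bin/sh
# Added example: summarise UFW log lines that hit the DHCP/DNS ports.
# Not from the original tutorial. SAMPLE_LOG is constructed and trimmed of
# MAC/LEN/TOS/TTL fields; function names are assumptions.

# Constructed sample: a DHCPDISCOVER blocked twice, two LAN hosts' DNS queries
# blocked, an unrelated SSH probe, and one lease renewal that was allowed.
SAMPLE_LOG='Mar 10 09:00:01 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=308
Mar 10 09:00:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP SPT=40213 DPT=53 LEN=49
Mar 10 09:00:03 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.51 DST=192.168.1.1 PROTO=TCP SPT=51000 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:00:04 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 09:00:05 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=308
Mar 10 09:00:06 gw kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP SPT=68 DPT=67 LEN=308'

# Count entries per ACTION/PROTO/DPT for the DHCP and DNS ports only.
# Reads log lines on stdin; prints "ACTION PROTO DPT COUNT", sorted.
ufw_port_summary() {
    awk '
        /\[UFW [A-Z]+\]/ {
            match($0, /\[UFW [A-Z]+\]/)
            action = substr($0, RSTART + 5, RLENGTH - 6)   # "[UFW BLOCK]" -> "BLOCK"
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == "53" || dpt == "67" || dpt == "68")
                count[action " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# List distinct source addresses whose packets to destination port $1 were blocked.
ufw_blocked_sources() {
    awk -v port="$1" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == port && src != "") print src
        }
    ' | sort -u
}

# Demo on the constructed sample. Against the real log use, for example:
#   sudo cat /var/log/ufw.log | ufw_port_summary
#   journalctl -k -g '\[ufw' | ufw_blocked_sources 67
printf '%s\n' "$SAMPLE_LOG" | ufw_port_summary
printf '%s\n' "$SAMPLE_LOG" | ufw_blocked_sources 67
```

Note what the blocked DHCP lines show: a client that has no lease yet sends DHCPDISCOVER from SRC=0.0.0.0, so the source address cannot tell you which machine is failing to get an address; in a real log, look at the MAC= field of those lines instead.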
Blocking DHCP and DNS traffic using the UFW
Do you need to block DHCP and DNS traffic instead? The deny syntax is as follows. Note that ufw evaluates rules in order and stops at the first match, so a deny rule appended after an existing allow rule for the same port has no effect: delete the allow rule first (ufw delete) or place the deny rule above it (ufw insert). Also, with the default incoming policy of deny shown above, a port without an allow rule is already blocked, so explicit deny rules are mainly useful when the default incoming policy is allow.
$ sudo ufw deny bootps comment 'Block 67/UDP'
$ sudo ufw deny bootpc comment 'Block 68/UDP'
$ sudo ufw deny 53/udp comment 'Block DNS_53/UDP'
$ sudo ufw deny 53/tcp comment 'Block DNS_53/TCP'
Summing up
This page explained the UFW rules to open (and block) the ports used by DHCP and DNS traffic. For reference, the ports involved are:
Port Number | Protocol | Description |
---|---|---|
53 | TCP & UDP | DNS |
853 | TCP | DNS over TLS |
853 | UDP | DNS over DTLS |
67 | UDP | bootps |
68 | UDP | bootpc |
You can look these names up with the grep command or the egrep command by querying the /etc/services file. For example:
$ grep bootps /etc/services
$ grep -E -w 'domain|bootpc|bootps' /etc/services