3

Based on this answer, blocking port 67 UDP outgoing should be

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p udp -m udp --dport=67 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP
firewall-cmd --reload

Port 67 UDP is the port a DHCP server uses, so I would like to verify that the port is indeed blocked before I start the DHCP server, so I can experiment with it in a sandbox.

Question

Since it is UDP and below 1024, how can I confirm it is blocked?

200_success
Sandra
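Read in priority order with first terminating match winning, the two direct rules quoted in the question accept udp/67 and then drop every other outbound packet, which is the opposite of the stated intent. The following script is an added example, not code from the post or from firewalld: it parses a constructed listing in the format `firewall-cmd --permanent --direct --get-all-rules` is assumed to print and reports the verdict for a given protocol and port, so a rule set can be sanity-checked before the live netcat test.

```python
from typing import List, Optional, Tuple
# Constructed sample of what `firewall-cmd --permanent --direct --get-all-rules`
# prints (assumed format: "<ipv> <table> <chain> <priority> <iptables args>"),
# seeded with the two rules quoted in the question.
QUESTION_RULES = """\
ipv4 filter OUTPUT 0 -p udp -m udp --dport=67 -j ACCEPT
ipv4 filter OUTPUT 1 -j DROP
"""
# Constructed variant that drops only udp/67 and leaves other traffic alone.
FIXED_RULES = "ipv4 filter OUTPUT 0 -p udp -m udp --dport 67 -j DROP\n"
Rule = Tuple[int, Optional[str], Optional[int], str]  # (priority, proto|None, dport|None, target)


def parse_direct_rules(text: str, chain: str = "OUTPUT") -> List[Rule]:
    """Parse one chain's direct rules, lowest priority number first.
    Only -p, --dport and -j (the options used on this page) are understood;
    other options are skipped, so such rules look broader than they really are."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "filter" or parts[2] != chain:
            continue
        proto = dport = target = None
        args, i = parts[4:], 0
        while i < len(args):
            opt, _, val = args[i].partition("=")  # accept --dport=67 as well
            nxt = val or (args[i + 1] if i + 1 < len(args) else "")
            if opt in ("-p", "--protocol"):
                proto = nxt
            elif opt in ("--dport", "--destination-port"):
                dport = int(nxt)
            elif opt in ("-j", "--jump"):
                target = nxt
            else:
                i += 1  # unknown option (e.g. -m udp): skip this token only
                continue
            i += 1 if val else 2
        rules.append((int(parts[3]), proto, dport, target or "RETURN"))
    return sorted(rules, key=lambda r: r[0])


def verdict(rules: List[Rule], proto: str, dport: int, policy: str = "ACCEPT") -> str:
    """First terminating match wins, as in the kernel; else the chain policy
    applies (assumed ACCEPT, firewalld's default for the filter OUTPUT chain)."""
    for _, r_proto, r_dport, target in rules:
        if r_proto in (None, proto) and r_dport in (None, dport):
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
    return policy
```

Feeding it the real listing instead of the constructed one is a matter of piping the command's output into `parse_direct_rules`; it does not replace the end-to-end netcat or packet-capture test, which also catches rules living in other chains.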

3 Answers

3

You can use a tool like netcat (on the server echo test | nc -u <other IP> 67 and on another machine nc -u -l -p 67, or use Wireshark or similar) and see if the message pops up.

user
1

I'm pretty sure you could use Nmap's UDP port scan to specify the protocol and port. The syntax is as follows:

$ sudo nmap -sU -p port target
1

Port 67 UDP is the port a DHCP server uses, so I would like to verify that the port is indeed closed before I start the dhcp server, so I can experiment with it in a sandbox.

A test DHCP server should be isolated in a VLAN or configured with split scopes that don't overlap existing DHCP ranges. If test and production are in the same broadcast domain, either may get the broadcast which may cause unexpected behavior. See: 2 DHCP servers on one network

Also, you can limit the interfaces dhcpd is listening on to this sandbox net. Without relay agents, it won't see DHCPDISCOVER messages on other nets.

John Mahowald
  • Are you saying that in order to test if the port is blocked, they should set up an additional VLAN, with its own subnet, configure a DHCP client on that VLAN and see if the client gets an address? That seems like overkill to me. – Centimane Oct 30 '18 at 17:41
  • No. DHCP, being broadcast, can reply where you may not expect it. In addition to port firewalls, consider isolated subnets and limit what interfaces dhcpd listens on. – John Mahowald Oct 31 '18 at 13:30
  • So then are you simply warning about a possible pitfall, rather than suggesting a solution? – Centimane Oct 31 '18 at 14:27