From owner-freebsd-ipfw@FreeBSD.ORG  Mon Jan  5 12:05:01 2015
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 3F293F86
 for <freebsd-ipfw@freebsd.org>; Mon,  5 Jan 2015 12:05:01 +0000 (UTC)
Received: from mail-la0-x233.google.com (mail-la0-x233.google.com
 [IPv6:2a00:1450:4010:c03::233])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A34DD64B54
 for <freebsd-ipfw@freebsd.org>; Mon,  5 Jan 2015 12:05:00 +0000 (UTC)
Received: by mail-la0-f51.google.com with SMTP id ms9so18006737lab.38
 for <freebsd-ipfw@freebsd.org>; Mon, 05 Jan 2015 04:04:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:sender:in-reply-to:references:date:message-id:subject
 :from:to:cc:content-type;
 bh=jYFEXOPamHxkSs9fkg2Y74l8lQFCPskgQBFLzs3UaFs=;
 b=XNJvB3My5r8irqt9E2J54oI8posXvXidU9fD6Z6BAHZcoNHQ92m3lmOojQW+5NyDph
 mm2V9wTi6guwFX0cLdr+fi2rnbAsaMa0eED+KR7V6LClAI7jAEmeFDqB9ePyqPVBkjN2
 CF3uVC+Oh4xQcj/XJYrf0pxTh1m7bwIe6iXirXkZT19gr6bpYvNrLwA6Hw/EpSk/2k11
 uZpSfAUpI/LEecJg6Wx1j+I6h19cz3EVX4AdeVRACvuox/zBYsY5c5YxD716PDmcP0zY
 J+Q7sPBsnCGDmgumZMgKpMiO9ZwsrHS8/5lV6rJI+4fFGbjYSx/nzt1NsET2cn5RFyEB
 YkLg==
MIME-Version: 1.0
X-Received: by 10.152.5.7 with SMTP id o7mr74516363lao.26.1420459498629; Mon,
 05 Jan 2015 04:04:58 -0800 (PST)
Sender: rizzo.unipi@gmail.com
Received: by 10.114.10.168 with HTTP; Mon, 5 Jan 2015 04:04:58 -0800 (PST)
In-Reply-To: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>
References: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>
Date: Mon, 5 Jan 2015 13:04:58 +0100
X-Google-Sender-Auth: rf4WE5BTn7DF3qqY3M01v2BFR6E
Message-ID: <CA+hQ2+gt0JzbQo-2TWtzf_DS-di6csbuGn=GoOaoStuQJdT8sg@mail.gmail.com>
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: =?UTF-8?Q?Olivier_Cochard=2DLabb=C3=A9?= <olivier@cochard.me>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
Cc: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw/>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jan 2015 12:05:01 -0000

dhclient uses bpf to send and receive traffic,
and that acts before the firewall has a chance
to see the packets.

There is a chance that incoming packets are
also passed to the network stack, but they
are probably discarded before the firewall
because the interface does not have an address yet.

cheers
luigi


On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labb=C3=A9 <olivier@cochar=
d.me>
wrote:

> I'm using a pretty simple configuration:
>
> My rc.conf:
> ifconfig_sis0=3D"DHCP"
> firewall_enable=3D"YES"
> firewall_logging=3D"YES"
> firewall_script=3D"/etc/ipfw.rules"
>
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd=3D"/sbin/ipfw -q".
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
>
> But after a reboot this machine is still able to get an IP address by DHC=
P
> and nothing (related to DHCP) is logged on the firewall:
>
> [root@wrap]~# ifconfig sis0
> sis0: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1=
500
>         options=3D83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
>         ether 00:0d:b9:02:76:58
>         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
>
> [root@wrap]~# ipfw show
> 00100 0    0 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 0    0 deny ip from any to any
>
> [root@wrap]~# cat /var/log/security
> Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
>
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
>
> Are DHCP packets exluded from the filtering/logging engine of ipfw ?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>



--=20
-----------------------------------------+-------------------------------
 Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
 TEL      +39-050-2211611               . via Diotisalvi 2
 Mobile   +39-338-6809875               . 56122 PISA (Italy)
-----------------------------------------+-------------------------------