Date:      Mon, 5 Jan 2015 11:33:18 +0100
From:      Olivier Cochard-Labbé <olivier@cochard.me>
To:        freebsd-ipfw@freebsd.org
Subject:   Why does ipfw neither filter nor log DHCP packets?
Message-ID:  <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>

I'm using a pretty simple configuration:

My rc.conf:
ifconfig_sis0="DHCP"
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"

My /etc/ipfw.rules:
#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add pass ip from any to any via lo0
${fwcmd} add deny log ip from any to any

But after a reboot, this machine is still able to get an IP address by DHCP,
and nothing related to DHCP is logged by the firewall:

[root@wrap]~# ifconfig sis0
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
        ether 00:0d:b9:02:76:58
        inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

[root@wrap]~# ipfw show
00100 0    0 allow ip from any to any via lo0
00200 4 1631 deny log ip from any to any
65535 0    0 deny ip from any to any

[root@wrap]~# cat /var/log/security
Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0

I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.

Are DHCP packets excluded from the filtering/logging engine of ipfw?
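As an added example (not part of the original message), the script below summarises /var/log/security entries in the ipfw log format shown above and checks whether any UDP 67/68 (DHCP) entries were logged at all. The first sample reproduces the lines from the message; the second is a constructed, hypothetical entry showing what rule 200 would have logged had it caught a DHCP request.

```shell
#!/bin/sh
# Added example: audit ipfw log lines for DHCP (UDP 67/68) entries.

# Constructed sample, copied from the log output in the message above.
SAMPLE_LOG='Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0'

# Constructed, hypothetical entry: what a logged DHCP request would look like.
DHCP_SAMPLE='Jan  1 01:17:30 wrap kernel: ipfw: 200 Deny UDP 0.0.0.0:68 255.255.255.255:67 out via sis0'

# ipfw_summary: read a log on stdin, print "count rule action proto dport dir iface"
# with one line per distinct combination, sorted by rule number.
ipfw_summary() {
    awk '
        /kernel: ipfw: / {
            # Fields after "ipfw:" are: rule action proto src dst dir "via" iface
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); action = $(i+2); proto = $(i+3); dst = $(i+5)
            dir = $(i+6); iface = $(i+8)
            dport = "-"
            if (proto == "UDP" || proto == "TCP") { n = split(dst, a, ":"); dport = a[n] }
            key = rule " " action " " proto " " dport " " dir " " iface
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2,2n
}

# dhcp_logged: exit 0 if the log on stdin contains any UDP 67/68 entry, 1 otherwise.
dhcp_logged() {
    ipfw_summary | awk '$4 == "UDP" && ($5 == 67 || $5 == 68) { found = 1 } END { exit !found }'
}

for log in "$SAMPLE_LOG" "$DHCP_SAMPLE"; do
    printf '%s\n' "$log" | ipfw_summary
    if printf '%s\n' "$log" | dhcp_logged; then
        echo "-> DHCP (UDP 67/68) entries present"
    else
        echo "-> no DHCP (UDP 67/68) entries logged"
    fi
done
```

On a live system, replace the sample with `ipfw_summary < /var/log/security`.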
