From: "Ben Pfountz" <netprince@vt.edu>
To: freebsd-ipfw@freebsd.org
Date: Thu, 1 May 2003 23:59:11 -0400
Subject: ipfw2 on 4.8-stable accepts broadcast dhcp requests?
Message-ID: <001a01c3105f$3073d160$6511a8c0@benspiece>
List-Id: IPFW Technical Discussions

I am running 4.8-stable updated a few days ago. I am using a firewall that filters clients based on their MAC address, and I noticed a new client could acquire a DHCP lease from the server.
After staring at my ruleset for a few hours, I decided to try removing all rules, except for the default deny rule. I tried to renew a DHCP lease from the client and immediately dhcpd complained about not having permission to send a response back to the client. I assume the DHCP request that was sent to the server (a broadcast packet) passed through the firewall, and the response from dhcpd (a directed packet) was blocked by the firewall as it tried to leave the system.

I am using IPFW2, with:

    net.link.ether.ipfw: 1
    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.one_pass: 0
    net.inet.ip.fw.debug: 1
    net.inet.ip.fw.verbose: 1

Is this the correct behavior for IPFW2?

-----
Ben Pfountz
Computer Science Undergraduate, Virginia Tech
Computer Systems Engineer, Center for Power Electronic Systems
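As an added illustration (not part of Ben's post, and not a diagnosis of his particular setup), here is the set of explicit DHCP rules a default-deny ipfw2 ruleset needs so that both the client's request and dhcpd's reply are accounted for by numbered rules rather than falling through to the default, together with the counters to check afterwards. The interface name fxp0 and the rule numbers are assumptions; the sysctl settings are the ones quoted in the post.

```sh
# Added example: explicit DHCP rules for an ipfw2 default-deny ruleset.
# Assumptions: the LAN interface is fxp0 and rule numbers 100-65000 are free.
fw_if="fxp0"

# With net.link.ether.ipfw=1 every frame is also handed to the ruleset at
# layer 2 (including non-IP frames such as ARP). Rules carrying the "layer2"
# option match only that pass. Pass the layer-2 traffic here so the IP rules
# below are evaluated once, at layer 3; MAC-based filtering rules, if used,
# belong in front of this line with their own "layer2" option.
ipfw add 100 allow ip from any to any layer2

# A new client's DHCP request is a broadcast from 0.0.0.0 port 68 to
# 255.255.255.255 port 67; a renewing client sends the same ports unicast.
# Both forms arrive on the LAN interface as UDP 68 -> 67.
ipfw add 1000 allow udp from any 68 to any 67 in via ${fw_if}

# dhcpd's replies leave from port 67 to port 68, unicast or broadcast.
# Without this rule the reply hits the default deny on the way out, and the
# sending process sees the failure (the "permission" error in the post).
ipfw add 1010 allow udp from any 67 to any 68 out via ${fw_if}

# Everything that reaches the end is logged (net.inet.ip.fw.verbose=1) and
# denied, i.e. the same result as the built-in default rule 65535, but
# with a log line so that what was blocked is visible.
ipfw add 65000 deny log ip from any to any

# Check: per-rule packet and byte counters. While a client renews, rules
# 1000 and 1010 should count packets; anything counted by 65000 is logged
# by syslog under the security facility (/var/log/security on 4.x).
ipfw -a list
```

The point of rule 1010 is that a server reply is a locally originated packet: an outbound deny applies to it just as to forwarded traffic, and the application that sent it receives the error instead of the packet silently disappearing, which is why an outbound rule is needed alongside the inbound one even when the request itself appears to get through.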