Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 1 May 2003 23:28:50 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Ben Pfountz <netprince@vt.edu>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw2 on 4.8-stable accepts broadcast dhcp requests?
Message-ID:  <20030501232850.A15489@xorpc.icir.org>
In-Reply-To: <001a01c3105f$3073d160$6511a8c0@benspiece>; from netprince@vt.edu on Thu, May 01, 2003 at 11:59:11PM -0400
References:  <001a01c3105f$3073d160$6511a8c0@benspiece>
next in thread | previous in thread | raw e-mail | index | archive | help 
could it be that dhcp uses bpf to send the packet ? In that
case, it will bypass the firewall, even if you have ether.ipfw set

	cheers
	luigi

On Thu, May 01, 2003 at 11:59:11PM -0400, Ben Pfountz wrote:
> I am running 4.8-stable updated a few days ago.  I am using a firewall that
> filters clients based on their MAC address, and I noticed a new client could
> acquire a DHCP lease from the server.  After staring at my ruleset for a few
> hours, I decided to try removing all rules, except for the default to deny
> rule.  I tried to renew a DHCP lease from the client and immediately dhcpd
> complained about not having permission to send a response back to the
> client.
> 
> I assume the dhcp request that was sent to the server (a broadcast packet)
> passed through the firewall, and the response from dhcpd (a directed packet)
> was blocked by the firewall as it tried to leave the system.
> 
> I am using IPFW2, with:
> net.link.ether.ipfw: 1
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> 
> Is this the correct behavior for IPFW2?
> 
> -----
>  Ben Pfountz
>  Computer Science Undergraduate, Virginia Tech
>  Computer Systems Engineer, Center for Power Electronic Systems
> 
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030501232850.A15489>