Date: Thu, 1 May 2003 23:28:50 -0700 From: Luigi Rizzo <rizzo@icir.org> To: Ben Pfountz <netprince@vt.edu> Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw2 on 4.8-stable accepts broadcast dhcp requests? Message-ID: <20030501232850.A15489@xorpc.icir.org> In-Reply-To: <001a01c3105f$3073d160$6511a8c0@benspiece>; from netprince@vt.edu on Thu, May 01, 2003 at 11:59:11PM -0400 References: <001a01c3105f$3073d160$6511a8c0@benspiece>
next in thread | previous in thread | raw e-mail | index | archive | help
could it be that dhcp uses bpf to send the packet ? In that case, it will bypass the firewall, even if you have ether.ipfw set cheers luigi On Thu, May 01, 2003 at 11:59:11PM -0400, Ben Pfountz wrote: > I am running 4.8-stable updated a few days ago. I am using a firewall that > filters clients based on their MAC address, and I noticed a new client could > acquire a DHCP lease from the server. After staring at my ruleset for a few > hours, I decided to try removing all rules, except for the default to deny > rule. I tried to renew a DHCP lease from the client and immediately dhcpd > complained about not having permission to send a response back to the > client. > > I assume the dhcp request that was sent to the server (a broadcast packet) > passed through the firewall, and the response from dhcpd (a directed packet) > was blocked by the firewall as it tried to leave the system. > > I am using IPFW2, with: > net.link.ether.ipfw: 1 > net.inet.ip.fw.enable: 1 > net.inet.ip.fw.one_pass: 0 > net.inet.ip.fw.debug: 1 > net.inet.ip.fw.verbose: 1 > > Is this the correct behavior for IPFW2? > > ----- > Ben Pfountz > Computer Science Undergraduate, Virginia Tech > Computer Systems Engineer, Center for Power Electronic Systems > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030501232850.A15489>