From: "Ben Pfountz"
To: "Luigi Rizzo"
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 2 May 2003 08:28:55 -0400
Subject: Re: ipfw2 on 4.8-stable accepts broadcast dhcp requests?
Message-ID: <000801c310a6$65dcca90$6511a8c0@benspiece>
References: <001a01c3105f$3073d160$6511a8c0@benspiece> <20030501232850.A15489@xorpc.icir.org>
List-Id: IPFW Technical Discussions

Yes, I think that's it, thank you for the clarification.
Ben

----- Original Message -----
From: "Luigi Rizzo"
To: "Ben Pfountz"
Sent: Friday, May 02, 2003 2:28 AM
Subject: Re: ipfw2 on 4.8-stable accepts broadcast dhcp requests?

> could it be that dhcp uses bpf to send the packet ? In that
> case, it will bypass the firewall, even if you have ether.ipfw set
>
> cheers
> luigi
>
> On Thu, May 01, 2003 at 11:59:11PM -0400, Ben Pfountz wrote:
> > I am running 4.8-stable updated a few days ago. I am using a firewall that
> > filters clients based on their MAC address, and I noticed a new client could
> > acquire a DHCP lease from the server. After staring at my ruleset for a few
> > hours, I decided to try removing all rules, except for the default to deny
> > rule. I tried to renew a DHCP lease from the client and immediately dhcpd
> > complained about not having permission to send a response back to the
> > client.
> >
> > I assume the dhcp request that was sent to the server (a broadcast packet)
> > passed through the firewall, and the response from dhcpd (a directed packet)
> > was blocked by the firewall as it tried to leave the system.
> >
> > I am using IPFW2, with:
> > net.link.ether.ipfw: 1
> > net.inet.ip.fw.enable: 1
> > net.inet.ip.fw.one_pass: 0
> > net.inet.ip.fw.debug: 1
> > net.inet.ip.fw.verbose: 1
> >
> > Is this the correct behavior for IPFW2?
> >
> > -----
> > Ben Pfountz
> > Computer Science Undergraduate, Virginia Tech
> > Computer Systems Engineer, Center for Power Electronic Systems
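A defender-side check for the symptom in this thread, as an added example that is not from the list or from FreeBSD: with net.inet.ip.fw.verbose=1, ipfw writes one syslog record per logged packet, and a Deny on outbound UDP 67 -> 68 is exactly the blocked dhcpd reply Ben saw. The record layout ("ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>") is assumed from the ipfw2 log format; the sample lines, hostname and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines in the assumed ipfw2 verbose-log layout.
SAMPLE_LOG = """\
May  2 08:28:55 gw /kernel: ipfw: 65535 Deny UDP 192.168.17.1:67 192.168.17.101:68 out via fxp0
May  2 08:28:55 gw /kernel: ipfw: 65535 Deny UDP 192.168.17.1:67 255.255.255.255:68 out via fxp0
May  2 08:29:01 gw /kernel: ipfw: 65535 Deny TCP 10.0.0.5:4321 192.168.17.1:22 in via fxp0
May  2 08:29:02 gw /kernel: ipfw: 100 Accept UDP 192.168.17.1:67 192.168.17.101:68 out via fxp0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str

def parse_ipfw_line(line: str) -> Optional[IpfwEvent]:
    """Parse one syslog line; None for lines that are not ipfw records."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return IpfwEvent(int(g["rule"]), g["action"], g["proto"], g["src"], int(g["sport"]),
                     g["dst"], int(g["dport"]), g["direction"], g["iface"])

def parse_log(text: str) -> List[IpfwEvent]:
    return [ev for ev in map(parse_ipfw_line, text.splitlines()) if ev is not None]

def blocked_dhcp_replies(text: str) -> List[IpfwEvent]:
    """Denied outbound UDP 67 -> 68: dhcpd replies leave through the IP stack,
    so the firewall sees them and the default deny rule drops them."""
    return [ev for ev in parse_log(text)
            if ev.action == "Deny" and ev.proto == "UDP" and ev.direction == "out"
            and ev.sport == 67 and ev.dport == 68]

def dhcp_requests_logged(text: str) -> int:
    """Inbound UDP 68 -> 67 records. Only what the IP stack handed to ipfw shows
    up here; a bpf-based daemon may have sent or received frames ipfw never logged."""
    return sum(1 for ev in parse_log(text)
               if ev.proto == "UDP" and ev.direction == "in" and ev.sport == 68 and ev.dport == 67)
```

A non-empty result from blocked_dhcp_replies() together with zero logged requests is the pattern from the thread: the request was never filtered, and the reply is what the ruleset has to allow explicitly.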