Date:      Mon, 5 Jan 2015 13:04:58 +0100
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        Olivier Cochard-Labbé <olivier@cochard.me>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID:  <CA+hQ2+gt0JzbQo-2TWtzf_DS-di6csbuGn=GoOaoStuQJdT8sg@mail.gmail.com>
In-Reply-To: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>
References:  <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>

dhclient uses bpf to send and receive traffic,
and that acts before the firewall has a chance
to see the packets.

There is a chance that incoming packets are
also passed to the network stack, but they
are probably discarded before the firewall
because the interface does not have an address yet.

cheers
luigi


On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé <olivier@cochard.me>
wrote:

> I'm using a pretty simple configuration:
>
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
>
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
>
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
>
> [root@wrap]~# ifconfig sis0
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
>         ether 00:0d:b9:02:76:58
>         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
>
> [root@wrap]~# ipfw show
> 00100 0    0 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 0    0 deny ip from any to any
>
> [root@wrap]~# cat /var/log/security
> Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
>
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
>
> Are DHCP packets excluded from the filtering/logging engine of ipfw ?



-- 
-----------------------------------------+-------------------------------
 Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
 TEL      +39-050-2211611               . via Diotisalvi 2
 Mobile   +39-338-6809875               . 56122 PISA (Italy)
-----------------------------------------+-------------------------------
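The exchange above turns on one observable: the host obtained a lease, yet the ipfw log shows only port-138 broadcasts and no UDP 67/68 traffic, which is consistent with dhclient's bpf path acting before ipfw sees the packets. The following script is an added example, not code from the thread or from FreeBSD; it parses the `ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <iface>` log format shown in the quoted `/var/log/security` excerpt and reports whether any DHCP ports ever appear. The sample log text is constructed (it extends the two lines from the post with one extra TCP line), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the two ipfw lines from the post plus one extra TCP line.
# Only the syslog line for the file creation is not an ipfw event.
SAMPLE_LOG = """\
Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:20 wrap kernel: ipfw: 200 Deny TCP 192.168.100.10:51234 192.168.100.68:22 in via sis0
"""

# Matches the TCP/UDP form of an ipfw log line (the form seen in the post).
# ICMP lines carry "ICMP:type.code" instead of ports and are deliberately
# left unmatched by this expression.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

DHCP_PORTS = {67, 68}  # bootps / bootpc


def parse_ipfw_log(text):
    """Return a list of dicts, one per TCP/UDP ipfw log line in `text`."""
    events = []
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if not m:
            continue  # non-ipfw syslog line or an ICMP line
        ev = m.groupdict()
        for key in ("rule", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def dhcp_events(events):
    """Filter to UDP events touching the DHCP server or client port."""
    return [
        ev for ev in events
        if ev["proto"] == "UDP"
        and (ev["sport"] in DHCP_PORTS or ev["dport"] in DHCP_PORTS)
    ]


def summarize(events):
    """Count events per (protocol, destination port) to see what ipfw did log."""
    return Counter((ev["proto"], ev["dport"]) for ev in events)


def dhcp_seen_by_ipfw(text):
    """True if any DHCP packet reached the ipfw logging rules."""
    return bool(dhcp_events(parse_ipfw_log(text)))


if __name__ == "__main__":
    evs = parse_ipfw_log(SAMPLE_LOG)
    print("ipfw events parsed:", len(evs))
    for (proto, dport), n in sorted(summarize(evs).items()):
        print(f"  {proto} dport {dport}: {n}")
    print("DHCP seen by ipfw:", dhcp_seen_by_ipfw(SAMPLE_LOG))
```

On the log from the post the check reports no DHCP events at all while the interface nevertheless holds a lease, which is the symptom to expect when the client talks to the wire through bpf rather than through the filtered IP path; the same script run over a log from a host whose DHCP traffic does pass the stack (for example a relay or a server bound to a configured address) would show UDP 67/68 entries.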


