Date:      Mon, 05 Mar 2007 14:40:26 +0100
From:      Volker <volker@vwsoft.com>
To:        "rance@frontiernet.net" <rance@frontiernet.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: home router with internal services available question
Message-ID:  <45EC1DCA.3080001@vwsoft.com>
In-Reply-To: <20070305043922.qgd8g96zo6jo0g0k@webmail.frontiernet.net>
References:  <20070305043922.qgd8g96zo6jo0g0k@webmail.frontiernet.net>

On 12/23/-58 20:59, rance@frontiernet.net wrote:
> I had a basic NAT setup that was almost working. DHCP requests on my
> LAN were not getting answered by the gateway host.
> 
> I looked at the firewall rules and figured it was because there wasn't a
> specific way to handle port 67 data (it should be handled by the internal
> interface of the FreeBSD box).
> 
> With the firewall disabled, LAN machines can get an IP address but can't
> surf the net; with the firewall enabled they can surf the net but can't
> get a DHCP address.

That's an easy one if you know what's going on on the wire:

- let udp/bootps and udp/bootpc pass your fw rules
- DO NOT filter for IP address ranges for these rules!

A DHCP request arrives at your machine without any IP address assigned,
or it may arrive with an IP address not known to your machine
(169.anything - Windows does this, for example).

So you should not filter like:

pass on $int_if proto udp from 192.168.1.0/24 to self port bootps keep state

but instead:

pass in log on $int_if proto udp from any to self port bootps keep state

In my rules I'm additionally using these rules:

pass in log on $int_if proto udp from any to any port bootpc keep state
pass in log on $int_if proto udp from any port bootpc to any keep state

but I don't think they're necessary, as the very first rule ("...to
self port bootps...") should match.

That should be all. You should watch the packet flow using tcpdump
(either on pflog0 or your real network NIC).

HTH,

Volker



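As an added example, not part of Volker's message or the original thread, here is a minimal pf.conf for a FreeBSD home NAT router whose internal interface also runs the DHCP server. It applies the advice above (no address filtering on the DHCP rule) and also covers the return direction, which needs its own rule once you block outbound traffic by default. The interface names, the LAN prefix and the default-deny policy are assumptions; adjust them to your box.

```pf
# Added example (not from the original thread). Interface names and the
# LAN prefix are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"

set skip on lo0
scrub in all

# NAT the LAN out the external interface (parentheses: follow a dynamic IP).
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in both directions; log drops so they show up on pflog0.
block in log all
block out log all

# Traffic the router itself or the LAN sends to the Internet.
pass out quick on $ext_if inet keep state

# DHCP requests from the LAN. Do NOT restrict the source to $lan_net:
# a DHCPDISCOVER is sent from 0.0.0.0 (or from a self-assigned
# 169.254.x.x address) to 255.255.255.255, so "from $lan_net" never
# matches it and the client never gets a lease.
#
#   WRONG: pass in on $int_if proto udp from $lan_net to self port bootps keep state
pass in log quick on $int_if proto udp from any to self port bootps keep state

# The server's DHCPOFFER/DHCPACK leaves from <router ip>:67 to
# 255.255.255.255:68 (or to the address just offered). Neither is the
# reverse of the inbound state (0.0.0.0:68 -> 255.255.255.255:67), and
# the broadcast destination is not inside $lan_net either, so with a
# default "block out" the reply needs its own rule, placed before any
# "to $lan_net" rule.
pass out log quick on $int_if proto udp from self port bootps to any port bootpc

# Everything else between the router and the LAN.
pass out quick on $int_if inet from self to $lan_net keep state
pass in  quick on $int_if inet from $lan_net to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. To see which rule a DHCP packet hits, watch the log interface with `tcpdump -n -e -ttt -i pflog0 udp port 67 or udp port 68`; the `-e` flag prints the pflog header, which includes the rule number and whether the packet was passed or blocked. Comparing that with `tcpdump -n -i fxp1 udp port 67 or udp port 68` on the real NIC tells you whether a missing reply was never sent or was dropped by pf.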
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45EC1DCA.3080001>