From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 12:28:26 2015
Delivered-To: freebsd-ipfw@freebsd.org
Date: Mon, 5 Jan 2015 13:28:10 +0100
From: Willy Offermans
To: Luigi Rizzo
Cc: Olivier Cochard-Labbé, freebsd-ipfw@freebsd.org
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <20150105122809.GD31058@vpn.offrom.nl>
Reply-To: Willy@Offermans.Rompen.nl
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: IPFW Technical Discussions

Hello Luigi and FreeBSD friends,

I do top posting.

So there might be a chance that something slips through the firewall
between the start of the firewall and after the bpf traffic of dhclient.
Once the NIC is configured, traffic is possible in principle. Would it
be better to start the bpf traffic of dhclient after the firewall runs?
In the latter case, all will or can work as expected. If yes, how should
this be set? Should one set REQUIRE: firewall in /etc/rc.d/dhclient? But
there seems no firewall daemon to be present. So I'm not sure how this
should work.

On Mon, Jan 05, 2015 at 01:04:58PM +0100, Luigi Rizzo wrote:
> dhclient uses bpf to send and receive traffic,
> and that acts before the firewall has a chance
> to see the packets.
>
> There is a chance that incoming packets are
> also passed to the network stack, but they
> are probably discarded before the firewall
> because the interface does not have an address yet.
>
> cheers
> luigi
>
>
> On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé wrote:
>
> > I'm using a pretty simple configuration:
> >
> > My rc.conf:
> > ifconfig_sis0="DHCP"
> > firewall_enable="YES"
> > firewall_logging="YES"
> > firewall_script="/etc/ipfw.rules"
> >
> > My /etc/ipfw.rules:
> > #!/bin/sh
> > fwcmd="/sbin/ipfw -q"
> > ${fwcmd} -f flush
> > ${fwcmd} add pass ip from any to any via lo0
> > ${fwcmd} add deny log ip from any to any
> >
> > But after a reboot this machine is still able to get an IP address by DHCP
> > and nothing (related to DHCP) is logged on the firewall:
> >
> > [root@wrap]~# ifconfig sis0
> > sis0: flags=8843 metric 0 mtu 1500
> > options=83808
> > ether 00:0d:b9:02:76:58
> > inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
> > media: Ethernet autoselect (100baseTX )
> > status: active
> >
> > [root@wrap]~# ipfw show
> > 00100 0 0 allow ip from any to any via lo0
> > 00200 4 1631 deny log ip from any to any
> > 65535 0 0 deny ip from any to any
> >
> > [root@wrap]~# cat /var/log/security
> > Jan 1 01:16:45 wrap newsyslog[923]: logfile first created
> > Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
> > Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
> >
> > I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
> >
> > Are DHCP packets excluded from the filtering/logging engine of ipfw ?
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
>
> --
> -----------------------------------------+-------------------------------
> Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
> http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
> TEL      +39-050-2211611               . via Diotisalvi 2
> Mobile   +39-338-6809875               . 56122 PISA (Italy)
> -----------------------------------------+-------------------------------

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
W.K. Offermans
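The thread's evidence for Luigi's explanation is the log excerpt: ipfw's catch-all deny rule logs NetBIOS broadcasts (UDP 138) but never a single DHCP packet (UDP 67/68), even though the interface obtained a lease. The script below is an added example, not code from the thread or from FreeBSD; it parses kernel ipfw log lines in the format shown by Olivier, counts what the firewall logged per rule, protocol and destination port, and reports whether any DHCP traffic ever reached the firewall at all. The sample log lines are constructed to mirror the excerpt in the thread; the ICMP log format, which differs from the TCP/UDP one, is deliberately left unparsed.

```python
import re
from collections import Counter

# Kernel ipfw log lines for TCP/UDP look like the ones pasted in the thread:
#   Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
# ICMP lines use a different "ICMP:type.code" form and are ignored here.
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

DHCP_PORTS = {67, 68}  # BOOTP/DHCP server and client ports


def parse_ipfw_line(line):
    """Return the fields of one ipfw TCP/UDP log line, or None if it is not one."""
    m = IPFW_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Count logged packets per (rule, action, proto, dport); also count DHCP hits."""
    counts = Counter()
    dhcp_seen = 0
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue  # newsyslog notices and other unrelated messages
        counts[(rec["rule"], rec["action"], rec["proto"], rec["dport"])] += 1
        if rec["proto"] == "UDP" and (rec["sport"] in DHCP_PORTS or rec["dport"] in DHCP_PORTS):
            dhcp_seen += 1
    return counts, dhcp_seen


# Constructed sample, modelled on the /var/log/security excerpt in the thread.
SAMPLE_LOG = """\
Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
"""


def dhcp_reached_firewall(text=SAMPLE_LOG):
    """True if ipfw logged at least one DHCP packet, i.e. the firewall actually saw it."""
    _, dhcp_seen = summarize(text.splitlines())
    return dhcp_seen > 0


if __name__ == "__main__":
    counts, dhcp_seen = summarize(SAMPLE_LOG.splitlines())
    for (rule, action, proto, dport), n in sorted(counts.items()):
        print(f"rule {rule:05d} {action} {proto} dport {dport}: {n} packet(s)")
    if dhcp_seen == 0:
        print("no DHCP packets logged: dhclient traffic did not pass through ipfw")
```

Run against the real /var/log/security on a host whose last rule is `deny log ip from any to any`, an empty DHCP count alongside a successful lease is the direct confirmation that dhclient's bpf path bypasses the ruleset; it is the check to run again after any change to rc.d ordering, since a later start of dhclient would not by itself route bpf traffic through ipfw.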