Date:      Mon, 5 Jan 2015 13:28:10 +0100
From:      Willy Offermans <Willy@Offermans.Rompen.nl>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        Olivier Cochard-Labbé <olivier@cochard.me>, "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID:  <20150105122809.GD31058@vpn.offrom.nl>
In-Reply-To: <CA+hQ2+gt0JzbQo-2TWtzf_DS-di6csbuGn=GoOaoStuQJdT8sg@mail.gmail.com>
References:  <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com> <CA+hQ2+gt0JzbQo-2TWtzf_DS-di6csbuGn=GoOaoStuQJdT8sg@mail.gmail.com>

Hello Luigi and FreeBSD friends,

I do top posting.

So there might be a chance that something slips through the firewall 
between the start of the firewall and after the bpf traffic of dhclient.
Once the NIC is configured, traffic is possible in principle.
Would it be better to start the bpf traffic of dhclient after the firewall
runs? In the latter case, all will or can work as expected. If yes, how
should this be set? Should one set

 REQUIRE: firewall

in /etc/rc.d/dhclient? But there seems to be no firewall daemon present. So
I'm not sure how this should work.

On Mon, Jan 05, 2015 at 01:04:58PM +0100, Luigi Rizzo wrote:
> dhclient uses bpf to send and receive traffic,
> and that acts before the firewall has a chance
> to see the packets.
> 
> There is a chance that incoming packets are
> also passed to the network stack, but they
> are probably discarded before the firewall
> because the interface does not have an address yet.
> 
> cheers
> luigi
> 
> 
> On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé <olivier@cochard.me>
> wrote:
> 
> > I'm using a pretty simple configuration:
> >
> > My rc.conf:
> > ifconfig_sis0="DHCP"
> > firewall_enable="YES"
> > firewall_logging="YES"
> > firewall_script="/etc/ipfw.rules"
> >
> > My /etc/ipfw.rules:
> > #!/bin/sh
> > fwcmd="/sbin/ipfw -q"
> > ${fwcmd} -f flush
> > ${fwcmd} add pass ip from any to any via lo0
> > ${fwcmd} add deny log ip from any to any
> >
> > But after a reboot this machine is still able to get an IP address by DHCP
> > and nothing (related to DHCP) is logged on the firewall:
> >
> > [root@wrap]~# ifconfig sis0
> > sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >         options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
> >         ether 00:0d:b9:02:76:58
> >         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> >
> > [root@wrap]~# ipfw show
> > 00100 0    0 allow ip from any to any via lo0
> > 00200 4 1631 deny log ip from any to any
> > 65535 0    0 deny ip from any to any
> >
> > [root@wrap]~# cat /var/log/security
> > Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> > Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> > 192.168.100.255:138 in via sis0
> > Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> > 192.168.100.255:138 in via sis0
> >
> > I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
> >
> > Are DHCP packets excluded from the filtering/logging engine of ipfw ?
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> >
> 
> 
> 
> -- 
> -----------------------------------------+-------------------------------
>  Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
>  http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
>  TEL      +39-050-2211611               . via Diotisalvi 2
>  Mobile   +39-338-6809875               . 56122 PISA (Italy)
> -----------------------------------------+-------------------------------

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
 W.K. Offermans
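As an added example (not part of this thread, and not Olivier's ruleset), one way to check Luigi's claim on the affected machine is to load explicit count rules for both DHCP directions ahead of the deny-all rule and then read their counters back from `ipfw show`. If dhclient really sends and receives over bpf, the outbound rule 50 stays at zero; the inbound rule 60 shows whether replies reach the stack at all before the interface has an address. Rule numbers 50 and 60, the interface name sis0 and the sample `ipfw show` output at the bottom are my assumptions, constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: interface sis0, rule numbers 50/60
# free, ipfw(8) rule-file syntax ("ipfw -q /path" reads the file).

IF=${IF:-sis0}

# Emit count rules for both DHCP directions (client port 68, server port 67).
# They must be loaded before the "deny log ip from any to any" rule so they
# are evaluated first; "count" does not terminate the search, so the deny
# rule still applies afterwards.
dhcp_count_rules() {
    cat <<EOF
add 50 count log udp from any 68 to any 67 out via $IF
add 60 count log udp from any 67 to any 68 in via $IF
EOF
}

# Read 'ipfw show' output on stdin, print "<rule> <packets>" for every DHCP
# count rule, and return 0 if at least one of them counted a packet
# (i.e. ipfw saw DHCP traffic), 1 otherwise.
dhcp_counters() {
    awk '$4 == "count" && /udp/ && /(68 to any 67|67 to any 68)/ {
             print $1, $2
             if ($2 > 0) seen = 1
         }
         END { exit seen ? 0 : 1 }'
}

# Constructed sample of 'ipfw show' output (not captured from a real host):
# rule 60 pretends to have counted two inbound DHCP replies.
SAMPLE_SHOW='00050       0         0 count log udp from any 68 to any 67 out via sis0
00060       2       684 count log udp from any 67 to any 68 in via sis0
00100       0         0 allow ip from any to any via lo0
00200       4      1631 deny log ip from any to any
65535       0         0 deny ip from any to any'

# Stand-alone demo: show the generated rules and parse the constructed sample.
dhcp_count_rules
if printf '%s\n' "$SAMPLE_SHOW" | dhcp_counters; then
    echo "ipfw saw DHCP packets"
else
    echo "no DHCP packets counted by ipfw"
fi
```

On a FreeBSD host the rules would be loaded with `dhcp_count_rules > /tmp/dhcp.rules && ipfw -q /tmp/dhcp.rules` before the interface is (re)configured, after which `ipfw show | dhcp_counters` reports the per-direction counters. A zero on rule 50 after a successful lease is the bpf bypass Luigi describes; a zero on rule 60 means the replies were dropped before the firewall too.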


