From owner-freebsd-questions Sun Jan 26 22:29:33 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B526937B401 for ; Sun, 26 Jan 2003 22:29:31 -0800 (PST)
Received: from mail.adelphia.net (pa-plum1b-166.pit.adelphia.net [24.53.161.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB25C43E4A for ; Sun, 26 Jan 2003 22:29:25 -0800 (PST) (envelope-from wmoran@potentialtech.com)
Received: from potentialtech.com ([172.16.0.95]) by mail.adelphia.net (8.12.3/8.12.3) with ESMTP id h0R6UniE006471; Mon, 27 Jan 2003 01:30:49 -0500 (EST) (envelope-from wmoran@potentialtech.com)
Message-ID: <3E34D1F8.2050209@potentialtech.com>
Date: Mon, 27 Jan 2003 01:30:16 -0500
From: Bill Moran
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.1) Gecko/20021127
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Warren Block
Cc: Brian McCann, questions@freebsd.org
Subject: Re: IPFW and DHCPD
References: <000801c2c5ba$cf7845b0$1500a8c0@dogbert> <20030126215555.U2592@wonkity.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Warren Block wrote:
> On Sun, 26 Jan 2003, Brian McCann wrote:
>
>> You need to allow UDP ports 67&68 for full DHCP support, in both
>> directions...so....
>>
>> "ipfw add allow any 67 to any any via int out"
>> "ipfw add allow any 67 to any any via int in"
>> "ipfw add allow any 68 to any any via int out"
>> "ipfw add allow any 68 to any any via int in"
>>
>> Something like that should do it.
>>
>> Hope that helps.
>
> ipfw didn't like those rules (ipfw: invalid protocol ``any''). I think
> it can be done easier, too:
>
> ${fwcmd} add pass udp from any 67,68 to any via ${iif}
>
> But I'm not seeing any counts on that rule when a notebook client tries
> for a DHCP lease, and the client never gets a lease.

This is crazy. There is no sane way that anyone can give you rules for this
without knowing the rest of your firewall rules. Among other things, _where_
you place the rules in the list, and what other rules may match DHCP
traffic, are critical to the success of your firewall rules.

Considering you stated that you're not sure if your firewall or dhcpd was
problematic, I would suggest the following diag procedure.

1) Set the machine to the "open" firewall profile and attempt to get a DHCP
   addy. If you can, then the problem is in the firewall; if you can't, then
   fix your dhcpd config before worrying about the firewall.

2) Here are the basic rules for DHCP: You need to allow udp traffic in/out to
   ports 67/68. You need to make sure this includes traffic from 0.0.0.0
   (this is the IP that DHCP uses before it has a DHCP addy) to
   255.255.255.255.

3) If you have trouble, pretend to be an IP packet and trace through the
   rules to see where you get caught. The most frustrating thing I hit with
   firewall rules is when an earlier rule inadvertently catches the traffic
   before the rule I intended.

4) If you're still having trouble, post the _entire_ ruleset to the list
   asking for help. It's the only way anyone can expect to give you any real
   help. Firewalls are just like that: you have to look at the whole thing or
   you can't see any of it.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
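Steps 2 and 3 of Bill's procedure (the 0.0.0.0 to 255.255.255.255 bootstrap traffic, and walking a packet through the list to find which earlier rule catches it) as an added example that is not part of the thread: a small Python model of ipfw's first-match evaluation over a subset of ipfw rule syntax, applied to a DHCP DISCOVER, OFFER and renewal. The interface name fxp0, the 192.168.1.0/24 LAN, the rule numbers and the packets are constructed values, and the default rule 65535 deny is an assumption (the stock kernel default); the model is not ipfw, and on a real box the equivalent check is the per-rule counters from `ipfw -a list`.

```python
"""Trace DHCP packets through an ipfw-style first-match ruleset (added example, not from the thread).
Models a subset of ipfw syntax: <num> <action> <proto> from [not] <addr> [ports] to [not] <addr> [ports] [in|out] [via <if>]
with first-match evaluation; the stock default rule 65535 deny is assumed. fxp0, 192.168.1.0/24 and rule numbers are constructed."""
import ipaddress
from collections import namedtuple

KNOWN_PROTOS = {"ip", "all", "udp", "tcp", "icmp"}
Packet = namedtuple("Packet", "proto src sport dst dport direction iface")
Rule = namedtuple("Rule", "number action proto src src_not sports dst dst_not dports direction iface")


def _parse_endpoint(toks, i):
    """Parse '[not] <addr> [ports]' at toks[i]; return (addr, negated, port set or None, next index)."""
    negated = toks[i] == "not"
    if negated:
        i += 1
    addr, i = toks[i], i + 1
    ports = None
    if i < len(toks) and toks[i][0].isdigit():
        ports = frozenset(int(p) for p in toks[i].split(","))
        i += 1
    return addr, negated, ports, i

def parse_rule(text):
    toks = text.split()
    number, action, proto = int(toks[0]), toks[1], toks[2]
    if proto not in KNOWN_PROTOS:  # real ipfw rejects the quoted rules here: invalid protocol ``any''
        raise ValueError("invalid protocol %r" % proto)
    if toks[3] != "from":
        raise ValueError("expected 'from'")
    src, src_not, sports, i = _parse_endpoint(toks, 4)
    if toks[i] != "to":
        raise ValueError("expected 'to'")
    dst, dst_not, dports, i = _parse_endpoint(toks, i + 1)
    direction = iface = None
    while i < len(toks):
        if toks[i] in ("in", "out"):
            direction = toks[i]
        elif toks[i] == "via":
            i, iface = i + 1, toks[i + 1]
        else:
            raise ValueError("unsupported token %r" % toks[i])
        i += 1
    return Rule(number, action, proto, src, src_not, sports, dst, dst_not, dports, direction, iface)

def rule_is_valid(text):
    try:
        parse_rule(text)
        return True
    except (ValueError, IndexError):
        return False

def _addr_ok(spec, negated, addr):
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negated

def matches(rule, pkt):
    return ((rule.proto in ("ip", "all") or rule.proto == pkt.proto)
            and _addr_ok(rule.src, rule.src_not, pkt.src)
            and _addr_ok(rule.dst, rule.dst_not, pkt.dst)
            and (rule.sports is None or pkt.sport in rule.sports)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))

def first_match(rules, pkt):
    """Walk the rules in number order, as ipfw does; the first hit decides the packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"  # assumed default rule (kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT)


LAN, IIF = "192.168.1.0/24", "fxp0"
# An anti-spoof deny on the inside interface sits before the DHCP rules and swallows
# DISCOVER/REQUEST, which the client sends from 0.0.0.0 to 255.255.255.255.
BROKEN = [parse_rule(r) for r in (
    "100 allow ip from any to any via lo0",
    "200 deny ip from not %s to any in via %s" % (LAN, IIF),
    "300 allow udp from any 68 to any 67 in via %s" % IIF,
    "310 allow udp from any 67 to any 68 out via %s" % IIF)]
# Same policy with DHCP handled first; the bootstrap case is written out explicitly.
FIXED = [parse_rule(r) for r in (
    "100 allow ip from any to any via lo0",
    "200 allow udp from 0.0.0.0 68 to 255.255.255.255 67 in via %s" % IIF,
    "210 allow udp from %s 68 to any 67 in via %s" % (LAN, IIF),
    "220 allow udp from any 67 to any 68 out via %s" % IIF,
    "300 deny ip from not %s to any in via %s" % (LAN, IIF))]
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "in", IIF)
OFFER = Packet("udp", "192.168.1.1", 67, "255.255.255.255", 68, "out", IIF)
RENEW = Packet("udp", "192.168.1.50", 68, "192.168.1.1", 67, "in", IIF)

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for pkt in (DISCOVER, OFFER, RENEW):
            print(name, pkt.src, "->", pkt.dst, first_match(rules, pkt))
```

Running it shows the failure mode Bill describes: in BROKEN the DISCOVER from 0.0.0.0 is eaten by the anti-spoof rule 200 before the DHCP rule 300 is ever reached, so that rule's counter stays at zero and the client never gets a lease, while the OFFER and a later renewal from an already-leased host pass. Moving the DHCP rules ahead of the anti-spoof deny (FIXED) fixes the bootstrap case without weakening the deny for everything else, which is why the whole ruleset, not just the DHCP lines, has to be read to judge it.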