Date:      Mon, 5 Jan 2015 14:51:11 +0100
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        Olivier Cochard-Labbé <olivier@cochard.me>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, Willy@offermans.rompen.nl
Subject:   Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID:  <CA+hQ2+jfHej17z6GUKLv9R0toa8ac5Q6Yd1yk4gSmdJp=ofDLg@mail.gmail.com>
In-Reply-To: <CA+q+TcoX7_0++G8b77T-CXGDzmNZhww8hGXVsJxL0C0Qf5cQ7Q@mail.gmail.com>
References:  <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com> <CA+hQ2+gt0JzbQo-2TWtzf_DS-di6csbuGn=GoOaoStuQJdT8sg@mail.gmail.com> <20150105122809.GD31058@vpn.offrom.nl> <CA+q+TcoX7_0++G8b77T-CXGDzmNZhww8hGXVsJxL0C0Qf5cQ7Q@mail.gmail.com>

On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé <olivier@cochard.me> wrote:

> On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans <Willy@offermans.rompen.nl> wrote:
>
>> Hello Luigi and FreeBSD friends,
>>
>> I do top posting.
>>
>> So there might be a chance that something slips through the firewall
>> between the start of the firewall and after the bpf traffic of dhclient.
>> Once the NIC is configured, traffic is possible in principle.
>> Would it be better to start the bpf traffic of dhclient after the firewall
>> runs? In the latter case, all will or can work as expected. If yes, how
>> should this be set? Should one set
>>
>>  REQUIRE: firewall
>>
>> in /etc/rc.d/dhclient? But there seems no firewall daemon to be present.
>> So I'm not sure how this should work.
>>
>>
> I believe that when Luigi says "that acts before the firewall has a chance
> to see the packets", he was not speaking of the RC script order, but about
> the FreeBSD network stack layer order.
> Do you confirm, Luigi?
>
>
Correct, it's not a matter of time but of placement
of the modules in the stack.

injection through bpf goes just above the
device driver, so there is no chance to see
bpf-generated packets.
For incoming traffic, bpf sees a copy, so the
original still goes through the stack,
but if you want to see it with ipfw you should
probably enable layer2 firewalling.

cheers
luigi
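The layer-2 setup Luigi points to, as an added example that is not part of the thread and not code from Luigi or the FreeBSD project: `net.link.ether.ipfw=1` hands frames to ipfw at the link layer (ether_demux()/ether_output_frame()), and rules carrying the `layer2` keyword match only on that pass, so inbound DHCP datagrams can be counted and logged before dhclient's bpf copy is taken. The interface name `em0`, the rule numbers and the `RUN` dry-run switch are assumptions; the script only echoes the commands unless `RUN` is set to empty. The thread does not say whether the frames dhclient injects through bpf show up on the outbound link-layer pass, so these rules only cover the inbound direction, which is the case Luigi's last sentence addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: put ipfw in front of DHCP at
# layer 2 so the frames dhclient receives can be counted and logged.
# Dry run by default (RUN=echo prints the commands). On a FreeBSD host
# apply them with:   RUN= IFACE=em0 sh ipfw-dhcp-l2.sh
RUN="${RUN-echo}"
IFACE="${IFACE:-em0}"     # assumption: the interface dhclient runs on

# Sysctls: pass frames to ipfw at ether_demux()/ether_output_frame(),
# and send "log" matches to syslog.
layer2_sysctls() {
    printf '%s\n' \
        'net.link.ether.ipfw=1' \
        'net.inet.ip.fw.verbose=1'
}

# Emit the rule bodies, one per line.  Rule numbers are constructed;
# choose ones that sort before the existing layer-3 rules.
#   100/110: client->server (68->67) and server->client (67->68) DHCP,
#            "count log" observes without changing policy, and
#            "layer2 in" limits the match to the inbound link-layer pass
#            so the same datagram is not logged again at the IP layer.
#   190:     let every other frame finish the layer-2 pass, so it is
#            judged once, by the normal layer-3 rules.
dhcp_layer2_rules() {
    iface="$1"
    cat <<EOF
add 100 count log udp from any 68 to any 67 layer2 in via $iface
add 110 count log udp from any 67 to any 68 layer2 in via $iface
add 190 allow all from any to any layer2
EOF
}

layer2_sysctls | while read -r kv; do $RUN sysctl "$kv"; done
dhcp_layer2_rules "$IFACE" | while read -r rule; do $RUN ipfw $rule; done
```

After applying, `ipfw -a list` shows the hit counters on rules 100 and 110 climbing with each lease exchange, and the log lines appear where `net.inet.ip.fw.verbose` sends them (the security log on a default syslog.conf). Rules without the `layer2` keyword are evaluated on both passes once the sysctl is on, which is why rule 190 is there to end the link-layer pass early.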
