From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 10:33:40 2015
From: Olivier Cochard-Labbé
Date: Mon, 5 Jan 2015 11:33:18 +0100
To: freebsd-ipfw@freebsd.org
Subject: Why ipfw didn't filter neither log DHCP packets ?

I'm using a pretty simple configuration:

My rc.conf:
ifconfig_sis0="DHCP"
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"

My /etc/ipfw.rules:
#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add pass ip from any to any via lo0
${fwcmd} add deny log ip from any to any

But after a reboot this machine is still able to get an IP address by DHCP
and nothing (related to DHCP) is logged on the firewall:

[root@wrap]~# ifconfig sis0
sis0: flags=8843 metric 0 mtu 1500
        options=83808
        ether 00:0d:b9:02:76:58
        inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
        media: Ethernet autoselect (100baseTX )
        status: active

[root@wrap]~# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 4 1631 deny log ip from any to any
65535 0 0 deny ip from any to any

[root@wrap]~# cat /var/log/security
Jan 1 01:16:45 wrap newsyslog[923]: logfile first created
Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0

I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.

Are DHCP packets excluded from the filtering/logging engine of ipfw ?
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 11:22:57 2015
From: wishmaster
Date: Mon, 05 Jan 2015 13:22:43 +0200
To: olivier@cochard.me
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-Id: <1420456491.300138955.6ctqnlp5@frv34.fwdcdn.com>

Hi.

Have the same problem, but with wlan. With a rule like the one below

ipfw add deny log all from any to any

I do not see any packets in ipfw -d show output. LAN behind wlan interface
gets an ip-addr, but inet is blocked, of course.

----
Vitaliy

--- Original Message ---
From: "Olivier Cochard-Labbé"
Date: 5 January 2015, 12:33:46
> I'm using a pretty simple configuration:
> [full quote of the original message snipped]
> Are DHCP packets excluded from the filtering/logging engine of ipfw ?
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 11:47:35 2015
From: Willy Offermans
Date: Mon, 5 Jan 2015 12:46:13 +0100
To: Olivier Cochard-Labbé
Cc: freebsd-ipfw@freebsd.org
Reply-To: Willy@Offermans.Rompen.nl
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <20150105114613.GC31058@vpn.offrom.nl>

Hello Olivier and FreeBSD friends,

On Mon, Jan 05, 2015 at 11:33:18AM +0100, Olivier Cochard-Labbé wrote:
> I'm using a pretty simple configuration:
> [full quote of the original message snipped]
> Are DHCP packets excluded from the filtering/logging engine of ipfw ?

I guess that the dhcp daemon is started before the firewall is started or,
better, before the firewall rules are applied.

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
Mobile: +49 1575 414 60 55
e-mail: Willy@Offermans.Rompen.nl

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 12:05:01 2015
From: Luigi Rizzo
Date: Mon, 5 Jan 2015 13:04:58 +0100
To: Olivier Cochard-Labbé
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?

dhclient uses bpf to send and receive traffic,
and that acts before the firewall has a chance
to see the packets.

There is a chance that incoming packets are
also passed to the network stack, but they
are probably discarded before the firewall
because the interface does not have an address yet.

cheers
luigi

On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé wrote:
> I'm using a pretty simple configuration:
> [full quote of the original message snipped]
> Are DHCP packets excluded from the filtering/logging engine of ipfw ?

--
-----------------------------------------+-------------------------------
 Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
 TEL      +39-050-2211611               . via Diotisalvi 2
 Mobile   +39-338-6809875               .
                                         . 56122 PISA (Italy)
-----------------------------------------+-------------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 12:28:26 2015
From: Willy Offermans
Date: Mon, 5 Jan 2015 13:28:10 +0100
To: Luigi Rizzo
Cc: Olivier Cochard-Labbé, freebsd-ipfw@freebsd.org
Reply-To: Willy@Offermans.Rompen.nl
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <20150105122809.GD31058@vpn.offrom.nl>

Hello Luigi and FreeBSD friends,

I do top posting.

So there might be a chance that something slips through the firewall
between the start of the firewall and after the bpf traffic of dhclient.
Once the NIC is configured, traffic is possible in principle.
Would it be better to start the bpf traffic of dhclient after the firewall
runs? In the latter case, all will or can work as expected. If yes, how
should this be set? Should one set

REQUIRE: firewall

in /etc/rc.d/dhclient? But there seems no firewall daemon to be present. So
I'm not sure how this should work.

On Mon, Jan 05, 2015 at 01:04:58PM +0100, Luigi Rizzo wrote:
> dhclient uses bpf to send and receive traffic,
> and that acts before the firewall has a chance
> to see the packets.
>
> There is a chance that incoming packets are
> also passed to the network stack, but they
> are probably discarded before the firewall
> because the interface does not have an address yet.
>
> cheers
> luigi
>
> On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé wrote:
> > [full quote of the original message snipped]
>
> [Luigi's signature snipped]
--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
W.K. Offermans

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 13:42:09 2015
From: Olivier Cochard-Labbé
Date: Mon, 5 Jan 2015 14:41:47 +0100
To: Willy@offermans.rompen.nl
Cc: freebsd-ipfw@freebsd.org, Luigi Rizzo
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
In-Reply-To: <20150105122809.GD31058@vpn.offrom.nl>

On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans wrote:
> Hello Luigi and FreeBSD friends,
>
> I do top posting.
>
> So there might be a chance that something slips through the firewall
> between the start of the firewall and after the bpf traffic of dhclient.
> Once the NIC is configured, traffic is possible in principle.
> Would it be better to start the bpf traffic of dhclient after the firewall
> runs? In the latter case, all will or can work as expected. If yes, how
> should this be set? Should one set
>
> REQUIRE: firewall
>
> in /etc/rc.d/dhclient? But there seems no firewall daemon to be present. So
> I'm not sure how this should work.

I believe that when Luigi says "that acts before the firewall has a chance
to see the packets", he was not speaking of the RC script order, but about
the FreeBSD network stack layer order.
Do you confirm Luigi ?

Because I've tried to fix ipfw's RC script order by changing:
- /etc/rc.d/ipfw: replaced "REQUIRE: ppp" by "REQUIRE: FILESYSTEMS" (like /etc/rc.d/ipfilter)
- /etc/rc.d/netif: added "ipfw" to the REQUIRE list

But no change: DHCP is still allowed.
Then, why are there specific DHCP-client rules in the /etc/rc.firewall script
(like in WORKSTATION mode) if they are useless ?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 13:51:14 2015
From: Luigi Rizzo
Date: Mon, 5 Jan 2015 14:51:11 +0100
To: Olivier Cochard-Labbé
Cc: freebsd-ipfw@freebsd.org, Willy@offermans.rompen.nl
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?

On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé wrote:
> On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans wrote:
>> [Willy's message snipped]
>
> I believe that when Luigi says "that acts before the firewall has a chance
> to see the packets", he was not speaking of the RC script order, but about
> the FreeBSD network stack layer order.
> Do you confirm Luigi ?

correct, it's not a matter of time but of placement
of the modules in the stack.

injection through bpf goes just above the
device driver, so there is no chance to see
bpf-generated packets.
For incoming traffic, bpf sees a copy, so the
original still goes through the stack,
but if you want to see it with ipfw you should
probably enable layer2 firewalling.
cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 6 03:54:52 2015
From: Julian Elischer
Date: Tue, 06 Jan 2015 11:54:29 +0800
To: Luigi Rizzo, Olivier Cochard-Labbé
Cc: freebsd-ipfw@freebsd.org, Willy@offermans.rompen.nl
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <54AB5C75.8020001@freebsd.org>

On 1/5/15 9:51 PM, Luigi Rizzo wrote:
> On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé wrote:
>>
>> I believe that when Luigi says "that acts before the firewall has a chance
>> to see the packets", he was not speaking of the RC script order, but about
>> the FreeBSD network stack layer order.
>> Do you confirm Luigi ?
>>
> correct, it's not a matter of time but of placement
> of the modules in the stack.
>
> injection through bpf goes just above the
> device driver, so there is no chance to see
> bpf-generated packets.
> For incoming traffic, bpf sees a copy, so the
> original still goes through the stack,
> but if you want to see it with ipfw you should
> probably enable layer2 firewalling.

the ordering of the various "special" packet intercepts has always been
an 'unsolved problem'.
Packets may be intercepted by several different agents in the networking
code.

There are (at least):
bpf/tcpdump
divert
netgraph
ipfw/pf/ipf
if_bridge
vlan handling

And maybe others I didn't think of in the 20 seconds it took to write this.
Each of these has an equivalent outgoing injection point as well.

It is possible to make arguments for several different orders in which
packets should hit these.
For example: It makes perfect sense for tcpdump to see everything on the
wire regardless of what else is going on, however it may also make sense
to filter what gets to dhclient. Unfortunately, they both use the same way
of getting packets. Maybe the answer is to change dhclient to use a
different method.
When it was originally done only bpf existed.

> cheers
> luigi
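The blind spot the thread settles on (dhclient talks DHCP over bpf, below the point where ipfw's IP-layer rules sit, so a lease is obtained and nothing DHCP-related is ever logged) can be confirmed from a box's own files. The script below is an added example, not code from the thread or from FreeBSD: it parses the ipfw syslog format shown in Olivier's /var/log/security excerpt together with the ifconfig_<if>="DHCP" assignments from rc.conf, and reports each DHCP-configured interface for which ipfw never logged a UDP 67/68 packet; the rc.conf and log samples embedded at the bottom are constructed for the example.

```python
"""Check whether ipfw ever logged DHCP traffic on the interfaces rc.conf configures via DHCP."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

DHCP_PORTS = {67, 68}  # UDP bootps / bootpc

# ipfw(8) syslog format as it appears in the thread (one event per line in the real log):
#   ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <ifname>
# Ports are optional because ICMP entries (proto "ICMP:<type>.<code>") carry none.
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? (?P<dst>\S+?)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<ifname>\S+)"
)

# rc.conf assignments such as ifconfig_sis0="DHCP" (SYNCDHCP / NOSYNCDHCP match too)
RC_IFCONFIG = re.compile(r'^\s*ifconfig_(?P<ifname>\w+)\s*=\s*"?(?P<value>[^"#]*)')


class IpfwEvent(NamedTuple):
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    ifname: str


def parse_ipfw_log(lines: Iterable[str]) -> List[IpfwEvent]:
    """Extract ipfw events from syslog lines; unrelated lines (newsyslog etc.) are skipped."""
    events = []
    for line in lines:
        m = IPFW_LINE.search(line)
        if m is None:
            continue
        events.append(IpfwEvent(
            rule=int(m["rule"]), action=m["action"], proto=m["proto"],
            src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
            dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
            direction=m["direction"], ifname=m["ifname"],
        ))
    return events


def dhcp_interfaces(rc_conf: str) -> Set[str]:
    """Interfaces whose ifconfig_<if> value in rc.conf requests DHCP."""
    found = set()
    for line in rc_conf.splitlines():
        m = RC_IFCONFIG.match(line)
        if m and "DHCP" in m["value"].upper():
            found.add(m["ifname"])
    return found


def is_dhcp(ev: IpfwEvent) -> bool:
    """True for a UDP event that involves the DHCP server or client port."""
    return ev.proto == "UDP" and (ev.sport in DHCP_PORTS or ev.dport in DHCP_PORTS)


def check_dhcp_visibility(rc_conf: str, security_log: str) -> Dict[str, bool]:
    """For every DHCP-configured interface, report whether ipfw logged any DHCP packet on it."""
    events = parse_ipfw_log(security_log.splitlines())
    seen_on = {ev.ifname for ev in events if is_dhcp(ev)}
    return {ifname: ifname in seen_on for ifname in dhcp_interfaces(rc_conf)}


# Constructed sample input. The first three log lines mirror Olivier's excerpt
# (rejoined onto single lines, as the real log stores them); the ICMP line is made up.
SAMPLE_RC_CONF = 'ifconfig_sis0="DHCP"\nfirewall_enable="YES"\nfirewall_logging="YES"\n'
SAMPLE_SECURITY_LOG = """\
Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:20 wrap kernel: ipfw: 200 Deny ICMP:8.0 192.168.100.254 192.168.100.68 in via sis0
"""

if __name__ == "__main__":
    for ifname, logged in sorted(check_dhcp_visibility(SAMPLE_RC_CONF, SAMPLE_SECURITY_LOG).items()):
        verdict = ("DHCP packets were logged by ipfw" if logged
                   else "no DHCP packet was ever logged by ipfw (dhclient's bpf path bypasses the rules)")
        print(f"{ifname}: {verdict}")
```

On a real host, feed it /etc/rc.conf and /var/log/security instead of the samples; an interface that holds a lease yet never shows UDP 67/68 in the ipfw log is the situation described in the thread.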