From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 04:00:55 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8293416A403 for ; Tue, 3 Apr 2007 04:00:55 +0000 (UTC) (envelope-from dmehler26@woh.rr.com) Received: from ms-smtp-04.ohiordc.rr.com (ms-smtp-04.ohiordc.rr.com [65.24.5.138]) by mx1.freebsd.org (Postfix) with ESMTP id 4DA4E13C44C for ; Tue, 3 Apr 2007 04:00:55 +0000 (UTC) (envelope-from dmehler26@woh.rr.com) Received: from satellite (cpe-71-64-129-15.woh.res.rr.com [71.64.129.15]) by ms-smtp-04.ohiordc.rr.com (8.13.6/8.13.6) with SMTP id l333LRXY004110 for ; Mon, 2 Apr 2007 23:21:28 -0400 (EDT) Message-ID: <000301c7759f$416d7210$0200a8c0@satellite> From: "Dave" To: Date: Mon, 2 Apr 2007 23:22:05 -0400 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3028 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028 X-Virus-Scanned: Symantec AntiVirus Scan Engine Subject: pf rules for dhcp servers and clients X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Dave List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 04:00:55 -0000 Hello, I'm reconfiguring my pf firewalls updating to 6.2. I'm having an issue with dhcp, getting the rules right. I've included the rules below, can anyone comment if they're accurate or if you have working ones? Thanks. Dave. This first snipet is from the network dhcp server, contacting the isp's dhcp server so it can get an ip, and providing dhcp leases to other network clients: ext_if = "rl0" # Allow dhcp pass quick on $ext_if inet proto udp from any port bootps to { 255.255.255.255 ($ext_if) } port bootpc $keep_state # Allow UDP requests to port 67 from firewall to exit ext_if # allow DNS requests to port 53 from firewall to exit EXT # in order to contact internet nameservers (keep state on this connection) # allow UDP requests to port 123 from firewall to exit ext_if # in order to contact internet ntp servers # (keep state on this connection) pass quick on $ext_if inet proto { tcp,udp } from ($ext_if) to any port { ntp, domain } queue interact $keep_state # allow UDP requests to port 53 from lan clients to enter LAN # in order to perform dns queries on the firewall (keep state on this connection) pass quick on $int_if inet proto { tcp, udp } from $int_net to $int_if port domain $keep_state # allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if # in order to perform dhcp and ntp queries on the firewall # ( Keep state on this connection) pass quick on $int_if inet proto { tcp, udp } from { $int_net, 255.255.255.255 } to $int_if port { bootpc, bootps } $keep_state pass quick on $int_if inet proto { tcp, udp } from $int_net to $int_if port ntp $keep_state This next is for a lan network client contacting the lan router for dhcp and dns ext_if = "vr0" udp_services = "{ domain, bootpc, ntp }" # allow in udp services (dhcp, dns, ntp etc) pass quick on $ext_if inet proto { tcp, udp } from any to any port $udp_services keep state