Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 05 Jan 2015 13:22:43 +0200
From:      wishmaster <artemrts@ukr.net>
To:        olivier@cochard.me
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID:  <1420456491.300138955.6ctqnlp5@frv34.fwdcdn.com>
In-Reply-To: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>
References:  <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi. Have the same problem, but with wlan. With rule like below
Ipfw add deny log all from any to any

i do not see any packets in ipfw -d show output.
LAN behind wlan interface gets ip-addr, but inet is blocked, of course.

----
Vitaliy


 --- Original Message ---
 From: "Olivier Cochard-Labbé" 
 Date: 5 January 2015, 12:33:46
 


> I'm using a pretty simple configuration:
> 
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
> 
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q".
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
> 
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
> 
> [root@wrap]~# ifconfig sis0
> sis0: flags=8843  metric 0 mtu 1500
> options=83808 
> ether 00:0d:b9:02:76:58
> inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
> media: Ethernet autoselect (100baseTX )
> status: active
> 
> [root@wrap]~# ipfw show
> 00100 0 0 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 0 0 deny ip from any to any
> 
> [root@wrap]~# cat /var/log/security
> Jan 1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> 
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
> 
> Are DHCP packets exluded from the filtering/logging engine of ipfw ?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> 
 
From owner-freebsd-ipfw@FreeBSD.ORG  Mon Jan  5 11:47:35 2015
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 25E0899F
 for <freebsd-ipfw@freebsd.org>; Mon,  5 Jan 2015 11:47:35 +0000 (UTC)
Received: from cpsmtpb-ews08.kpnxchange.com (cpsmtpb-ews08.kpnxchange.com
 [213.75.39.13]) by mx1.freebsd.org (Postfix) with ESMTP id 8572A64833
 for <freebsd-ipfw@freebsd.org>; Mon,  5 Jan 2015 11:47:33 +0000 (UTC)
Received: from cpsps-ews19.kpnxchange.com ([10.94.84.185]) by
 cpsmtpb-ews08.kpnxchange.com with Microsoft SMTPSVC(7.5.7601.17514); 
 Mon, 5 Jan 2015 12:46:20 +0100
Received: from CPSMTPM-CMT106.kpnxchange.com ([195.121.3.22]) by
 cpsps-ews19.kpnxchange.com with Microsoft SMTPSVC(7.5.7601.17514); 
 Mon, 5 Jan 2015 12:46:20 +0100
Received: from donald.offrom.nl ([77.170.60.162]) by
 CPSMTPM-CMT106.kpnxchange.com over TLS secured channel with Microsoft
 SMTPSVC(7.0.6002.18264); Mon, 5 Jan 2015 12:46:20 +0100
Received: from squid (squid.vpn.offrom.nl [10.168.0.72])
 by donald.offrom.nl (8.14.8/8.14.8) with ESMTP id t05BkIFZ006593;
 Mon, 5 Jan 2015 12:46:18 +0100 (CET)
 (envelope-from Willy@Offermans.Rompen.nl)
Received: from willy by squid with local (Exim 4.80)
 (envelope-from <Willy@Offermans.Rompen.nl>)
 id 1Y866v-00087V-Ba; Mon, 05 Jan 2015 12:46:13 +0100
Date: Mon, 5 Jan 2015 12:46:13 +0100
From: Willy Offermans <Willy@Offermans.Rompen.nl>
To: Olivier =?iso-8859-1?Q?Cochard-Labb=E9?= <olivier@cochard.me>
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <20150105114613.GC31058@vpn.offrom.nl>
Reply-To: Willy@Offermans.Rompen.nl
References: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-OriginalArrivalTime: 05 Jan 2015 11:46:20.0463 (UTC)
 FILETIME=[3919F3F0:01D028DD]
X-RcptDomain: freebsd.org
Cc: freebsd-ipfw@freebsd.org
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw/>;
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jan 2015 11:47:35 -0000

Hello Olivier and FreeBSD friends,

On Mon, Jan 05, 2015 at 11:33:18AM +0100, Olivier Cochard-Labbé wrote:
> I'm using a pretty simple configuration:
> 
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
> 
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q".
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
> 
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
> 
> [root@wrap]~# ifconfig sis0
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
>         ether 00:0d:b9:02:76:58
>         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> 
> [root@wrap]~# ipfw show
> 00100 0    0 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 0    0 deny ip from any to any
> 
> [root@wrap]~# cat /var/log/security
> Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> 
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
> 
> Are DHCP packets exluded from the filtering/logging engine of ipfw ?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

I guess that dhcp daemon is started before firewall is started or, better,
firewall rules are applied.

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
 W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
Mobile: +49 1575 414 60 55
e-mail: Willy@Offermans.Rompen.nl



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?1420456491.300138955.6ctqnlp5>