Date:      Mon, 05 Jan 2015 13:22:43 +0200
From:      wishmaster <artemrts@ukr.net>
To:        olivier@cochard.me
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID:  <1420456491.300138955.6ctqnlp5@frv34.fwdcdn.com>
In-Reply-To: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>
References:  <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>

Hi. I have the same problem, but with wlan. With a rule like the one below
ipfw add deny log all from any to any

I do not see any packets in the ipfw -d show output.
The LAN behind the wlan interface gets an IP address, but inet is blocked, of course.

----
Vitaliy


--- Original Message ---
From: "Olivier Cochard-Labbé"
Date: 5 January 2015, 12:33:46

> I'm using a pretty simple configuration:
> 
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
> 
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
> 
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
> 
> [root@wrap]~# ifconfig sis0
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
>         ether 00:0d:b9:02:76:58
>         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> 
> [root@wrap]~# ipfw show
> 00100 0    0 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 0    0 deny ip from any to any
> 
> [root@wrap]~# cat /var/log/security
> Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> 
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
> 
> Are DHCP packets excluded from the filtering/logging engine of ipfw ?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> 
 
Date: Mon, 5 Jan 2015 12:46:13 +0100
From: Willy Offermans <Willy@Offermans.Rompen.nl>
To: Olivier Cochard-Labbé <olivier@cochard.me>
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <20150105114613.GC31058@vpn.offrom.nl>
Reply-To: Willy@Offermans.Rompen.nl
References: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>
In-Reply-To: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com>

Hello Olivier and FreeBSD friends,

On Mon, Jan 05, 2015 at 11:33:18AM +0100, Olivier Cochard-Labbé wrote:
> I'm using a pretty simple configuration:
> 
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
> 
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
> 
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
> 
> [root@wrap]~# ifconfig sis0
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
>         ether 00:0d:b9:02:76:58
>         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> 
> [root@wrap]~# ipfw show
> 00100 0    0 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 0    0 deny ip from any to any
> 
> [root@wrap]~# cat /var/log/security
> Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> 
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
> 
> Are DHCP packets excluded from the filtering/logging engine of ipfw ?

I guess that the dhcp daemon is started before the firewall is started or, better,
before the firewall rules are applied.

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
 W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
Mobile: +49 1575 414 60 55
e-mail: Willy@Offermans.Rompen.nl
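To check the thread's observation in a repeatable way, here is an added example that is not from any of the posters: a small POSIX sh/awk parser for ipfw log lines in the /var/log/security format quoted above, which summarises logged packets per rule, protocol and destination port and counts how many of them involved the DHCP ports (UDP 67/68, bootps/bootpc). The sample lines are constructed; the two DHCP lines are hypothetical and only show what a logged lease exchange would look like if ipfw saw it.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Constructed sample in the format shown in the thread (one record per line,
# as syslog writes it); the last two lines are hypothetical DHCP records.
SAMPLE_LOG='Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:20 wrap kernel: ipfw: 200 Deny UDP 0.0.0.0:68 255.255.255.255:67 out via sis0
Jan  1 01:17:20 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:67 192.168.100.68:68 in via sis0'

# Read log lines on stdin; print "rule action proto src dst dir iface" for
# every ipfw record and ignore everything else (newsyslog notes etc.).
ipfw_log_parse() {
    awk '/kernel: ipfw: / {
        # Locate the "ipfw:" token; the fields after it are
        # rule action proto src dst dir "via" iface
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        print $(i+1), $(i+2), $(i+3), $(i+4), $(i+5), $(i+6), $(i+8)
    }'
}

# Per rule/protocol/destination-port counts, e.g. "200 UDP 138 2".
ipfw_log_summary() {
    ipfw_log_parse | awk '{ split($5, d, ":"); c[$1 " " $3 " " d[2]]++ }
        END { for (k in c) print k, c[k] }' | sort
}

# Number of logged packets whose source or destination port is 67 or 68.
# A zero here while the interface already holds a lease means the DHCP
# exchange never passed through the ipfw rule that logs everything.
ipfw_dhcp_hits() {
    ipfw_log_parse | awk '{
        split($4, s, ":"); split($5, d, ":")
        if (s[2] == 67 || s[2] == 68 || d[2] == 67 || d[2] == 68) n++
    } END { print n + 0 }'
}

# Stand-alone run over the constructed sample; on a real box replace the
# printf with: cat /var/log/security | ipfw_dhcp_hits
printf '%s\n' "$SAMPLE_LOG" | ipfw_log_summary
printf '%s\n' "$SAMPLE_LOG" | ipfw_dhcp_hits
```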



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1420456491.300138955.6ctqnlp5>