From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 11:22:57 2015
Date: Mon, 05 Jan 2015 13:22:43 +0200
From: wishmaster
To: olivier@cochard.me
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-Id: <1420456491.300138955.6ctqnlp5@frv34.fwdcdn.com>

Hi.

I have the same problem, but with wlan. With a rule like the one below

ipfw add deny log all from any to any

I do not see any packets in the ipfw -d show output. The LAN behind the wlan
interface gets an IP address, but inet is blocked, of course.

----
Vitaliy

--- Original Message ---
From: "Olivier Cochard-Labbé"
Date: 5 January 2015, 12:33:46

> I'm using a pretty simple configuration:
>
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
>
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
>
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
>
> [root@wrap]~# ifconfig sis0
> sis0: flags=8843 metric 0 mtu 1500
>         options=83808
>         ether 00:0d:b9:02:76:58
>         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> [root@wrap]~# ipfw show
> 00100    0    0 allow ip from any to any via lo0
> 00200    4 1631 deny log ip from any to any
> 65535    0    0 deny ip from any to any
>
> [root@wrap]~# cat /var/log/security
> Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
>
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
>
> Are DHCP packets excluded from the filtering/logging engine of ipfw?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 11:47:35 2015
Date: Mon, 5 Jan 2015 12:46:13 +0100
From: Willy Offermans
Reply-To: Willy@Offermans.Rompen.nl
To: Olivier Cochard-Labbé
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <20150105114613.GC31058@vpn.offrom.nl>
User-Agent: Mutt/1.5.21 (2010-09-15)

Hello Olivier and FreeBSD friends,

On Mon, Jan 05, 2015 at 11:33:18AM +0100, Olivier Cochard-Labbé wrote:
> I'm using a pretty simple configuration:
> [...]
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
> [...]
> Are DHCP packets excluded from the filtering/logging engine of ipfw?

I guess that the dhcp daemon is started before the firewall is started or,
better, before the firewall rules are applied.

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
Mobile: +49 1575 414 60 55
e-mail: Willy@Offermans.Rompen.nl
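The check Olivier did by eye above (comparing the ipfw show counters with what reached /var/log/security) as an added Python script, not code from the thread or from FreeBSD: it parses both formats and reports, for every rule carrying log, how many packets ipfw counted, how many lines it logged and how many of those were DHCP (UDP 67/68). The sample input is constructed from the lines quoted in the thread, reassembled onto one line per entry as the kernel writes them.

```python
import re
from collections import Counter
# Constructed sample, reassembled from the `ipfw show` and /var/log/security lines quoted above.
SAMPLE_SHOW = """\
00100 0 0 allow ip from any to any via lo0
00200 4 1631 deny log ip from any to any
65535 0 0 deny ip from any to any
"""
SAMPLE_LOG = """\
Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
"""
SHOW_RE = re.compile(r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<body>.+)$")
# ipfw(8) log format: "ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <if>"
LOG_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)")
DHCP_PORTS = {67, 68}  # bootps / bootpc: every DHCP exchange has one of these on each side

def parse_show(text):
    """Map rule number -> (packets, bytes, rule body) from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = SHOW_RE.match(line.strip())
        if m:
            rules[int(m["rule"])] = (int(m["pkts"]), int(m["bytes"]), m["body"])
    return rules

def parse_log(text):
    """One dict per ipfw log line; unrelated lines (newsyslog, other kernel output) are skipped."""
    entries = []
    for m in (LOG_RE.search(line) for line in text.splitlines()):
        if m:
            e = m.groupdict()
            e.update(rule=int(e["rule"]), sport=int(e["sport"]), dport=int(e["dport"]))
            entries.append(e)
    return entries

def is_dhcp(e):
    return e["proto"] == "UDP" and (e["sport"] in DHCP_PORTS or e["dport"] in DHCP_PORTS)
def check(show_text, log_text):
    """Per 'log' rule: packets ipfw counted, lines it logged, and DHCP lines among them.
    matched > logged is expected once net.inet.ip.fw.verbose_limit is hit; dhcp_logged == 0
    while the box still obtained a lease means the lease traffic never traversed that rule."""
    rules, entries = parse_show(show_text), parse_log(log_text)
    logged = Counter(e["rule"] for e in entries)
    return {n: {"matched": pkts, "logged": logged[n],
                "dhcp_logged": sum(1 for e in entries if e["rule"] == n and is_dhcp(e))}
            for n, (pkts, _, body) in rules.items() if " log " in f" {body} "}
```

Run check(open-ed ipfw show output, the security log) on a real host; a lease in hand together with dhcp_logged == 0 reproduces exactly what the thread describes.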