From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 23:28:51 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 04F7837B401
	for ; Thu, 1 May 2003 23:28:51 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8212D43FA3
	for ; Thu, 1 May 2003 23:28:50 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1])
	by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h426SoKF015523;
	Thu, 1 May 2003 23:28:50 -0700 (PDT)
	(envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost)
	by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h426SoN0015522;
	Thu, 1 May 2003 23:28:50 -0700 (PDT)
	(envelope-from rizzo)
Date: Thu, 1 May 2003 23:28:50 -0700
From: Luigi Rizzo
To: Ben Pfountz
Message-ID: <20030501232850.A15489@xorpc.icir.org>
References: <001a01c3105f$3073d160$6511a8c0@benspiece>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <001a01c3105f$3073d160$6511a8c0@benspiece>; from netprince@vt.edu on Thu, May 01, 2003 at 11:59:11PM -0400
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2 on 4.8-stable accepts broadcast dhcp requests?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 02 May 2003 06:28:51 -0000

could it be that dhcp uses bpf to send the packet?
In that case, it will bypass the firewall, even if you have ether.ipfw set

	cheers
	luigi

On Thu, May 01, 2003 at 11:59:11PM -0400, Ben Pfountz wrote:
> I am running 4.8-stable updated a few days ago. I am using a firewall that
> filters clients based on their MAC address, and I noticed a new client could
> acquire a DHCP lease from the server. After staring at my ruleset for a few
> hours, I decided to try removing all rules, except for the default-to-deny
> rule. I tried to renew a DHCP lease from the client and immediately dhcpd
> complained about not having permission to send a response back to the
> client.
>
> I assume the dhcp request that was sent to the server (a broadcast packet)
> passed through the firewall, and the response from dhcpd (a directed packet)
> was blocked by the firewall as it tried to leave the system.
>
> I am using IPFW2, with:
> net.link.ether.ipfw: 1
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
>
> Is this the correct behavior for IPFW2?
>
> -----
> Ben Pfountz
> Computer Science Undergraduate, Virginia Tech
> Computer Systems Engineer, Center for Power Electronic Systems
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
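The following is an added worked example for this thread; it is not code from the thread, from dhcpd or from ipfw. It shows concretely what "dhcp uses bpf to send the packet" means: the server has to build the whole Ethernet/IP/UDP frame for a DHCPOFFER itself, because the IP destination is an address the client does not own yet (the kernel could never ARP for it), and then hands the finished frame to /dev/bpf. Such a write does not go through ip_output(), so IP-layer ipfw rules never get a look at it. The MAC addresses, IP addresses and transaction id below are constructed sample values; the BIOCSETIF ioctl number is FreeBSD's value and is an assumption to check against <net/bpf.h> on the target host before relying on it.

```python
import fcntl
import os
import socket
import struct

# Constructed sample values for this example (not taken from the thread).
SERVER_MAC = "00:50:56:aa:bb:01"
SERVER_IP = "192.168.17.1"
CLIENT_MAC = "00:0c:29:12:34:56"
OFFERED_IP = "192.168.17.101"
XID = 0x3903F326

# FreeBSD: BIOCSETIF = _IOW('B', 108, struct ifreq), ifreq being 32 bytes.
# Assumption: verify this number against <net/bpf.h> on the host you use.
BIOCSETIF = 0x8020426C


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_dhcpoffer(server_ip, client_mac, offered_ip, xid) -> bytes:
    """BOOTP fixed header (RFC 951/2131) plus the options a DHCPOFFER needs:
    message type, server identifier and lease time (RFC 2132)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                   # op=BOOTREPLY, htype=Ethernet, hlen, hops, xid, secs, flags
        b"\0" * 4,                               # ciaddr: the client has no address yet
        socket.inet_aton(offered_ip),            # yiaddr: the address being offered
        socket.inet_aton(server_ip),             # siaddr
        b"\0" * 4,                               # giaddr: no relay agent involved
        mac_bytes(client_mac).ljust(16, b"\0"),  # chaddr
        b"\0" * 64, b"\0" * 128,                 # sname, file
    )
    options = (
        b"\x63\x82\x53\x63"                              # DHCP magic cookie
        + bytes([53, 1, 2])                              # option 53: DHCPOFFER
        + bytes([54, 4]) + socket.inet_aton(server_ip)   # option 54: server identifier
        + bytes([51, 4]) + struct.pack("!I", 3600)       # option 51: lease time (seconds)
        + b"\xff"                                        # end of options
    )
    return fixed + options


def build_offer_frame(server_mac, server_ip, client_mac, offered_ip, xid) -> bytes:
    """Wrap the OFFER in UDP 67->68, IPv4 and an Ethernet header addressed
    straight to the client's MAC.  This is the frame a BPF-based DHCP server
    writes to the device; a normal UDP socket could not deliver it."""
    payload = build_dhcpoffer(server_ip, client_mac, offered_ip, xid)
    src, dst = socket.inet_aton(server_ip), socket.inet_aton(offered_ip)

    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 67, 68, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp_sum = checksum(pseudo + udp) or 0xFFFF   # a literal 0 would mean "no checksum"
    udp = udp[:6] + struct.pack("!H", udp_sum) + udp[8:]

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     socket.IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]

    eth = mac_bytes(client_mac) + mac_bytes(server_mac) + b"\x08\x00"
    return eth + ip + udp


def decode_frame(frame: bytes) -> dict:
    """Extract the fields a layer-2 rule (MACs) and a layer-3/4 rule
    (addresses, ports) would key on, and verify both checksums."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    udp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, proto, len(udp))
    dhcp, msg_type, i = udp[8:], None, 240     # options follow 236-byte header + cookie
    while i < len(dhcp) and dhcp[i] != 0xFF:
        if dhcp[i] == 0:                       # pad option
            i += 1
            continue
        code, length = dhcp[i], dhcp[i + 1]
        if code == 53:
            msg_type = dhcp[i + 2]
        i += 2 + length
    return {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "ethertype": ethertype,
        "proto": proto,
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "dhcp_msg_type": msg_type,
        "ip_checksum_ok": checksum(ip) == 0,
        "udp_checksum_ok": checksum(pseudo + udp) == 0,
    }


def send_via_bpf(frame: bytes, ifname: str) -> int:
    """FreeBSD only: write the finished frame to BPF.  Tries the cloning
    /dev/bpf first, then /dev/bpfN for older systems such as 4.x."""
    fd = None
    for name in ["/dev/bpf"] + ["/dev/bpf%d" % n for n in range(8)]:
        try:
            fd = os.open(name, os.O_RDWR)
            break
        except OSError:
            continue
    if fd is None:
        raise RuntimeError("no usable bpf device")
    try:
        fcntl.ioctl(fd, BIOCSETIF, struct.pack("16s16x", ifname.encode()))
        return os.write(fd, frame)
    finally:
        os.close(fd)


if __name__ == "__main__":
    frame = build_offer_frame(SERVER_MAC, SERVER_IP, CLIENT_MAC, OFFERED_IP, XID)
    print(len(frame), "bytes:", decode_frame(frame))
```

decode_frame() prints the source MAC that a MAC-based ipfw rule would have to match, which is the point of the thread: a rule can only act on what reaches it, and a frame written to BPF reaches the interface without passing ip_output(). The receive side is the mirror image. A server reading from BPF gets the client's broadcast DHCPDISCOVER tapped at the interface, before the packet is handed up to the stack where ipfw inspects it, which is consistent with Ben's observation that the request got in under a bare default-deny ruleset. The reply that dhcpd does send through an ordinary UDP socket, such as the unicast answer to a renewal, goes through ip_output() and is the one ipfw can refuse, which is the "permission" complaint he saw.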