From owner-freebsd-pf@FreeBSD.ORG Mon Mar 5 13:40:39 2007
Message-ID: <45EC1DCA.3080001@vwsoft.com>
Date: Mon, 05 Mar 2007 14:40:26 +0100
From: Volker <volker@vwsoft.com>
To: "rance@frontiernet.net"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20070305043922.qgd8g96zo6jo0g0k@webmail.frontiernet.net>
Subject: Re: home router with internal services available question
List-Id: "Technical discussion and general questions about packet filter (pf)"
On 12/23/-58 20:59, rance@frontiernet.net wrote:
> I had a basic NAT setup that was almost working. DHCP requests on my
> LAN were not getting answered by the gateway host.
>
> I looked at the firewall rules and figured it was because there wasn't a
> specific way to handle port 67 data (it should be handled by the internal
> interface of the FreeBSD box).
>
> With the firewall disabled LAN machines can get an IP address, but can't
> surf the net; with the firewall enabled they can surf the net, but can't
> get a DHCP address.

That's an easy one if you know what's going on on the wire:

- let udp/bootps and udp/bootpc pass your fw rules
- DO NOT filter for IP address ranges for these rules!

A DHCP request arrives at your machine w/o any IP address assigned, or it
may arrive with an IP address not known to your machine (169.anything -
Windows does this, for example).

So you should not filter like:

  pass on $int_if proto udp from 192.168.1.0/24 to self port bootps keep state

but instead:

  pass in log on $int_if proto udp from any to self port bootps keep state

In my rules I'm additionally using these rules:

  pass in log on $int_if proto udp from any to any port bootpc keep state
  pass in log on $int_if proto udp from any port bootpc to any keep state

but I don't think they're necessary, as the very first rule ("...to self
port bootps...") should match.

That should be all. You should watch the packet flow using tcpdump (either
on pflog0 or your real network NIC).

HTH,
Volker
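As an added example (not part of Volker's mail or the original poster's ruleset), here is a complete pf.conf fragment that places the address-restricted rule that breaks DHCP next to a working pair of rules. The interface macro, the LAN prefix and the default block policy are assumptions; the packet addresses in the comments are what a DHCP client actually puts on the wire.

```pf
# Added example, not from the mailing-list thread.
int_if  = "fxp0"            # assumption: the interface facing the LAN
lan_net = "192.168.1.0/24"  # assumption: the prefix your dhcpd hands out

# Assumed default policy: nothing passes unless a rule below allows it.
block log all

# BROKEN: a client that has no lease yet sends DHCPDISCOVER/DHCPREQUEST
# from source 0.0.0.0 (or from a self-assigned 169.254.x.x address) to
# 255.255.255.255, so the source prefix here never matches and the
# request falls through to the block rule above.
# pass in on $int_if proto udp from $lan_net to self port bootps keep state

# WORKING: constrain the ports, not the addresses. "to any" covers both
# the 255.255.255.255 broadcast of the initial exchange and the unicast
# renewals a client sends straight to the server address later on.
pass in log on $int_if proto udp from any port bootpc to any port bootps keep state

# The server's DHCPOFFER/DHCPACK goes out from <server ip>:67 to
# 255.255.255.255:68 (or to the client's new address). That does not match
# the state created by the request above (its source was 0.0.0.0), so with
# a default block policy the reply needs its own rule.
pass out on $int_if proto udp from any port bootps to any port bootpc keep state

# Everything else from the LAN can stay restricted to the real prefix.
pass in on $int_if from $lan_net to any keep state
```

Parse the file without loading it first (`pfctl -nf /etc/pf.conf`), then watch both sides of the exchange while a client requests a lease: `tcpdump -n -e -ttt -i pflog0 port 67 or port 68` shows what the `log` keyword and the block rule catch, and `tcpdump -ni fxp0 udp port 67 or udp port 68` shows the raw traffic on the LAN interface. A DISCOVER that appears on the NIC but also on pflog0 as blocked is the symptom described above.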