From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 10:33:40 2015
From: Olivier Cochard-Labbé
Sender: cochard@gmail.com
Date: Mon, 5 Jan 2015 11:33:18 +0100
Subject: Why does ipfw neither filter nor log DHCP packets?
To: freebsd-ipfw@freebsd.org
List-Id: IPFW Technical Discussions

I'm using a pretty simple configuration.

My rc.conf:

ifconfig_sis0="DHCP"
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"

My /etc/ipfw.rules:

#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add pass ip from any to any via lo0
${fwcmd} add deny log ip from any to any

But after a reboot this machine is still able to get an IP address by DHCP, and nothing (related to DHCP) is logged by the firewall:

[root@wrap]~# ifconfig sis0
sis0: flags=8843 metric 0 mtu 1500
        options=83808
        ether 00:0d:b9:02:76:58
        inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
        media: Ethernet autoselect (100baseTX )
        status: active
[root@wrap]~# ipfw show
00100    0    0 allow ip from any to any via lo0
00200    4 1631 deny log ip from any to any
65535    0    0 deny ip from any to any
[root@wrap]~# cat /var/log/security
Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0

I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.

Are DHCP packets excluded from the filtering/logging engine of ipfw?
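Added example (editor's note, not part of the original message or of FreeBSD's own rc scripts): a variant of the poster's rule set that puts explicit, counted rules in front of the catch-all deny for the two DHCP port pairs (client 68 -> server 67 outbound, server 67 -> client 68 inbound), plus two small functions that read an `ipfw show` listing and report what those rules counted. The counters are the check a practitioner wants here: if a lease is obtained while the DHCP rules stay at zero packets, the exchange did not pass through ipfw's layer-3 hooks at all. One caveat worth keeping in mind when reading the result: FreeBSD's dhclient(8) sends and receives its DHCP packets through bpf(4), so an ipfw deny rule does not prevent the client itself from obtaining a lease. The rule numbers 150/160, the `EXT_IF` variable and the interface default `sis0` are assumptions; the listing in the usage note is constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the original post. Extends the poster's rule set
# with counted DHCP rules so that `ipfw show` reveals whether the lease
# exchange is visible to ipfw. Caveat: dhclient(8) on FreeBSD uses bpf(4),
# so these rules do not stop the client's own exchange; they only count it.
# Assumptions: rule numbers 150/160, EXT_IF defaulting to sis0.

fwcmd="/sbin/ipfw -q"
ext_if="${EXT_IF:-sis0}"

# Load the rule set: same shape as the poster's script, with two counted
# (and logged) DHCP rules inserted before the final deny.
install_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    # DHCPDISCOVER / DHCPREQUEST: client port 68 -> server port 67, outbound
    ${fwcmd} add 150 count log udp from any 68 to any 67 out via "$ext_if"
    # DHCPOFFER / DHCPACK: server port 67 -> client port 68, inbound
    ${fwcmd} add 160 count log udp from any 67 to any 68 in via "$ext_if"
    ${fwcmd} add 200 deny log ip from any to any
}

# Read `ipfw show` output on stdin and print "rule packets bytes" for the
# DHCP rules only. Matching on the rule body (not on field positions after
# the counters) keeps this independent of whether "log" is present.
dhcp_counters() {
    awk '/ udp from any 68 to any 67 / || / udp from any 67 to any 68 / { print $1, $2, $3 }'
}

# Exit 0 if at least one DHCP rule exists and none of them has a zero packet
# count, 1 otherwise. Zero counts next to a freshly obtained lease mean the
# DHCP exchange bypassed ipfw.
dhcp_seen() {
    dhcp_counters | awk '
        BEGIN { n = 0; z = 0 }
        { n++; if ($2 == 0) z++ }
        END { exit ((n > 0 && z == 0) ? 0 : 1) }'
}

# Only touch the kernel when explicitly asked: "sh this_script.sh install".
if [ "${1-}" = "install" ]; then
    install_rules
    /sbin/ipfw show | dhcp_counters
fi
```

Usage: run the script with `install` as root after boot, obtain or renew a lease, then run `/sbin/ipfw show | dhcp_counters` (or pipe the listing into `dhcp_seen` and check its exit status). On a constructed listing such as "00150 4 1312 count log udp from any 68 to any 67 out via sis0" the first function prints "00150 4 1312"; on a listing where both DHCP rules show 0 packets, `dhcp_seen` exits 1.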