From: RW
To: freebsd-questions@freebsd.org
Date: Wed, 28 Feb 2007 18:02:15 +0000
Subject: Re: pf.conf and cable modem
Message-ID: <20070228180215.03fcd926@gumby.homeunix.com>
In-Reply-To: <20070228124421.j73ex8x4ow0g0o8k@mail.schnarff.com>

On Wed, 28 Feb 2007 12:44:21 -0500 alex@schnarff.com wrote:

> Quoting RW:
>
> > When I used DHCP with PF, I found that it just worked without any
> > rules at all.
>
> That's been my experience as well (admittedly on OpenBSD, but it's
> basically the same PF). Remember, your NIC's initialization sequence,
> which is where the DHCP request will come, happens before PF is
> enabled, so you're essentially at a "pass all" sort of a state when
> the request happens.
>
> The one thing to keep in mind is that if you're doing, say, NAT for
> some clients behind the box, you can use a rule like this to deal
> with any changes in your dynamic IP

Not in my experience. I was using a half-bridge modem that had a 30
second lease time, which was definitely renewing. It would also give me
a private address when PPPoA went down, and I saw that happen too.

I added in some early static rules to log all the DHCP packets. IIRC I
never saw any of the lease renewal packets, just some broadcast packets.
I asked in this list about it but never got a reply.

I suspect that either DHCP sees the packets directly in some way, or PF
has some special handling for DHCP. In either case it would make sense
for PF rules to see the broadcasts, since they might need to be bridged.
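As an added example (not a ruleset from this thread or from either poster), here is a pf.conf fragment of the kind RW describes: early rules that log the DHCP client exchange so pflog0 shows what pf actually sees, plus the parenthesised interface form pf uses to follow a dynamic external address for NAT. The interface names and the internal network are assumptions.

```pf
# Added example: pf.conf fragment for a FreeBSD box whose external address
# is handed out by DHCP from a cable modem. Interface names and the LAN
# prefix below are assumed, not taken from the thread.
ext_if  = "xl0"
int_if  = "fxp0"
lan_net = "192.168.1.0/24"

# Translation rules come before filter rules in pf.conf. Written with
# parentheses, ($ext_if) is re-evaluated whenever the interface address
# changes, so NAT keeps working after a lease renewal hands out a new IP.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Early, unconditional logging of the DHCP exchange in both directions
# (client port 68 -> server port 67, and the reply back). "quick" ends rule
# evaluation here, so these lines are not shadowed by the default block
# below. Read the result with: tcpdump -n -e -ttt -i pflog0 port 67 or port 68
pass out log quick on $ext_if proto udp from any port 68 to any port 67
pass in  log quick on $ext_if proto udp from any port 67 to any port 68

# Default policy for everything else: deny and log, then allow the host's
# own outbound traffic and the LAN behind it.
block log all
pass out on $ext_if keep state
pass in on $int_if from $lan_net keep state
```

dhclient(8) on FreeBSD sends and receives through BPF, so what appears on pflog0 can differ from what tcpdump on $ext_if itself shows; comparing the two is the quickest way to tell whether a given DHCP packet ever reached pf.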