From: alex@schnarff.com
To: freebsd-questions@freebsd.org
Date: Wed, 28 Feb 2007 13:19:13 -0500
Subject: Re: pf.conf and cable modem
Message-ID: <20070228131913.y8awi6yt74c88084@mail.schnarff.com>
In-Reply-To: <20070228180215.03fcd926@gumby.homeunix.com>
Quoting RW:

> On Wed, 28 Feb 2007 12:44:21 -0500
> alex@schnarff.com wrote:
>
>> Quoting RW:
>
>>> When I used DHCP with PF, I found that it just worked without any
>>> rules at all.
>>
>> That's been my experience as well (admittedly on OpenBSD, but it's
>> basically the same PF). Remember, your NIC's initialization sequence,
>> which is where the DHCP request will come, happens before PF is
>> enabled, so you're essentially at a "pass all" sort of a state when
>> the request happens.
>>
>> The one thing to keep in mind is that if you're doing, say, NAT for
>> some clients behind the box, you can use a rule like this to deal
>> with any changes in your dynamic IP
>
> Not in my experience.
>
> I was using a half-bridge modem that had a 30 second lease time, which
> was definitely renewing. It would also give me a private address when
> PPPoA went down, and I saw that happen too.

Are you sure it was a 30 *second* lease time? No sane ISP would set such
a low value -- that's a surefire way to overwhelm their DHCP servers. It
sounds like either a) there was something misconfigured on one end of
the connection (and I make no value judgement as to which end it was,
given the lack of evidence), or b) you had an incredibly stupid ISP that
I'd like the name of, so that I can avoid them at all costs.

> I added-in some early static rules to log all the DHCP packets. IIRC I
> never saw any of the lease renewal packets, just some broadcast
> packets. I asked in this list about it but never got a reply.

What were the rules? I'd be curious to see them.

> I suspect that either DHCP sees the packets directly in some way, or PF
> has some special handling for DHCP. In either case it would make sense
> for PF rules to see the broadcasts, since they might need to be
> bridged.

Given this thread:

http://marc.theaimsgroup.com/?l=openbsd-pf&m=115702991719970&w=2

I'd say that DHCP goes on at a level below PF, at least on OpenBSD (which,
again, should be largely similar, if not identical, on FreeBSD). In any
case, the OP shouldn't have to do anything special to let DHCP through,
especially if he's got something like:

pass out quick on $ext_if proto udp all keep state

in his ruleset, which probably makes sense anyway.

Alex Kirk
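An added example, not part of the thread and not Alex's or RW's rules: a minimal pf.conf in the syntax of the day (FreeBSD 6.x pf, where `keep state` is not the default) that covers the two points argued above, NAT that survives a DHCP lease change and DHCP rules that actually produce evidence in pflog. The interface names (xl0, fxp0) and the inside network are assumptions for the example.

```pf
# Added example ruleset; interface names and inside network are assumed.
ext_if  = "xl0"            # NIC facing the cable modem, address from DHCP
int_if  = "fxp0"           # inside NIC
int_net = "192.168.1.0/24" # inside network

# Parentheses make pf look up the interface's current address each time
# the rule is evaluated, so NAT keeps working after a lease renewal hands
# the box a new address. Without them the address is fixed at load time
# and a renewal leaves every NATed client stranded until "pfctl -f".
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny, logged, so anything that is not explicitly passed shows
# up on pflog0 rather than silently disappearing.
block log all

# Explicit, logged DHCP client rules, evaluated before everything else.
# They are deliberately stateless: a state entry would match the renewal
# reply before the rules are consulted, and the reply would then never be
# logged. Stateless rules force every packet through the ruleset, which is
# what settles "does pf ever see the renewals" on a given box:
#     tcpdump -n -e -ttt -i pflog0 udp port 67 or udp port 68
# The initial DISCOVER goes from 0.0.0.0 to 255.255.255.255, which
# "from any to any" covers. On newer pf (OpenBSD 4.1+, FreeBSD 7+) add
# "no state" to keep these rules stateless.
pass out log quick on $ext_if inet proto udp from any port 68 to any port 67
pass in  log quick on $ext_if inet proto udp from any port 67 to any port 68

# The catch-all from the message above; with it in place the DHCP rules
# are only there for logging and are not needed for the lease to work.
pass out quick on $ext_if proto udp all keep state
pass out quick on $ext_if proto tcp all flags S/SA keep state

# Trust the inside.
pass in  quick on $int_if all
pass out quick on $int_if all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a stray `keep state` on the two DHCP rules will parse fine but quietly defeat the logging check described in the comments.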