Date:      Thu, 3 Jul 2003 00:39:48 -0400
From:      "Bob Hall" <rjhalljr@starpower.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: dhclient
Message-ID:  <20030703043948.GB7340@kongemord.krig.net>
In-Reply-To: <44smpo5p3v.fsf@be-well.ilk.org>
References:  <20030702220602.GF6061@kongemord.krig.net> <44smpo5p3v.fsf@be-well.ilk.org>

On Wed, Jul 02, 2003 at 10:19:16PM -0400, Lowell Gilbert wrote:
> "Bob Hall" <rjhalljr@starpower.net> writes:
> > The firewall is ipfw with the SIMPLE option. The modifications 
> > to the firewall script for DHCP were
> > 	# Accept bootps (dhcp):
> > 	${fwcmd} add allow udp from ${oip}/32 68 to 0.0.0.0/0 67 out
> > 	${fwcmd} add allow udp from 0.0.0.0/0 67 to ${oip}/32 68 in
> 
> That doesn't make any sense.  

OK. Could you explain why? ipfw rules are still a bit of a black 
art for me.

> How about:
>  	${fwcmd} add allow udp from any to any bootps keep-state out via ${oif}

Allow any udp packet from any address to any address, provided it's 
going out through oif. Is that correct? Does keep-state tell ipfw to 
look for responses and let them in?
 
> You don't have an IP address yet, 

When I run "ipfw show", the proper IP address is displayed in the two 
rules. For example:
	allow udp from <my external IP address> 68 to any 67 out
I take this to mean that I do have an IP address. Am I wrong?

> so you can't put an IP address into
> the rule, and the all-zeros address would be what *your* machine is
> using.  You don't know the address of the server, so you have to leave
> that unspecified.  

Thanks for the help. I will try replacing my rules with your suggestion, 
as soon as I can disable the server briefly.

Bob Hall
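The rule sets discussed in this thread, run against a constructed DHCP exchange. This is an added example, not code from the thread or from FreeBSD: it models ipfw static rules plus the keep-state behaviour ipfw(8) describes (a dynamic entry keyed on the packet's addresses and ports that matches later packets in either direction). The client address 192.0.2.50, the server address 192.0.2.1 and the packet sequence are made up; the "via ${oif}" qualifier is left out of the model. What the run shows is the point raised in the reply: the initial DISCOVER leaves 0.0.0.0, so a rule that names the leased address never matches it, and because the OFFER comes back from the server's unicast address to the broadcast address, a keep-state entry created by the DISCOVER does not match it either. Only the lease renewal, which is unicast between the leased address and the server, passes the address-specific and the stateful rule sets.

```python
"""Added example (not from the thread): a small model of ipfw static rules
and keep-state dynamic entries, run over a constructed DHCP exchange.
Addresses are made up; 'via ${oif}' is not modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BOOTPS, BOOTPC = 67, 68          # bootps = server port, bootpc = client port


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str               # "out" or "in", relative to the firewall host


@dataclass(frozen=True)
class Rule:
    src: str                     # "any", "a.b.c.d" or "a.b.c.d/len"
    sport: Optional[int]         # None = any port
    dst: str
    dport: Optional[int]
    direction: str
    keep_state: bool = False

    @staticmethod
    def _addr_ok(pattern: str, addr: str) -> bool:
        if pattern == "any":
            return True
        return ip_address(addr) in ip_network(pattern, strict=False)

    def matches(self, p: Pkt) -> bool:
        return (p.direction == self.direction
                and self._addr_ok(self.src, p.src)
                and self._addr_ok(self.dst, p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class Firewall:
    """Static allow rules with an implicit closing deny, plus dynamic entries
    keyed on (src, sport, dst, dport) that match in either direction once a
    keep-state rule has created them (the behaviour ipfw(8) documents)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = set()

    def check(self, p: Pkt) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.dynamic or rev in self.dynamic:
            return True
        for r in self.rules:
            if r.matches(p):
                if r.keep_state:
                    self.dynamic.add(fwd)
                return True
        return False                      # implicit final deny


# Constructed exchange: discovery is broadcast from the unconfigured address,
# renewal (RENEWING state) is unicast from the leased address.
CLIENT, SERVER = "192.0.2.50", "192.0.2.1"          # made-up addresses
BCAST, UNCONF = "255.255.255.255", "0.0.0.0"
EXCHANGE = [
    ("DISCOVER",  Pkt(UNCONF, BOOTPC, BCAST, BOOTPS, "out")),
    ("OFFER",     Pkt(SERVER, BOOTPS, BCAST, BOOTPC, "in")),
    ("REQUEST",   Pkt(UNCONF, BOOTPC, BCAST, BOOTPS, "out")),
    ("ACK",       Pkt(SERVER, BOOTPS, BCAST, BOOTPC, "in")),
    ("RENEW",     Pkt(CLIENT, BOOTPC, SERVER, BOOTPS, "out")),
    ("RENEW-ACK", Pkt(SERVER, BOOTPS, CLIENT, BOOTPC, "in")),
]

RULESETS = {
    # The pair from the thread, with ${oip} filled in as the leased address.
    "oip/32 pair": [
        Rule(f"{CLIENT}/32", BOOTPC, "0.0.0.0/0", BOOTPS, "out"),
        Rule("0.0.0.0/0", BOOTPS, f"{CLIENT}/32", BOOTPC, "in"),
    ],
    # The keep-state rule suggested in the reply.
    "keep-state": [
        Rule("any", None, "any", BOOTPS, "out", keep_state=True),
    ],
    # A stateless pair that names neither endpoint (added for comparison).
    "any/any pair": [
        Rule("any", BOOTPC, "any", BOOTPS, "out"),
        Rule("any", BOOTPS, "any", BOOTPC, "in"),
    ],
}


def verdicts(name: str) -> dict:
    """Run one rule set over the exchange in order; dynamic entries persist
    between packets, as they would on the firewall."""
    fw = Firewall(RULESETS[name])
    return {label: fw.check(p) for label, p in EXCHANGE}


if __name__ == "__main__":
    for name in RULESETS:
        shown = {k: "pass" if v else "DROP" for k, v in verdicts(name).items()}
        print(f"{name:13} {shown}")
```

The model says nothing about how dhclient itself sends and receives; it only shows which of these UDP packets each rule set would let through, and that for the broadcast part of the exchange a rule has to leave both addresses open, as the reply says.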


