From: "Bob Hall"
Date: Thu, 3 Jul 2003 00:39:48 -0400
To: freebsd-questions@freebsd.org
Subject: Re: dhclient
Message-ID: <20030703043948.GB7340@kongemord.krig.net>
In-Reply-To: <44smpo5p3v.fsf@be-well.ilk.org>

On Wed, Jul 02, 2003 at 10:19:16PM -0400, Lowell Gilbert wrote:
> "Bob Hall" writes:
> > The firewall is ipfw with the SIMPLE option. The modifications
> > to the firewall script for DHCP were
> > # Accept bootps (dhcp):
> > ${fwcmd} add allow udp from ${oip}/32 68 to 0.0.0.0/0 67 out
> > ${fwcmd} add allow udp from 0.0.0.0/0 67 to ${oip}/32 68 in
>
> That doesn't make any sense.

OK. Could you explain why? ipfw rules are still a bit of a black art
for me.

> How about:
> ${fwcmd} add allow udp from any to any bootps keep-state out via ${oif}

Allow any udp packet from any address to any address, provided it's
going out through oif. Is that correct? Does keep-state tell ipfw to
look for responses and let them in?

> You don't have an IP address yet,

When I run "ipfw show", the proper IP address is displayed in the two
rules. For example:
allow udp from 68 to any 67 out
I take this to mean that I do have an IP address. Am I wrong?

> so you can't put an IP address into
> the rule, and the all-zeros address would be what *your* machine is
> using. You don't know the address of the server, so you have to leave
> that unspecified.

Thanks for the help. I will try replacing my rules with your suggestion,
as soon as I can disable the server briefly.

Bob Hall
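
Added example, not part of the original thread: a minimal Python model of the outbound rule match, illustrating the quoted point about the all-zeros address. A client without a lease sends DHCPDISCOVER from 0.0.0.0 port 68 to the broadcast address, so a rule pinned to ${oip} matches only a later unicast renewal. The addresses are constructed documentation values, the class and function names are hypothetical, and keep-state and via are not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" or "in"


@dataclass(frozen=True)
class Rule:
    src: str                # CIDR string, or "any"
    sport: Optional[int]    # None means any port
    dst: str
    dport: Optional[int]
    direction: str


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every field of the rule."""
    return (rule.direction == pkt.direction
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


OIP = "192.0.2.10"     # constructed stand-in for ${oip}
SERVER = "192.0.2.1"   # constructed DHCP server address

# allow udp from ${oip}/32 68 to 0.0.0.0/0 67 out
ORIGINAL_OUT = Rule(f"{OIP}/32", 68, "0.0.0.0/0", 67, "out")
# allow udp from any to any bootps ... out
SUGGESTED_OUT = Rule("any", None, "any", 67, "out")

PACKETS = {
    # No lease yet: source is all zeros, destination is broadcast.
    "discover": Packet("0.0.0.0", 68, "255.255.255.255", 67, "out"),
    # Lease held: the renewal is unicast from the leased address.
    "renew": Packet(OIP, 68, SERVER, 67, "out"),
}


def verdicts(rule: Rule) -> dict:
    return {name: matches(rule, pkt) for name, pkt in PACKETS.items()}
```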