From: Gardner Bell
To: freebsd-questions@freebsd.org
Date: Thu, 10 Mar 2005 16:11:31 -0500 (EST)
Subject: Problem with pf.conf
Message-ID: <20050310211131.8098.qmail@web88007.mail.re2.yahoo.com>

Hello all,

I'm trying to reconfigure a more restrictive packet filtering firewall for my home network but am running into some trouble. When I run dhclient dc0 in an attempt to obtain an IP address from my ISP I receive the normal:

    DHCPREQUEST on dc0 to 255.255.255.255 port 67
    DHCPDISCOVER on dc0 to 255.255.255.255 port 67

DHCPDISCOVER eventually fails after the fourth or fifth try. When I run tcpdump at the same time as dhclient dc0 I receive the following arp requests. The 70.xxx.xxx.x is the gateway I'm trying to communicate with.

    14:59 arp who-has 7.x.xxx.xxx tell 70.xxx.xxx.x
    ...

I see about 3-400 of these. Here is a partial excerpt of my pf.conf with what I believe to be the most relevant sections needed to obtain an IP on the WAN nic.

    pass out on $ext_if proto tcp from any to x.x.x.x port 53 keep state
    pass out on $ext_if proto udp from any to x.x.x.x port 53 keep state

The above lines are duplicated as I have two nameservers that I am able to use. To contact my ISP's DHCP I use the following:

    pass out on $ext_if proto udp from any to x.x.x.x port 68 keep state
    pass in on $ext_if from x.x.x.x to any port 68 keep state

I also seem to be having a problem with the same NAT directive I've used on less restrictive firewalls.

    nat on $ext_if from $int_if:network to any -> ($ext_if)

Any help is greatly appreciated.

Regards,
Gardner
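The dhclient output quoted above shows the client side of a DHCP exchange: UDP from port 68 to port 67, sent to the broadcast address 255.255.255.255 before the host has any address of its own. The following pf.conf fragment is an added example, not part of the original post, showing how client-side DHCP rules are usually written against those ports; the interface name dc0 comes from the post, everything else is assumed for illustration.

```pf
# Added example (not from the original post): pf.conf fragment for a
# host that obtains its external address via DHCP.  The interface name
# dc0 is taken from the post; the rest is an assumption for illustration.
ext_if = "dc0"

# As a DHCP client the host sends from UDP port 68 to UDP port 67.  A
# DHCPDISCOVER leaves with source 0.0.0.0 and destination
# 255.255.255.255, so neither address can be pinned to a specific ISP
# host in this rule; the port pair is what identifies the traffic.
pass out on $ext_if proto udp from any port 68 to any port 67 keep state

# Offers and acknowledgements return from port 67 to port 68.  The reply
# to a broadcast DISCOVER may itself be a broadcast, which the state
# created by the outbound rule above does not necessarily match, so the
# inbound direction is allowed explicitly and limited to the same ports.
pass in on $ext_if proto udp from any port 67 to any port 68 keep state
```

Load the rules with `pfctl -f /etc/pf.conf` and watch the exchange with `tcpdump -ni dc0 udp port 67 or udp port 68` to confirm both directions are seen on the wire.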