Date: Mon, 5 Jan 2015 14:41:47 +0100
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: Willy@offermans.rompen.nl
Cc: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, Luigi Rizzo <rizzo@iet.unipi.it>
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <CA%2Bq%2BTcoX7_0%2B%2BG8b77T-CXGDzmNZhww8hGXVsJxL0C0Qf5cQ7Q@mail.gmail.com>
In-Reply-To: <20150105122809.GD31058@vpn.offrom.nl>
References: <CA%2Bq%2BTcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com> <CA%2BhQ2%2Bgt0JzbQo-2TWtzf_DS-di6csbuGn=GoOaoStuQJdT8sg@mail.gmail.com> <20150105122809.GD31058@vpn.offrom.nl>

On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans <Willy@offermans.rompen.nl> wrote:

> Hello Luigi and FreeBSD friends,
>
> I do top posting.
>
> So there might be a chance that something slips through the firewall
> between the start of the firewall and after the bpf traffic of dhclient.
> Once the NIC is configured, traffic is possible in principle.
> Would it be better to start the bpf traffic of dhclient after the firewall
> runs? In the latter case, all will or can work as expected. If yes, how
> should this be set? Should one set
>
> REQUIRE: firewall
>
> in /etc/rc.d/dhclient? But there seems no firewall daemon to be present. So
> I'm not sure how this should work.
>

I believe that when Luigi says "that acts before the firewall has a chance to see the packets", he was not speaking of the RC script order, but about the FreeBSD network stack layer order.
Do you confirm, Luigi?

Because I've tried to fix ipfw's RC script order by changing:
- /etc/rc.d/ipfw: replaced "REQUIRE: ppp" by "REQUIRE: FILESYSTEMS" (like /etc/rc.d/ipfilter)
- /etc/rc.d/netif: Add "ipfw" in the REQUIRE list

But no change: DHCP is still allowed.

Then, why are there specific DHCP-client rules in the /etc/rc.firewall script (like in WORKSTATION mode) if they are useless?