From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 13:42:09 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4561B3C3 for ; Mon, 5 Jan 2015 13:42:09 +0000 (UTC) Received: from mail-wg0-x234.google.com (mail-wg0-x234.google.com [IPv6:2a00:1450:400c:c00::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C7EE564442 for ; Mon, 5 Jan 2015 13:42:08 +0000 (UTC) Received: by mail-wg0-f52.google.com with SMTP id x12so27408350wgg.25 for ; Mon, 05 Jan 2015 05:42:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=zFYR6TU8PEKtrWDgCzYiZE7j+SPBLf/DafLoU1frgqE=; b=owwiNXT38rDYEwf8aGBxxi/zzpdInOicQq7i408CitOEBmIE3l+3OWV8zgSgJS5Oke 29HwAUkU9DBQw3CkoZDUs+TeLCI+p5ghs8kVcW3jt3ln7jQH4JpLb0MLdb1IEuquC0iS kwgplrJcAq9OlHvX1wDdyOueWAT1O2AwQVFwArmDHqai2h5Kbyz0Dpib2HpagRDE5kDb PwiOmd9m2BM4ZnVA9GzE0aG736CP9T+qaVn2t5hHfqfZBLIqwniAdTNt9lU6sjhXzY3C I6yy7HJEOF30AcX7c3DCYOQTqNiTxTJ3crNATtbo9BCgMDcsiiSrq/4VrxcaMnN1dNjQ u9AQ== X-Received: by 10.180.101.200 with SMTP id fi8mr25743575wib.77.1420465327182; Mon, 05 Jan 2015 05:42:07 -0800 (PST) MIME-Version: 1.0 Sender: cochard@gmail.com Received: by 10.194.61.98 with HTTP; Mon, 5 Jan 2015 05:41:47 -0800 (PST) In-Reply-To: <20150105122809.GD31058@vpn.offrom.nl> References: <20150105122809.GD31058@vpn.offrom.nl> From: =?ISO-8859-1?Q?Olivier_Cochard=2DLabb=E9?= Date: Mon, 5 Jan 2015 14:41:47 +0100 X-Google-Sender-Auth: 4jgSFjK8bKkYOIQRay_Ympq52wo Message-ID: Subject: Re: Why ipfw didn't filter neither log DHCP packets ? To: Willy@offermans.rompen.nl Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: "freebsd-ipfw@freebsd.org" , Luigi Rizzo X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Jan 2015 13:42:09 -0000 On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans wrote: > Hello Luigi and FreeBSD friends, > > I do top posting. > > So there might be a chance that someting slips through the firewall > between the start of the firewall and after the bpf traffic of dhclient. > Once the NIC is configured, traffic is possible in principle. > Would it be better to start the bpf traffic of dhclient after the firewall > runs. In the latter case, all will or can work as expected. If yes, how > should this be set? Should one set > > REQUIRE: firewall > > in /etc/rc.d/dhclient? But there seems no firewall daemon to be present. So > I'm not sure how this should work. > > I believe that when Luigi says "that acts before the firewall has a chance to see the packets", he was not speaking of the RC script order, but about the FreeBSD network stack layer order. Do you confirm Luigi ? Because I've tryed to fix ifpw's RC script order by changing: - /etc/rc.d/ipfw: replaced "REQUIRE: ppp" by "REQUIRE: FILESYSTEMS" (like /etc/rc.d/ipfilter) - /etc/rc.d/netif: Add "ipfw" in the REQUIRE list But no change: DHCP is still allowed. Then, why there are specific DHCP-clients rules in /etc/rc.firewall script (like in WORKSTATION mode) if there are useless ?