Date: Sat, 12 Oct 2002 13:48:37 -0600
From: John Nielsen <john@jnielsen.net>
To: ipfw@freebsd.org
Subject: net.link.ether.ipfw + DHCP
Message-ID: <200210121348.37931.john@jnielsen.net>
I've been experimenting with ipfw2 rules to filter access based on both IP address and MAC address. I'm using ipfw2 on 4.7-RELEASE, and the kernel has DEFAULT_TO_DENY. This particular server uses DHCP to obtain an IP address from my cable provider. I've run into a bit of a catch-22 and wanted to see if any of you have any suggestions (and I also want to verify that my analysis of the problem is correct).

Basically, it seems that having net.link.ether.ipfw=1 in /etc/sysctl.conf will prevent DHCP from working on a DEFAULT_TO_DENY firewall, due to the order of the startup scripts. dhclient is being run after sysctl.conf is processed, but before the firewall script is run. So even though I have an "add allow layer2 not mac-type ip" rule at the beginning of my ruleset, dhclient is blocked by the default deny rule of the firewall.

Setting net.link.ether.ipfw from rc.local is probably an acceptable workaround, but I'd still like to hear if you have any comments or suggestions.

Thanks,

JN
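The ordering problem described in the message, worked through as an added example (this is not code from the original post or from the FreeBSD rc scripts). The script loads a ruleset that permits the DHCP exchange on both the layer-2 pass and the layer-3 pass, and only after the rules are in place does it set net.link.ether.ipfw=1, so the sysctl is never enabled against an empty DEFAULT_TO_DENY ruleset. The interface name fxp0, the rule numbers, and the APPLY/DRYRUN conventions are assumptions made for the example; plan() prints the command sequence without touching the system.

```sh
#!/bin/sh
# Added example for this thread, not code from the original message or from
# the FreeBSD rc scripts.  Assumptions (not in the original): the DHCP
# interface is fxp0, the rule numbers, and that this runs from rc.local (or in
# place of the normal firewall script) on a kernel built with DEFAULT_TO_DENY.
#
# The point: load a ruleset that permits DHCP on BOTH the layer-2 pass and the
# layer-3 pass, and only then set net.link.ether.ipfw=1.  Setting the sysctl
# from /etc/sysctl.conf switches the layer-2 pass on while the ruleset is still
# empty, and a DEFAULT_TO_DENY kernel then drops dhclient's frames.

IF=${IF:-fxp0}   # constructed interface name; export IF=... to override

# run CMD...: execute CMD, or just print it when DRYRUN is set (see plan()).
run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

load_ruleset() {
    run ipfw -q flush
    # Layer-2 pass: non-IP frames (ARP) must always get through.
    run ipfw -q add 100 allow layer2 not mac-type ip
    # Layer-2 pass: DHCP client -> server and server -> client on $IF.
    # dhclient normally talks through BPF, so its requests must be allowed here.
    run ipfw -q add 110 allow layer2 udp from any 68 to any 67 out via "$IF"
    run ipfw -q add 120 allow layer2 udp from any 67 to any 68 in via "$IF"
    # Layer-2 pass: the MAC-address policy goes after these (allow/deny layer2 MAC ...).
    # Layer-3 pass: the same DHCP exchange, seen again by the IP layer, and
    # matched again at lease-renewal time long after boot.
    run ipfw -q add 200 allow udp from any 68 to any 67 out via "$IF"
    run ipfw -q add 210 allow udp from any 67 to any 68 in via "$IF"
    # Layer-3 pass: the rest of the site policy goes here; DEFAULT_TO_DENY
    # takes care of anything not listed.
}

enable_layer2_filtering() {
    # Only now is it safe to send IP frames through the firewall at layer 2.
    run sysctl net.link.ether.ipfw=1
}

# plan: print the commands in the order they would be executed, without
# touching the system (a subshell, so DRYRUN does not leak into the caller).
plan() (
    DRYRUN=1
    load_ruleset
    enable_layer2_filtering
)

# Apply for real only when asked, so sourcing the file for review is harmless:
#   APPLY=1 sh firewall.sh        # load rules, then enable the sysctl
#   sh -c '. ./firewall.sh; plan' # preview the sequence
if [ "${APPLY:-0}" = 1 ]; then
    load_ruleset
    enable_layer2_filtering
fi
```

Two practical points follow from laying it out this way. First, the sysctl line is the last thing the script does, so it does not matter whether dhclient ran before or after sysctl.conf was processed: the layer-2 pass is never active without rules that let DHCP through. Second, the DHCP allow rules have to stay in the ruleset permanently, not just during boot, because dhclient renews its lease later; a ruleset that only passes "layer2 not mac-type ip" would still block that renewal at the layer-2 pass once the sysctl is on, since DHCP is IP traffic.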