Date: Sat, 12 Oct 2002 13:48:37 -0600
From: John Nielsen <john@jnielsen.net>
To: ipfw@freebsd.org
Subject: net.link.ether.ipfw + DHCP
Message-ID: <200210121348.37931.john@jnielsen.net>
I've been experimenting with ipfw2 rules to filter access based on both IP address and MAC address. I'm using ipfw2 on 4.7-RELEASE, and the kernel has DEFAULT_TO_DENY. This particular server uses DHCP to obtain an IP address from my cable provider. I've run into a bit of a catch-22 and wanted to see if any of you have any suggestions (and I also want to verify that my analysis of the problem is correct).

Basically, it seems that having net.link.ether.ipfw=1 in /etc/sysctl.conf will prevent DHCP from working on a DEFAULT_TO_DENY firewall, due to the order of the startup scripts. dhclient is being run after sysctl.conf is processed, but before the firewall script is run. So even though I have an "add allow layer2 not mac-type ip" rule at the beginning of my ruleset, dhclient is blocked by the default deny rule of the firewall.

Setting net.link.ether.ipfw from rc.local is probably an acceptable workaround, but I'd still like to hear if you have any comments or suggestions.

Thanks,
JN
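A boot-order check for the combination described in the message above, as an added example that is not part of the original post: it parses constructed sysctl.conf and rc.conf samples (file locations and the xl0 interface name are hypothetical) and flags the case where net.link.ether.ipfw=1 is applied from sysctl.conf while firewall_enable is set and an interface is configured by DHCP, which on a default-to-deny kernel leaves dhclient blocked until the ruleset is loaded.

```shell
#!/bin/sh
# Detect the startup-order trap: layer-2 ipfw filtering switched on early from
# sysctl.conf, a firewall ruleset loaded later by rc, and a DHCP interface in
# between. dhclient's frames then hit the default deny before any "allow layer2"
# rule exists. The function only parses the two files it is given.
trap_check() {
    sysctl_conf=$1 rc_conf=$2
    # Last uncommented assignment wins, since sysctl(8) applies the file in order.
    l2=$(sed -n 's/^[[:space:]]*net\.link\.ether\.ipfw[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' \
         "$sysctl_conf" | tail -n 1)
    fw=$(sed -n 's/^firewall_enable="*\([A-Za-z]*\)"*.*/\1/p' "$rc_conf" | tail -n 1 | tr a-z A-Z)
    # Number of ifconfig_<if>="DHCP" lines; grep -c prints 0 (and exits 1) when none.
    dhcp=$(grep -c '^ifconfig_[a-z0-9]*="*DHCP' "$rc_conf" || true)
    if [ "${l2:-0}" = 1 ] && [ "$fw" = YES ] && [ "$dhcp" -gt 0 ]; then
        echo trap   # dhclient runs before the ruleset and is dropped by default deny
    else
        echo ok
    fi
}

# Constructed sample files (hypothetical paths; not taken from the post).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sysctl.conf" <<'EOF'
net.link.ether.ipfw=1
net.inet.ip.forwarding=0
EOF
cat > "$tmp/rc.conf" <<'EOF'
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
ifconfig_xl0="DHCP"
EOF
# Workaround variant from the post: keep the sysctl out of sysctl.conf and set
# it later (e.g. from rc.local), once the ruleset with its layer2 allow is loaded.
printf '# net.link.ether.ipfw=1 moved to rc.local\nnet.inet.ip.forwarding=0\n' > "$tmp/sysctl.fixed"

trap_check "$tmp/sysctl.conf"  "$tmp/rc.conf"   # trap
trap_check "$tmp/sysctl.fixed" "$tmp/rc.conf"   # ok
```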
