From: John Nielsen
To: ipfw@freebsd.org
Subject: net.link.ether.ipfw + DHCP
Date: Sat, 12 Oct 2002 13:48:37 -0600
Message-Id: <200210121348.37931.john@jnielsen.net>

I've been experimenting with ipfw2 rules to filter access based on both IP address and MAC address. I'm using ipfw2 on 4.7-RELEASE, and the kernel has DEFAULT_TO_DENY. This particular server uses DHCP to obtain an IP address from my cable provider. I've run into a bit of a catch-22 and wanted to see if any of you have any suggestions (and I also want to verify that my analysis of the problem is correct).

Basically, it seems that having net.link.ether.ipfw=1 in /etc/sysctl.conf will prevent DHCP from working on a DEFAULT_TO_DENY firewall, due to the order of the startup scripts. dhclient is being run after sysctl.conf is processed, but before the firewall script is run. So even though I have an "add allow layer2 not mac-type ip" rule at the beginning of my ruleset, dhclient is blocked by the default deny rule of the firewall.

Setting net.link.ether.ipfw from rc.local is probably an acceptable workaround, but I'd still like to hear if you have any comments or suggestions.

Thanks,

JN
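The ordering problem described in the post can also be avoided by enabling layer-2 filtering from the firewall script itself, after the rules are loaded, instead of from /etc/sysctl.conf. The script below is an added example, not the poster's ruleset; only the "allow layer2 not mac-type ip" rule comes from the post, and the interface name, the DHCP port rules and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Firewall script for a
# DEFAULT_TO_DENY ipfw2 host that gets its address via DHCP.
# Assumption: the outside interface is called xl0 (override with ext_if=...).
ext_if="${ext_if:-xl0}"

# Ruleset in load order, one "ipfw add" argument list per line.
# Line 1 is the post's rule; the DHCP lines are an assumed addition that
# lets the client/server exchange (udp 68 <-> 67) through the default deny.
rule_list() {
    cat <<EOF
allow layer2 not mac-type ip
allow udp from any 68 to any 67 out via ${ext_if}
allow udp from any 67 to any 68 in via ${ext_if}
allow ip from any to any via lo0
check-state
allow ip from me to any out via ${ext_if} keep-state
EOF
}

# Load the rules, then turn on net.link.ether.ipfw as the final step, so
# layer-2 frames are never evaluated against an empty (default-deny) table.
# With DRY_RUN=1, or when ipfw is not installed, the commands are only echoed.
load_firewall() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ipfw >/dev/null 2>&1; then
        run="echo"
    else
        run=""
    fi
    $run ipfw -q -f flush
    rule_list | while IFS= read -r rule; do
        $run ipfw -q add $rule
    done
    # Enabling the sysctl here replaces the /etc/sysctl.conf entry.
    $run sysctl net.link.ether.ipfw=1
}
```

Run it as the firewall_script (or from rc.local) with net.link.ether.ipfw left out of /etc/sysctl.conf; DRY_RUN=1 prints the commands without touching the firewall.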