Date: Mon, 2 Apr 2007 23:22:05 -0400 From: "Dave" <dmehler26@woh.rr.com> To: <freebsd-pf@freebsd.org> Subject: pf rules for dhcp servers and clients Message-ID: <000301c7759f$416d7210$0200a8c0@satellite>
Hello, I'm reconfiguring my pf firewalls, updating to 6.2. I'm having an issue with dhcp, getting the rules right. I've included the rules below; can anyone comment if they're accurate, or if you have working ones? Thanks.
Dave.

This first snippet is from the network dhcp server, contacting the ISP's dhcp server so it can get an IP, and providing dhcp leases to other network clients:

ext_if = "rl0"

# Allow dhcp
pass quick on $ext_if inet proto udp from any port bootps to { 255.255.255.255 ($ext_if) } port bootpc $keep_state

# Allow UDP requests to port 67 from firewall to exit ext_if
# allow DNS requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass quick on $ext_if inet proto { tcp,udp } from ($ext_if) to any port { ntp, domain } queue interact $keep_state

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass quick on $int_if inet proto { tcp, udp } from $int_net to $int_if port domain $keep_state

# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
pass quick on $int_if inet proto { tcp, udp } from { $int_net, 255.255.255.255 } to $int_if port { bootpc, bootps } $keep_state
pass quick on $int_if inet proto { tcp, udp } from $int_net to $int_if port ntp $keep_state

This next is for a lan network client contacting the lan router for dhcp and dns:

ext_if = "vr0"
udp_services = "{ domain, bootpc, ntp }"

# allow in udp services (dhcp, dns, ntp etc)
pass quick on $ext_if inet proto { tcp, udp } from any to any port $udp_services keep state
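One way to lay out the DHCP rules for both roles the post describes (DHCP client on the external interface, DHCP server for the LAN), as an added example that is not from the original post or Dave's config. The interface name xl0 and the 192.168.0.0/24 network are assumed placeholders; the point it makes is that DHCP is UDP only and that a client without a lease sends from 0.0.0.0 port 68 to 255.255.255.255 port 67, which "from $int_net to $int_if" never matches.

```pf
# Added example, not the original poster's rules. Interface and network
# values below are assumptions; adjust them to the real setup.
ext_if  = "rl0"
int_if  = "xl0"              # assumed
int_net = "192.168.0.0/24"   # assumed

# DHCP facts the rules rely on:
#  - it is UDP only (bootps = 67 on the server, bootpc = 68 on the client)
#  - a client with no lease yet sends from 0.0.0.0:68 to 255.255.255.255:67
#  - the server answers to 255.255.255.255:68 or unicast to the offered address
#  - a renewal is unicast from the leased address to the server
# Note that a state created for 0.0.0.0 -> 255.255.255.255 will not match the
# unicast reply, so both directions get explicit rules.

# --- this host as DHCP client on $ext_if ---
pass out quick on $ext_if inet proto udp from any port bootpc to any port bootps keep state
pass in  quick on $ext_if inet proto udp from any port bootps to { 255.255.255.255, ($ext_if) } port bootpc

# --- this host as DHCP server on $int_if ---
# "from any" is deliberate: initial discovers come from 0.0.0.0, renewals from $int_net
pass in  quick on $int_if inet proto udp from any port bootpc to { 255.255.255.255, ($int_if) } port bootps
pass out quick on $int_if inet proto udp from ($int_if) port bootps to any port bootpc

# --- DNS and NTP for LAN clients, and the firewall's own upstream queries ---
# domain legitimately uses tcp and udp; ntp is udp only
pass in  quick on $int_if inet proto { tcp, udp } from $int_net to ($int_if) port domain keep state
pass in  quick on $int_if inet proto udp from $int_net to ($int_if) port ntp keep state
pass out quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any port { domain, ntp } keep state
```

pfctl -nf /etc/pf.conf checks the syntax without loading it; the 255.255.255.255 destinations in the "pass in" rules are what the original "from { $int_net, 255.255.255.255 }" had on the wrong side.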