Date: Sun, 6 Aug 2000 02:23:36 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Bigwillie <mvanberk@optonline.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall Rules
Message-ID: <20000806022335.M66052@184.215.6.64.reflexcom.com>
In-Reply-To: <4.2.0.58.20000806014954.00a03cb0@mail-hub.optonline.net>; from mvanberk@optonline.net on Sun, Aug 06, 2000 at 01:52:49AM -0400
References: <4.2.0.58.20000806014954.00a03cb0@mail-hub.optonline.net>

On Sun, Aug 06, 2000 at 01:52:49AM -0400, Bigwillie wrote:
> I was trying to follow on www.mostgraveconcern.com/freebsd firewall setup,
> but I have a DHCP connection to my ISP. How do I set up the simple section
> for DHCP. Thanks

The set of rules I posted on -stable the other day pass DHCP. DHCP and
firewalling can be tricky for a few reasons. These are the rules I
have been using,

  allow udp from ${dhcpc_range} 68 to ${dhcps_range} 67 out xmit ${oif}
  allow udp from ${dhcps_range} 67 to ${dhcpc_range} 68 in recv ${oif}
  allow udp from 0.0.0.0 68 to 255.255.255.255 67 out xmit ${oif}
  allow udp from ${dhcps_range} 67 to 255.255.255.255 68 in recv ${oif}

Where 'dhcps_range' is where the DHCP servers live and 'dhcpc_range'
is the valid range of addresses your client could be assigned. 'oif'
is of course the interface having the address assigned.

The less paranoid can always just do,

  allow udp from any 67 to any 68 in recv ${oif}
  allow udp from any 68 to any 67 out xmit ${oif}

The other thing to remember about DHCP is that you have to be careful
about using rules which assume that you know your own IP address.

Also, if you started with the ruleset I think you did, it might break
DHCP, depending on the ordering, since it will block 0.0.0.0 and
255.255.255.255.
-- 
Crist J. Clark                           cjclark@alum.mit.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000806022335.M66052>
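
The ordering caveat in the message above, as an added example that is not part of the original message or of any FreeBSD script: an sh fragment that adds the four strict rules at a chosen rule number, plus a coarse check that no deny naming 0.0.0.0 or 255.255.255.255 is numbered ahead of the DHCP allows. The fwcmd variable, the rule numbers, ed0, the address ranges and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; fwcmd, oif, the address ranges and rule numbers are assumptions.
fwcmd="${fwcmd:-/sbin/ipfw -q}"
oif="${oif:-ed0}"                               # assumed outside interface
dhcps_range="${dhcps_range:-192.0.2.0/24}"      # constructed: where the DHCP servers live
dhcpc_range="${dhcpc_range:-198.51.100.0/24}"   # constructed: addresses the client may get

# Add the four strict DHCP rules starting at rule number $1 (step 10).
# ipfw acts on the first matching rule, so $1 must be lower than any rule
# that denies 0.0.0.0 or 255.255.255.255.
dhcp_rules() {
    n=$1
    ${fwcmd} add "$n" allow udp from "${dhcpc_range}" 68 to "${dhcps_range}" 67 out xmit "${oif}"
    ${fwcmd} add "$((n + 10))" allow udp from "${dhcps_range}" 67 to "${dhcpc_range}" 68 in recv "${oif}"
    ${fwcmd} add "$((n + 20))" allow udp from 0.0.0.0 68 to 255.255.255.255 67 out xmit "${oif}"
    ${fwcmd} add "$((n + 30))" allow udp from "${dhcps_range}" 67 to 255.255.255.255 68 in recv "${oif}"
}

# Coarse ordering check over a rule listing on stdin (rule number, action, ...).
# Succeeds only if a DHCP allow (udp, port 67/68) exists and is numbered below
# the first deny that names 0.0.0.0 or 255.255.255.255 (with or without a mask).
dhcp_order_ok() {
    awk '
    function names_special(   i, a) {
        for (i = 3; i <= NF; i++) {
            a = $i; sub(/\/.*/, "", a)          # drop any /mask before comparing
            if (a == "0.0.0.0" || a == "255.255.255.255") return 1
        }
        return 0
    }
    $2 == "deny" && !deny && names_special() { deny = $1 + 0 }
    $2 == "allow" && $3 == "udp" && !dhcp && / 6[78]( |$)/ { dhcp = $1 + 0 }
    END { exit !(dhcp && (!deny || dhcp < deny)) }'
}

# Constructed listing in which the address-based denies come first; DHCP breaks.
bad_listing() {
    printf '%s\n' \
        '00300 deny ip from 0.0.0.0/8 to any via ed0' \
        '00310 deny ip from any to 255.255.255.255 via ed0' \
        '00500 allow udp from any 68 to any 67 out xmit ed0'
}
```

Setting fwcmd=echo prints the rules instead of installing them; a real listing can be piped into dhcp_order_ok in place of the constructed one.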