Date:      Sun, 6 Aug 2000 02:23:36 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Bigwillie <mvanberk@optonline.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Firewall Rules
Message-ID:  <20000806022335.M66052@184.215.6.64.reflexcom.com>
In-Reply-To: <4.2.0.58.20000806014954.00a03cb0@mail-hub.optonline.net>; from mvanberk@optonline.net on Sun, Aug 06, 2000 at 01:52:49AM -0400
References:  <4.2.0.58.20000806014954.00a03cb0@mail-hub.optonline.net>

On Sun, Aug 06, 2000 at 01:52:49AM -0400, Bigwillie wrote:
> I was trying to follow on www.mostgraveconcern.com/freebsd firewall setup, 
> but I have a DHCP connection to my ISP.  How do I set up the simple section 
> for DHCP?  Thanks.

The set of rules I posted on -stable the other day pass DHCP. DHCP and
firewalling can be tricky for a few reasons. These are the rules I
have been using,

  allow udp from ${dhcpc_range} 68 to ${dhcps_range} 67 out xmit ${oif}
  allow udp from ${dhcps_range} 67 to ${dhcpc_range} 68 in recv ${oif}
  allow udp from 0.0.0.0 68 to 255.255.255.255 67 out xmit ${oif}
  allow udp from ${dhcps_range} 67 to 255.255.255.255 68 in recv ${oif}

Where 'dhcps_range' is where the DHCP servers live and 'dhcpc_range'
is the valid range of addresses your client could be assigned. 'oif'
is of course the interface having the address assigned. The less
paranoid can always just do,

  allow udp from any 67 to any 68 in recv ${oif}
  allow udp from any 68 to any 67 out xmit ${oif}

The other thing to remember about DHCP is that you have to be careful
about using rules which assume that you know your own IP
address. Also, if you started with the ruleset I think you did, it
might break DHCP, depending on the ordering, since it will block
0.0.0.0 and 255.255.255.255.
-- 
Crist J. Clark                           cjclark@alum.mit.com

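The rules in the reply above, assembled into an ordered ipfw ruleset as an added example (this is not Crist's code or the mostgraveconcern.com ruleset). It shows the ordering point from the last paragraph: ipfw matches by ascending rule number and stops at the first match, so the DHCP allows are numbered below the denies of 0.0.0.0 and 255.255.255.255, and a small check refuses to load a ruleset where that order is reversed. The interface name fxp0, the two address ranges (RFC 5737 documentation space), the rule numbers 100-201 and the FWCMD dry-run variable are all assumptions for the example; none of them appear in the original message.

```shell
#!/bin/sh
# Added example (not from the post): the DHCP rules above assembled into an
# ordered ipfw ruleset, plus a check that the DHCP allows sort before any
# deny of 0.0.0.0 / 255.255.255.255. Interface, address ranges and rule
# numbers are assumptions; edit them for your network.
oif=fxp0                       # assumed: interface that receives the lease
dhcps_range=192.0.2.0/24       # assumed: where the ISP's DHCP servers live
dhcpc_range=198.51.100.0/24    # assumed: pool the client may be leased from

# Print the ruleset. ipfw evaluates by ascending rule number, first match
# wins, so the DHCP allows (1xx) are numbered below the anti-spoof denies
# (2xx); rule 201 would otherwise drop the broadcast offer that 103 admits.
dhcp_rules() {
    cat <<EOF
add 100 allow udp from ${dhcpc_range} 68 to ${dhcps_range} 67 out xmit ${oif}
add 101 allow udp from ${dhcps_range} 67 to ${dhcpc_range} 68 in recv ${oif}
add 102 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out xmit ${oif}
add 103 allow udp from ${dhcps_range} 67 to 255.255.255.255 68 in recv ${oif}
add 200 deny ip from 0.0.0.0/8 to any in recv ${oif}
add 201 deny ip from any to 255.255.255.255 in recv ${oif}
EOF
}

# Read numbered "add N allow|deny ..." rules on stdin; exit 1 if a deny that
# names 0.0.0.0 or 255.255.255.255 is numbered below an allow that names them.
check_order() {
    awk '
        # true if any address field is 0.0.0.0 or 255.255.255.255 (prefix
        # length stripped), which are the addresses DHCP discovery uses
        function bogon(   i, f) {
            for (i = 4; i <= NF; i++) {
                f = $i; sub(/\/.*$/, "", f)
                if (f == "0.0.0.0" || f == "255.255.255.255") return 1
            }
            return 0
        }
        BEGIN { last_allow = -1; first_deny = -1 }
        bogon() {
            n = $2 + 0
            if ($3 == "allow" && n > last_allow) last_allow = n
            if ($3 == "deny" && (first_deny < 0 || n < first_deny)) first_deny = n
        }
        END {
            if (first_deny >= 0 && last_allow >= 0 && first_deny < last_allow) exit 1
            exit 0
        }'
}

# Load the ruleset. FWCMD defaults to a dry run that only echoes the ipfw
# commands; run with FWCMD=ipfw (as root) to actually install them.
load_rules() {
    if ! dhcp_rules | check_order; then
        echo "refusing to load: a 0.0.0.0/255.255.255.255 deny precedes the DHCP allows" >&2
        return 1
    fi
    dhcp_rules | while read -r rule; do
        ${FWCMD:-echo ipfw} $rule
    done
}

load_rules
```

Because the check only inspects rules that name the DHCP pseudo-addresses, it does not catch a broad "deny ip from any to any in" placed ahead of the allows; keep the DHCP rules near the top of the ruleset regardless, and remember that any rule written with your own leased address in it goes stale when the lease changes.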