From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Dave Webster
Cc: freebsd-questions@freebsd.org
Date: Tue, 16 Aug 2005 02:34:37 +0300
Subject: Re: [Fwd: ipf sample rule file]
Message-ID: <20050815233437.GA64455@flame.pc>
In-Reply-To: <1124035405.726.0.camel@localhost>

On 2005-08-14 09:03, Dave Webster wrote:
> Date: Sun, 14 Aug 2005 07:54:39 -0700
> From: Dave Webster
> Subject: ipf sample rule file
> To: "FBSD_IG "@a1poweruser.com
>
> Thank you for your tremendous guide for FreeBSD newbies.
> I am confused by:
>
> # Allow out access to my ISP's DHCP server for cable or DSL networks.
> # This rule is not needed for 'user ppp' type connection to the
> # public Internet, so you can delete this whole group.
> # Use the following rule and check log for IP address.
> # Then put IP address in commented out rule & delete first rule
> pass out log quick on dc0 proto udp from any to any port = 67 keep state
> #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state

The comments are mildly confusing, since they state that this entire block is not necessary, yet the block contains rules.

Seeing the email address of the forwarded post, I can probably assume that you got this from the Handbook. The firewall described in the firewall chapter of the Handbook is paranoid enough to block all incoming *AND* outgoing traffic. This means that if you use it without explicit rules for the services you plan to use, the firewall will block you from making use of those services.

With that in mind, it may be clearer what the comments above mean. If the FreeBSD machine is used as a DSL gateway and it obtains its external IP address from your Internet Service Provider with DHCP, you have to use special rules to unblock the DHCP traffic. DHCP clients send broadcast packets directed to port 67 of any listening DHCP server, so the proper steps for setting up the firewall rules correctly (if we are to follow the spirit of the existing firewall chapter) would be something like this:

1. Start with a DHCP firewall rule that allows any DHCP server to reply with a DHCP address assignment (and other related information). This rule would look like this:

   pass out log quick on dc0 proto udp from any to any port = 67 keep state

2. Connect to your DSL provider at least once.

3. Look at the system logs (e.g. /var/log/ppp.log) and see which DHCP server (or servers, if there's more than one) replies with an address assignment when your machine sends out DHCP requests.
Note down the address of the DHCP server (or all the valid DHCP server addresses, if there's more than one).

4. Comment out or delete the previous DHCP rule that allowed DHCP traffic towards *any* DHCP server.

5. Add special rules that allow DHCP traffic only if it is destined for one of the valid DHCP server addresses, e.g. if your ISP uses a single DHCP server with an IP address of ``aa.bb.cc.dd'', your rule would be:

   pass out log quick on dc0 proto udp from any to aa.bb.cc.dd port = 67 keep state

I am not sure if this will work though. AFAIK, when a DHCP client sends a request for an IP address over the wire, it doesn't send it towards a specific IP address, so this procedure suggested by the current firewall chapter is probably broken.

Is there anyone who uses a FreeBSD machine as a DSL gateway *AND* uses the rules of Joseph J. Barbish as they are listed in the Handbook, and who can tell us if this specific part of the rules works correctly?

> my /etc/resolv.conf file is:
> search bc.hsia.telus.net
> nameserver 154.11.128.187
> nameserver 154.11.128.59
> nameserver 64.114.195.135
> nameserver 64.114.195.136

The resolv.conf file contains options related to the resolution of host names to IP addresses and vice versa via the DNS protocol. This is not related to the internals of DHCP or your firewall.

- Giorgos
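A worked version of steps 1 to 5 above, added here as an example and not part of Giorgos's mail or of the Handbook: it pulls the addresses of the answering DHCP servers out of dhclient log lines and emits the narrowed ipf rules. It goes slightly beyond the steps by keeping one rule for the limited broadcast address 255.255.255.255, which is where a client's initial DHCPDISCOVER is sent (RFC 2131), so that narrowing the rules to server addresses does not block the first exchange. The log lines, the 192.0.2.x addresses and the dc0 interface name are constructed; the message format is ISC dhclient's syslog format, and whether those messages end up in /var/log/messages rather than /var/log/ppp.log is an assumption.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed sample log in the message format ISC dhclient writes to syslog.
# Assumption: on the gateway these lines end up under /var/log/messages.
# Addresses are RFC 5737 documentation values, not real hosts.
SAMPLE_LOG = """\
Aug 16 02:31:10 gw dhclient[523]: DHCPDISCOVER on dc0 to 255.255.255.255 port 67 interval 3
Aug 16 02:31:11 gw dhclient[523]: DHCPOFFER from 192.0.2.1
Aug 16 02:31:11 gw dhclient[523]: DHCPREQUEST on dc0 to 255.255.255.255 port 67
Aug 16 02:31:11 gw dhclient[523]: DHCPACK from 192.0.2.1
Aug 16 02:31:11 gw dhclient[523]: bound to 192.0.2.77 -- renewal in 43200 seconds.
Aug 16 14:31:11 gw dhclient[523]: DHCPREQUEST on dc0 to 192.0.2.1 port 67
Aug 16 14:31:12 gw dhclient[523]: DHCPACK from 192.0.2.2
Aug 16 14:31:12 gw dhclient[523]: DHCPACK from not.an.address
"""

# Only OFFER and ACK name the server that answered; DISCOVER/REQUEST name a
# destination, which for the first exchange is the broadcast address.
_SERVER_RE = re.compile(r"DHCP(?:OFFER|ACK) from (\S+)")

def dhcp_servers_from_log(text):
    """Return the sorted, de-duplicated unicast server addresses seen in OFFER/ACK lines."""
    found = set()
    for line in text.splitlines():
        m = _SERVER_RE.search(line)
        if not m:
            continue
        try:
            addr = IPv4Address(m.group(1))
        except AddressValueError:
            continue  # garbled or truncated line: never build a rule from it
        if addr.is_multicast or addr.is_unspecified or addr == IPv4Address("255.255.255.255"):
            continue
        found.add(addr)
    return [str(a) for a in sorted(found)]

def ipf_client_rules(servers, iface="dc0"):
    """Build the narrowed replacements for the Handbook's 'to any port = 67' rule."""
    rules = [
        "# Initial DISCOVER/REQUEST are broadcast (RFC 2131); keep this single narrow rule",
        f"pass out quick on {iface} proto udp from any to 255.255.255.255 port = 67 keep state",
    ]
    for s in servers:
        # Unicast renewals go to the server that granted the lease; keep 'log' so a
        # server that never appeared in the logs before is noticed when it shows up.
        rules.append(f"pass out log quick on {iface} proto udp from any to {s} port = 67 keep state")
    return rules

if __name__ == "__main__":
    print("\n".join(ipf_client_rules(dhcp_servers_from_log(SAMPLE_LOG))))
```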