From owner-freebsd-questions Tue May 15 11:24:13 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from istar.ca (d141-119-162.home.cgocable.net [24.141.119.162])
	by hub.freebsd.org (Postfix) with ESMTP id 337C137B423
	for ; Tue, 15 May 2001 11:24:10 -0700 (PDT)
	(envelope-from genisis@istar.ca)
Received: (from genisis@localhost)
	by istar.ca (8.11.1/8.11.1) id f4FIRi111553;
	Tue, 15 May 2001 14:27:44 -0400 (EDT)
	(envelope-from genisis)
Date: Tue, 15 May 2001 14:27:44 -0400 (EDT)
From: Dru
To: Neil Darlow
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: dhclient-ipfw oddity
In-Reply-To: <20010515.17561600@ideal.darlow.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi Neil,

What is the output of "ipfw show"?

Dru

On Tue, 15 May 2001, Neil Darlow wrote:

> Hi All,
>
> I've researched this through the mailing list archives and not
> found anything relevant.
>
> I'm running freebsd-4.2 using dhclient to request dynamic IPs for
> a cable modem driven connection.
>
> I have firewalled the setup using the "simple" settings in the
> rc.firewall script with changes to use ${oif} in place of ${oip}.
>
> It is my understanding that dhclient talks on port 67 and listens
> on port 68 with the DHCP server doing the reverse.
>
> I am puzzled by two facets of this configuration e.g.:
>
> 1) There are no explicit (or implied) rules to allow udp traffic
> in/out on ports 68/67 in the "simple" firewall setup but I do see
> dynamic IP configuration in /var/log/messages at intervals. How is
> this possible?
>
> 2) natd is complaining that it can't write back packets due to a
> permission denied condition. Replacing the final "deny all" rule in
> the firewall with a "deny and log" gives the following output:
>
> 3800 deny udp xx.xx.xx.xx:67 xx.xx.xx.xx:68 out via ed0
>
> where xx.xx.xx.xx is my dynamic IP and ed0 is the external NIC.
> This gives the impression that dhclient is trying to talk to itself
> which seems somewhat odd. Can anyone comment on this?
>
> Regards,
> Neil Darlow.
>
> --
> 1024D/531F9048 1999-09-11 Neil Darlow
> Key fingerprint = 359D B8FF 6273 6C32 BEAA 43F9 E579 E24A 531F 9048
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message