Date: Mon, 10 Jan 2005 15:07:25 -0500 From: Bob Hall <rjhjr@cox.net> To: freebsd-questions@freebsd.org Subject: Re: dhclient: send_packet: Permission denied Message-ID: <20050110200725.GA16977@kongemord.krig.net> In-Reply-To: <20050109012539.GA5042@kongemord.krig.net> References: <20050106213433.GA1699@kongemord.krig.net> <20050109012539.GA5042@kongemord.krig.net>
On Sat, Jan 08, 2005 at 08:25:39PM -0500, Bob Hall wrote:
> I keep getting the message
> dhclient: send_packet: Permission denied

This stopped when I added

${fwcmd} add allow udp from ${router} bootps to ${bcast} bootpc in via ${oif}

to my rule set. My dhclient was broadcasting packets but the firewall wasn't letting the broadcast responses from the router in. Once dhclient could read the responses (which included the DHCP server address), it stopped trying to send the packets that were being blocked.

I'm using a modified version of the SIMPLE rule set for IPFW. If the DHCP rules are anywhere after the NAT divert rule, they are never triggered. Something else is denying or allowing the DHCP packets. This doesn't make any sense to me, but I moved the DHCP rules to the beginning of the rule set and all is well.

For anyone who's interested, here are the rules I added to handle DHCP packets. They allow direct traffic between my host (oip) and the DHCP server (dhcps), and between oip and the subnet router (router). They also allow broadcast packets from dhcps, router, and oip, provided they come from and are directed to the correct bootp ports. These rules should follow the "setup_loopback" call, unless you explicitly assign rule numbers.

In addition, dhcps sends an echo request to an address before assigning it, to check if it's already in use. Since I don't honor echo requests, I added two rules to respond to dhcps's echo requests. A DHCP client should double check before accepting an IP address by sending an ARP packet, but it's not required and doesn't always happen. My ISP changed my IP address while I was testing this because I failed to respond to the server's echo request and the client that got my old address didn't check to see if it was in use.
########################################################
## DHCP server IP address
#########################################################
search_text="dhcp-server-identifier"
file_path="/var/db/dhclient.leases"
# Only read the lease file if it exists. (Testing the output of `ls` for
# "No such file or directory" does not work: that message goes to stderr,
# so the test never saw it.)
if [ -f "${file_path}" ]
then
	# dhclient.leases keeps every lease ever obtained; take the last
	# match so the address comes from the most recent lease.
	dhcps=`grep "${search_text}" "${file_path}" | tail -n 1 | sed 's/.* \([0-9.]*\);/\1/'`
fi
if [ -z "${dhcps}" ]
then
	dhcps="any"
fi
########################################################
## DHCP router IP address
#########################################################
if [ -f "${file_path}" ]
then
	# Use the most recent lease; if > 1 router is listed, get the last one.
	router=`grep "routers" "${file_path}" | tail -n 1 | sed 's/.*[^0-9.]\([0-9.]*\);/\1/'`
fi
if [ -z "${router}" ]
then
	router="any"
fi
## Broadcast address
bcast="255.255.255.255"
#####################################################
## DHCP section (Immediately following "setup_loopback")
######################################################
# Unicast exchange with the DHCP server
${fwcmd} add allow udp from ${dhcps} bootps to ${oip} bootpc in via ${oif}
${fwcmd} add allow udp from ${oip} bootpc to ${dhcps} bootps out via ${oif}
# Unicast exchange with the subnet router (relay)
${fwcmd} add allow udp from ${router} bootps to ${oip} bootpc in via ${oif}
${fwcmd} add allow udp from ${oip} bootpc to ${router} bootps out via ${oif}
# Broadcast replies from the server and the router, and our own broadcasts
${fwcmd} add allow udp from ${dhcps} bootps to ${bcast} bootpc in via ${oif}
${fwcmd} add allow udp from ${router} bootps to ${bcast} bootpc in via ${oif}
${fwcmd} add allow udp from ${oip} bootps to ${bcast} bootpc out via ${oif}
#######################################################
## ICMP section
######################################################
...
# Answer the server's address-in-use probe (echo request, type 8) with an
# echo reply (type 0). The ipfw(8) keyword for the type list is "icmptypes".
${fwcmd} add pass log icmp from ${dhcps} to ${oip} icmptypes 8 in via ${oif}
${fwcmd} add pass log icmp from ${oip} to ${dhcps} icmptypes 0 out via ${oif}

Bob
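The lease parsing in the post can be checked offline. The script below is an added example, not part of Bob Hall's message or of the FreeBSD rc scripts: it builds a constructed dhclient.leases file with two leases (the second listing two routers), extracts the server and router addresses from the most recent lease, falls back to "any" when the file is missing, and prints the ipfw rules from the post instead of loading them. The interface name fxp0, the addresses, and the temporary file path are assumptions for the example.

```shell
#!/bin/sh
# Added example: derive the dhcps/router values used by the ipfw DHCP rules
# from a dhclient.leases file, taking the most recent lease. The lease text
# written below is constructed for this example.

LEASES_FILE=$(mktemp /tmp/dhclient.leases.XXXXXX)   # assumed scratch path

cat > "$LEASES_FILE" <<'EOF'
lease {
  interface "fxp0";
  fixed-address 192.0.2.10;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
  option dhcp-server-identifier 192.0.2.1;
}
lease {
  interface "fxp0";
  fixed-address 198.51.100.20;
  option subnet-mask 255.255.255.0;
  option routers 198.51.100.1, 198.51.100.2;
  option dhcp-server-identifier 198.51.100.5;
}
EOF

# lease_option FILE OPTION
# Prints the value of "option OPTION ...;" from the last lease in FILE
# (dhclient appends leases, so the last match is the most recent). For a
# comma-separated list such as "routers a, b;" the last address wins.
# Prints "any" when the file is missing or the option is absent, which is
# the fallback the post's rule set uses.
lease_option() {
    file=$1
    opt=$2
    val=""
    if [ -f "$file" ]; then
        val=$(grep "option $opt " "$file" | tail -n 1 |
              sed 's/.*[^0-9.]\([0-9.][0-9.]*\);[[:space:]]*$/\1/')
    fi
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo "any"
    fi
}

# dhcp_rules OIP OIF DHCPS ROUTER
# Prints the seven DHCP rules from the post, one per line, with the
# addresses filled in. Feed each line to ${fwcmd} to load it.
dhcp_rules() {
    oip=$1
    oif=$2
    dhcps=$3
    router=$4
    bcast=255.255.255.255
    printf 'add allow udp from %s bootps to %s bootpc in via %s\n'  "$dhcps"  "$oip"   "$oif"
    printf 'add allow udp from %s bootpc to %s bootps out via %s\n' "$oip"    "$dhcps" "$oif"
    printf 'add allow udp from %s bootps to %s bootpc in via %s\n'  "$router" "$oip"   "$oif"
    printf 'add allow udp from %s bootpc to %s bootps out via %s\n' "$oip"    "$router" "$oif"
    printf 'add allow udp from %s bootps to %s bootpc in via %s\n'  "$dhcps"  "$bcast" "$oif"
    printf 'add allow udp from %s bootps to %s bootpc in via %s\n'  "$router" "$bcast" "$oif"
    printf 'add allow udp from %s bootps to %s bootpc out via %s\n' "$oip"    "$bcast" "$oif"
}

# Usage: resolve the addresses from the constructed lease file and show
# the rules that would be loaded for host 198.51.100.20 on fxp0 (assumed).
dhcps=$(lease_option "$LEASES_FILE" dhcp-server-identifier)
router=$(lease_option "$LEASES_FILE" routers)
dhcp_rules 198.51.100.20 fxp0 "$dhcps" "$router"
```

On a real host, point LEASES_FILE at /var/db/dhclient.leases and replace the printf lines with ${fwcmd} calls; the "any" fallback keeps the rules loadable before the first lease exists, at the cost of accepting bootps traffic from any source until a lease is obtained.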
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050110200725.GA16977>