pf.conf and cable modem

RW fbsd06 at mlists.homeunix.com
Wed Feb 28 18:08:46 UTC 2007


On Wed, 28 Feb 2007 18:02:15 +0000
RW <fbsd06 at mlists.homeunix.com> wrote:

> On Wed, 28 Feb 2007 12:44:21 -0500
> alex at schnarff.com wrote:
> 
> > Quoting RW <fbsd06 at mlists.homeunix.com>:
> 
> > > When I used DHCP with PF, I found that it just worked without any
> > > rules at all.
> > 
> > That's been my experience as well (admittedly on OpenBSD, but it's 
> > basically the same PF). Remember, your NIC's initialization
> > sequence, which is where the DHCP request will come, happens before
> > PF is enabled, so you're essentially at a "pass all" sort of a
> > state when the request happens.
> > 
> > The one thing to keep in mind is that if you're doing, say, NAT for 
> > some clients behind the box, you can use a rule like this to deal
> > with any changes in your dynamic IP 
> 
> Not in my experience.
> 
> I was using a half-bridge modem that had a 30 second lease time, which
> was definitely renewing. It would also give me a private address when
> PPPoA went down, and I saw that happen too. 
> 
> I added in some early static rules to log all the DHCP packets. IIRC I
> never saw any of the lease renewal packets, just some broadcast
> packets. I asked in this list about it but never got a reply.
> 
> I suspect that either DHCP sees the packets directly in some way, or
> PF has some special handling for DHCP. In either case it would make
> sense for PF rules to see the broadcasts, since they might need to be
> bridged. 

Sorry, I misread what you were saying about the rule, but the point
still remains that it's not simply the case that PF is in pass-all mode
when DHCP starts.

