Why did ipfw neither filter nor log DHCP packets?

Luigi Rizzo rizzo at iet.unipi.it
Mon Jan 5 12:05:01 UTC 2015


dhclient uses bpf to send and receive traffic,
and that acts before the firewall has a chance
to see the packets.

There is a chance that incoming packets are
also passed to the network stack, but they
are probably discarded before the firewall
because the interface does not have an address yet.

cheers
luigi


On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé <olivier at cochard.me>
wrote:

> I'm using a pretty simple configuration:
>
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
>
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
>
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
>
> [root at wrap]~# ifconfig sis0
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
>         ether 00:0d:b9:02:76:58
>         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
>
> [root at wrap]~# ipfw show
> 00100 0    0 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 0    0 deny ip from any to any
>
> [root at wrap]~# cat /var/log/security
> Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
> Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
>
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
>
> Are DHCP packets excluded from the filtering/logging engine of ipfw ?
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>



-- 
-----------------------------------------+-------------------------------
 Prof. Luigi RIZZO, rizzo at iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
 TEL      +39-050-2211611               . via Diotisalvi 2
 Mobile   +39-338-6809875               . 56122 PISA (Italy)
-----------------------------------------+-------------------------------
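An added example, not code from this thread or from FreeBSD, that turns the reply's claim into a check a practitioner can run: put explicit DHCP rules with counters in front of the catch-all deny, capture the same traffic on the interface's bpf device with tcpdump (which, like dhclient, reads the frames before ipfw does), and compare. The interface name, the rule numbers 150/151, the function names and all sample output are assumptions; the sample lines are constructed in the style of the thread, not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the thread.  It checks the claim that ipfw
# never sees dhclient's traffic: explicit DHCP rules with counters ahead of
# the catch-all deny, tcpdump on the same bpf path dhclient uses, compare.
# Interface name, rule numbers and all sample text are assumptions.

IFACE="${IFACE:-sis0}"

# Probe rules numbered ahead of the thread's "deny log" at 200: a client
# DISCOVER/REQUEST goes 68 -> 67 outbound, OFFER/ACK comes back 67 -> 68.
add_dhcp_probe_rules() {
    /sbin/ipfw -q add 150 count log udp from any 68 to any 67 out via "$IFACE"
    /sbin/ipfw -q add 151 count log udp from any 67 to any 68 in via "$IFACE"
}

# Packet counter of one rule from `ipfw show` output on stdin
# (fields: rule pkts bytes action ...); 0 if the rule is absent.
rule_packets() {
    awk -v rule="$1" '$1 + 0 == rule + 0 { p = $2 } END { print p + 0 }'
}

# ipfw log lines (as in /var/log/security) that involve UDP port 67 or 68.
dhcp_log_hits() {
    awk '/ipfw:/ && / UDP / && (/:6[78] / || /:6[78]$/) { n++ } END { print n + 0 }'
}

# DHCP frames in `tcpdump -nn` output: ports print as ".67 >" / ".68 >".
bpf_dhcp_frames() {
    awk '/\.6[78] > / { n++ } END { print n + 0 }'
}

# Returns 0 when bpf saw DHCP frames that ipfw neither counted nor logged,
# i.e. the bypass the reply describes.  Args: show output, log text, dump.
bypass_confirmed() {
    frames=$(printf '%s\n' "$3" | bpf_dhcp_frames)
    hits=$(( $(printf '%s\n' "$1" | rule_packets 150) \
          + $(printf '%s\n' "$1" | rule_packets 151) \
          + $(printf '%s\n' "$2" | dhcp_log_hits) ))
    [ "$frames" -gt 0 ] && [ "$hits" -eq 0 ]
}

# Constructed sample output modelled on the thread (not captured from a host).
SAMPLE_SHOW='00100 0    0 allow ip from any to any via lo0
00150 0    0 count log udp from any 68 to any 67 out via sis0
00151 0    0 count log udp from any 67 to any 68 in via sis0
00200 4 1631 deny log ip from any to any
65535 0    0 deny ip from any to any'
SAMPLE_LOG='Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0'
SAMPLE_DUMP='01:17:10.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0d:b9:02:76:58, length 300
01:17:10.100000 IP 192.168.100.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300'

# Live use on the FreeBSD host (root), after a fresh dhclient lease:
#   add_dhcp_probe_rules
#   tcpdump -nn -i "$IFACE" -c 4 'udp and (port 67 or port 68)' > dump.txt
#   bypass_confirmed "$(ipfw show)" "$(cat /var/log/security)" "$(cat dump.txt)" && echo bypass
```

Frames in the tcpdump output with zero packets on rules 150/151 and no port 67/68 lines in the log are the expected result: both tcpdump and dhclient read and write the interface through bpf, so the firewall is simply not on that path. If the counters do move, the traffic did traverse the stack (for example a DHCP relay or a second client that does not use bpf), and the rules will also tell you in which direction.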

