Why did ipfw neither filter nor log DHCP packets?

Willy Offermans Willy at Offermans.Rompen.nl
Mon Jan 5 12:28:26 UTC 2015


Hello Luigi and FreeBSD friends,

I do top posting.

So there might be a chance that something slips through the firewall
between the start of the firewall and after the bpf traffic of dhclient.
Once the NIC is configured, traffic is possible in principle.
Would it be better to start the bpf traffic of dhclient after the firewall
runs? In the latter case, all will or can work as expected. If yes, how
should this be set? Should one set

 REQUIRE: firewall

in /etc/rc.d/dhclient? But there seems to be no firewall daemon present. So
I'm not sure how this should work.

On Mon, Jan 05, 2015 at 01:04:58PM +0100, Luigi Rizzo wrote:
> dhclient uses bpf to send and receive traffic,
> and that acts before the firewall has a chance
> to see the packets.
> 
> There is a chance that incoming packets are
> also passed to the network stack, but they
> are probably discarded before the firewall
> because the interface does not have an address yet.
> 
> cheers
> luigi
> 
> 
> On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé <olivier at cochard.me>
> wrote:
> 
> > I'm using a pretty simple configuration:
> >
> > My rc.conf:
> > ifconfig_sis0="DHCP"
> > firewall_enable="YES"
> > firewall_logging="YES"
> > firewall_script="/etc/ipfw.rules"
> >
> > My /etc/ipfw.rules:
> > #!/bin/sh
> > fwcmd="/sbin/ipfw -q"
> > ${fwcmd} -f flush
> > ${fwcmd} add pass ip from any to any via lo0
> > ${fwcmd} add deny log ip from any to any
> >
> > But after a reboot this machine is still able to get an IP address by DHCP
> > and nothing (related to DHCP) is logged on the firewall:
> >
> > [root at wrap]~# ifconfig sis0
> > sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >         options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
> >         ether 00:0d:b9:02:76:58
> >         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> >
> > [root at wrap]~# ipfw show
> > 00100 0    0 allow ip from any to any via lo0
> > 00200 4 1631 deny log ip from any to any
> > 65535 0    0 deny ip from any to any
> >
> > [root at wrap]~# cat /var/log/security
> > Jan  1 01:16:45 wrap newsyslog[923]: logfile first created
> > Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
> > Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
> >
> > I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
> >
> > Are DHCP packets excluded from the filtering/logging engine of ipfw?
> > _______________________________________________
> > freebsd-ipfw at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
> >
> 
> 
> 
> -- 
> -----------------------------------------+-------------------------------
>  Prof. Luigi RIZZO, rizzo at iet.unipi.it  . Dip. di Ing. dell'Informazione
>  http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
>  TEL      +39-050-2211611               . via Diotisalvi 2
>  Mobile   +39-338-6809875               . 56122 PISA (Italy)
> -----------------------------------------+-------------------------------

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*************************************
 W.K. Offermans
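The practical check behind this thread is whether the firewall log ever shows the DHCP exchange at all. The following script is an added example, not code from the thread or from FreeBSD: it parses ipfw's kernel log lines (the `ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> in|out via <iface>` format visible in Olivier's /var/log/security excerpt), tallies denied packets per rule, and reports how many of them were DHCP (UDP 67/68). The sample log embedded below is constructed: it reuses the two lines quoted in the thread and adds one made-up line showing what a DHCP DISCOVER would look like if ipfw had seen it. On a host that obtained a lease while the DHCP count stays at zero, the traffic went over bpf and never reached ipfw, which is exactly what Luigi describes.

```python
"""Parse ipfw 'deny log' lines from /var/log/security and report whether any
DHCP traffic (UDP 67/68) was ever seen by the firewall."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# ipfw's kernel log format, e.g.
#   ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
# The port groups are optional so that lines for protocols without ports
# (e.g. "ICMP:8.0 10.0.0.1 10.0.0.2") still parse.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

DHCP_PORTS = {67, 68}  # bootps (server) / bootpc (client)


@dataclass(frozen=True)
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str

    def is_dhcp(self) -> bool:
        """True for UDP traffic touching the DHCP server or client port."""
        return self.proto.upper() == "UDP" and bool({self.sport, self.dport} & DHCP_PORTS)


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_line(line: str) -> Optional[IpfwEvent]:
    """Return an IpfwEvent for an ipfw log line, or None for any other line
    (newsyslog notices, unrelated kernel messages, ...)."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    return IpfwEvent(
        rule=int(m["rule"]), action=m["action"], proto=m["proto"],
        src=m["src"], sport=_port(m["sport"]),
        dst=m["dst"], dport=_port(m["dport"]),
        direction=m["direction"], iface=m["iface"],
    )


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count logged packets per (rule, action, protocol) and separately count
    how many of them were DHCP. A DHCP count of zero on a host that still got
    a lease means dhclient's packets bypassed ipfw (they went over bpf)."""
    events: List[IpfwEvent] = [e for e in map(parse_line, lines) if e is not None]
    by_rule = Counter((e.rule, e.action, e.proto) for e in events)
    dhcp = [e for e in events if e.is_dhcp()]
    return {
        "total": len(events),
        "by_rule": dict(by_rule),
        "dhcp": len(dhcp),
        "dhcp_seen": bool(dhcp),
    }


# Constructed sample: the two lines quoted in the thread plus one line made up
# here to show what a DHCP DISCOVER would look like if ipfw had seen it.
SAMPLE_LOG = [
    "Jan  1 01:16:45 wrap newsyslog[923]: logfile first created",
    "Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0",
    "Jan  1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0",
    # constructed line, not from the thread:
    "Jan  1 01:17:20 wrap kernel: ipfw: 200 Deny UDP 0.0.0.0:68 255.255.255.255:67 out via sis0",
]

if __name__ == "__main__":
    import sys
    # Usage: python ipfw_dhcp_check.py [/var/log/security]
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize(source))
```

Run it against the real /var/log/security on the host in question: with the ruleset from the thread, every packet ipfw saw was denied and logged by rule 200, so any DHCP packet that passed through the stack would have to appear with `:67` or `:68` in the report. Its absence is the evidence, not a logging bug.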

