[Fwd: ipf sample rule file]

Giorgos Keramidas keramida at ceid.upatras.gr
Tue Aug 16 10:00:39 GMT 2005

On 2005-08-14 09:03, Dave Webster <dwebman at telus.net> wrote:
> Date: Sun, 14 Aug 2005 07:54:39 -0700
> From: Dave Webster <dwebman at telus.net>
> Subject: ipf sample rule file
> To: "FBSD_IG "@a1poweruser.com
> Thank you for your tremendous guide for FreeBSD newbies.  I am
> confused by:
> # Allow out access to my ISP's DHCP server for cable or DSL networks.
> # This rule is not needed for ‘user ppp’ type connection to the
> # public Internet, so you can delete this whole group.
> # Use the following rule and check log for IP address.
> # Then put IP address in commented out rule & delete first rule
> pass out log quick on dc0 proto udp from any to any port = 67 keep state
> #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep
> state

The comments are mildly confusing, since they state that this entire
block is not necessary, yet the block contains rules.  Seeing the email
address of the forwarded post, I can probably assume that you got this
from the Handbook.

The firewall described in the firewall chapter of the Handbook is
paranoid enough to block all incoming *AND* outgoing traffic.  This
means that if you use it without explicit rules for the services you
plan to use, the firewall will block you from making use of these

Having that in mind, it may be more clear what the comments above mean.
If the FreeBSD machine is used as a DSL gateway and it obtains its
external IP address from your Internet Service Provider with DHCP, you
have to use special rules to unblock the DHCP traffic.  DHCP clients
send broadcast packets directed to port 67 of any listening DHCP server,
so the proper steps for setting up the firewall rules correctly (if we
are to follow the spirit of the existing firewall chapter), would be
something like this:

    1. Start with a DHCP firewall rule that allows any DHCP server
to reply with a DHCP address assignment (and other related information).
This rule would look like this:

    pass out log quick on dc0 proto udp from any to any port = 67 keep state

    2. Connect to your DSL provider at least once.

    3. Look at the system logs (i.e. /var/log/ppp.log) and see which
DHCP server (or servers, if there's more than one) replies with an
address assignment when your machine sends out DHCP requests.  Note the
address of the DHCP server (or all the valid DHCP server addresses, if
there's more than one) down.

    4. Comment out or delete the previous DHCP rule that allowed DHCP
traffic towards *any* DHCP server.

    5. Add special rules that allow DHCP traffic only if it is destined
for one of the valid DHCP server addresses, i.e. if your ISP uses a
single DHCP server with an IP address of ``aa.bb.cc.dd'', your rule
would be:

    pass out log quick on dc0 proto udp from any to aa.bb.cc.dd port = 67 keep state

I am not sure if this will work though.  AFAIK, when a DHCP clients
sends a request for an IP address over the wire, it doesn't send it
towards a specific IP address, so this procedure suggested by the
current firewall chapter is probably broken.  Anyone who uses a FreeBSD
machine as a DSL gateway *AND* uses the rules of Joseph J. Barbish as
they are listed in the Handbook, who can tell us if the specific part of
the rules works correctly?

> my /etc/resolv.conf file is:
> search bc.hsia.telus.net
> nameserver
> nameserver
> nameserver
> nameserver

The resolv.conf file contains options related to the resolution of host
names to IP addresses and vice versa via the DNS protocol.  This is not
related to the internals of DHCP or your firewall.

- Giorgos

More information about the freebsd-questions mailing list