
Re: pf rule help needed



On Sat, Feb 12, 2005 at 07:26:10PM -0500, Aaron Jackson wrote:
> On Feb 12, 2005, at 6:50 PM, Jason Opperisano wrote:
> 
> >On Sat, 2005-02-12 at 13:17, steven n fettig wrote:
> >># Allow dhcp traffic to pass through
> >> pass in quick on $wi_if inet proto { tcp, udp } from any to $wi_ip port dhcps keep state
> >> pass in quick on $wi_if inet proto { tcp, udp } from $wi_ip to any port dhcpc keep state
> >
> >i'll admit to not pulling up the RFC for reference, but i'm 99.44% sure
> >that DHCP only uses UDP.
> 
> That is impossible.  You need an ip address before you can send or 
> receive udp packets.  If I remember correctly, and I'm not making any 
> guarantees, DHCP requests are similar to arp requests and therefore are 
> not routable (i.e. DHCP requests usually don't make it past a router 
> unless they are encapsulated first).

Both dhcpd and dhclient open BPF devices to access the packets on the
ethernet interface directly.

And because BPF has access to packets *before* any pf filtering
happens, DHCP on OpenBSD is unaffected by any pf filtering rules.

You could have a block-all policy and dhcp would still work. I put
dhcp rules on my servers to remove the annoying logging it creates
because I block log all.

(DHCP does use udp but it is not completely kosher tcp-wise because
the client doesn't have an IP yet. Thus the need to use a BPF device
to craft them and read them. Well, that's my understanding of the
situation.)

-- 
Hugo Villeneuve <hugo_(_at_)_EINTR_(_dot_)_net>
http://EINTR.net/ 
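As an added illustration (not part of the thread, and not any poster's own config), here is a pf.conf fragment that does what Hugo describes: it lets DHCP through without logging so that a `block log all` policy stops filling pflog. It keeps the `$wi_if` and `$wi_ip` macro names from the original post; the interface name and address are constructed sample values. The rules are UDP only and use `from any to any`, because a client that has no address yet sends DHCPDISCOVER from 0.0.0.0 port 68 to 255.255.255.255 port 67, which `to $wi_ip` would never match:

```pf
# Added example: quiet pf logging for DHCP on a wireless interface.
# Macro names follow the original post; values below are constructed samples.
wi_if = "wi0"
wi_ip = "192.168.1.1"

# Default policy: block everything and log it (this is what makes the noise).
block log all

# DHCP is UDP only (RFC 2131): client side port 68 (bootpc), server side port 67 (bootps).
# No "log" keyword, so matches stay out of pflog; "quick" ends evaluation at this rule.
# Inbound: DHCPDISCOVER/REQUEST from clients (source may be 0.0.0.0, destination broadcast).
pass in  quick on $wi_if inet proto udp from any port 68 to any port 67 keep state
# Outbound: offers/acks and unicast renewals that travel through the normal IP stack.
pass out quick on $wi_if inet proto udp from any port 67 to any port 68 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the rules are in place with `pfctl -sr`. As the reply above explains, dhcpd and dhclient read and write the wire through BPF, so on OpenBSD these rules are not what makes DHCP work; their only job is to stop the block-all rule from logging every DHCP packet.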