Re: pf.conf and cable modem



Quoting RW <fbsd06@xxxxxxxxxxxxxxxxxxx>:

> On Wed, 28 Feb 2007 12:44:21 -0500
> alex@xxxxxxxxxxxx wrote:
>
> > Quoting RW <fbsd06@xxxxxxxxxxxxxxxxxxx>:
> >
> > > When I used DHCP with PF, I found that it just worked without any
> > > rules at all.
> >
> > That's been my experience as well (admittedly on OpenBSD, but it's
> > basically the same PF). Remember, your NIC's initialization sequence,
> > which is where the DHCP request will come, happens before PF is
> > enabled, so you're essentially at a "pass all" sort of a state when
> > the request happens.
> >
> > The one thing to keep in mind is that if you're doing, say, NAT for
> > some clients behind the box, you can use a rule like this to deal
> > with any changes in your dynamic IP
>
> Not in my experience.
>
> I was using a half-bridge modem that had a 30 second lease time, which
> was definitely renewing. It would also give me a private address when
> PPPoA went down, and I saw that happen too.

Are you sure it was a 30 *second* lease time? No sane ISP would set such a low value -- that's a surefire way to overwhelm their DHCP servers. It sounds like either a) there was something misconfigured on one end of the connection (and I make no value judgement as to which end it was, given the lack of evidence), or b) you had an incredibly stupid ISP that I'd like the name of, so that I can avoid them at all costs.

> I added in some early static rules to log all the DHCP packets. IIRC I
> never saw any of the lease renewal packets, just some broadcast
> packets. I asked in this list about it but never got a reply.

What were the rules? I'd be curious to see them.

> I suspect that either DHCP sees the packets directly in some way, or PF
> has some special handling for DHCP. In either case it would make sense
> for PF rules to see the broadcasts, since they might need to be
> bridged.

Given this thread:

http://marc.theaimsgroup.com/?l=openbsd-pf&m=115702991719970&w=2

I'd say that DHCP goes on at a level below PF, at least on OpenBSD (which, again, should be largely similar, if not identical, on FreeBSD). In any case, the OP shouldn't have to do anything special to let DHCP through, especially if he's got something like:

pass out quick on $ext_if proto udp all keep state

in his ruleset, which probably makes sense anyway.

Alex Kirk

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
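A worked pf.conf fragment for the cable-modem setup the thread is about, added here as an illustration; it is not code from the thread or from either poster. It folds in the one rule the message does give (pass out quick on $ext_if proto udp all keep state), adds the NAT rule with the interface name in parentheses, which is pf's way of re-reading a dynamically assigned address on every evaluation so a renewed lease needs no ruleset reload, and adds logged rules for the DHCP client's own traffic so that renewals (if pf sees them at all, which is what the thread is debating) show up on pflog0. The interface names, the LAN prefix and the decision to log are assumptions.

```pf
# pf.conf fragment: uplink gets its address from the cable modem via DHCP.
# Interface names and LAN prefix are assumed values, not from the thread.
ext_if = "xl0"               # cable-modem side (assumed)
int_if = "fxp0"              # LAN side (assumed)
lan_net = "192.168.1.0/24"   # LAN prefix (assumed)

# NAT for the LAN. ($ext_if) in parentheses tells pf to look up the
# interface's current address at evaluation time, so a changed lease
# does not leave stale translations pointing at the old IP.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny with logging, so anything the DHCP client needs must be
# listed explicitly below and anything else shows up on pflog0.
block log all

# Loopback is always fine.
pass quick on lo0 all

# DHCP client on the uplink. Logged so lease renewals are visible.
# The outbound DISCOVER/REQUEST goes 0.0.0.0:68 -> 255.255.255.255:67;
# the OFFER/ACK may come back unicast from the server's own address,
# which does not match a state keyed on the broadcast destination,
# hence the separate inbound rule instead of relying on keep state.
pass out log quick on $ext_if proto udp from any port 68 to any port 67 keep state
pass in  log quick on $ext_if proto udp from any port 67 to any port 68

# General outbound traffic from this box and the NATed LAN.
# The UDP line is the rule quoted in the message above.
pass out quick on $ext_if proto udp all keep state
pass out quick on $ext_if proto tcp all flags S/SA keep state

# LAN side: let clients out, let replies back.
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if all keep state
```

Check the syntax before loading with pfctl -nf /etc/pf.conf, then load with pfctl -f /etc/pf.conf, and watch for the client's DHCP traffic with tcpdump -n -e -ttt -i pflog0 port 67 or port 68. If a renewal happens and nothing appears on pflog0 even with these logged rules in place, that is evidence for the "DHCP goes on at a level below PF" reading of the thread; if the packets do appear, the explicit inbound rule is what keeps the renewal working under a default-deny policy.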