On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé <oliv...@cochard.me> wrote:
> On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans <wi...@offermans.rompen.nl> wrote:
>
>> Hello Luigi and FreeBSD friends,
>>
>> I do top posting.
>>
>> So there might be a chance that something slips through the firewall
>> between the start of the firewall and after the bpf traffic of dhclient.
>> Once the NIC is configured, traffic is possible in principle.
>> Would it be better to start the bpf traffic of dhclient after the firewall
>> runs? In the latter case, all will or can work as expected. If yes, how
>> should this be set? Should one set
>>
>> REQUIRE: firewall
>>
>> in /etc/rc.d/dhclient? But there seems to be no firewall daemon present.
>> So I'm not sure how this should work.
>>
>
> I believe that when Luigi says "that acts before the firewall has a chance
> to see the packets", he was not speaking of the RC script order, but about
> the FreeBSD network stack layer order.
> Do you confirm, Luigi?
>

Correct, it's not a matter of time but of placement of the modules in the stack. Injection through bpf goes just above the device driver, so there is no chance to see bpf-generated packets. For incoming traffic, bpf sees a copy, so the original still goes through the stack, but if you want to see it with ipfw you should probably enable layer2 firewalling.

cheers
luigi

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
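As an added example (not code from the thread or from the FreeBSD project), here is the layer-2 ipfw setup Luigi points to, built as a reviewable rule list for one interface so that incoming DHCP replies become visible to ipfw; the interface name em0, the rule numbers and the trusted DHCP server address 192.0.2.1 are assumed placeholders.

```shell
#!/bin/sh
# Added example: enable ipfw layer-2 firewalling so the DHCP replies that bpf
# sees a copy of are also inspected by ipfw on their way up the stack.
# Interface, rule numbers and server address below are constructed placeholders.

# Emit the commands as text so the set can be reviewed before being run as root.
dhcp_l2_rules() {
    iface="$1"          # interface dhclient runs on, e.g. em0
    dhcp_server="$2"    # address of the DHCP server replies are expected from
    cat <<EOF
sysctl net.link.ether.ipfw=1
ipfw add 100 allow udp from $dhcp_server 67 to any 68 in layer2 via $iface
ipfw add 110 deny log udp from any 67 to any 68 in layer2 via $iface
ipfw add 120 allow layer2 mac-type arp
ipfw add 130 allow layer2 mac-type ip
EOF
}
# Rule 100 admits replies from the expected server at layer 2; rule 110 logs
# and drops DHCP replies from any other source (a rogue server shows up in the
# ipfw log); 120 keeps ARP working; 130 hands every other IP frame on to the
# normal layer-3 rules, so the existing ruleset is otherwise unaffected.

# Number of ipfw rules the generator produces, as a sanity check.
dhcp_l2_rule_count() {
    dhcp_l2_rules "$1" "$2" | grep -c '^ipfw add'
}

# Apply only on explicit request and only where ipfw exists; otherwise print.
if [ "${APPLY:-0}" = 1 ] && command -v ipfw >/dev/null 2>&1; then
    dhcp_l2_rules "${IFACE:-em0}" "${DHCP_SERVER:-192.0.2.1}" | sh -e
else
    dhcp_l2_rules "${IFACE:-em0}" "${DHCP_SERVER:-192.0.2.1}"
fi
```

Run with `APPLY=1 IFACE=em0 DHCP_SERVER=<server> sh script.sh` as root on the FreeBSD host to apply; note that, as Luigi says, the packets dhclient itself injects through bpf are still not seen.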