On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé <[email protected]> wrote:
> On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans <[email protected]> wrote:
>
>> Hello Luigi and FreeBSD friends,
>>
>> I do top posting.
>>
>> So there might be a chance that something slips through the firewall
>> between the start of the firewall and after the bpf traffic of dhclient.
>> Once the NIC is configured, traffic is possible in principle.
>> Would it be better to start the bpf traffic of dhclient after the firewall
>> runs? In the latter case, all will or can work as expected. If yes, how
>> should this be set? Should one set
>>
>> REQUIRE: firewall
>>
>> in /etc/rc.d/dhclient? But there seems to be no firewall daemon present, so
>> I'm not sure how this should work.
>>
>
> I believe that when Luigi says "that acts before the firewall has a chance
> to see the packets", he was not speaking of the RC script order, but about
> the FreeBSD network stack layer order.
> Do you confirm, Luigi?
>

Correct, it's not a matter of time but of placement of the modules in the
stack. Injection through bpf goes just above the device driver, so there is
no chance to see bpf-generated packets. For incoming traffic, bpf sees a
copy, so the original still goes through the stack, but if you want to see
it with ipfw you should probably enable layer2 firewalling.

cheers
luigi
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"
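For readers following the thread: the layer2 firewalling Luigi points at is turned on with the sysctl net.link.ether.ipfw=1, after which every IP packet traverses the ipfw ruleset twice, once as an Ethernet frame (where the "layer2" rule option matches) and once at layer 3. The script below is an added illustration written for this page, not Luigi's or the FreeBSD project's code. It generates a small ruleset that keeps the two passes apart with skipto, lets ARP and inbound DHCP server replies (UDP 67 -> 68) through at layer 2, and optionally loads it. The interface name em0, the rule numbers and the permissive layer-3 section are assumptions to be replaced with your own. Per Luigi's explanation, the frames dhclient injects through bpf on the way out are not seen by ipfw regardless of this setting; the layer2 rules only apply to frames the stack receives.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeBSD project.
# Builds an ipfw ruleset for layer-2 firewalling (net.link.ether.ipfw=1)
# and loads it when run with "apply".  Interface, rule numbers and the
# layer-3 section are assumptions for illustration.
#
#   sh ipfw-layer2.sh          # dry run: print the rules
#   sh ipfw-layer2.sh apply    # as root on FreeBSD: sysctl + ipfw add

LAN_IF="${LAN_IF:-em0}"    # assumption: the NIC dhclient configures

# Ruleset as "number body" lines.  With net.link.ether.ipfw=1 each IP
# packet is evaluated twice, so rules 10-30 dispatch the layer-2 inbound,
# layer-2 outbound and layer-3 passes to separate sections.  "layer2"
# matches only during the Ethernet pass, so rules carrying it can never
# fire during the layer-3 pass, and vice versa for the skipto 3000 rule.
layer2_rules() {
	cat <<EOF
10 skipto 1000 all from any to any layer2 in
20 skipto 2000 all from any to any layer2 out
30 skipto 3000 all from any to any
1000 allow all from any to any mac-type 0x0806 layer2 in via ${LAN_IF}
1010 allow udp from any 67 to any 68 layer2 in via ${LAN_IF}
1020 deny all from any to any layer2 in
2000 allow all from any to any layer2 out
3000 allow ip from any to any
EOF
}
# Rule 1000: ARP (ethertype 0x0806) must be allowed explicitly, because the
# default rule 65535 also applies to non-IP frames once layer-2 firewalling
# is on, and without ARP the DHCP exchange never completes.
# Rule 1010: DHCP server replies to the client, unicast or broadcast.
# Rule 3000: placeholder for the real IP ruleset.

# Number of rules that only match in the Ethernet pass.
count_layer2_rules() {
	layer2_rules | grep -c ' layer2'
}

# Load the rules.  Word splitting of $body is intentional: each word of
# the rule body becomes one argument to ipfw.
apply_rules() {
	sysctl net.link.ether.ipfw=1
	layer2_rules | while read -r num body; do
		# shellcheck disable=SC2086
		ipfw add "$num" $body
	done
}

case "${1:-}" in
	apply) apply_rules ;;
	*)     layer2_rules ;;
esac
```

To make the rules persistent, point firewall_script in /etc/rc.conf at a file containing the ipfw add lines and set net.link.ether.ipfw=1 in /etc/sysctl.conf; check the layer-2 pass with ipfw -a list after a DHCP renewal, where the counters on rules 1000 and 1010 should move while the layer-3 section is unaffected.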
