On Wed, Aug 14, 2002 at 04:57:41PM -0500, taproot420 wrote:
[snip]

> We have noticed that on some systems where we are using a packet filter,
> if you set up a firewall that blocks UDP port 67 and 68 entirely,
> packets sent through the packet filter will not be blocked. However,
> unicast packets will be blocked. This can result in strange behaviour,
> particularly on DHCP clients, where the initial packet exchange is
> broadcast, but renewals are unicast - the client will appear to be
> unable to renew until it starts broadcasting its renewals, and then
> suddenly it'll work. The fix is to fix the firewall rules as described
> above. 

Actually, if these are the only rules you have, you will end up with a
situation exactly like this where the DHCP client cannot reach the
server to renew.

> pass out quick on sis0 proto udp from 12.242.18.34/32 port = 67 to any
> port = 68

Is this documented as the only DHCP server for your ISP? They may move
it around or have multiple DHCP servers alive at once.

> On my bridge only the sis0 interface is filtered; this is why I have
> bi-directional rules on the sis0 interface. sis1 is unfiltered because this
> is my snort interface; if I want to see all the attacks at my network I
> need to leave this open.

No, you don't. Packets go through the bpf(4) device before hitting
IPFilter. snort will see everything regardless of IPF rules on the
interface on which it listens.
-- 
Crist J. Clark                     |     [EMAIL PROTECTED]
                                   |     [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/    |     [EMAIL PROTECTED]
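The renewal failure described above comes from the DHCP client's two traffic patterns: at lease start it sends from 0.0.0.0 to 255.255.255.255 (UDP 68 -> 67) and the server's OFFER/ACK may also be broadcast, while renewals are unicast from the client's leased address straight to the server's address. A rule set that only passes the one known server address, or only broadcast, will let one of those exchanges through and drop the other. The following IPFilter fragment is an added example, not taken from the thread or from either poster's configuration; it assumes sis0 is the filtered interface (as in the quoted rule) and uses the same pass/in/out/quick/proto/port syntax the poster used. The server address is deliberately left as `any` so that a server move or a second server does not break renewals:

```conf
# DHCP client on sis0 -- added example, not the original poster's rules.
# Client -> server: covers both the initial broadcast
# (0.0.0.0 -> 255.255.255.255) and later unicast renewals
# (leased-address -> server-address), so no source/destination
# addresses are pinned here.
pass out quick on sis0 proto udp from any port = 68 to any port = 67

# Server -> client: OFFER/ACK may arrive broadcast (to 255.255.255.255)
# or unicast (to the leased address); the renewal ACK is always unicast.
# No state is kept on the outbound rule because the reply to a
# broadcast request comes back from a different address pair than the
# one the state entry would record.
pass in quick on sis0 proto udp from any port = 67 to any port = 68

# Everything else on sis0 stays subject to the block rules that follow.
block in quick on sis0 proto udp from any to any port = 67
block in quick on sis0 proto udp from any to any port = 68
```

If the server address must be pinned, pin it only on the inbound rule (`from 12.242.18.34/32 port = 67`), keep the outbound rule open to `any`, and expect renewals to stop the day the ISP moves the server. Note also that, as the reply explains, none of this affects what snort sees: bpf(4) taps the interface before IPFilter evaluates the rules, so filtering sis0 does not hide traffic from a snort instance listening on it.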
