I don't know about it being the only one, but it's the only one I have seen showing up in the lease on any machine I have used DHCP on for about 3 mo.

"Actually, if these are the only rules you have, you will end up with a situation exactly like this where the DHCP client cannot reach the server to renew."

Remember, pass "OUT" on the sis0 interface, on this bridge, is from the internet, so the rule

    pass out quick on sis0 proto udp from 12.242.18.34/32 port = 67 to any port = 68

...lets the DHCP server with IP address 12.242.18.34 communicate with the box and renew its lease. Before I had this rule, the internet connection would go down after 12 or so hrs. The box has been up now for about 3 days, with the same IP, and is still kicking.

    pass out quick on sis0 proto udp from 12.242.18.34/32 port = 67 to any port = 68
    # pass in is coming from the inside, which is connected - via crossover cable - to the xl1 interface of the nat/rtr which is broadcasting the dhcp discovery.
    pass in quick on sis0 proto udp from 0.0.0.0 to 255.255.255.255 port = 67 keep state

All I can say is the rules are working fine here. Now if my ISP DHCP server mentioned above goes down or they change IPs or something I will have a problem. I would rather spend 10-15 mins, if this ever happened, and figure out the new IP or whatever had to be done than allow any IP to broadcast DHCP UDP packets.

Anyway, thanks for the advice on snort. I thought if you filtered the interface for ex. drop scans, telnet etc... and someone tried, snort would not see it. Thanks for the advice.

-----Original Message-----
From: Crist J. Clark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 14, 2002 5:25 PM
To: taproot420
Cc: 'James A. Robbins'; [EMAIL PROTECTED]
Subject: Re: cant get dhcp to pass through bridge. ! please help

On Wed, Aug 14, 2002 at 04:57:41PM -0500, taproot420 wrote:

[snip]

> We have noticed that on some systems where we are using a packet filter,
> if you set up a firewall that blocks UDP port 67 and 68 entirely,
> packets sent through the packet filter will not be blocked. However,
> unicast packets will be blocked. This can result in strange behaviour,
> particularly on DHCP clients, where the initial packet exchange is
> broadcast, but renewals are unicast - the client will appear to be
> unable to renew until it starts broadcasting its renewals, and then
> suddenly it'll work. The fix is to fix the firewall rules as described
> above.

Actually, if these are the only rules you have, you will end up with a situation exactly like this where the DHCP client cannot reach the server to renew.

> pass out quick on sis0 proto udp from 12.242.18.34/32 port = 67 to any
> port = 68

Is this documented as the only DHCP server for your ISP? They may move it around or have multiple DHCP servers alive at once.

> On my bridge only the sis0 interface is filtered this is why I have
> bi-directional on the sis0 interface as sis1 is unfiltered because this
> is my snort interface; if I want to see all the attacks at my network I
> need to leave this open.

No, you don't. Packets go through the bpf(4) device before hitting IPFilter. snort will see everything regardless of IPF rules on the interface on which it listens.

--
Crist J. Clark | [EMAIL PROTECTED] | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/ | [EMAIL PROTECTED]
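A small model of how the two ipf rules in this thread treat the LAN-side broadcast discovery versus the server's unicast reply to a renewal, added here as an illustration (not code from the thread or from IPFilter). It assumes the post's direction convention (pass "out" on sis0 = traffic from the Internet side), that every rule is "quick" with a default block, and constructed client (203.0.113.10) and second-server (198.51.100.5) addresses; "keep state" is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Direction follows the bridge convention from the post: "out" on sis0 is
# traffic arriving from the Internet side, "in" is traffic from the LAN side.
@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    src: str               # CIDR, or "any"
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt: Packet) -> str:
    """All rules are 'quick': first match wins; anything unmatched is blocked."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"

# The two rules from the post: the LAN-side broadcast rule and the server-to-client renewal rule.
BROADCAST_RULE = Rule("pass", "in", "0.0.0.0/32", None, "255.255.255.255/32", 67)
RENEWAL_RULE = Rule("pass", "out", "12.242.18.34/32", 67, "any", 68)
BROADCAST_ONLY = [BROADCAST_RULE]              # the "only these rules" situation
WITH_RENEWAL = [RENEWAL_RULE, BROADCAST_RULE]  # the post's working set

# Constructed sample traffic; 203.0.113.10 stands in for the leased client address.
DISCOVER = Packet("in", "0.0.0.0", 68, "255.255.255.255", 67)              # initial broadcast
RENEW_ACK = Packet("out", "12.242.18.34", 67, "203.0.113.10", 68)          # unicast DHCPACK on renewal
OTHER_SERVER_ACK = Packet("out", "198.51.100.5", 67, "203.0.113.10", 68)   # ISP moved the server

if __name__ == "__main__":
    print(evaluate(BROADCAST_ONLY, RENEW_ACK), evaluate(WITH_RENEWAL, RENEW_ACK))  # block pass
```

The last packet shows the caveat raised in the thread: pinning the rule to one /32 means a relocated or second ISP server is blocked and the lease will again fail to renew.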
