Tim Bradshaw wrote:
A more important question is DHCP. This box is a DHCP server for its
untrusted network, and I spent a long time trying variations of a rule
like:
pass in quick on elxl1 proto udp from any port = bootpc to any port = bootps keep state group 20
...
pass out quick on elxl1 proto udp from any port = bootps to any port = bootpc group 21
Is that the right approach to doing DHCP, or is there something I'm
missing?
You're right, keep state won't work for the initial request. You could
do something like:
pass in quick on elxl1 proto udp from any port = bootpc to any port = bootps keep state group 20
pass out quick on elxl1 proto udp from any port = bootps to 255.255.255.255/32 port = bootpc group 21
DHCP requests sent to the server directly would get replies via keep
state. Broadcast DHCP requests would get replies via the explicit out
rule. It's slightly tighter, which is what you seem to want.
--
Carson
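As an added illustration, not part of the thread, here is a simplified Python model of how the two rules in the reply treat a DHCP conversation: keep state records the inbound request's 4-tuple and only passes the exact reverse tuple outbound, which is why a broadcast DHCPOFFER needs the explicit group 21 rule. The server address 192.0.2.1 and client address 192.0.2.50 are constructed sample values.

```python
from dataclasses import dataclass

BOOTPS, BOOTPC = 67, 68
BROADCAST = "255.255.255.255"
# Constructed sample addresses; not from the thread.
SERVER, CLIENT = "192.0.2.1", "192.0.2.50"

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to elxl1
    src: str
    sport: int
    dst: str
    dport: int

class IpfModel:
    """Simplified model of the two rules in the reply. 'keep state' on the
    inbound rule records the request's 4-tuple; an outbound packet passes on
    state only if it is the exact reverse of a recorded tuple."""
    def __init__(self, broadcast_out_rule=True):
        self.broadcast_out_rule = broadcast_out_rule
        self.state = set()

    def filter(self, p):
        if p.direction == "out":
            # State lookup: reply dst/dport must equal request src/sport
            # and reply src/sport must equal request dst/dport.
            if (p.dst, p.dport, p.src, p.sport) in self.state:
                return "pass:state"
            if (self.broadcast_out_rule and p.sport == BOOTPS
                    and p.dport == BOOTPC and p.dst == BROADCAST):
                return "pass:group21"
        elif p.sport == BOOTPC and p.dport == BOOTPS:
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "pass:group20"
        return "block"

def run_exchange(broadcast_out_rule=True):
    """Return the verdict for each packet of a typical DHCP conversation."""
    fw = IpfModel(broadcast_out_rule)
    packets = [
        Packet("in", "0.0.0.0", BOOTPC, BROADCAST, BOOTPS),  # DHCPDISCOVER
        Packet("out", SERVER, BOOTPS, BROADCAST, BOOTPC),    # DHCPOFFER
        Packet("in", CLIENT, BOOTPC, SERVER, BOOTPS),        # unicast renew
        Packet("out", SERVER, BOOTPS, CLIENT, BOOTPC),       # DHCPACK
        Packet("out", SERVER, BOOTPS, CLIENT, 5000),         # unrelated udp
    ]
    return [fw.filter(p) for p in packets]

if __name__ == "__main__":
    for verdict in run_exchange():
        print(verdict)
```

Running with broadcast_out_rule=False reproduces the problem in the question: the DHCPOFFER is blocked because its source is the server's own address rather than 255.255.255.255, so it never matches the reversed state entry, while the unicast renewal still passes on state alone.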