--- On Mon, 1/28/13, Andres Perera <andre...@zoho.com> wrote: > more than that, really, why should you or anybody care > > using bpf or not should be an implementation detail. no one should > be making decisions as far as their pf config goes based upon > whether dhclient uses bpf or not
Thanks for your comments on the source code. I briefly looked thru /usr/src/sbin/dhclient, but there were 6289 lines of *.c code there. I'm not that familiar with networking code so there was too much for me to easily comprehend. I agree that bpf is simply an implementation technique; I don't really care *how* dhclient does what it does. But I want to understand the required pf rules for two reasons: 1) there have been people who have said (e.g. in the thread I quoted): "Using DHCP is not possible, pf block it, and i don't understand why" Missing pf rules are one reason why dhcp would fail. Many people search for similar problems years later; I don't want them to be confused as I was. 2) This is the important one for me. I want to be a "good Internet citizen". So I try to write my pf rules to be as restrictive as possible. I want to keep machines behind my firewall from being "bad Internet citizens". Right now my outgoing UDP below port 1024 is restricted to ports domain, kerberos, and ntp. I will add dhcp to that list. I know I'm being a little quixotic (or perhaps pedantic) here. If there's a misbehaving machine behind my firewall, I don't think that restricting its UDP ports is going to make a whole lot of difference to the Internet at large. But I'm trying to do what I can.