On 7/4/23 11:51, Mark wrote:
Hi again, thanks for your detailed and very informative reply, Zack.

Much appreciated!

I wanted to re-try the fact (memories), on FreeBSD 13.2-RELEASE-p1;

I removed the pass line from my pf.conf;
"pass log quick on $ext_if proto udp from any to any port = 67"

reloaded PF, then dmesg -a showed;

Jul  4 04:59:09 myhost dhclient[18366]: send_packet: Permission denied
Jul  4 04:59:33 myhost syslogd: last message repeated 3 times
Jul  4 05:01:43 myhost syslogd: last message repeated 4 times
Jul  4 05:11:29 myhost syslogd: last message repeated 18 times
Jul  4 05:20:11 myhost syslogd: last message repeated 10 times

I then enabled the line again:
"pass log quick on $ext_if proto udp from any to any port = 67"

Restarted pf.

The "dhclient: send_packet: Permission denied" messages were gone,
disappeared from "dmesg -a" output, and it wasn't produced anymore.

I tried this, again and again. Obviously PF blocks something.

Just my two cents..

That does indeed appear to refute my claim about FreeBSD. I am now
curious. I know pf in FreeBSD has diverged quite a bit from pf in
OpenBSD, so maybe that is relevant. Here is the @misc thread I was
referring to FYI:

https://marc.info/?l=openbsd-misc&m=167283774627269&w=2

If you are willing to entertain me, can you have pf.conf(5) contain
the following (and only the following):

set block-policy drop
set skip on lo
ext_if = <interface_name>
pass out quick on $ext_if inet proto udp to port 67
pass in quick on $ext_if inet proto udp to port 68
block quick

Does dhclient work fine? If so, after removing the two pass lines what
does the following write:

tcpdump -ntt -i <interface_name> -w pkts.dat 'udp and ip and (dst port 67 or dst port 68)' &

Obviously verify the syntax and semantics align with tcpdump on OpenBSD
first. Make sure you restart dhclient after you run the above command.

Feel free to continue this privately in the interest of not flooding
@misc especially since this now concerns an entirely different OS.

Zack
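As an added example, not code from the thread or from either poster: a small standard-library Python reader for the pkts.dat file that the tcpdump command above writes. It lists every UDP packet sent to port 67 or 68 with its addresses, BOOTP op code, transaction id and DHCP message type, so one can tell at a glance whether dhclient's DISCOVER ever reached the wire once the two pass rules are removed. The capture it parses when run without arguments is constructed in-line (zeroed checksums, made-up MAC, xid and timestamp); pass the path of a real capture as the first argument to read that instead. It assumes the little-endian Ethernet (DLT_EN10MB) pcap format that tcpdump -w produces on common hardware.

```python
"""Summarise DHCP/BOOTP packets from a tcpdump -w capture (added example)."""
import socket
import struct
import sys

PCAP_MAGIC_LE = 0xA1B2C3D4      # little-endian classic pcap magic
LINKTYPE_ETHERNET = 1           # DLT_EN10MB
DHCP_COOKIE = b"\x63\x82\x53\x63"
BOOTP_OPS = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}


def parse_bootp(payload):
    """Return (op, xid, DHCP message type or None) from a BOOTP/DHCP payload."""
    if len(payload) < 236:          # fixed BOOTP header is 236 bytes
        return None
    op = payload[0]
    xid = struct.unpack_from("!I", payload, 4)[0]
    msg_type = None
    if payload[236:240] == DHCP_COOKIE:
        i = 240
        while i + 1 < len(payload):
            code = payload[i]
            if code == 255:         # end option
                break
            if code == 0:           # pad option
                i += 1
                continue
            length = payload[i + 1]
            if code == 53 and length == 1:   # DHCP message type option
                msg_type = payload[i + 2]
            i += 2 + length
    return op, xid, msg_type


def summarise_dhcp(pcap_bytes):
    """Walk a little-endian Ethernet pcap and summarise packets to UDP port 67/68."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file")
    if struct.unpack_from("<I", pcap_bytes, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("example handles Ethernet (DLT_EN10MB) captures only")
    records = []
    off = 24                        # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:
            continue                # not UDP
        udp = ip[ihl:]
        sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
        if dport not in (67, 68):
            continue
        parsed = parse_bootp(udp[8:ulen])
        records.append({
            "ts": ts_sec,
            "src": f"{socket.inet_ntoa(ip[12:16])}:{sport}",
            "dst": f"{socket.inet_ntoa(ip[16:20])}:{dport}",
            "op": BOOTP_OPS.get(parsed[0], "?") if parsed else None,
            "xid": f"0x{parsed[1]:08x}" if parsed else None,
            "type": DHCP_TYPES.get(parsed[2], "(no option 53)") if parsed else None,
        })
    return records


def build_discover_pcap(xid=0x3903F326):
    """Construct a one-packet pcap holding a DHCPDISCOVER (constructed sample, zero checksums)."""
    chaddr = b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10   # made-up client MAC
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,
                        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    bootp += DHCP_COOKIE + bytes([53, 1, 1, 255])        # option 53 = DISCOVER, then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("0.0.0.0"), socket.inet_aton("255.255.255.255")) + udp
    frame = b"\xff" * 6 + chaddr[:6] + b"\x08\x00" + ip
    pcap = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    pcap += struct.pack("<IIII", 1688446749, 0, len(frame), len(frame)) + frame
    return pcap


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_discover_pcap()
    for rec in summarise_dhcp(data):
        print(rec)
```

When run against a real pkts.dat, an empty result while dhclient is logging "send_packet: Permission denied" means the outgoing DISCOVER was stopped before leaving the host, which is what the thread is trying to establish; a DISCOVER with no matching OFFER points at the inbound rule instead.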
