Hi, for some reason my OpenBSD 4.4 firewall is able to negotiate a
DHCP request although there are no rules that allow this operation.
If I issue 'dhclient vr0' I get the following:
$sudo dhclient vr0
DHCPREQUEST on vr0 to 255.255.255.255 port 67
DHCPACK from 190.18.xx.yy
bound to 190.18.xx.yy -- renewal in 10628 seconds.
Here's my testing ruleset (I've flushed everything before loading it):
### MACROS ###
extif = "vr0"
intif = "vr1"
loop = "lo0"
### OPTIONS ###
set block-policy return
set loginterface $extif
set skip on $loop
### SCRUB ###
scrub in on $extif all fragment reassemble min-ttl 15 max-mss 1400 no-df
scrub out on $extif all fragment reassemble random-id no-df
### PACKET FILTERING RULES ###
antispoof log quick for { $extif $intif $loop }
block log all
##### HOST:::PFIRE #####
# VR1:INBOUND:TCP
pass in on $intif inet proto tcp from $intif:network to 192.168.1.1 port 22
(EOF)
So, why isn't the broadcast blocked by 'block all'?
Thanks for answering (probably) this silly question.
JC.
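Added example, not part of JC's post: on OpenBSD, dhclient(8) sends and receives its DHCP packets through bpf(4), and packets injected or captured at the bpf layer do not traverse pf, so a 'block all' ruleset never gets a chance to see them. The fragment below, written against the $extif macro from the ruleset above, states explicitly what the firewall's own DHCP client would need if the traffic did pass through pf; the source and destination addresses are left as 'any' because the initial DHCPDISCOVER goes from 0.0.0.0 to 255.255.255.255 and the offering server is not known in advance.

```pf
# Added example (not from the original post): explicit DHCP client rules
# for the firewall's external interface. Assumes the extif macro and the
# default block rule from the ruleset above.
extif = "vr0"

block log all

# Client -> server: DHCPDISCOVER/DHCPREQUEST, UDP source port 68 to port 67.
# Left as 'any' because the client has no address yet and may broadcast.
pass out quick on $extif inet proto udp from any port 68 to any port 67

# Server -> client: DHCPOFFER/DHCPACK, UDP source port 67 to port 68.
pass in quick on $extif inet proto udp from any port 67 to any port 68
```

Load it with 'pfctl -f /etc/pf.conf', run 'dhclient vr0' again, and then look at the per-rule counters with 'pfctl -vsr'. If the lease is obtained while the counters on the two DHCP pass rules stay at zero, the exchange did not go through pf at all; 'tcpdump -n -e -ttt -i pflog0' will likewise show nothing on ports 67/68 from the logging block rule, which is the bpf path described in the lead-in.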