On Fri, Feb 13, 2004 at 01:55:07AM -0800, Jason wrote:
> I guess limiting dhcpd wouldn't be the best thing, but improving pf. Is
> anyone working on adding such a feature to pf to make it block these kinds of
> requests? Seems like it'd be helpful. Otherwise, seems like that's somewhat
> of a security hole.
It's not a security hole, but rather an intentional design decision; you just have to know about it. bpf listeners on the firewall see traffic unfiltered. Also, pf filters on the IP level, so any traffic below that level (ethernet, other protocols) is just not affected by pf. I think other packet filters operate the same way, so this shouldn't come as a surprise. If bpf saw packets only after filtering, debugging (usually done with tcpdump through bpf) would become nearly impossible. And the fact that you see packets before they get dropped by pf with tcpdump should make it obvious that other bpf listeners work the same way. Not that you should necessarily run bpf listeners on the firewall itself, if you don't trust them...

Daniel
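As an added illustration of the point above (not part of the original thread), here is a pf.conf fragment that blocks DHCP on the outside interface, together with the checks that show why the block does not protect dhcpd: the interface names em0 (external) and em1 (internal) are assumptions, and the rule syntax follows pf.conf(5) and tcpdump(8) as shipped with OpenBSD.

```pf
# /etc/pf.conf (excerpt, constructed for this example)
ext_if = "em0"   # untrusted side; assumed name
int_if = "em1"   # LAN where dhcpd should answer; assumed name

# Drop DHCP client->server traffic arriving on the outside interface and
# log it so the drop can be confirmed on pflog0.  pf works on IP packets,
# so this decides only what the IP stack sees, not what bpf sees.
block in log quick on $ext_if inet proto udp from any port 68 to any port 67

# Allow DHCP from the LAN only.
pass  in      quick on $int_if inet proto udp from any port 68 to any port 67

# Checks (run as root on the firewall; comments, not pf syntax):
#
#   tcpdump -n -e -ttt -i pflog0 port 67
#       shows the DHCP requests pf dropped on em0 -- the rule works.
#
#   tcpdump -n -i em0 port 67
#       shows the very same requests, because tcpdump opens a bpf
#       descriptor on em0 and bpf hands out frames before pf runs.
#       dhcpd opens bpf on every interface it is told to serve, so it
#       would see them too.
#
# Mitigation that the pf rule cannot provide: make the bpf listener
# itself ignore the untrusted interface by naming only the LAN
# interface(s) when starting it, e.g.
#
#   dhcpd em1
#
# rather than letting it attach to all interfaces.  The same reasoning
# applies to any other bpf-based daemon you choose to run on the firewall.
```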