Gotcha, I guess I learn something new every day.

So the danger is really running a layer 2 daemon on the same interface as pf 
and trying to filter it.  I guess this would serve as a solution for the time 
being,  I'll tell dhcpd to not listen on rl1, and then:

rdr on rl1 proto udp from any to 10.0.1.0/24 port 67 -> 10.0.0.1 port 67

That seems like it would effectively forward only dhcp server requests to rl0, 
and should be able to filter and fine-tune.  I'll try this out tonight, 
hopefully will work.

Thanks for the help and info guys.  Appreciate it.

Jason

-------Original Message-----
From: Can Erkin Acar
Sent: Friday 13 February 2004 03:05
To: Jason
Subject: Re: PF block arp dhcp requests?

On Fri, Feb 13, 2004 at 01:55:07AM -0800, Jason wrote:
> I see, so if dhcpd and pf weren't sharing the same interface, then I
> wouldn't have this problem.
>
> I guess limiting dhcpd wouldn't be the best thing, but improving pf.  Is
> anyone working on adding such a feature to pf to make it block these kinds
> of requests?  Seems like it'd be helpful.  Otherwise, seems like that's
> somewhat of a security hole.

As Daniel pointed out, not filtering bpf is a design decision.
When an application needs to use bpf, that means, it has requirements
beyond normal ip-networking capabilities, so bpf filtering would require
a different kind of interface/syntax, and would not really mix well with pf.

Given that decision, we are aware of the risks of bpf, and are actively
working on reducing these risks. The bpf interface was recently
made safe for use in non-privileged programs, and as a result pflogd and
tcpdump both run privilege-separated in -current. Work is in progress
about making dhclient and dhcpd privilege separated.

Can
