Why doesn't ipfw filter or log DHCP packets?
I'm using a pretty simple configuration.

My rc.conf:

    ifconfig_sis0="DHCP"
    firewall_enable="YES"
    firewall_logging="YES"
    firewall_script="/etc/ipfw.rules"

My /etc/ipfw.rules:

    #!/bin/sh
    fwcmd="/sbin/ipfw -q"
    ${fwcmd} -f flush
    ${fwcmd} add pass ip from any to any via lo0
    ${fwcmd} add deny log ip from any to any

But after a reboot this machine is still able to get an IP address by DHCP, and nothing (related to DHCP) is logged on the firewall:

    [root@wrap]~# ifconfig sis0
    sis0: flags=8843 metric 0 mtu 1500
            options=83808
            ether 00:0d:b9:02:76:58
            inet 192.168.100.68 netmask 0xff00 broadcast 192.168.100.255
            media: Ethernet autoselect (100baseTX )
            status: active

    [root@wrap]~# ipfw show
    00100    0    0 allow ip from any to any via lo0
    00200    4 1631 deny log ip from any to any
    65535    0    0 deny ip from any to any

    [root@wrap]~# cat /var/log/security
    Jan 1 01:16:45 wrap newsyslog[923]: logfile first created
    Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
    Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0

I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.

Are DHCP packets excluded from the filtering/logging engine of ipfw?

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: Why doesn't ipfw filter or log DHCP packets?
Hi.

Have the same problem, but with wlan. With a rule like the one below

    ipfw add deny log all from any to any

I do not see any packets in "ipfw -d show" output. The LAN behind the wlan interface gets an IP address, but the Internet is blocked, of course.

Vitaliy

--- Original Message ---
From: "Olivier Cochard-Labbé"
Date: 5 January 2015, 12:33:46

> I'm using a pretty simple configuration:
> [...]
> Are DHCP packets excluded from the filtering/logging engine of ipfw?
Re: Why doesn't ipfw filter or log DHCP packets?
Hello Olivier and FreeBSD friends,

On Mon, Jan 05, 2015 at 11:33:18AM +0100, Olivier Cochard-Labbé wrote:
> I'm using a pretty simple configuration:
> [...]
> Are DHCP packets excluded from the filtering/logging engine of ipfw?

I guess that the dhcp daemon is started before the firewall is started or, better, before the firewall rules are applied.

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

* W.K. Offermans
  Home:   +31 45 544 49 44
  Mobile: +31 681 15 87 68
  Mobile: +49 1575 414 60 55
  e-mail: wi...@offermans.rompen.nl
Re: Why doesn't ipfw filter or log DHCP packets?
dhclient uses bpf to send and receive traffic, and that acts before the firewall has a chance to see the packets.

There is a chance that incoming packets are also passed to the network stack, but they are probably discarded before the firewall because the interface does not have an address yet.

cheers
luigi

On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé wrote:
> I'm using a pretty simple configuration:
> [...]
> Are DHCP packets excluded from the filtering/logging engine of ipfw?

--
-+---
Prof. Luigi RIZZO, ri...@iet.unipi.it . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/      . Universita` di Pisa
TEL +39-050-2211611                  . via Diotisalvi 2
Mobile +39-338-6809875               . 56122 PISA (Italy)
-+---
Re: Why doesn't ipfw filter or log DHCP packets?
Hello Luigi and FreeBSD friends,

I do top posting.

So there might be a chance that something slips through the firewall between the start of the firewall and after the bpf traffic of dhclient. Once the NIC is configured, traffic is possible in principle. Would it be better to start the bpf traffic of dhclient after the firewall runs? In the latter case, all will or can work as expected. If yes, how should this be set? Should one set

    REQUIRE: firewall

in /etc/rc.d/dhclient? But there seems to be no firewall daemon present. So I'm not sure how this should work.

On Mon, Jan 05, 2015 at 01:04:58PM +0100, Luigi Rizzo wrote:
> dhclient uses bpf to send and receive traffic,
> and that acts before the firewall has a chance
> to see the packets.
>
> There is a chance that incoming packets are
> also passed to the network stack, but they
> are probably discarded before the firewall
> because the interface does not have an address yet.
>
> cheers
> luigi
>
> On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé wrote:
> > [...]

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

* W.K. Offermans
Re: Why doesn't ipfw filter or log DHCP packets?
On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans wrote:
> Hello Luigi and FreeBSD friends,
>
> I do top posting.
>
> So there might be a chance that something slips through the firewall
> between the start of the firewall and after the bpf traffic of dhclient.
> Once the NIC is configured, traffic is possible in principle.
> Would it be better to start the bpf traffic of dhclient after the firewall
> runs? In the latter case, all will or can work as expected. If yes, how
> should this be set? Should one set
>
>     REQUIRE: firewall
>
> in /etc/rc.d/dhclient? But there seems to be no firewall daemon present. So
> I'm not sure how this should work.

I believe that when Luigi says "that acts before the firewall has a chance to see the packets", he was not speaking of the RC script order, but about the FreeBSD network stack layer order.
Do you confirm, Luigi?

Because I've tried to fix ipfw's RC script order by changing:

- /etc/rc.d/ipfw: replaced "REQUIRE: ppp" with "REQUIRE: FILESYSTEMS" (like /etc/rc.d/ipfilter)
- /etc/rc.d/netif: added "ipfw" to the REQUIRE list

But no change: DHCP is still allowed.

Then, why are there specific DHCP-client rules in the /etc/rc.firewall script (like in WORKSTATION mode) if they are useless?
Re: Why doesn't ipfw filter or log DHCP packets?
On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé wrote:
> On Mon, Jan 5, 2015 at 1:28 PM, Willy Offermans wrote:
>> [...]
>
> I believe that when Luigi says "that acts before the firewall has a chance
> to see the packets", he was not speaking of the RC script order, but about
> the FreeBSD network stack layer order.
> Do you confirm, Luigi?

Correct, it's not a matter of time but of placement of the modules in the stack. Injection through bpf goes just above the device driver, so there is no chance to see bpf-generated packets.

For incoming traffic, bpf sees a copy, so the original still goes through the stack, but if you want to see it with ipfw you should probably enable layer2 firewalling.

cheers
luigi
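The thread never shows how to confirm from the log itself whether DHCP traffic reached the layer-3 rules. The following is an added example, not code from the thread or from FreeBSD, that parses ipfw log lines in the layout seen in Olivier's /var/log/security output and flags the symptom discussed here: an interface that obtained a lease while no UDP 67/68 traffic was ever logged on it, which is what bpf injection above the firewall looks like from the log's side. The sample lines are constructed (the two real entries from the thread plus one made-up DHCP line); the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Layout of a TCP/UDP ipfw log entry as shown in the thread, e.g.
#   "... kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0"
# ICMP and other protocols use a different layout and are deliberately not matched.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<ifname>\S+)"
)

DHCP_PORTS = {67, 68}  # bootps (server) / bootpc (client)


@dataclass
class IpfwLogEntry:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    ifname: str


def parse_line(line: str) -> Optional[IpfwLogEntry]:
    """Parse one syslog line; None for lines that are not TCP/UDP ipfw hits."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return IpfwLogEntry(int(m["rule"]), m["action"], m["proto"], m["src"],
                        int(m["sport"]), m["dst"], int(m["dport"]),
                        m["direction"], m["ifname"])


def dhcp_hits(lines: Iterable[str], ifname: str) -> List[IpfwLogEntry]:
    """UDP entries on ifname with a DHCP port on either side, in either direction."""
    hits: List[IpfwLogEntry] = []
    for line in lines:
        e = parse_line(line)
        if e and e.ifname == ifname and e.proto == "UDP" and DHCP_PORTS & {e.sport, e.dport}:
            hits.append(e)
    return hits


def audit_dhcp_visibility(lines: Iterable[str], ifname: str, lease_obtained: bool) -> str:
    """'bypassed': lease obtained but ipfw logged no DHCP on ifname (the thread's symptom)."""
    if dhcp_hits(lines, ifname):
        return "seen"
    return "bypassed" if lease_obtained else "absent"


# Constructed sample: the two real entries from the thread plus a newsyslog line.
SAMPLE_LOG = [
    "Jan 1 01:16:45 wrap newsyslog[923]: logfile first created",
    "Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0",
    "Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0",
]
# Constructed line showing what a logged DHCP hit would look like if a rule did see it.
DHCP_LINE = "Jan 1 01:17:20 wrap kernel: ipfw: 200 Deny UDP 0.0.0.0:68 255.255.255.255:67 out via sis0"
```

Run against the thread's own log the audit reports "bypassed" for sis0, matching what Olivier observed; once layer-2 filtering is enabled as Luigi suggests (on FreeBSD that is the sysctl net.link.ether.ipfw=1, which the thread does not name), DHCP hits should start to show up and the verdict flips to "seen".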
Re: Why doesn't ipfw filter or log DHCP packets?
On 1/5/15 9:51 PM, Luigi Rizzo wrote:
> On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé wrote:
>> I believe that when Luigi says "that acts before the firewall has a chance
>> to see the packets", he was not speaking of the RC script order, but about
>> the FreeBSD network stack layer order.
>> Do you confirm, Luigi?
>
> Correct, it's not a matter of time but of placement of the modules in the
> stack. Injection through bpf goes just above the device driver, so there is
> no chance to see bpf-generated packets.
>
> For incoming traffic, bpf sees a copy, so the original still goes through
> the stack, but if you want to see it with ipfw you should probably enable
> layer2 firewalling.

The ordering of the various "special" packet intercepts has always been an 'unsolved problem'.
Packets may be intercepted by several different agents in the networking code.

There are (at least):

    bpf/tcpdump
    divert
    netgraph
    ipfw/pf/ipf
    if_bridge
    vlan handling

And maybe others I didn't think of in the 20 seconds it took to write this.
Each of these has an equivalent outgoing injection point as well.

It is possible to make arguments for several different orders in which packets should hit these.
For example: it makes perfect sense for tcpdump to see everything on the wire regardless of what else is going on; however, it may also make sense to filter what gets to dhclient. Unfortunately, they both use the same way of getting packets.

Maybe the answer is to change dhclient to use a different method. When it was originally done only bpf existed.

> cheers
> luigi