Re: allow dhcpd with pf
On Tue, 24 Nov 2009 08:38:07 -0700 Theo de Raadt dera...@cvs.openbsd.org wrote:
> Damn right it will.
>
> Where is it written up? In the manual pages.
>
> I can't believe we are here in 2009 and people still believe they can get away with being an idiot because they believe they are above doing research:

Not really sure how to com this without starting a ruckus.. Fact of the matter is that you are seeing time compression here: you've been at this, what, 20-odd years? Every generation will ask the same questions ... we all come from the same place, ya know.

Dhu
allow dhcpd with pf
Hello,

I installed openbsd 4.5, with 2 NICs: rl0; rl1
rl0 connected directly with internet
rl1 our network.

I configured dhcp and added it in my rc.conf.local. Restarted the openbsd box.

In my pf.conf, i added this line:

pass in on $int_if inet proto { tcp, udp } from any to $gw_obsd port 67 keep state

All works but machines in network can't have address from my dhcp server (openbsd Gateway).

How to allow dhcp in pf.conf?

Thanks
Re: allow dhcpd with pf
On Tue, Nov 24, 2009 at 12:16 PM, open...@e-solutions.re wrote:
> pass in on $int_if inet proto { tcp, udp } from any to $gw_obsd port 67 keep state

Hello, you're also missing 68. Just as a point, you shouldn't need tcp at all, all 67,68 is udp, also keep state is implied now.

Cheers,
Steph
Re: allow dhcpd with pf
On Tue, Nov 24, 2009 at 04:16:06PM +0400, open...@e-solutions.re wrote:
> Hello,
>
> I installed openbsd 4.5, with 2 NICs: rl0; rl1
> rl0 connected directly with internet
> rl1 our network.
>
> I configured dhcp and added it in my rc.conf.local. Restarted the openbsd box.
>
> In my pf.conf, i added this line:
>
> pass in on $int_if inet proto { tcp, udp } from any to $gw_obsd port 67 keep state

Do you have a pass out rule for that if?

> All works but machines in network can't have address from my dhcp server (openbsd Gateway).
>
> How to allow dhcp in pf.conf?
>
> Thanks

What does your /etc/dhcpd.conf and your /etc/hostname.rl1 look like?

I'm assuming you looked at the networking FAQ (#6).
Re: allow dhcpd with pf
On Tue, Nov 24, 2009 at 04:16:06PM +0400, open...@e-solutions.re wrote:
> Hello,
>
> I installed openbsd 4.5, with 2 NICs: rl0; rl1
> rl0 connected directly with internet
> rl1 our network.
>
> I configured dhcp and added it in my rc.conf.local. Restarted the openbsd box.
>
> In my pf.conf, i added this line:
>
> pass in on $int_if inet proto { tcp, udp } from any to $gw_obsd port 67 keep state
>
> All works but machines in network can't have address from my dhcp server (openbsd Gateway).
>
> How to allow dhcp in pf.conf?

Neither dhcpd nor dhclient need any pass rules in pf. Both tools use bpf to steal the packets before they're checked by pf.

--
:wq Claudio
Re: allow dhcpd with pf
Claudio Jeker wrote:
> Neither dhcpd nor dhclient need any pass rules in pf. Both tools use bpf to steal the packets before they're checked by pf.

I see that has been there for a while. Now that I look I see that dhcpd can add addresses to a PF table using the argument -L. Useful!

Where are the details written up for how pf is bypassed by dhcpd and dhclient?

Would that mean that the machine with dhcpd could still serve dhcp requests despite a filter ruleset like this:

block in all
pass out all

Regards,
/Lars
Re: allow dhcpd with pf
On Tue, Nov 24, 2009 at 04:45:25PM +0200, Lars Nooden wrote:
> Claudio Jeker wrote:
>> Neither dhcpd nor dhclient need any pass rules in pf. Both tools use bpf to steal the packets before they're checked by pf.
>
> I see that has been there for a while. Now that I look I see that dhcpd can add addresses to a PF table using the argument -L. Useful!
>
> Where are the details written up for how pf is bypassed by dhcpd and dhclient?

dhclient mentions the use of bpf and bpf is bypassing everything in the network stack.

> Would that mean that the machine with dhcpd could still serve dhcp requests despite a filter ruleset like this:
>
> block in all
> pass out all

Yes. It would even work with a block all.

--
:wq Claudio
Re: allow dhcpd with pf
> Where are the details written up for how pf is bypassed by dhcpd and dhclient?
>
> Would that mean that the machine with dhcpd could still serve dhcp requests despite a filter ruleset like this:
>
> block in all
> pass out all

Damn right it will.

Where is it written up? In the manual pages.

I can't believe we are here in 2009 and people still believe they can get away with being an idiot because they believe they are above doing research:

From the dhclient manual page:

    You must have the Berkeley Packet Filter (BPF) configured in your kernel. dhclient requires at least one /dev/bpf* file for each broadcast network interface that is attached to your system. See bpf(4) for more information.

See that last sentence?

From the bpf manual page:

    The Berkeley Packet Filter provides a raw interface to data link layers in a protocol-independent fashion. All packets on the network, even those destined for other hosts, are accessible through this mechanism.

See that last sentence? All packets on the network.
Re: allow dhcpd with pf
On Tue, Nov 24, 2009 at 7:38 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:
> Where is it written up? In the manual pages.
>
> I can't believe we are here in 2009 and people still believe they can get away with being an idiot because they believe they are above doing research:

For the record: Thanks to this thread I discovered another idiot in this very cubicle who failed to perform proper research and was sometimes setting pf rules to pass dhcp messages. Particularly when troubleshooting a dhcp problem.

I beat him severely, but it probably won't help. I constantly catch him making mistakes. He is so lazy.
Re: allow dhcpd with pf
On Tue, Nov 24, 2009 at 10:54:54AM -0800, Gerald Chudyk wrote:
> On Tue, Nov 24, 2009 at 7:38 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> Where is it written up? In the manual pages.
>>
>> I can't believe we are here in 2009 and people still believe they can get away with being an idiot because they believe they are above doing research:
>
> For the record: Thanks to this thread I discovered another idiot in this very cubicle who failed to perform proper research and was sometimes setting pf rules to pass dhcp messages. Particularly when troubleshooting a dhcp problem.
>
> I beat him severely, but it probably won't help. I constantly catch him making mistakes. He is so lazy.

Just to make everything a bit more crazy dhcrelay uses a normal UDP socket to forward the dhcp requests to the server. So in that case you need to adjust your pf.conf file. But only to allow the packets from the relay to the server. dhcrelay also uses bpf on the interface to intercept the packets. Funky isn't it? :)

--
:wq Claudio
Re: allow dhcpd with pf
Theo de Raadt wrote:
>> Where are the details written up for how pf is bypassed by dhcpd and dhclient?
>>
>> Would that mean that the machine with dhcpd could still serve dhcp requests despite a filter ruleset like this:
>>
>> block in all
>> pass out all
>
> Damn right it will.
>
> Where is it written up? In the manual pages.
>
> I can't believe we are here in 2009 and people still believe they can get away with being an idiot because they believe they are above doing research:
>
> From the dhclient manual page:
>
>     You must have the Berkeley Packet Filter (BPF) configured in your kernel. dhclient requires at least one /dev/bpf* file for each broadcast network interface that is attached to your system. See bpf(4) for more information.
>
> See that last sentence?
>
> From the bpf manual page:
>
>     The Berkeley Packet Filter provides a raw interface to data link layers in a protocol-independent fashion. All packets on the network, even those destined for other hosts, are accessible through this mechanism.
>
> See that last sentence? All packets on the network.

Maybe it should read, All packets on the network, even those filtered by pf, and those caused by sunspots, and those sent from the planet that has sent their ambassador Linus to live among us, and those coming from Theo himself, and...

Seriously, I never gave much thought to the fact that dhcp worked regardless of pf until reading this thread. But I did know that it uses bpf, and what bpf is, so Claudio's explanation makes perfect sense.

One thing I'll say about debugging connectivity problems in general is that you can go nuts trying to tweak your pf.conf when the problem isn't pf. I try to refrain from modifying my ruleset unless I can prove pf is blocking packets by examining the logs and/or using tcpdump.

Corey
Re: allow dhcpd with pf
Gerald Chudyk wrote:
> For the record: Thanks to this thread I discovered another idiot in this very cubicle who failed to perform proper research and was sometimes setting pf rules to pass dhcp messages. Particularly when troubleshooting a dhcp problem.
>
> I beat him severely, but it probably won't help. I constantly catch him making mistakes. He is so lazy.

I'll just mention this in case it helps someone in the future:

Whenever I use a default block *log* rule to keep an eye on things, it can be noisy. To help a bit (even though they don't actually do anything), I use rules like this just to keep it out of the pf logs:

block in quick on $int2_if inet proto udp to any port { 67, 68, 135:139 }

--
-RSM
http://www.erratic.ca
logging (was Re: allow dhcpd with pf)
Red Midnight wrote:
> Whenever I use a default block *log* rule to keep an eye on things, it can be noisy. To help a bit (even though they don't actually do anything), I use rules like this just to keep it out of the pf logs

That can be way too noisy. You can do 'regular' logging to pflog0 as normal but create another interface for the catchall, e.g:

block in log (to pflog5)

Set pflog to listen.

pflogd -i pflog5 -f /var/log/pflog5 -p pflog5

[I need to test if a single instance of pflogd could be used instead.]

Then set newsyslog.conf to waste less space with it.

/var/log/pflog5 root:wheel 640 3 50 * ZB /var/run/pflogd5.pid

Regards,
/Lars
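Corey's advice earlier in the thread (prove pf is blocking before touching the ruleset, using the logs or tcpdump) and Lars's separate pflog5 file both end with reading pflog output. The script below is an added example written for this page, not code from any poster: it reads the text that `tcpdump -n -e -ttt -i pflog0` (or `-r /var/log/pflog5`) prints and counts blocked DHCP packets per rule, interface and destination port, so you can see which rule is producing the noise. The sample lines are constructed, and the assumed line layout `rule N/(match) block in on IF: src > dst:` should be checked against your own tcpdump output.

```shell
#!/bin/sh
# Added example (not from the thread): count pf "block" log entries for
# DHCP ports per rule and interface, from the text that
#   tcpdump -n -e -ttt -i pflog0 port 67 or port 68
# prints. Usage on a live box:
#   tcpdump -n -e -ttt -i pflog0 port 67 or port 68 | dhcp_blocks
# Usage on a saved pflog file (the pflog5 file from the post above):
#   tcpdump -n -e -ttt -r /var/log/pflog5 port 67 or port 68 | dhcp_blocks

# Constructed sample lines. The layout "rule N/(match) block in on IF: src > dst:"
# is an assumption about OpenBSD's pflog decoder output; verify it against yours.
SAMPLE_PFLOG='000000 rule 4/(match) block in on rl1: 192.0.2.10.68 > 255.255.255.255.67: xid:0x1a2b3c4d [|bootp]
000213 rule 4/(match) block in on rl1: 0.0.0.0.68 > 255.255.255.255.67: xid:0x5e6f7a8b [|bootp]
000507 rule 7/(match) block in on rl0: 198.51.100.7.40312 > 203.0.113.1.22: S 1:1(0) win 65535
000822 rule 4/(match) block in on rl1: 192.0.2.11.68 > 255.255.255.255.67: xid:0x0a0b0c0d [|bootp]
001004 rule 2/(match) pass in on rl1: 192.0.2.12.68 > 255.255.255.255.67: xid:0x11223344 [|bootp]'

# Reads pflog text on stdin; prints "RULE IFACE DSTPORT COUNT" for every
# blocked packet to UDP port 67 or 68. Pass entries and other ports are ignored.
dhcp_blocks() {
    awk '
    {
        # locate the "rule" keyword so a leading timestamp (or none) does not matter
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i > NF || $(i + 2) != "block") next
        rule = $(i + 1); sub(/\/.*/, "", rule)      # "4/(match)" -> "4"
        iface = $(i + 5); sub(/:$/, "", iface)       # "rl1:" -> "rl1"
        dst = $(i + 8); sub(/:$/, "", dst)           # strip trailing colon from dst
        n = split(dst, p, "."); port = p[n]          # last dotted component is the port
        if (port == "67" || port == "68") count[rule " " iface " " port]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# A high count here is log noise, not proof that DHCP service is failing:
# dhcpd and dhclient read the packets through bpf regardless, as Claudio
# explained. What the count tells you is which rule to turn into a
# non-logging "block ... quick" (Red Midnight) or to send to a separate
# pflogN interface (Lars) so the default log stays readable.
printf '%s\n' "$SAMPLE_PFLOG" | dhcp_blocks
```

Run against the constructed sample it prints one line, `4 rl1 67 3`: rule 4 on rl1 blocked three DHCP requests to port 67, the TCP line on rl0 and the pass entry are ignored. The loop that searches for the `rule` keyword is there so the same function works whether or not tcpdump was given a timestamp option.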