*But what is the practical problem being addressed? Is dhcp not functional
with the existing default ruleset?*

*.... Ken*


On 19 January 2014 19:39, Brad Smith <b...@comstyle.com> wrote:

> On Sun, Jan 19, 2014 at 04:10:21AM +0100, Claudio Jeker wrote:
> > On Sat, Jan 18, 2014 at 09:57:26PM -0500, Brad wrote:
> > > On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
> > > > The default PF ruleset as setup by rc is too restrictive. Have the
> default
> > > > ruleset allow for DHCPv6.
> > >
> > > Anyone?
> >
> > Looks good to me. OK claudio@
> >
> > Question: should we add the same for inet as well since dhclient may use
> > a normal udp socket in some cases?
>
> Untested on the v4 side but how about something like the following?
>
>
> Index: rc
> ===================================================================
> RCS file: /home/cvs/src/etc/rc,v
> retrieving revision 1.419
> diff -u -p -u -p -r1.419 rc
> --- rc  3 Jan 2014 23:24:19 -0000       1.419
> +++ rc  19 Jan 2014 08:32:17 -0000
> @@ -325,11 +325,15 @@ if [ X"${pf}" != X"NO" ]; then
>         RULES="$RULES\npass in proto tcp from any to any port 22 keep
> state"
>         RULES="$RULES\npass out proto { tcp, udp } from any to any port 53
> keep state"
>         RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep
> state"
> +       RULES="$RULES\npass out inet proto udp from any port bootpc to any
> port bootps"
> +       RULES="$RULES\npass in inet proto udp from any port bootps to any
> port bootpc"
>         if ifconfig lo0 inet6 >/dev/null 2>&1; then
>                 RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
> neighbrsol"
>                 RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
> neighbradv"
>                 RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
> routersol"
>                 RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
> routeradv"
> +               RULES="$RULES\npass out inet6 proto udp from any port
> dhcpv6-client to any port dhcpv6-server"
> +               RULES="$RULES\npass in inet6 proto udp from any port
> dhcpv6-server to any port dhcpv6-client"
>         fi
>         RULES="$RULES\npass proto carp keep state (no-sync)"
>         case `sysctl vfs.mounts.nfs 2>/dev/null` in
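Review bot: the two `inet` rules added directly after the `icmp-type echoreq` line omit the `keep state` suffix that every neighbouring tcp/udp/icmp rule in this hunk carries; on OpenBSD PF a `pass` rule keeps state by default, so behaviour is the same either way, but for consistency within this block either append `keep state` to both new lines or drop it deliberately. The separate `pass in inet proto udp from any port bootps to any port bootpc` rule is still needed even with state: a DHCPDISCOVER goes out from 0.0.0.0 port 68 to 255.255.255.255 port 67, and the OFFER/ACK can come back unicast or broadcast from a server or relay address, so the reply does not match the state entry created by the outbound rule. As the v4 side is flagged untested in the message above, confirming that a lease is obtained with pf enabled and this ruleset loaded (and checking `pfctl -s state` for the bootps/bootpc entries) would close that gap before commit.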
