But what is the practical problem being addressed? Is dhcp not functional with the existing default ruleset?

.... Ken

On 19 January 2014 19:39, Brad Smith <b...@comstyle.com> wrote:
> On Sun, Jan 19, 2014 at 04:10:21AM +0100, Claudio Jeker wrote:
> > On Sat, Jan 18, 2014 at 09:57:26PM -0500, Brad wrote:
> > > On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
> > > > The default PF ruleset as setup by rc is too restrictive. Have the
> default
> > > > ruleset allow for DHCPv6.
> > >
> > > Anyone?
> >
> > Looks good to me. OK claudio@
> >
> > Question: should we add the same for inet as well since dhclient may use
> > a normal udp socket in some cases?
>
> Untested on the v4 side but how about something like the following?
>
>
> Index: rc
> ===================================================================
> RCS file: /home/cvs/src/etc/rc,v
> retrieving revision 1.419
> diff -u -p -u -p -r1.419 rc
> --- rc 3 Jan 2014 23:24:19 -0000 1.419
> +++ rc 19 Jan 2014 08:32:17 -0000
> @@ -325,11 +325,15 @@ if [ X"${pf}" != X"NO" ]; then > RULES="$RULES\npass in proto tcp from any to any port 22 keep > state" > RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 > keep state" > RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep > state" > + RULES="$RULES\npass out inet proto udp from any port bootpc to any > port bootps" > + RULES="$RULES\npass in inet proto udp from any port bootps to any > port bootpc" > if ifconfig lo0 inet6 >/dev/null 2>&1; then > RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type > neighbrsol" > RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type > neighbradv" > RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type > routersol" > RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type > routeradv" > + RULES="$RULES\npass out inet6 proto udp from any port > dhcpv6-client to any port dhcpv6-server" > + RULES="$RULES\npass in inet6 proto udp from any port > dhcpv6-server to any port dhcpv6-client" > fi > RULES="$RULES\npass proto carp keep state (no-sync)" > case `sysctl vfs.mounts.nfs 2>/dev/null` in
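Review bot: the two new inet rules (`pass out inet proto udp from any port bootpc to any port bootps` and its `pass in` counterpart) omit `keep state`, while every neighbouring tcp/udp/icmp rule in the same block spells it out; `pass` rules create state by default in current pf, so this is not a functional bug, but for consistency with the surrounding lines consider appending `keep state` to both, as the dhcpv6 pair below might also do. The separate `pass in ... from any port bootps to any port bootpc` rule is the right shape here rather than relying on state from the outbound rule, because the client's initial request is sent before the host has an address and the server's reply may not match the outbound state; the same reasoning applies to the dhcpv6-server to dhcpv6-client rule inside the inet6 block, and the exposure in both cases is limited to one UDP port on the host with a fixed peer port. Since the v4 side is stated to be untested, the check worth doing before commit is that `bootpc`/`bootps` and `dhcpv6-client`/`dhcpv6-server` all resolve through /etc/services on the target, as pfctl rejects a ruleset containing an unknown service name and this block is loaded at boot. Note also that the patch as quoted has been line-wrapped by the mailer (for example `port 22 keep > state` and `from any port > dhcpv6-client`), so it cannot be applied from this message as pasted.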