On 10.04.19 at 07:34, Bruno Flückiger wrote:
On 09.04., [email protected] wrote:
Dear all,

I discovered a strange problem with OpenBSD 6.4 AMD64 (stable(?)-release
with all 16 patches).

When running dhcpd, some pf rules seem not to be working.
I'm pretty sure this behaviour is different than in 6.3.

Setup:
+--------+  +--------+      +----------------------+
| Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
+--------+  +--------+      +----------------------+

I try to get an ip address for „Client“ via dhcp from „OpenBSD“, but in
pf.conf I block traffic on port 67+68 (see below).

When dhcpd is NOT running, I got from „tcpdump -nettti pflog0“ as expected:
---- Schnipp 8< ----
Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 >
255.255.255.255.67:  xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
---- Schnapp 8< ----

When dhcpd („dhcpd em0“) is running, I got an entry in /var/log/daemon.log:
---- Schnipp 8< ----
Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96
via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to
00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from
00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to
00:96:69:96:69:96 via em0
---- Schnapp 8< ----

.. and this entry via tcpdump:
---- Schnipp 8< ----
Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 >
10.69.250.1: icmp: echo request
---- Schnapp 8< ----

.. and „Client“ got an ip address!

If you need further information, don't hesitate to contact me.

Please also tell me if I'm too stupid to understand what happened ;-)

If you want to know why I'm running dhcpd and want to block the traffic: We
use OpenBSD as a bridge and dhcpd should only offer IP addresses to one side.
But this strange behaviour is also present without the bridge configuration.

Thank you for your help and support
Illya Meyer


Hi Illya

DHCP operates on layer 2 using bpf(4) to receive and send packets.
Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
has done its work before the packets get to pf(4). If you want to make
sure that dhcpd(8) hands out leases only on interface em0 you can tell
it to operate only on this interface:

# rcctl set dhcpd flags em0

Cheers,
Bruno
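The ordering Bruno describes (dhcpd(8) reads and answers via bpf(4), so pf(4) never gets to decide about those packets) can be checked from the two logs Illya already has. The following audit script is an added example and not code from either poster or from OpenBSD: it parses constructed pflog and daemon.log lines modelled on the thread's excerpts, and reports every lease dhcpd offered or acknowledged on an interface where pf logged no matching block of port 67/68 traffic around the same time. Such a finding means the pf block rule is not governing DHCP there. The year for the syslog timestamps and the correlation window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the thread's two log excerpts; the
# timestamps, MAC and addresses are illustrative, not captured data.
PFLOG_SAMPLE = """\
Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 > 255.255.255.255.67:  xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 > 10.69.250.1: icmp: echo request
"""
DAEMON_SAMPLE = """\
Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0
"""

# syslog-style timestamps carry no year; assume one (hypothetical) so they compare.
ASSUMED_YEAR = 2019
DHCP_PORTS = {67, 68}

# One line of "tcpdump -nettti pflog0": timestamp, rule number, action, direction,
# interface, then "src.port > dst.port:" (ports are absent for ICMP and the like).
PFLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\.\d+ "
    r"rule (?P<rule>\d+)/\(\w+\) (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)
# One dhcpd(8) line from daemon.log: timestamp, host, pid, message type, interface.
DHCPD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"(?P<msg>DHCP[A-Z]+) .* via (?P<iface>\w+)$"
)


def _ts(m):
    """Build a datetime from the month/day/time groups of a matched log line."""
    return datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {ASSUMED_YEAR}",
                             "%b %d %H:%M:%S %Y")


def parse_pflog(text):
    """Parse pflog lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": _ts(m), "rule": int(m["rule"]), "action": m["action"],
            "dir": m["dir"], "iface": m["iface"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return events


def parse_dhcpd(text):
    """Parse dhcpd daemon.log lines into dicts with timestamp, message type, interface."""
    out = []
    for line in text.splitlines():
        m = DHCPD_RE.match(line)
        if m:
            out.append({"ts": _ts(m), "msg": m["msg"], "iface": m["iface"]})
    return out


def is_dhcp(ev):
    """True when either port of a pflog event is a DHCP/BOOTP port."""
    return ev["sport"] in DHCP_PORTS or ev["dport"] in DHCP_PORTS


def audit(pflog_text, daemon_text, window_s=5):
    """Return (iface, msg, ts) for each lease dhcpd offered or acknowledged on an
    interface where pf logged no block of DHCP traffic within window_s seconds.
    A non-empty result means the pf block rule is not governing DHCP on that
    interface, which is the bpf(4)-before-pf(4) ordering explained above."""
    blocks = [e for e in parse_pflog(pflog_text) if e["action"] == "block" and is_dhcp(e)]
    findings = []
    for d in parse_dhcpd(daemon_text):
        if d["msg"] not in ("DHCPOFFER", "DHCPACK"):
            continue
        seen = any(b["iface"] == d["iface"]
                   and abs((b["ts"] - d["ts"]).total_seconds()) <= window_s
                   for b in blocks)
        if not seen:
            findings.append((d["iface"], d["msg"], d["ts"]))
    return findings


if __name__ == "__main__":
    for iface, msg, ts in audit(PFLOG_SAMPLE, DAEMON_SAMPLE):
        print(f"{ts:%b %d %H:%M:%S} {msg} on {iface}: lease handed out, no pf block logged for DHCP")
```

On the sample data the only pf block of port 67/68 traffic was logged while dhcpd was stopped, about 95 seconds before the lease, so both the DHCPOFFER and the DHCPACK are reported. Run against real logs, an empty result is what you would expect to see only once dhcpd is restricted to the intended interface (the `rcctl set dhcpd flags em0` step above), because no pf rule will produce it.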


Hi Bruno,

thank you for the information.

It's strange that a packet first reaches a daemon and then the packet filter (whose job it is to protect the machine from unwanted packets!)

Maybe it's a good idea to build a bpf filter for layer 2 :-)

Thank you and kind regards,
Illya
