On Wed, Apr 10, 2019 at 10:08:51AM +0200, [email protected] wrote:
>
> On 10.04.19 at 07:34, Bruno Flückiger wrote:
> > On 09.04., [email protected] wrote:
> > > Dear all,
> > >
> > > I discovered a strange problem with OpenBSD 6.4 AMD64 (stable(?)-release
> > > with all 16 patches).
> > >
> > > When running dhcpd, some pf rules seem not to be working.
> > > I'm pretty sure this behaviour is different from that in 6.3.
> > >
> > > Setup:
> > > +--------+  +--------+      +----------------------+
> > > | Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
> > > +--------+  +--------+      +----------------------+
> > >
> > > I try to get an ip address for „Client“ via dhcp from „OpenBSD“, but in
> > > pf.conf I block traffic on port 67+68 (see below).
> > >
> > > When dhcpd is NOT running, I got from „tcpdump -nettti pflog0“ as
> > > expected:
> > > ---- snip 8< ----
> > > Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 >
> > > 255.255.255.255.67: xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
> > > ---- snip 8< ----
> > >
> > > When dhcpd („dhcpd em0“) is running, I got an entry in
> > > /var/log/daemon.log:
> > > ---- snip 8< ----
> > > Apr 9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from
> > > 00:96:69:96:69:96 via em0
> > > Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to
> > > 00:96:69:96:69:96 via em0
> > > Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from
> > > 00:96:69:96:69:96 via em0
> > > Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to
> > > 00:96:69:96:69:96 via em0
> > > ---- snip 8< ----
> > >
> > > .. and this entry via tcpdump:
> > > ---- snip 8< ----
> > > Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 >
> > > 10.69.250.1: icmp: echo request
> > > ---- snip 8< ----
> > >
> > > .. and „Client“ got an ip address!
> > >
> > > If you need further information, don't hesitate to contact me.
> > >
> > > Please also tell me if I'm too stupid to understand what happened ;-)
> > >
> > > If you want to know why I'm running dhcpd and want to block the traffic:
> > > We use OpenBSD as a bridge and dhcpd should only offer IP addresses to
> > > one side. But this strange behaviour is also present without the
> > > bridge configuration.
> > >
> > > Thank you for your help and support
> > > Illya Meyer
> > >
> >
> > Hi Illya
> >
> > DHCP operates on layer 2 using bpf(4) to receive and send packets.
> > Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
> > has done its work before the packets get to pf(4). If you want to make
> > sure that dhcpd(8) hands out leases only on interface em0 you can tell
> > it to operate only on this interface:
> >
> > # rcctl set dhcpd flags em0
> >
> > Cheers,
> > Bruno
> >
>
> Hi Bruno,
>
> thank you for the information.
>
> It's strange that a packet first reaches a daemon and then the packet filter
> (whose job it is to protect the machine from unwanted packets!)
>
> Maybe it's a good idea to build a bpf filter for layer 2 :-)
>
> Thank you and kind regards,
> Illya
>
What do you think dhcpd uses?
-Otto
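Added example, not part of the thread above: a small Python check over the two log formats quoted in it. It parses the pflog(4) lines to find interfaces where the ruleset blocks BOOTP/DHCP (ports 67/68) and the dhcpd(8) syslog lines for DHCPACKs on those same interfaces; a hit shows a lease handed out despite the pf rule, which is exactly the bpf-before-pf behaviour Bruno describes. The sample log lines are the ones from the thread, embedded as constructed input.

```python
import re

# Constructed sample input: the pflog(4) and daemon.log lines quoted in the thread.
PFLOG = """\
Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 > 255.255.255.255.67: xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 > 10.69.250.1: icmp: echo request
"""
DAEMON_LOG = """\
Apr 9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0
Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0
Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0
Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0
"""

# tcpdump on pflog0: "rule N/(match) block in on em0: src.sport > dst.dport: ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
# dhcpd(8) syslog lines; the IP part is absent on DHCPDISCOVER.
DHCPD_RE = re.compile(
    r"dhcpd\[\d+\]: (?P<msg>DHCP[A-Z]+)(?: (?:on|for) (?P<ip>\d+\.\d+\.\d+\.\d+))?"
    r" (?:to|from) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<ifname>\S+)"
)
DHCP_PORTS = {"67", "68"}


def pf_dhcp_block_ifaces(pflog_text):
    """Interfaces on which pf logged a block of a BOOTP/DHCP packet (the ruleset's intent)."""
    ifaces = set()
    for m in PFLOG_RE.finditer(pflog_text):
        if m["action"] == "block" and DHCP_PORTS & {m["sport"], m["dport"]}:
            ifaces.add(m["ifname"])
    return ifaces


def dhcpd_events(daemon_text):
    """Parse dhcpd's DISCOVER/OFFER/REQUEST/ACK lines into dicts (msg, ip, mac, ifname)."""
    return [m.groupdict() for m in DHCPD_RE.finditer(daemon_text)]


def find_bypassed_leases(pflog_text, daemon_text):
    """DHCPACKs dhcpd sent on an interface where pf blocks DHCP.

    dhcpd(8) uses bpf(4) at layer 2, below pf(4), so a block rule on ports 67/68
    never stops it; a hit means the interface list given to dhcpd needs restricting.
    """
    blocked = pf_dhcp_block_ifaces(pflog_text)
    return [e for e in dhcpd_events(daemon_text)
            if e["msg"] == "DHCPACK" and e["ifname"] in blocked]


if __name__ == "__main__":
    for lease in find_bypassed_leases(PFLOG, DAEMON_LOG):
        print("lease handed out despite pf block: %(ip)s to %(mac)s via %(ifname)s" % lease)
```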