On 10.04.19 at 10:58, Otto Moerbeek wrote:
On Wed, Apr 10, 2019 at 10:08:51AM +0200, [email protected] wrote:


On 10.04.19 at 07:34, Bruno Flückiger wrote:
On 09.04., [email protected] wrote:
Dear all,

I discovered a strange problem with OpenBSD 6.4 AMD64 (stable(?)-release
with all 16 patches).

When running dhcpd, some pf rules seem to not be working.
I'm pretty sure this behaviour is different than in 6.3.

Setup:
+--------+  +--------+      +----------------------+
| Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
+--------+  +--------+      +----------------------+

I try to get an ip address for „Client“ via dhcp from „OpenBSD“, but in
pf.conf I block traffic on port 67+68 (see below).

When dhcpd is NOT running, I got from „tcpdump -nettti pflog0“ as expected:
---- Schnipp 8< ----
Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 >
255.255.255.255.67:  xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
---- Schnapp 8< ----

When dhcpd („dhcpd em0“) is running, I got an entry in /var/log/daemon.log:
---- Schnipp 8< ----
Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96
via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to
00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from
00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to
00:96:69:96:69:96 via em0
---- Schnapp 8< ----

.. and this entry via tcpdump:
---- Schnipp 8< ----
Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 >
10.69.250.1: icmp: echo request
---- Schnapp 8< ----

.. and „Client“ got an ip address!

If you need further information don't hesitate to contact me.

Please tell me also if I'm too stupid to understand what happened ;-)

If you want to know, why I'm running dhcpd and want to block the traffic: We
use OpenBSD as bridge and dhcpd should only offer ip-addresses to one side.
But this strange behaviour is also present without the bridge-configuration.

Thank you for your help and support
Illya Meyer


Hi Illya

DHCP operates on layer 2 using bpf(4) to receive and send packets.
Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
has done its work before the packets get to pf(4). If you want to make
sure that dhcpd(8) hands out leases only on interface em0 you can tell
it to operate only on this interface:

# rcctl set dhcpd flags em0

Cheers,
Bruno


Hi Bruno,

thank you for the information.

It's strange that a packet first reaches a daemon and then the packet filter
(whose job it is to protect the machine from unwanted packets!)

Maybe it's a good idea to build a bpf-Filter for layer 2 :-)

Thank you and kind regards,
Illya


What do you think dhcpd uses?

        -Otto


Hm, sorry. What do you mean exactly?

In my opinion, it should be possible for a packet filter to block ALL packets that arrive from a network, before a daemon (in this case dhcpd) does its work.

But as Bruno said, dhcpd listens on layer 2 and answers first, before pf gets the packet on layer 3. That was my understanding. Please see my tests above: pf doesn't block the dhcp requests when dhcpd runs.

In my scenario, I have a firewall which works as a bridge (so more a firebridge ;-)) with a dhcpd for „Good net“ and blocking most things from „Bad net“ (especially dhcp requests).

+---------+       +----------------+       +----------+
| Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
+---------+       +----------------+       +----------+

Only em0 had an ip address, so dhcpd had to listen on em0. But some PCs from „Bad net“ got ip addresses from the BSD-Box. My solution was now to give the BSD-Box a second ip address on em1 and let dhcpd listen on em1 only. This works with the pf-rules (see above).

When I interpret this article in the right way (https://www.linuxtopia.org/Linux_Firewall_iptables/c479.html), iptables on Linux works on layer 2, so it should be possible to block dhcp requests. Other articles say the same (e.g. https://serverfault.com/questions/873839/block-dhcp-traffic-for-one-device-mac-address).
But it seems, this is not possible with pf, which works on layer 3.

Kind regards,
Illya
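An added example, not part of the thread: since pf(4) never sees the packets that dhcpd(8) answers over bpf(4), the pflog is no evidence of which leases were handed out; the dhcpd lines in daemon.log are. This script parses those lines (the ones from Illya's mail, rejoined onto single lines as they appear in the real log, plus one constructed em1 entry) and flags every DHCPACK given out via an interface that is not on the allowed list, which is the check a bridge operator in this situation would want to run.

```python
import re

# Constructed sample of /var/log/daemon.log: the four lines from the mail
# (unwrapped) plus one constructed lease handed out via em1.
SAMPLE_LOG = [
    "Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0",
    "Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0",
    "Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0",
    "Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0",
    "Apr  9 16:31:02 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.2 to 00:11:22:33:44:55 via em1",
]

# Matches the server-side dhcpd(8) messages that carry an address, a client MAC
# and the interface the reply went out on (DHCPOFFER and DHCPACK).
DHCPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"(?P<msg>DHCPOFFER|DHCPACK) on (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) via (?P<ifn>\w+)$"
)


def parse_dhcpd_line(line):
    """Return a dict with ts/msg/ip/mac/ifn for an OFFER or ACK line, else None."""
    m = DHCPD_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_leases(lines, allowed_ifaces):
    """Return (ip, mac, iface) for every DHCPACK sent via an interface not in allowed_ifaces.

    A hit means a client on the wrong side of the bridge received a lease,
    regardless of what pf.conf blocks on ports 67/68.
    """
    bad = []
    for line in lines:
        rec = parse_dhcpd_line(line)
        if rec and rec["msg"] == "DHCPACK" and rec["ifn"] not in allowed_ifaces:
            bad.append((rec["ip"], rec["mac"], rec["ifn"]))
    return bad


if __name__ == "__main__":
    # Bridge scenario from the thread: leases are only supposed to go out via em1.
    for ip, mac, ifn in audit_leases(SAMPLE_LOG, {"em1"}):
        print(f"lease {ip} handed to {mac} via {ifn}, which is not an allowed interface")
```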
