On 10.4.2019. 11:19, [email protected] wrote:
> On 10.04.19 at 10:58 Otto Moerbeek wrote:
>> On Wed, Apr 10, 2019 at 10:08:51AM +0200, [email protected] wrote:
>>
>>> On 10.04.19 at 07:34 Bruno Flückiger wrote:
>>>> On 09.04., [email protected] wrote:
>>>>> Dear all,
>>>>>
>>>>> I discovered a strange problem with OpenBSD 6.4 AMD64 (stable(?)-release
>>>>> with all 16 patches).
>>>>>
>>>>> When running dhcpd, some pf rules seem to not be working.
>>>>> I'm pretty sure this behaviour is different than in 6.3.
>>>>>
>>>>> Setup:
>>>>> +--------+  +--------+      +----------------------+
>>>>> | Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
>>>>> +--------+  +--------+      +----------------------+
>>>>>
>>>>> I try to get an IP address for „Client“ via DHCP from „OpenBSD“, but in
>>>>> pf.conf I block traffic on port 67+68 (see below).
>>>>>
>>>>> When dhcpd is NOT running, I got from „tcpdump -nettti pflog0“ as expected:
>>>>> ---- Schnipp 8< ----
>>>>> Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 >
>>>>> 255.255.255.255.67: xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
>>>>> ---- Schnapp 8< ----
>>>>>
>>>>> When dhcpd („dhcpd em0“) is running, I got an entry in /var/log/daemon.log:
>>>>> ---- Schnipp 8< ----
>>>>> Apr 9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0
>>>>> Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0
>>>>> Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0
>>>>> Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0
>>>>> ---- Schnapp 8< ----
>>>>>
>>>>> .. and this entry via tcpdump:
>>>>> ---- Schnipp 8< ----
>>>>> Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 > 10.69.250.1: icmp: echo request
>>>>> ---- Schnapp 8< ----
>>>>>
>>>>> .. and „Client“ got an IP address!
>>>>>
>>>>> If you need further information don't hesitate to contact me.
>>>>>
>>>>> Please tell me also, if I'm too stupid to understand what happened ;-)
>>>>>
>>>>> If you want to know why I'm running dhcpd and want to block the traffic: We
>>>>> use OpenBSD as bridge and dhcpd should only offer IP addresses to one side.
>>>>> But this strange behaviour is also present without the bridge configuration.
>>>>>
>>>>> Thank you for your help and support
>>>>> Illya Meyer
>>>>>
>>>>
>>>> Hi Illya
>>>>
>>>> DHCP operates on layer 2 using bpf(4) to receive and send packets.
>>>> Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
>>>> has done its work before the packets get to pf(4). If you want to make
>>>> sure that dhcpd(8) hands out leases only on interface em0 you can tell
>>>> it to operate only on this interface:
>>>>
>>>> # rcctl set dhcpd flags em0
>>>>
>>>> Cheers,
>>>> Bruno
>>>>
>>>
>>> Hi Bruno,
>>>
>>> thank you for the information.
>>>
>>> It's strange that a packet first reaches a daemon and then the packet
>>> filter (whose job it is to protect the machine from unwanted packets!)
>>>
>>> Maybe it's a good idea to build a bpf filter for layer 2 :-)
>>>
>>> Thank you and kind regards,
>>> Illya
>>>
>>
>> What do you think dhcpd uses?
>>
>> -Otto
>>
>
> Hm, sorry. What do you mean exactly?
>
> In my opinion, it should be possible for a packet filter to block ALL
> packets that arrive from a network, before a daemon (in this case
> dhcpd) does its work.
>
> But as Bruno said, dhcpd listens on layer 2 and answers first, before pf
> gets the packet on layer 3. So was my understanding. Please see my tests
> above, pf doesn't block the DHCP requests when dhcpd runs.
>
> In my scenario, I have a firewall which works as bridge (so more a
> firebridge ;-)) with a dhcpd for „Good net“ and blocking most things
> from „Bad net“ (especially DHCP requests).
>
> +---------+       +----------------+       +----------+
> | Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
> +---------+       +----------------+       +----------+
>
> Only em0 has had an IP address and so dhcpd had to listen on em0. But
> some PCs from „Bad net“ got IP addresses from the BSD box.
> My solution was now to give the BSD box a second IP address on em1 and
> let dhcpd listen on em1 only. This works with the pf rules (see above).
>
> When I interpret this article in the right way
> (https://www.linuxtopia.org/Linux_Firewall_iptables/c479.html) iptables
> on Linux works on layer 2, so it should be possible to block DHCP
> requests. Other articles said the same (e.g.
> https://serverfault.com/questions/873839/block-dhcp-traffic-for-one-device-mac-address)
>
> But it seems this is not possible with pf, which works on layer 3.
>
> Kind regards,
> Illya
>
maybe you could use tcpdump -B fildrop feature, but you need -current to do this .. https://www.mail-archive.com/[email protected]/msg50785.html
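Since pf never sees the frames dhcpd answers via bpf(4), the place to verify that no lease went out on the "Bad net" side is dhcpd's own daemon.log. The following check is an added example, not code from this thread or from OpenBSD; the log sample is constructed from the lines quoted above plus one extra em1 line, and the "forbidden interface" policy (em0) is an assumption taken from the bridge scenario.

```python
import re

# Constructed sample of dhcpd(8) lines as they appear in /var/log/daemon.log in the
# thread, plus one extra DHCPACK on em1 (the "Good net" side) for contrast.
SAMPLE_DAEMON_LOG = """\
Apr 9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0
Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0
Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0
Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0
Apr 9 16:31:02 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.7 to 00:96:69:96:69:97 via em1
"""

# Interfaces on which policy says no lease may be handed out: em0 faces "Bad net"
# in the bridge scenario. This is an assumption of the example, not a dhcpd knob.
FORBIDDEN_IFACES = {"em0"}

# Server-side replies (DHCPOFFER / DHCPACK) are the evidence that a lease went out;
# DISCOVER/REQUEST only show that a client asked.
LEASE_RE = re.compile(
    r"dhcpd\[(?P<pid>\d+)\]: DHCP(?P<kind>OFFER|ACK) on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\w+)$"
)


def parse_lease_events(log_text):
    """Return one dict per DHCPOFFER/DHCPACK line; other dhcpd lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def leases_on_forbidden_ifaces(log_text, forbidden=FORBIDDEN_IFACES):
    """Leases dhcpd confirmed (DHCPACK) on an interface where policy forbids them.

    A pf block rule on ports 67/68 does not stop these, because dhcpd answered
    through bpf(4) before pf saw the packet; the daemon log is the reliable check.
    """
    return [
        e for e in parse_lease_events(log_text)
        if e["kind"] == "ACK" and e["iface"] in forbidden
    ]


if __name__ == "__main__":
    for e in leases_on_forbidden_ifaces(SAMPLE_DAEMON_LOG):
        print(f"lease {e['ip']} to {e['mac']} via {e['iface']} despite policy")
```

Feed it a real daemon.log and compare the offending interface against the interface list you set with `rcctl set dhcpd flags`; a hit means dhcpd is still attached to the wrong side.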
