On Wed, Apr 10, 2019 at 11:19:18AM +0200, [email protected] wrote:

> On 10.04.19 at 10:58, Otto Moerbeek wrote:
> > On Wed, Apr 10, 2019 at 10:08:51AM +0200, [email protected] wrote:
> > 
> > > 
> > > On 10.04.19 at 07:34, Bruno Flückiger wrote:
> > > > On 09.04., [email protected] wrote:
> > > > > Dear all,
> > > > > 
> > > > > I discovered a strange problem with OpenBSD 6.4 AMD64 (stable(?)-release with all 16 patches).
> > > > > 
> > > > > When running dhcpd, some pf rules seem to not be working.
> > > > > I'm pretty sure this behaviour is different from 6.3.
> > > > > 
> > > > > Setup:
> > > > > +--------+  +--------+      +----------------------+
> > > > > | Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
> > > > > +--------+  +--------+      +----------------------+
> > > > > 
> > > > > I try to get an IP address for „Client“ via DHCP from „OpenBSD“, but in pf.conf I block traffic on ports 67+68 (see below).
> > > > > 
> > > > > When dhcpd is NOT running, I got from „tcpdump -nettti pflog0“ as expected:
> > > > > ---- Schnipp 8< ----
> > > > > Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 > 255.255.255.255.67:  xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
> > > > > ---- Schnapp 8< ----
> > > > > 
> > > > > When dhcpd („dhcpd em0“) is running, I got an entry in /var/log/daemon.log:
> > > > > ---- Schnipp 8< ----
> > > > > Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0
> > > > > Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0
> > > > > Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0
> > > > > Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0
> > > > > ---- Schnapp 8< ----
> > > > > 
> > > > > .. and this entry via tcpdump:
> > > > > ---- Schnipp 8< ----
> > > > > Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 > 10.69.250.1: icmp: echo request
> > > > > ---- Schnapp 8< ----
> > > > > 
> > > > > .. and „Client“ got an IP address!
> > > > > 
> > > > > If you need further information, don't hesitate to contact me.
> > > > > 
> > > > > Please also tell me if I'm too stupid to understand what happened ;-)
> > > > > 
> > > > > If you want to know why I'm running dhcpd and want to block the traffic: we use OpenBSD as a bridge, and dhcpd should only offer IP addresses to one side.
> > > > > But this strange behaviour is also present without the bridge configuration.
> > > > > 
> > > > > Thank you for your help and support
> > > > > Illya Meyer
> > > > > 
> > > > 
> > > > Hi Illya
> > > > 
> > > > DHCP operates on layer 2 using bpf(4) to receive and send packets.
> > > > Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
> > > > has done its work before the packets get to pf(4). If you want to make
> > > > sure that dhcpd(8) hands out leases only on interface em0 you can tell
> > > > it to operate only on this interface:
> > > > 
> > > > # rcctl set dhcpd flags em0
> > > > 
> > > > Cheers,
> > > > Bruno
> > > > 
> > > 
> > > Hi Bruno,
> > > 
> > > thank you for the information.
> > > 
> > > It's strange that a packet first reaches a daemon and then the packet filter
> > > (whose job it is to protect the machine from unwanted packets!)
> > > 
> > > Maybe it's a good idea to build a bpf filter for layer 2 :-)
> > > 
> > > Thank you and kind regards,
> > > Illya
> > > 
> > 
> > What do you think dhcpd uses?
> > 
> >     -Otto
> > 
> 
> Hm, sorry. What do you mean exactly?
> 
> In my opinion, it should be possible for a packet filter to block ALL
> packets that arrive from a network before a daemon (in this case dhcpd)
> does its work.
> 
> But as Bruno said, dhcpd listens on layer 2 and answers first, before pf
> gets the packet on layer 3. That was my understanding. Please see my tests
> above: pf doesn't block the DHCP requests when dhcpd runs.
> 
> In my scenario, I have a firewall which works as a bridge (so more of a
> firebridge ;-)) with a dhcpd for „Good net“ and blocking most things
> from „Bad net“ (especially DHCP requests).
> 
> +---------+       +----------------+       +----------+
> | Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
> +---------+       +----------------+       +----------+
> 
> Only em0 had an IP address, and so dhcpd had to listen on em0. But some
> PCs from „Bad net“ got IP addresses from the BSD box.
> My solution was now to give the BSD box a second IP address on em1 and let
> dhcpd listen on em1 only. This works with the pf rules (see above).
> 
> If I interpret this article correctly
> (https://www.linuxtopia.org/Linux_Firewall_iptables/c479.html), iptables on
> Linux works on layer 2, so it should be possible to block DHCP requests.
> Other articles say the same (e.g.
> https://serverfault.com/questions/873839/block-dhcp-traffic-for-one-device-mac-address)
> But it seems this is not possible with pf, which works on layer 3.
> 
> Kind regards,
> Illya

pf filters on IP and TCP/UDP level and that is a good design decision.

dhcpd uses a different mechanism (bpf) to filter on layer 2. Each tool
has its scope and usage. Mixing layers is not a good idea in general.

        -Otto
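Since pf never sees the DHCP exchange that dhcpd(8) serves over bpf(4), the control is binding dhcpd to the interface it should serve (the `rcctl set dhcpd flags` step above), and a useful check is to watch /var/log/daemon.log for leases handed out via any other interface. The script below is an added example, not code from the thread; it assumes the dhcpd log format quoted above and uses constructed sample lines.

```python
import re

# Constructed sample lines in the format of the dhcpd(8) entries quoted in the thread.
# The last line is an offer on em1, the interface dhcpd is meant to serve.
SAMPLE_DAEMON_LOG = """\
Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0
Apr  9 16:31:02 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.2 to 00:11:22:33:44:55 via em1
"""

# Matches the four message shapes above: DISCOVER/REQUEST carry "from <mac>",
# OFFER/ACK carry "on <ip> to <mac>", REQUEST carries "for <ip> from <mac>".
DHCPD_RE = re.compile(
    r"dhcpd\[(?P<pid>\d+)\]: (?P<msg>DHCP[A-Z]+)"
    r"(?: (?:on|for) (?P<ip>[\d.]+))?"
    r" (?:to|from) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<ifname>\w+)"
)


def parse_dhcpd_log(text):
    """Return one dict per dhcpd protocol line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DHCPD_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def leases_via_wrong_interface(events, allowed_ifaces):
    """Server-side messages (OFFER/ACK) are what actually hand out a lease, so
    only those are flagged when they go out an interface not in allowed_ifaces.
    Client messages (DISCOVER/REQUEST) on the wrong side are expected noise."""
    return [e for e in events
            if e["msg"] in ("DHCPOFFER", "DHCPACK") and e["ifname"] not in allowed_ifaces]


if __name__ == "__main__":
    # Policy from the thread's setup: only the "Good net" side (em1) may be served.
    for e in leases_via_wrong_interface(parse_dhcpd_log(SAMPLE_DAEMON_LOG), {"em1"}):
        print(f"lease via unexpected interface {e['ifname']}: {e['msg']} {e['ip']} to {e['mac']}")
```

On a live box the same check can be run over `/var/log/daemon.log` instead of the constructed sample.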
