On 10.04., [email protected] wrote:
> On 10.04.19 at 10:58, Otto Moerbeek wrote:
> > On Wed, Apr 10, 2019 at 10:08:51AM +0200, [email protected] wrote:
> > >
> > > On 10.04.19 at 07:34, Bruno Flückiger wrote:
> > > > On 09.04., [email protected] wrote:
> > > > > Dear all,
> > > > >
> > > > > I discovered a strange problem with OpenBSD 6.4 AMD64 (stable(?)-release
> > > > > with all 16 patches).
> > > > >
> > > > > When running dhcpd, some pf rules seem not to be working.
> > > > > I'm pretty sure this behaviour is different from 6.3.
> > > > >
> > > > > Setup:
> > > > > +--------+  +--------+      +----------------------+
> > > > > | Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
> > > > > +--------+  +--------+      +----------------------+
> > > > >
> > > > > I try to get an ip address for „Client“ via dhcp from „OpenBSD“, but in
> > > > > pf.conf I block traffic on port 67+68 (see below).
> > > > >
> > > > > When dhcpd is NOT running, I got from „tcpdump -nettti pflog0“ as
> > > > > expected:
> > > > > ---- snip 8< ----
> > > > > Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 > 255.255.255.255.67: xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
> > > > > ---- snap 8< ----
> > > > >
> > > > > When dhcpd („dhcpd em0“) is running, I got an entry in
> > > > > /var/log/daemon.log:
> > > > > ---- snip 8< ----
> > > > > Apr 9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0
> > > > > Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0
> > > > > Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0
> > > > > Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0
> > > > > ---- snap 8< ----
> > > > >
> > > > > .. and this entry via tcpdump:
> > > > > ---- snip 8< ----
> > > > > Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 > 10.69.250.1: icmp: echo request
> > > > > ---- snap 8< ----
> > > > >
> > > > > .. and „Client“ got an ip address!
> > > > >
> > > > > If you need further information don't hesitate to contact me.
> > > > >
> > > > > Please tell me also, if I'm too stupid to understand what happened ;-)
> > > > >
> > > > > If you want to know why I'm running dhcpd and want to block the
> > > > > traffic: We use OpenBSD as bridge and dhcpd should only offer
> > > > > ip-addresses to one side. But this strange behaviour is also present
> > > > > without the bridge-configuration.
> > > > >
> > > > > Thank you for your help and support
> > > > > Illya Meyer
> > > > >
> > > >
> > > > Hi Illya
> > > >
> > > > DHCP operates on layer 2 using bpf(4) to receive and send packets.
> > > > Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
> > > > has done its work before the packets get to pf(4). If you want to make
> > > > sure that dhcpd(8) hands out leases only on interface em0 you can tell
> > > > it to operate only on this interface:
> > > >
> > > > # rcctl set dhcpd flags em0
> > > >
> > > > Cheers,
> > > > Bruno
> > > >
> > >
> > > Hi Bruno,
> > >
> > > thank you for the information.
> > >
> > > It's strange that a packet first reaches a daemon and then the packet
> > > filter (whose job it is to protect the machine from unwanted packets!)
> > >
> > > Maybe it's a good idea to build a bpf-Filter for layer 2 :-)
> > >
> > > Thank you and kind regards,
> > > Illya
> > >
> >
> > What do you think dhcpd uses?
> >
> > -Otto
>
> Hm, sorry. What do you mean exactly?
>
> In my opinion, it should be possible for a packet filter to block ALL
> packets that arrive from a network, before a daemon (in this case dhcpd)
> does its work.
>
> But as Bruno said, dhcpd listens on layer 2 and answers first, before pf
> gets the packet on layer 3. So was my understanding. Please see my tests
> above, pf doesn't block the dhcp requests when dhcpd runs.
>
> In my scenario, I have a firewall which works as bridge (so more a
> firebridge ;-)) with a dhcpd for „Good net“ and blocking most things
> from „Bad net“ (especially dhcp requests).
>
> +---------+       +----------------+       +----------+
> | Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
> +---------+       +----------------+       +----------+
>
> Only em0 has had an ip address and so dhcpd had to listen on em0. But some
> PCs from „Bad net“ got ip addresses from the BSD-Box.
> My solution was now to give the BSD-Box a second ip address on em1 and let
> dhcpd listen on em1 only. This works with the pf-rules (see above).

I don't know the reasons you have for this setup, but to me it looks rather
unusual. Especially if you want to filter traffic between the two subnets.

> When I interpret this article in the right way
> (https://www.linuxtopia.org/Linux_Firewall_iptables/c479.html) iptables on
> Linux works on layer 2, so it should be possible to block dhcp requests.
> Other articles said the same (e.g.
> https://serverfault.com/questions/873839/block-dhcp-traffic-for-one-device-mac-address)
> But it seems this is not possible with pf, which works on layer 3.
>
> Kind regards,
> Illya
>

Why do you read an article about Linux if you use OpenBSD? Besides that, the
article talks about layer 2 in the TCP/IP stack. Most people doing networking
I know talk about layers in the OSI model. The layer numbers of these two
models don't match 1:1, e.g. layer 2 in TCP/IP is layer 3 in OSI [1]. So
iptables in Linux operates on the same two layers as pf(4) in OpenBSD does.

Cheers,
Bruno

[1] https://en.wikipedia.org/wiki/OSI_model#Comparison_with_TCP/IP_model
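As an added example (not code from the thread or from OpenBSD), the following Python script audits the two logs quoted above: it parses dhcpd(8)'s DHCPACK lines and the pflog block entries, and reports leases handed out on an interface that is not in an allow-list, flagging any pf DHCP block rule logged on that interface as ineffective for the reason Bruno gives. The log lines are constructed from the thread and the regular expressions are assumptions about the dhcpd and tcpdump/pflog formats.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the daemon.log and pflog lines quoted in the thread.
DAEMON_LOG = [
    "Apr 9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0",
    "Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0",
    "Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0",
    "Apr 9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0",
]
PFLOG = [
    "Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 > 255.255.255.255.67: xid:0x3f51206f secs:5 [|bootp] [tos 0x10]",
    "Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 > 10.69.250.1: icmp: echo request",
]
# The patterns are assumptions about the dhcpd(8) and tcpdump/pflog output formats shown above.
ACK_RE = re.compile(
    r"dhcpd\[\d+\]: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17}) via (?P<ifc>\w+)")
BLOCK_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) block in on (?P<ifc>\w+): "
    r"[\d.]+\.(?P<sport>\d+) > [\d.]+\.(?P<dport>\d+)")

def acked_leases(daemon_lines):
    """Map interface -> list of (client MAC, leased IP) for every DHCPACK dhcpd logged."""
    leases = defaultdict(list)
    for line in daemon_lines:
        m = ACK_RE.search(line)
        if m:
            leases[m["ifc"]].append((m["mac"], m["ip"]))
    return leases

def dhcp_block_rules(pflog_lines):
    """Map interface -> set of pf rule numbers that logged an inbound block on udp 67/68."""
    rules = defaultdict(set)
    for line in pflog_lines:
        m = BLOCK_RE.search(line)
        if m and {m["sport"], m["dport"]} & {"67", "68"}:
            rules[m["ifc"]].add(int(m["rule"]))
    return rules

def audit(daemon_lines, pflog_lines, allowed_ifaces):
    """Leases dhcpd handed out on interfaces outside the allow-list, plus any pf
    DHCP block rule logged on that interface; that rule is ineffective because
    dhcpd answers via bpf(4) before pf(4) sees the request at layer 3."""
    blocks = dhcp_block_rules(pflog_lines)
    return [
        {"ifc": ifc, "mac": mac, "ip": ip, "ineffective_rules": sorted(blocks.get(ifc, ()))}
        for ifc, pairs in acked_leases(daemon_lines).items() if ifc not in allowed_ifaces
        for mac, ip in pairs
    ]
```

With `audit(DAEMON_LOG, PFLOG, {"em1"})` the lease on em0 is reported together with rule 3, while `{"em0"}` as the allow-list yields no findings.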
