On 2019/04/10 12:29, Bruno Flückiger wrote:
> On 10.04., [email protected] wrote:
> >
> > In my opinion, it should be possible for a packet filter to block ALL
> > packets, that arrives from a network, before a daemon (in this case dhcpd)
> > does its work.

If you want that sort of control, split things up into a filtering bridge
on one machine, and run services (e.g. DHCP) on another.

> > But as Bruno said, dhcpd listens on layer 2 and answers first, before pf
> > gets the packet on layer 3. That was my understanding. Please see my tests
> > above, pf doesn't block the dhcp requests when dhcpd runs.
> >
> > In my scenario, I have a firewall, which works as bridge (so more a
> > firebridge ;-)) with a dhcpd for „Good net“ and blocking the most things
> > from „Bad net“ (especially dhcp requests).
> >
> > +---------+       +----------------+       +----------+
> > | Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
> > +---------+       +----------------+       +----------+
> >
> > Only em0 had an ip address and so dhcpd had to listen on em0. But some
> > PCs from „Bad net“ got ip addresses from the BSD-Box.
> > My solution was now to give the BSD-Box a second ip address on em1 and let
> > dhcpd listen on em1 only. This works with the pf-rules (see above).
> 
> I don't know the reasons you have for this setup, but to me it looks
> rather unusual. Especially if you want to filter traffic between the two
> subnets.

If you don't have control of the routing table on the upstream router,
it's quite common to work as a bridging firewall. Otherwise you need to use
proxy arp or double nat.

The most unusual thing about the OP's setup is running DHCP on the OpenBSD bridge;
with that type of setup it would usually be the upstream router that handles
addressing.
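For reference, a pf.conf sketch of the bridged layout in the diagram, with dhcpd listening on em1 only (dhcpd_flags=em1 in rc.conf.local). This is an added example, not the OP's or Bruno's rules; the Good net address range is an assumed placeholder.

```pf
# Added example, not the rules from the thread. Interface names follow the
# diagram in the OP's mail; the Good net range below is an assumed placeholder.
bad      = "em0"          # faces "Bad net"
good     = "em1"          # faces "Good net"; dhcpd listens here only
good_net = "192.0.2.0/24" # assumed address range of Good net

set skip on lo0

# Default deny on both bridge members (pf filters the members, not bridge0).
block log all

# DHCP client traffic goes from udp/68 to udp/67 (discover/request are usually
# broadcast from 0.0.0.0). Drop it on the Bad net side before it is bridged.
# Caveat from the thread: this does not stop a dhcpd that itself listens on
# em0, since dhcpd reads the frame via bpf before pf sees it; the fix is to
# not start dhcpd on em0 at all.
block in quick on $bad proto udp from any port 68 to any port 67

# Good net clients talking to the bridge's own dhcpd on em1, and its replies.
pass in  quick on $good proto udp from any port 68 to any port 67
pass out quick on $good proto udp from any port 67 to any port 68

# Anything Good net initiates toward Bad net. With pf's default floating
# state policy the state created here also matches the bridged copy leaving
# on $bad and the replies coming back in on $bad.
pass in on $good from $good_net
```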
