On 2016-02-16 11:17, Patrick Lamaiziere wrote:
> On Tue, 16 Feb 2016 00:10:41 +0100,
> Clemens Goessnitzer <[email protected]> wrote:
>> Hello misc,
> 
> Hi
> 

Hi!

> 
>> So, if I specify a group for re1, everything is working as expected.
>> However, if re1 is not a member of any group, DHCP requests are blocked
>> by pf, as tcpdump shows. Is this intended behaviour? Or have I done
>> something wrong in my ruleset?
> 
> Hmmm, maybe the output of the ruleset loaded by pf will help.
> 
> # pfctl -sr

# pfctl -sr
match in all scrub (no-df max-mss 1440)
block drop in quick on ! external inet from 192.168.0.0/24 to any
block drop in quick inet from 192.168.0.10 to any
block drop in quick on ! internal inet from 10.0.0.0/24 to any
block drop in quick inet from 10.0.0.1 to any
block drop quick from <bruteforce> to any
pass log (all) quick inet proto icmp all icmp-type echoreq
pass log (all) quick inet proto icmp all icmp-type echorep
pass log (all) quick inet proto icmp all icmp-type unreach
block drop log all
block return log (all) inet from 10.0.0.0/24 to any
match out proto tcp from any to any port = 53 set ( prio(6, 7) )
match out proto udp from any to any port = 53 set ( prio(6, 7) )
pass quick on external inet proto tcp from 127.0.0.1 to any port = 53 flags S/SA
pass quick on external inet proto tcp from 192.168.0.10 to any port = 53 flags S/SA
pass quick on external inet proto tcp from 10.0.0.1 to any port = 53 flags S/SA
pass quick on external inet proto udp from 127.0.0.1 to any port = 53
pass quick on external inet proto udp from 192.168.0.10 to any port = 53
pass quick on external inet proto udp from 10.0.0.1 to any port = 53
pass quick inet proto tcp from any to any port = 53 flags S/SA
pass quick inet proto udp from any to any port = 53
pass log quick inet proto tcp from any to 192.168.0.10 port = 22 flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 3/15, overload <bruteforce> flush global, src.track 15)
pass log quick inet proto udp from any to 192.168.0.10 port = 22 keep state (source-track rule, max-src-conn 15, max-src-conn-rate 3/15, overload <bruteforce> flush global, src.track 15)
pass inet proto tcp from 10.0.0.0/24 to any port = 22 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 53 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 123 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 67 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 68 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 143 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 993 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 113 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 119 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 80 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 443 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 2401 flags S/SA
pass inet proto tcp from 10.0.0.0/24 to any port = 587 flags S/SA
pass inet proto udp from 10.0.0.0/24 to any port = 22
pass inet proto udp from 10.0.0.0/24 to any port = 53
pass inet proto udp from 10.0.0.0/24 to any port = 123
pass inet proto udp from 10.0.0.0/24 to any port = 67
pass inet proto udp from 10.0.0.0/24 to any port = 68
pass inet proto udp from 10.0.0.0/24 to any port 33433:33626
match out on external inet from 10.0.0.0/24 to any nat-to (external:0) round-robin

And what I maybe should have included in the original email:

# cat /etc/hostname.vether0
inet 10.0.0.1 255.255.255.0 10.0.0.255
group internal
# cat /etc/hostname.bridge0
add re1
add athn0
add athn1
add vether0
up
# cat /etc/dhcpd.conf

#       $OpenBSD: dhcpd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
default-lease-time 86400;

subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;

        range 10.0.0.5 10.0.0.254;

        host debian {
                hardware ethernet d0:50:99:37:bb:a2;
                fixed-address 10.0.0.2;
        }

        host nexus5 {
                hardware ethernet bc:f5:ac:ff:84:19;
                fixed-address 10.0.0.3;
        }

        host nexus7 {
                hardware ethernet ac:22:0b:5c:f4:a7;
                fixed-address 10.0.0.4;
        }
}

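Added example, not code from this thread or from OpenBSD: a simplified pf rule walk in Python that applies pf's evaluation order (every matching rule is considered, the last match wins, a matching quick rule stops the walk) to the ruleset listed above, to show which listed rule each of three constructed packets ends on. Only the rule fields that can matter for those packets are modelled; states, scrub, NAT, table contents (the <bruteforce> table is assumed empty) and the details of where pf filters bridge(4) member interfaces are not. The packets are constructed: a unicast lease renewal from the 'debian' host's fixed address 10.0.0.2 to dhcpd on 10.0.0.1 (UDP 68 to 67), run once with re1 in no group and once with re1 in group internal, and an initial DHCPDISCOVER from 0.0.0.0 to 255.255.255.255.

```python
# Added example, not code from the thread: a simplified walk of the ruleset above.
# pf considers every matching rule, the last match wins and a matching 'quick' rule
# ends the walk. Not modelled: states, scrub, NAT, tables (assumed empty), bridge(4).
import ipaddress
import re

# Rules copied from the pfctl -sr listing above. Rules whose protocol, direction,
# interface group or destination port can never match the inbound UDP-to-67 packets
# on re1 tested below are left out; pf only considers matching rules, so no verdict changes.
RULES = [
    "match in all scrub (no-df max-mss 1440)",
    "block drop in quick on ! external inet from 192.168.0.0/24 to any",
    "block drop in quick inet from 192.168.0.10 to any",
    "block drop in quick on ! internal inet from 10.0.0.0/24 to any",
    "block drop in quick inet from 10.0.0.1 to any",
    "block drop quick from <bruteforce> to any",
    "block drop log all",
    "block return log (all) inet from 10.0.0.0/24 to any",
    "pass inet proto udp from 10.0.0.0/24 to any port = 67",
]

def strip_parens(text):
    """Drop bracketed options (scrub, log, set, state options): not modelled."""
    while "(" in text:
        text = re.sub(r"\([^()]*\)", "", text)
    return text

def parse_rule(text):
    """Extract the fields matched on below; every other keyword is ignored."""
    r = {"text": text, "action": None, "dir": None, "quick": False, "on": None,
         "neg": False, "proto": None, "src": "any", "dst": "any",
         "srcport": None, "dstport": None}
    toks, side, i = strip_parens(text).split(), "src", 0
    while i < len(toks):
        t = toks[i]
        if t in ("pass", "block", "match"):
            r["action"] = t
        elif t in ("in", "out"):
            r["dir"] = t
        elif t == "quick":
            r["quick"] = True
        elif t == "on":                   # interface or group name, maybe "! negated"
            i += 1
            r["neg"] = toks[i] == "!"
            i += r["neg"]
            r["on"] = toks[i]
        elif t == "proto":
            i += 1
            r["proto"] = toks[i]
        elif t in ("from", "to"):         # a later "port" belongs to this side
            side = "src" if t == "from" else "dst"
            i += 1
            r[side] = toks[i]
        elif t == "port":                 # "port = N" or "port lo:hi"
            i += 2 if toks[i + 1] == "=" else 1
            r[side + "port"] = toks[i]
        i += 1
    return r

def addr_ok(spec, ip):                    # "<table>" entries are assumed empty here
    return spec == "any" or (not spec.startswith("<") and
            ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False))

def port_ok(spec, port):                  # spec is None, "N" or "lo:hi" (inclusive)
    lo, _, hi = (spec or "").partition(":")
    return spec is None or int(lo) <= port <= int(hi or lo)

def matches(r, p):
    if r["dir"] and r["dir"] != p["dir"]:
        return False
    if r["on"] and (r["on"] == p["iface"] or r["on"] in p["groups"]) == r["neg"]:
        return False                       # "on X" wants X, "on ! X" wants not X
    if r["proto"] and r["proto"] != p["proto"]:
        return False
    return (addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and port_ok(r["srcport"], p["sport"]) and port_ok(r["dstport"], p["dport"]))

def evaluate(rules, p):
    """Return (verdict, rule text); pf passes by default when nothing matches."""
    last = None
    for r in rules:
        if not matches(r, p) or r["action"] == "match":
            continue                       # 'match' rules never decide the verdict
        last = r
        if r["quick"]:
            break
    return ("pass", None) if last is None else (last["action"], last["text"])

def dhcp_verdicts():
    rules = [parse_rule(t) for t in RULES]
    def udp_in(groups, src, dst):          # constructed inbound UDP 68 -> 67 on re1
        return {"dir": "in", "iface": "re1", "groups": set(groups), "proto": "udp",
                "src": src, "sport": 68, "dst": dst, "dport": 67}
    return {  # 'debian' host (10.0.0.2) renewing its lease, re1 with and without a group
        "renew_no_group": evaluate(rules, udp_in([], "10.0.0.2", "10.0.0.1")),
        "renew_internal": evaluate(rules, udp_in(["internal"], "10.0.0.2", "10.0.0.1")),
        # first DHCPDISCOVER: the client has no address yet, so 0.0.0.0 to broadcast
        "discover_internal": evaluate(rules, udp_in(["internal"], "0.0.0.0", "255.255.255.255")),
    }
```

Call dhcp_verdicts() to get the three results. In this model the renewal stops at "block drop in quick on ! internal inet from 10.0.0.0/24 to any" when re1 is in no group (re1 then counts as "! internal") and ends on "pass inet proto udp from 10.0.0.0/24 to any port = 67" when re1 is in group internal; the DISCOVER from 0.0.0.0 matches no pass rule and ends on "block drop log all". Because every block in the listing is logged, the real system can confirm which rule fires: tcpdump -n -e -ttt -i pflog0 prints the rule number of the blocking rule, and pfctl -vvsr lists the loaded rules with their @ numbers.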