Hello, I just wanted to thank you guys for answering so quickly! Those resources were extremely helpful when it came to figuring out what my setup was gonna be. On the topic of DHCP starvation, I know you guys mentioned using static IPs for important devices. I was thinking of doing something like that along with limiting the packet rate to 1 packet per second going to the DHCP server. My question is what would that rule look like in terms of the destination of the DHCP server? Would it be the gateway or would it be the “self” rule designation in pf?
My guess is this, possibly from the pf.conf manpage? Please correct me if I’m wrong.

pass in on $lan from $lan:network to any port 68 keep state max-pkt-rate 1/1

Or

pass out on self from $lan:network to any port 67 keep state max-pkt-rate 1/1

> On Apr 9, 2023, at 3:24 AM, Janne Johansson <[email protected]> wrote:
>
> On Sun, 9 Apr 2023 at 11:56, <[email protected]> wrote:
>>
>> Hello, I am new to OpenBSD in terms of using it as a home router/firewall.
>> I'm trying to implement the OpenBSD equivalent or similar way of doing things
>> like I did on my Linux Router. Are there equivalent ways/programs for
>> the following:
>>
>> 1. Reverse Path Filter (Like on Linux).
>
> PF antispoof and urpf is available. "man pf.conf"
>
>> 2. Protection against DHCP Starvation attacks.
>
> Give the important machines static entries, if you are concerned that
> hundreds or thousands of boxes/macs will eat up all dynamic ranges.
> Or use ipv6. Or perhaps 802.1x "authentication" where the mac is the
> password for radius so that unknown/undesired entries get the "wrong"
> network, if your switches support 802.1x.
>
>> 3. DHCP Snooping
>>
>> 4. Reply-Only ARP system with features like (automatically adding arps for
>> leases) that keep people from setting a static ip on the network and
>> bypassing the queueing done by pf.
>
> You can have dhcpd add handed out entries to a list, for which PF
> later can block. "man dhcpd" for the various lists it populates.
>
>> P.S.: If there are any ways of doing these options above can you point me to
>> the right documentation as I have tried to research but couldn’t find
>> anything on these subjects listed above.
>
>
> --
> May the most significant bit of your life be positive.

