On Wed, Nov 05, 2008 at 09:47:55PM -0200, Limaunion wrote:
> Hi, for some reason my OpenBSD 4.4 firewall [has] been able to [send
> a] dhcp request although there are no [pf] rules that allow this
> operation.

Because dhclient uses a low-level interface, accessible only to root,
that gets around PF. This is the same low-level interface that enables
dhclient to access the network before it is properly configured, so
there is not really a way around this.

Since root can disable pf anyway, this is not a security problem. But it
is indeed surprising.

Joachim