On Tue, Nov 24, 2009 at 04:45:25PM +0200, Lars Nooden wrote:
> Claudio Jeker wrote:
>
> > Neither dhcpd nor dhclient need any pass rules in pf. Both tools use bpf
> > to steal the packets before they're checked by pf.
>
> I see that has been there for a while.
>
> Now that I look I see that dhcpd can add addresses to a PF table using
> the argument -L. Useful!
>
> Where are the details written up for how pf is bypassed by dhcpd and
> dhclient?

dhclient mentions the use of bpf and bpf is bypassing everything in the
network stack.

> Would that mean that the machine with dhcpd could still serve dhcp
> requests despite a filter ruleset like this:
>
> block in all
> pass out all
>

Yes. It would even work with a "block all".

-- 
:wq Claudio