Theo de Raadt wrote:
> > Where are the details written up for how pf is bypassed by dhcpd and
> > dhclient?
> > Would that mean that the machine with dhcpd could still serve dhcp
> > requests despite a filter ruleset like this:
> >     block in all
> >     pass out all
> Damn right it will.
> Where is it written up? In the manual pages. I can't believe
> we are here in 2009 and people still believe they can get away
> with being an idiot because they believe they are above doing
> research:
> From the dhclient manual page:
>     You must have the Berkeley Packet Filter (BPF) configured in your kernel.
>     dhclient requires at least one /dev/bpf* file for each broadcast network
>     interface that is attached to your system. See bpf(4) for more information.
> See that last sentence?
> From the bpf manual page:
>     The Berkeley Packet Filter provides a raw interface to data link layers
>     in a protocol-independent fashion. All packets on the network, even
>     those destined for other hosts, are accessible through this mechanism.
> See that last sentence?
> "All packets on the network".
Maybe it should read, "All packets on the network, even those filtered
by pf, and those caused by sunspots, and those sent from the planet
that has sent their ambassador Linus to live among us, and those coming
from Theo himself, and..."
Seriously, I never gave much thought to the fact that dhcp worked
regardless of pf until reading this thread. But I did know that it uses
bpf, and what bpf is, so Claudio's explanation makes perfect sense.
One thing I'll say about debugging connectivity problems in general is
that you can go nuts trying to tweak your pf.conf when the problem isn't
pf. I try to refrain from modifying my ruleset unless I can prove pf is
blocking packets by examining the logs and/or using tcpdump.
Corey
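A check in the spirit of the last paragraph above, added here and not part of the thread: parse the output of `tcpdump -n -e -ttt -i pflog0` (constructed sample lines; the field layout is approximated and varies by version) and summarise what pf actually logged as blocked. Because dhclient and dhcpd read and write the wire through bpf, their packets never traverse pf, so their absence from pflog is not evidence that pf is blocking DHCP.

```python
import re
from collections import Counter

# Constructed sample of pflog output on a host running "block in log all /
# pass out all". Real output fields differ slightly between tcpdump versions.
SAMPLE_PFLOG = """\
000000 rule 0/(match) block in on em0: 192.0.2.45.51234 > 192.0.2.10.22: S 1:1(0) win 65535
000113 rule 0/(match) block in on em0: 192.0.2.45.51235 > 192.0.2.10.80: S 1:1(0) win 65535
000220 rule 0/(match) block in on em0: 198.51.100.7 > 192.0.2.10: icmp: echo request
000307 rule 0/(match) block in on em0: 192.0.2.45.51236 > 192.0.2.10.443: S 1:1(0) win 65535
"""

# IPv4 address followed by an optional ".port"; ICMP lines carry no port.
_ADDR = r"\d+\.\d+\.\d+\.\d+"
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): "
    rf"(?P<src>{_ADDR})(?:\.(?P<sport>\d+))? > (?P<dst>{_ADDR})(?:\.(?P<dport>\d+))?:"
)


def parse_pflog(text):
    """Turn pflog lines into dicts of rule/action/dir/ifname/src/sport/dst/dport.
    Lines that do not match the expected layout are skipped rather than guessed."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def blocked_inbound_by_port(entries):
    """Count packets pf logged as blocked inbound, keyed by destination port
    ('-' for portless protocols such as ICMP)."""
    hits = Counter(e["dport"] or "-" for e in entries
                   if e["action"] == "block" and e["dir"] == "in")
    return dict(hits)


def pf_logged_dhcp(entries):
    """True only if pf itself logged a packet on the DHCP ports 67/68.
    DHCP handled via bpf never reaches pf, so this is normally False even
    while dhclient/dhcpd are working fine."""
    return any(e["sport"] in ("67", "68") or e["dport"] in ("67", "68") for e in entries)


if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_PFLOG)
    print("blocked inbound by port:", blocked_inbound_by_port(parsed))
    print("pf logged DHCP traffic:", pf_logged_dhcp(parsed))
```

Feed it real output with `tcpdump -n -e -ttt -i pflog0 | python3 pflog_summary.py`-style piping only after adjusting the regex to your tcpdump's exact format; the point is to read what pf logged before touching pf.conf.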