Greetings, I recently built up a router based on OBSD 6.0; axe0 is the i/f connected to the ADSL modem, and it obtains its address from my ISP through DHCP:
[....................snip....................]
root@egeo:[~]> cat /etc/hostname.axe0
# Internet connection
# Public address obtained through ISP DHCP service
dhcp
[....................snip....................]

I noticed the following log messages at DHCP request renewal:

[....................snip....................]
Jan 9 23:32:28 egeo dhclient[58607]: DHCPREQUEST on axe0 to 10.254.3.253
Jan 9 23:32:28 egeo dhclient[58607]: send_packet: No route to host
Jan 9 23:32:31 egeo dhclient[58607]: DHCPREQUEST on axe0 to 255.255.255.255
Jan 9 23:32:31 egeo dhclient[58607]: DHCPACK from 2.238.176.1 (78:19:f7:45:d7:c1)
Jan 9 23:32:31 egeo dhclient[58607]: bound to 2.238.176.236 -- renewal in 14340 seconds.
[....................snip....................]

I do not understand what's happening here; the first request fails with "No route to host", the second one (which seems to me a broadcast one) is instead correctly managed. Does it mean that there is a DHCP server running on 10.254.3.253? This should be a private network address, but my LAN is on 192.168 (and on the same machine, having internal IP address 192.168.1.1, is indeed running a DHCP service).

Is a "reject" declaration in dhclient.conf the right way to tackle this symptom? Or do I need some additional rules in pf.conf?

[....................snip....................]
root@egeo:[~]> cat /etc/dhclient.conf
# DHCP service is used on this machine only for ISP
# connection (axe0 i/f)
send host-name "egeo.atlantide.priv";
# Do not overwrite resolv.conf, use local DNS instead
ignore domain-name-servers, domain-name;
[....................snip....................]

[....................snip....................]
root@egeo:[~]> cat /etc/pf.conf
#	$OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

# List of internal interfaces
int_if="{ vether0 bce0 ath0 }"
# "egress" keyword chooses the i/f that holds the default route (axe0)

# Non-routable private addresses
table <non-routable> { \
	0.0.0.0/8 \
	10.0.0.0/8 \
	127.0.0.0/8 \
	169.254.0.0/16 \
	172.16.0.0/12 \
	192.0.0.0/24 \
	192.0.2.0/24 \
	224.0.0.0/3 \
	192.168.0.0/16 \
	198.18.0.0/15 \
	198.51.100.0/24 \
	203.0.113.0/24 \
}

set block-policy drop		# Silently drop rejected packets
set loginterface egress		# Enable packet and byte statistics for axe0
#set skip on lo0		# \
#set skip on enc0		# ) Completely omit these i/f from packet processing
#set skip on bwi0		# /

# Enable traffic on loopback i/f (very low security risk)
pass quick on lo0 all

# Normalize incoming packets and perform NAT
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Drop packets coming in on egress if they appear to be from
# non-routable addresses (misconfiguration? spoofing attack?)
# Similarly, clients should not attempt to connect to such
# addresses
block in quick on egress from <non-routable> to any
block return out quick on egress from any to <non-routable>

# By default, block all traffic
block all

# Allow outgoing IPv4 traffic from both the router itself
# and the LAN clients
pass out quick inet

# Allow all internal LAN traffic
pass in on $int_if inet

# Do not permit remote connections to X11
block return in on !lo0 proto tcp to port 6000:6010

# Allow pinging
pass inet proto icmp all icmp-type { echoreq, unreach }

#
# Port forwarding
#
# Note: currently all servers are running on the router itself;
# if that won't be the case in future, use "rdr-to 192.168.1.x"
#

# Network services, Internet style
pass in on egress inet proto { tcp udp } from any to (egress) port ssh
pass in on egress inet proto { tcp udp } from any to (egress) port www
pass in on egress inet proto tcp from any to (egress) port https
pass in on egress inet proto { tcp udp } from any to (egress) port imap
pass in on egress inet proto { tcp udp } from any to (egress) port imaps
pass in on egress inet proto tcp from any to (egress) port smtp
pass in on egress inet proto { tcp udp } from any to (egress) port submission

# FTP
pass in on egress inet proto tcp from any to (egress) port ftp
pass in on egress inet proto tcp from any to (egress) port 49152:49407

# transmission daemon
pass in on egress inet proto { tcp, udp } from any to (egress) port { 9091 51413 }
[....................snip....................]

Thanks,

-- 
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis
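An added example, not part of the original post, showing how pf rule ordering can carve a narrow exception for the DHCP client out of the <non-routable> block. It assumes (the post does not confirm this) that the `block return out quick on egress from any to <non-routable>` rule is what stops the unicast DHCPREQUEST to 10.254.3.253, since 10.254.3.253 falls inside the table's 10.0.0.0/8 entry; the `<non-routable>` table and `egress` group are the ones from the posted pf.conf.

```pf
# Excerpt of the egress rules, in evaluation order. The "pass out quick"
# line is the added exception; whether it cures the symptom rests on the
# assumption stated in the lead-in.

# --- before: every outbound packet to a private address is blocked,
# including the DHCP client's unicast renewal to the ISP server at
# 10.254.3.253 (covered by 10.0.0.0/8). Because the block is "quick",
# the later "pass out quick inet" never gets a chance to match it.
block in quick on egress from <non-routable> to any
block return out quick on egress from any to <non-routable>

# --- after: a narrow exception evaluated first. Only UDP from the
# router's own egress address, client port 68 to server port 67, is let
# through; pf keeps state for it, so the server's unicast DHCPACK reply
# is matched by that state and needs no extra "pass in" rule. Everything
# else bound for <non-routable> is still blocked by the rules that follow.
pass out quick on egress inet proto udp from (egress) port 68 \
	to <non-routable> port 67
block in quick on egress from <non-routable> to any
block return out quick on egress from any to <non-routable>

# Note: a dhclient.conf "reject 10.254.3.253;" would do the opposite of
# this exception: it tells dhclient to ignore offers from that server
# identifier rather than letting the renewal reach it.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading the ruleset with `pfctl -f /etc/pf.conf`, and watch the next renewal in /var/log/messages for a DHCPACK answering the unicast DHCPREQUEST.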