In article <43B88453.2060805 (AT) 2005 (DOT) smokva.net>,
Petar Bogdanovic <p.netbsd (AT) 2005 (DOT) smokva.netwrites:
If I haven't totally misunderstood something, dhcpd shouldn't be able to
get DHCPDISCVER if the only matching rule is: 'block in all'.

"dhcpd" uses the Berkeley Packet Filter bpf(4) to monitor for incoming
requests. And bpf(4) get's the packet before ipf(4) which is why your
rules don't help. Use settings like this in "/etc/rc.conf" to restrict
"dhcpd" to the correct interface:

dhcpd_flags="-q fxp0"

Kind regards

Mon, Jan 02, 2006 at 04:50:02PM +0100, Petar Bogdanovic wrote:
I assume, that there is a reason behind this.

Yes, IP Filter is a filter for the IP protocol. BPF is a low level
interface which receives packets before processing of the packet
(including IP) has even been started by the kernel. And that's
a useful feature because it allows you e.g. to use "tcpdump" to
have a look at all incoming packets before firewall rules are applied.

and some user-land tool is able to jump into the chain

It's not "some user-land tool". It's an application using BFP which
requires root privileges.
- one step before ipf

See above.

and get everything which comes in.

IPF doesn't get everything, it only gets all IP traffic.

Kind regards

Petar Bogdanovic netbsd-users (2006-01-02 21:15:42 +0100):
[]
The bpf(4)-use of dhcpd seems not to be indisputable

However, I don't know what happened in the meantime.

I can't reproduce the problem described in the post:

$ uname -srp
NetBSD 2.1_STABLE i386

$ ps -ax | grep dhc
309 ? Ss 0:00.64 /usr/sbin/dhcpd -q fxp0

$ ipf -V
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3
[]

$ ipfstat -ion
@1 pass out all
@1 pass in all
@2 block return-icmp-as-dest(port-unr) in quick on fxp0 from any to any port = 68

Running nmap (3.95) on this machine from another system:

$ nmap -sU -p67,68 $host
[]
PRT STATE SERVICE
67/udp open|filtered dhcpserver
68/udp closed dhcpclient
[]

Cheers, Jukka