I'm using a pretty simple configuration:

My rc.conf:
ifconfig_sis0="DHCP"
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"

My /etc/ipfw.rules:
#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add pass ip from any to any via lo0
${fwcmd} add deny log ip from any to any

But after a reboot this machine is still able to get an IP address by DHCP and nothing (related to DHCP) is logged on the firewall:

[root@wrap]~# ifconfig sis0
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=83808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC,LINKSTATE>
        ether 00:0d:b9:02:76:58
        inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
[root@wrap]~# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 4 1631 deny log ip from any to any
65535 0 0 deny ip from any to any
[root@wrap]~# cat /var/log/security
Jan 1 01:16:45 wrap newsyslog[923]: logfile first created
Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0

I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.

Are DHCP packets excluded from the filtering/logging engine of ipfw?

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"