Hi. I have the same problem, but with wlan. With a rule like the one below

ipfw add deny log all from any to any

I do not see any packets in ipfw -d show output. The LAN behind the wlan interface gets an ip-addr, but inet is blocked, of course.

----
Vitaliy

--- Original Message ---
From: "Olivier Cochard-Labbé"
Date: 5 January 2015, 12:33:46

> I'm using a pretty simple configuration:
>
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
>
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
>
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
>
> [root@wrap]~# ifconfig sis0
> sis0: flags=8843 metric 0 mtu 1500
>         options=83808
>         ether 00:0d:b9:02:76:58
>         inet 192.168.100.68 netmask 0xffffff00 broadcast 192.168.100.255
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> [root@wrap]~# ipfw show
> 00100 0 0 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 0 0 deny ip from any to any
>
> [root@wrap]~# cat /var/log/security
> Jan 1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
> Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
>
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
>
> Are DHCP packets excluded from the filtering/logging engine of ipfw?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"