On 2016-02-16 16:34, Patrick Lamaiziere wrote:
> On Tue, 16 Feb 2016 13:05:51 +0100,
> Clemens Goessnitzer <e1126...@student.tuwien.ac.at> wrote:
>
> OK, I think:
>
> the pf.conf rule
> ### rules for internal network ###
> pass inet proto { tcp, udp } from internal:network to port $udp_services
>
> is expanded to
>
> pass inet proto udp from 10.0.0.0/24 to any port = 22
> pass inet proto udp from 10.0.0.0/24 to any port = 53
> pass inet proto udp from 10.0.0.0/24 to any port = 123
> pass inet proto udp from 10.0.0.0/24 to any port = 67
> pass inet proto udp from 10.0.0.0/24 to any port = 68
>
> For DHCP, the source IP is 0.0.0.0 so this does not match.
>
> If re1 is a member of the group internal, how is this rule expanded?
> (maybe there is something with "if:network" when the interface
> does not have an IP address and a network.)

If I change the group of re1 to internal, test or lan, nothing changes in the expansion of the rules by pf.

What I am wondering is why DHCP requests on the athnX interfaces are not blocked by pf...

Thanks for your time,
Clemens
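
The source-address mismatch described in the quoted reply, as an added example that is not part of the original thread. It models only the protocol, source-network and destination-port comparison of the expanded rules, not pf's full evaluation (last match wins, `quick`, state); the macro contents are inferred from the quoted expansion and the sample packets are constructed.

```python
import ipaddress
from itertools import product

# Values taken from the quoted expansion; the macro contents are inferred from it.
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/24")  # internal:network
UDP_SERVICES = (22, 53, 123, 67, 68)                     # $udp_services (assumed)
PROTOS = ("tcp", "udp")                                  # { tcp, udp }


def expand_rules():
    """Expand the brace lists into one (proto, src_net, dst_port) rule each."""
    return [(proto, INTERNAL_NETWORK, port)
            for proto, port in product(PROTOS, UDP_SERVICES)]


def matching_rules(proto, src, dst_port):
    """Return the expanded rules whose proto, source network and port all match."""
    src_ip = ipaddress.ip_address(src)
    return [r for r in expand_rules()
            if r[0] == proto and src_ip in r[1] and r[2] == dst_port]


def render(rule):
    """Format a rule tuple the way the expansion is written in the thread."""
    proto, net, port = rule
    return f"pass inet proto {proto} from {net} to any port = {port}"


# Constructed sample packets: (label, proto, source address, destination port)
SAMPLES = [
    ("DHCPDISCOVER, client has no address yet", "udp", "0.0.0.0", 67),
    ("DHCPREQUEST renewal from a leased address", "udp", "10.0.0.42", 67),
    ("DNS query from an internal host", "udp", "10.0.0.42", 53),
    ("DNS query from outside the /24", "udp", "192.168.1.5", 53),
]

if __name__ == "__main__":
    for label, proto, src, port in SAMPLES:
        hits = matching_rules(proto, src, port)
        verdict = render(hits[0]) if hits else "no match in this rule's expansion"
        print(f"{label}: {verdict}")
```
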