Hi all,
I'm running OpenBSD 6.9 as a home router, and observed some behavior of
pf that I can't really make sense of.
The router runs dhcpleased to obtain its IP address from the ISP, and I
have
the following pf rules (only the relevant ones are shown):
block drop all
pass out on $ext_if inet from ($ext_if) to ! <ipv4_reserved>
block drop in log (all) on $ext_if inet proto udp from port 67 to port
68
pass in on $ext_if inet proto udp from port 67 to 255.255.255.255 port
68
(I need to mention here that after digging into some old discussions on
the
mailing list, I realize that the last two rules are unnecessary because
DHCP
traffic is supposedly processed by dhcpleased though bpf regardless of
pf's
decision, but my question is something else)
With tcpdump on the external interface, I see packets similar to the
following
for lease renewal:
{timestamp} {my_ip}.68 > {ip1}.67: xid:0xfe51c9a3 [|bootp]
{timestamp} {ip2}.67 > {my_ip}.68: xid:0xfe51c9a3 Y:{my_ip} G:{ip1}
[|bootp]
Note that DHCP renew request is sent to {ip1}, but the DHCP
acknowledgment
is from {ip2}, so I guess {ip1} is a DHCP relay?
The problems is, with my existing pf rules I expect the second packet to
be
blocked and logged to pflog0, but in reality, a tcpdump on pflog0 shows
that no
packets are being blocked:
tcpdump -l -n -i pflog0
Why is the second packet not blocked by pf when its source ip address
{ip2} is
supposedly not in the state table?
I would greatly appreciate any help on this.
Best Regards
