On 7/3/23 11:25, Mark wrote:
> I'm getting (I think once per day) "dhcpleased[59824]: sendto: Permission
> denied" error message in my daemon and messages log files.

> I think that's happening due to my PF configuration.

Certainly could be. If this happens consistently around a particular
time, you can "live dangerously" and allow all traffic temporarily to
see if the issue is resolved. More safely, use tcpdump(8) to see if you
can find the problem.

> I tried to add:
> pass log quick on $ext_if proto udp from any to any port = 67
> in my pf.conf file, didn't help.

Completely useless. DHCP traffic never makes its way to pf(4) due to
being handled by bpf(4) first, so you don't need such a rule; in fact
you could explicitly block such traffic, and it won't matter. Proof:

router# cat /etc/pf.conf
# Options.
set block-policy drop

# Macros.
wan = em0

# Filtering rules.
block in quick on $wan inet proto udp to port 68
block out quick on $wan inet proto udp to port 67
pass quick

router# rcctl stop dhcpcd
dhcpcd(ok)
router# rm -rf /var/run/dhcpcd/
router# ifconfig em0 -inet
router# ifconfig em0 -inet6
router# ifconfig em0 down
router# pfctl -f /etc/pf.conf
router# tcpdump -ntt -i em0 -w pkts.dat 'udp and ip and (dst port 67 or dst port 68)' &
[1] 98425
router# tcpdump: listening on em0, link-type EN10MB
router# rcctl start dhcpcd
dhcpcd(ok)
router# pkill -x tcpdump

12551 packets received by filter
0 packets dropped by kernel
router# tcpdump -nr pkts.dat
10:02:29.663056 0.0.0.0.68 > 255.255.255.255.67:  xid:0x3544268 [|bootp]
10:02:32.802098 0.0.0.0.68 > 255.255.255.255.67:  xid:0x3544268 secs:3 [|bootp]
10:02:32.857942 96.120.140.45.67 > 73.78.65.184.68:  xid:0x3544268 Y:73.78.65.184 G:96.120.140.45 [|bootp] [tos 0x10]

The use of dhcpcd(8) is not relevant. I choose to use it for both DHCPv6
and DHCP so that I only have one daemon. I am _not_ recommending its
use over dhcpleased(8). The point is to show that such traffic is
allowed regardless of what rules you have in pf(4).

If it is a pf(4) issue, then it is not related to that traffic.
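As an added illustration (not part of the thread or of any OpenBSD tool), a small Python parser for the one-line `tcpdump -n` BOOTP summaries shown above: it groups packets by transaction id and reports whether each transaction saw both a client-to-server request and a server-to-client reply, which is the evidence that the exchange completed in spite of the block rules. The sample lines are the three from the capture above plus one constructed request that never gets an answer.

```python
import re
from collections import defaultdict

# One-line "tcpdump -n" BOOTP summary: timestamp, src.ip.port > dst.ip.port:,
# then "xid:0x..." followed by optional fields such as Y: (yiaddr) and G: (giaddr).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"xid:(?P<xid>0x[0-9a-fA-F]+)(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict describing one summary line, or None if it is not a BOOTP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["xid"] = int(rec["xid"], 16)
    ym = re.search(r"\bY:(\d+\.\d+\.\d+\.\d+)", rec["rest"])
    rec["yiaddr"] = ym.group(1) if ym else None
    # Client requests go 68 -> 67, server replies go 67 -> 68.
    if rec["sport"] == 68 and rec["dport"] == 67:
        rec["dir"] = "client->server"
    elif rec["sport"] == 67 and rec["dport"] == 68:
        rec["dir"] = "server->client"
    else:
        rec["dir"] = "other"
    return rec

def summarize(lines):
    """Per xid: request/reply counts, offered address, and whether both directions were seen."""
    by_xid = defaultdict(lambda: {"requests": 0, "replies": 0, "offered": None})
    for rec in filter(None, map(parse_line, lines)):
        e = by_xid[rec["xid"]]
        if rec["dir"] == "client->server":
            e["requests"] += 1
        elif rec["dir"] == "server->client":
            e["replies"] += 1
            e["offered"] = rec["yiaddr"] or e["offered"]
    return {x: {**e, "complete": e["requests"] > 0 and e["replies"] > 0}
            for x, e in by_xid.items()}

# Three lines from the capture in the thread, plus one constructed unanswered request.
SAMPLE = [
    "10:02:29.663056 0.0.0.0.68 > 255.255.255.255.67:  xid:0x3544268 [|bootp]",
    "10:02:32.802098 0.0.0.0.68 > 255.255.255.255.67:  xid:0x3544268 secs:3 [|bootp]",
    "10:02:32.857942 96.120.140.45.67 > 73.78.65.184.68:  xid:0x3544268 Y:73.78.65.184 G:96.120.140.45 [|bootp] [tos 0x10]",
    "10:02:40.000000 0.0.0.0.68 > 255.255.255.255.67:  xid:0xdeadbeef [|bootp]",  # constructed
]

if __name__ == "__main__":
    for xid, e in summarize(SAMPLE).items():
        print(f"xid 0x{xid:x}: {e}")
```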
