Enabling Firewall to pass DHCP traffic - How?
I am *trying* to come up with firewall rules to allow DHCP to work reliably from my firewalled target system.

The simplest firewall (when enabled with 'pfctl -e') works perfectly with dhcp.client:

## Scrub
scrub in all

## Filter Rules

pass in log all keep state
pass out log all keep state 

Monitoring /dev/pflog0 I see the following when I make a dhcp.client request:

 > dhcp.client -um
 
rule 1/0(match): pass out on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
rule 0/0(match): pass in on en0: 10.30.174.2.67 > 10.30.175.133.68: BOOTP/DHCP, Reply, length 363
rule 0/0(match): pass in on en0: 10.30.174.3.67 > 10.30.175.133.68: BOOTP/DHCP, Reply, length 363
rule 0/0(match): pass in on en0: 10.30.175.4.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]


Next I tried a more complex firewall rule:

## Macros
local_if="lo0" 
syn_only="S/FSRA"

icmp_types=echoreq

## Tables

## Options

## Scrub
scrub in all

## Filter Rules

block all

anchor "eth/*"

# Allow the local interface to talk unrestricted
pass in quick on $local_if all
pass out quick on $local_if all

To this configuration I added rules to the "eth" anchor using pfctl:

> cat en0_rules ./en0_rules | pfctl -a eth/en0 -f -

Where the en0_rules file contains the following directives:

enet_if=en0
syn_only="S/FSRA"
icmp_types=echoreq

eth_tcp_services="{ 22, 23, 42, 53, 67, 68, 80, 113, 851, 2011, 2021, 6010, 6020, 6667, 7667, 8000, 9402 }"
eth_udp_services="{ 22, 23, 42, 53, 67, 68, 851 }"


# Default TCP policy
block return-rst in log on $enet_if proto TCP all
	pass in log quick on $enet_if inet proto tcp from any to ($enet_if) port $eth_tcp_services flags $syn_only keep state
	pass in log quick on $enet_if inet proto udp from any to ($enet_if) port $eth_udp_services

# Default ICMP policy
block in log on $enet_if proto icmp all
	pass in log quick on $enet_if inet proto icmp all icmp-type $icmp_types keep state

# Allow all outbound traffic
block out log on $enet_if all
	pass out log quick on $enet_if all keep state


Notice that both TCP/UDP ports 67 and 68 are opened. As I understand it, I should only need to allow UDP data out to the server on port 67, and the server should reply back to the client (my target) on UDP port 68. When I tcpdump /dev/pflog0 I see the request go out the interface (en0), but nothing passes back through the firewall (or is logged as being blocked). Will the returning UDP packet on port 68 show up in the pflog0 trace? I don't know all the details of the DHCP handshake, but it would seem the reply back from the server might not contain a destination IP address (since one hasn't been assigned to my target yet) and is routed via the MAC address to my target. Could this be the source of my problems, and is there any way to configure a rule to allow the response back from the DHCP server through?

So it boils down to a simple question: can anyone suggest a filter rule that will explicitly allow DHCP traffic (only) through an otherwise blocked firewall?

Thanks . . .
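Added example (not part of the original post): a DHCP-only ruleset for the eth/en0 anchor, written in the same pf syntax as the rules above and reusing the post's $enet_if macro; it assumes nothing else about the target's configuration.

```pf
# Added example, not the poster's own rules: DHCP-only rules for the
# eth/en0 anchor, reusing the $enet_if macro from the post.
enet_if=en0

# Why the post's "to ($enet_if) port $eth_udp_services" rule never sees
# the reply: ($enet_if) expands to the interface's current address, which
# is 0.0.0.0 while the lease is still being negotiated, and the server
# answers either the offered address (10.30.175.133 in the first trace)
# or 255.255.255.255. Neither matches, so the packet falls through to
# the root ruleset's "block all", which carries no "log" keyword and
# therefore never shows up on pflog0. The outbound "keep state" does not
# help either: the state was created for 0.0.0.0:68 -> 255.255.255.255:67
# and a reply addressed to a different destination does not match it.

# Default policy for the interface: block, and log so that a dropped
# DHCP reply is at least visible on pflog0 next time.
block in log on $enet_if all
block out log on $enet_if all

# Client -> server: DISCOVER/REQUEST leave from 0.0.0.0 (or from the
# current lease address on renewal), UDP source port 68, destination 67.
pass out log quick on $enet_if inet proto udp from any port 68 to any port 67

# Server -> client: OFFER/ACK arrive from UDP source port 67 to port 68
# with a destination we cannot predict (broadcast or the not-yet-bound
# address), so match on the port pair only, never on ($enet_if).
pass in log quick on $enet_if inet proto udp from any port 67 to any port 68
```

Because both pass rules are `quick`, they win over the block rules regardless of order; everything that is not DHCP on en0 is still dropped and now logged.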