PF Allow DHCP within PF

In terms of PF rules (enabled, actively running in my VPS), which way is the best way to allow a DHCP server (of my VPS provider) to connect and define an IP for my VPS without any prevention?

1- pass quick proto udp from any to 255.255.255.255

or

2- pass in quick on $ext_if inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"

Many thanks in advance!
 
which way is the best way to allow a DHCP server (of my VPS provider) to connect and define an IP for my VPS without any prevention?
It's going to work a lot better if you understand how DHCP works. When dealing with firewalls it's imperative you know how the various protocols and services actually work. To properly configure a firewall you really need to understand quite a bit of TCP/IP, or else it's all going to look like magic and you will never be able to write good firewall rules.

The Wikipedia article is actually quite good at explaining how DHCP works (read the "Operation" bit).


Read the article, then set up a small test where you can observe an actual DHCP request/response using tcpdump(1) or Wireshark. Once you understand how DHCP works you will be much better equipped to write firewall rules for it.
 
SirDice is correct: understanding how it works is important.
Here are the rules that are created on a pfSense device when you set up a DHCP server for an interface; igb1 is one of the interfaces in the box.
Code:
pass in quick on igb1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb1 inet proto udp from any port = bootpc to 192.168.251.50 port = bootps keep state label "allow access to DHCP server"
pass out quick on igb1 inet proto udp from 192.168.251.50 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
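
The pfSense rules above are for a box that runs the DHCP server, while the original question concerns a host that is a DHCP client. The sketch below is an added example, not taken from any post in this thread, showing client-side rules narrowed to the DHCP ports instead of passing all UDP sent to 255.255.255.255. The interface name vtnet0 and the default-block policy are assumptions.

```pf
# Added example: DHCP *client* rules for a host that gets its address
# from the provider's DHCP server. Not from the thread.
ext_if = "vtnet0"        # assumed interface name, replace with your own

set skip on lo0
block all                # assumed default policy

# Client -> server: DISCOVER/REQUEST go from port 68 (bootpc) to
# port 67 (bootps), first to the broadcast address, later as unicast
# renewals to the server's own address.
pass out quick on $ext_if inet proto udp \
    from any port bootpc to any port bootps \
    keep state label "dhcp client out"

# Server -> client: OFFER/ACK come from port 67 to port 68. The reply's
# source is the server's address, not 255.255.255.255, so it does not
# match the state created by the broadcast above and needs its own rule.
pass in quick on $ext_if inet proto udp \
    from any port bootps to any port bootpc \
    keep state label "dhcp client in"
```

Once the provider's DHCP server address is known (it shows up in a tcpdump capture of the exchange), the "from any" in the inbound rule can be tightened to that address.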
 