pf.conf rules for dhcp

kondziq

Member

Reaction score: 1
Messages: 34

Hi,

I'd like to know if you guys normally put any rules in pf.conf about dhcp? I know dhcp uses bpf, which means all packets are passed before pf really decides what to do. Now, should I still unblock ports 67 & 68? I'm asking because I keep getting annoying
Code:
14:47:06.251001 rule 0/0(match): block in on rl1: 192.168.1.20.68 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]
14:47:06.251365 rule 0/0(match): block out on rl1: 192.168.1.1.67 > 192.168.1.20.68: BOOTP/DHCP, Reply, length 300
in my pf log. What do you pros do? ;] Do you keep blocking it or unblock?

Thanks,
K.

DutchDaemon

Administrator
Staff member
Moderator
Developer

Reaction score: 2,841
Messages: 11,319

When my firewall is between dhcp clients and a dhcp server, I allow 67/68 traffic, something like this:

Code:
pass quick on { $LAN $WAN } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $LAN $WAN } inet proto udp from any port 67:68 to any port 67:68 keep state

kisscool-fr

Active Member

Reaction score: 19
Messages: 196

I have my dhcp server on the firewall and 2 rules are needed to make it work properly.

Code:
pass in quick on $int_if proto udp from port = 68 to port = 67
pass out quick on $int_if proto udp from port = 67 to port = 68
Without the second rule, the renew step does not work.
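As an added example (not code from any of the posters), here is a small Python parser for pflog lines in the format quoted in the first post. It picks out the DHCP flows (68 to 67 is client to server, 67 to 68 is server to client), counts them per interface, direction and action, and for each blocked direction emits a stateful UDP pass rule in the same form as the rules in the replies. The sample log text is constructed for the example; the regular expression assumes the `rule N/M(match): block|pass in|out on IFACE: SRC.PORT > DST.PORT:` layout seen above.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the first post plus two more
# made-up lines (one passed DHCP broadcast, one unrelated mDNS block).
SAMPLE_PFLOG = """\
14:47:06.251001 rule 0/0(match): block in on rl1: 192.168.1.20.68 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]
14:47:06.251365 rule 0/0(match): block out on rl1: 192.168.1.1.67 > 192.168.1.20.68: BOOTP/DHCP, Reply, length 300
14:47:07.000100 rule 3/0(match): pass in on rl1: 192.168.1.20.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
14:47:08.000200 rule 0/0(match): block in on rl0: 10.0.0.5.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
"""

# Assumed pflog layout (as shown in the thread): timestamp, rule number/subrule,
# reason in parentheses, action, direction, interface, then "src.sport > dst.dport:".
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


def parse_pflog_line(line):
    """Return a dict of the fields of one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def dhcp_direction(rec):
    """Classify a parsed record as a DHCP flow, or None if it is not DHCP."""
    if rec["sport"] == DHCP_CLIENT_PORT and rec["dport"] == DHCP_SERVER_PORT:
        return "client->server"
    if rec["sport"] == DHCP_SERVER_PORT and rec["dport"] == DHCP_CLIENT_PORT:
        return "server->client"
    return None


def summarize_dhcp(log_text):
    """Count DHCP log entries keyed by (interface, direction, action, flow)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        flow = dhcp_direction(rec)
        if flow is None:
            continue
        counts[(rec["ifname"], rec["dir"], rec["action"], flow)] += 1
    return counts


def missing_pass_rules(log_text):
    """For every (interface, direction) where DHCP was blocked, return the pf rule
    that would pass it, in the stateful UDP form used in the replies above."""
    rules = []
    for (ifname, direction, action, flow), _ in sorted(summarize_dhcp(log_text).items()):
        if action != "block":
            continue
        if flow == "client->server":
            sport, dport = DHCP_CLIENT_PORT, DHCP_SERVER_PORT
        else:
            sport, dport = DHCP_SERVER_PORT, DHCP_CLIENT_PORT
        rules.append(
            f"pass {direction} quick on {ifname} proto udp "
            f"from any port {sport} to any port {dport} keep state"
        )
    return rules


if __name__ == "__main__":
    for key, n in sorted(summarize_dhcp(SAMPLE_PFLOG).items()):
        print(n, key)
    for rule in missing_pass_rules(SAMPLE_PFLOG):
        print(rule)
```

Run against the two lines from the first post, it reports one blocked inbound client-to-server request and one blocked outbound server-to-client reply on rl1, and proposes an `in` and an `out` rule, which matches the observation in the reply above that both directions are needed for a renew to complete. Whether those rules belong in pf.conf at all depends on whether the box forwards DHCP between client and server or only runs a bpf-based client or server itself, which is the question the thread is about.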