pf.conf rules for dhcp

Hi,

I'd like to know if you guys normally put any rules in pf.conf for dhcp? I know dhcp uses bpf, which means all packets are passed before pf really decides what to do. Now, should I still unblock ports 67 & 68? I'm asking because I keep getting annoying
Code:
14:47:06.251001 rule 0/0(match): block in on rl1: 192.168.1.20.68 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]
14:47:06.251365 rule 0/0(match): block out on rl1: 192.168.1.1.67 > 192.168.1.20.68: BOOTP/DHCP, Reply, length 300
in my pf log. What do you Pros do? ;] Do you keep blocking it or unblock?

Thanks,
K.
 
When my firewall is between dhcp clients and a dhcp server, I allow 67/68 traffic, something like this:

Code:
pass quick on { $LAN $WAN } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $LAN $WAN } inet proto udp from any port 67:68 to any port 67:68 keep state
 
I have my dhcp server on the firewall and 2 rules are needed to make it work properly.

Code:
# client -> server (discover/request), UDP 68 -> 67
pass in quick on $int_if proto udp from port = 68 to port = 67
# server -> client reply, UDP 67 -> 68 (was "from proto = 67", which is not valid pf syntax)
pass out quick on $int_if proto udp from port = 67 to port = 68

Without the second rule, the renew step does not work.
 
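As an added example (not from any poster in this thread), a small Python script that scans pflog output in the format shown above for blocked UDP 67/68 flows and prints, per interface and direction, a pass rule in the shape of the ones posted above. The sample log lines are constructed from the thread's format; the interface name rl1 comes from those lines, not from a real host.

```python
import re

# Constructed sample of "tcpdump -n -e -ttt -r /var/log/pflog" output (not a real capture).
SAMPLE_PFLOG = """\
14:47:06.251001 rule 0/0(match): block in on rl1: 192.168.1.20.68 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]
14:47:06.251365 rule 0/0(match): block out on rl1: 192.168.1.1.67 > 192.168.1.20.68: BOOTP/DHCP, Reply, length 300
14:47:07.000000 rule 3/0(match): pass in on rl1: 192.168.1.20.51234 > 192.168.1.1.53: 1234+ A? example.com. (29)
14:47:08.000000 rule 0/0(match): block in on rl0: 203.0.113.7.4444 > 198.51.100.2.22: Flags [S], seq 1, win 65535
"""

# One pflog line: timestamp, rule number, action, direction, interface, src.port > dst.port, payload summary.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

DHCP_PORTS = {67, 68}  # server port 67, client port 68


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it is not in the expected format."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_dhcp_flows(text):
    """Unique (interface, direction, sport, dport) tuples for blocked packets between ports 67 and 68."""
    flows = []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        if rec["sport"] in DHCP_PORTS and rec["dport"] in DHCP_PORTS:
            key = (rec["ifname"], rec["dir"], rec["sport"], rec["dport"])
            if key not in flows:
                flows.append(key)
    return flows


def suggested_rules(flows):
    """One pf.conf pass rule per blocked flow, in the form used in the thread (interface instead of $int_if)."""
    return ["pass %s quick on %s proto udp from port = %d to port = %d" % (d, i, s, p)
            for (i, d, s, p) in flows]


if __name__ == "__main__":
    for rule in suggested_rules(blocked_dhcp_flows(SAMPLE_PFLOG)):
        print(rule)
```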