Thread: pf.conf and cable modem

pf.conf and cable modem
United States
2007-02-27 16:48:12
I am converting from DSL to RoadRunner this week and wondering if there is anything special I need to do to my pf.conf for passing DHCP into my NIC?

From what I can tell...the NIC comes up *then* pf comes up. But if I don't permit the periodic DHCP stuff in, I am wondering if that will cause an issue.

I think if I just permit everything OUT my NIC hooked up to RR I will be ok...but wanted to ask the group:

pass out quick on $ext_if from ($ext_if) to any keep state

-JD
_______________________________________________
freebsd-questions freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe freebsd.org"

Re: pf.conf and cable modem
2007-02-27 16:55:55
> I am converting from DSL to RoadRunner this week and wondering if there is anything special I need to do to my pf.conf for passing DHCP into my NIC?

I think all you'll need is:

pass in quick on $ext_if proto udp from any port 67 to any port 68 keep state

Thanks,
Josh

Re: pf.conf and cable modem
United Kingdom
2007-02-28 11:35:17
On Tue, 27 Feb 2007 14:55:55 -0800
"Josh Carroll" <josh.carroll gmail.com> wrote:

> > I am converting from DSL to RoadRunner this week and wondering if there is anything special I need to do to my pf.conf for passing DHCP into my NIC?
>
> I think all you'll need is:
>
> pass in quick on $ext_if proto udp from any port 67 to any port 68 keep state
>

When I used DHCP with PF, I found that it just worked without any rules at all.

Re: pf.conf and cable modem
2007-02-28 11:39:33
> When I used DHCP with PF, I found that it just worked without any rules at all.

As long as you're allowing packets out with keep state, it may be that it is able to allow the inbound DHCPOFFER after a DHCP REQUEST outbound. The rule I provided may not be necessary, then.

Josh

Re: pf.conf and cable modem
United States
2007-02-28 11:44:21
Quoting RW <fbsd06 mlists.homeunix.com>:
> On Tue, 27 Feb 2007 14:55:55 -0800
> "Josh Carroll" <josh.carroll gmail.com> wrote:
>
>> > I am converting from DSL to RoadRunner this week and wondering if there is anything special I need to do to my pf.conf for passing DHCP into my NIC?
>>
>> I think all you'll need is:
>>
>> pass in quick on $ext_if proto udp from any port 67 to any port 68 keep state
>>
>
> When I used DHCP with PF, I found that it just worked without any rules at all.

That's been my experience as well (admittedly on OpenBSD, but it's basically the same PF). Remember, your NIC's initialization sequence, which is where the DHCP request will come, happens before PF is enabled, so you're essentially at a "pass all" sort of a state when the request happens.

The one thing to keep in mind is that if you're doing, say, NAT for some clients behind the box, you can use a rule like this to deal with any changes in your dynamic IP (which should be extremely rare -- on Comcast I've had one IP change in 1.5 years, and that was because I was down for a significant chunk of time):

nat on $ext_if from $int_if:network to any -> (nfe0)

The "(nfe0)" here says "use the IP address of the nfe0 interface", instead of requiring you to specify the address manually.

HTH,
Alex Kirk

Re: pf.conf and cable modem
United Kingdom
2007-02-28 12:02:15
On Wed, 28 Feb 2007 12:44:21 -0500
alex schnarff.com wrote:

> Quoting RW <fbsd06 mlists.homeunix.com>:
> > When I used DHCP with PF, I found that it just worked without any rules at all.
>
> That's been my experience as well (admittedly on OpenBSD, but it's basically the same PF). Remember, your NIC's initialization sequence, which is where the DHCP request will come, happens before PF is enabled, so you're essentially at a "pass all" sort of a state when the request happens.
>
> The one thing to keep in mind is that if you're doing, say, NAT for some clients behind the box, you can use a rule like this to deal with any changes in your dynamic IP

Not in my experience.

I was using a half-bridge modem that had a 30 second lease time, which was definitely renewing. It would also give me a private address when PPPoA went down, and I saw that happen too.

I added in some early static rules to log all the DHCP packets. IIRC I never saw any of the lease renewal packets, just some broadcast packets. I asked in this list about it but never got a reply.

I suspect that either DHCP sees the packets directly in some way, or PF has some special handling for DHCP. In either case it would make sense for PF rules to see the broadcasts, since they might need to be bridged.

Re: pf.conf and cable modem
United Kingdom
2007-02-28 12:08:42
On Wed, 28 Feb 2007 18:02:15 +0000
RW <fbsd06 mlists.homeunix.com> wrote:

> On Wed, 28 Feb 2007 12:44:21 -0500
> alex schnarff.com wrote:
>
> > Quoting RW <fbsd06 mlists.homeunix.com>:
>
> > > When I used DHCP with PF, I found that it just worked without any rules at all.
> >
> > That's been my experience as well (admittedly on OpenBSD, but it's basically the same PF). Remember, your NIC's initialization sequence, which is where the DHCP request will come, happens before PF is enabled, so you're essentially at a "pass all" sort of a state when the request happens.
> >
> > The one thing to keep in mind is that if you're doing, say, NAT for some clients behind the box, you can use a rule like this to deal with any changes in your dynamic IP
>
> Not in my experience.
>
> I was using a half-bridge modem that had a 30 second lease time, which was definitely renewing. It would also give me a private address when PPPoA went down, and I saw that happen too.
>
> I added in some early static rules to log all the DHCP packets. IIRC I never saw any of the lease renewal packets, just some broadcast packets. I asked in this list about it but never got a reply.
>
> I suspect that either DHCP sees the packets directly in some way, or PF has some special handling for DHCP. In either case it would make sense for PF rules to see the broadcasts, since they might need to be bridged.

Sorry, I misread what you were saying about the rule, but the point still remains that it's not simply the case that PF is in pass-all mode when DHCP starts.

Re: pf.conf and cable modem
United States
2007-02-28 12:19:13
Quoting RW <fbsd06 mlists.homeunix.com>:
> On Wed, 28 Feb 2007 12:44:21 -0500
> alex schnarff.com wrote:
>
>> Quoting RW <fbsd06 mlists.homeunix.com>:
>
>> > When I used DHCP with PF, I found that it just worked without any rules at all.
>>
>> That's been my experience as well (admittedly on OpenBSD, but it's basically the same PF). Remember, your NIC's initialization sequence, which is where the DHCP request will come, happens before PF is enabled, so you're essentially at a "pass all" sort of a state when the request happens.
>>
>> The one thing to keep in mind is that if you're doing, say, NAT for some clients behind the box, you can use a rule like this to deal with any changes in your dynamic IP
>
> Not in my experience.
>
> I was using a half-bridge modem that had a 30 second lease time, which was definitely renewing. It would also give me a private address when PPPoA went down, and I saw that happen too.

Are you sure it was a 30 *second* lease time? No sane ISP would set such a low value -- that's a surefire way to overwhelm their DHCP servers. It sounds like either a) there was something misconfigured on one end of the connection (and I make no value judgement as to which end it was, given the lack of evidence), or b) you had an incredibly stupid ISP that I'd like the name of, so that I can avoid them at all costs.

> I added in some early static rules to log all the DHCP packets. IIRC I never saw any of the lease renewal packets, just some broadcast packets. I asked in this list about it but never got a reply.

What were the rules? I'd be curious to see them.

> I suspect that either DHCP sees the packets directly in some way, or PF has some special handling for DHCP. In either case it would make sense for PF rules to see the broadcasts, since they might need to be bridged.

Given this thread:

http://marc.theaimsgroup.com/?l=openbsd-pf&m=115702991719970&w=2

I'd say that DHCP goes on at a level below PF, at least on OpenBSD (which, again, should be largely similar, if not identical, on FreeBSD). In any case, the OP shouldn't have to do anything special to let DHCP through, especially if he's got something like:

pass out quick on $ext_if proto udp all keep state

in his ruleset, which probably makes sense anyway.

Alex Kirk

Re: pf.conf and cable modem
United Kingdom
2007-02-28 15:16:41
On Wed, 28 Feb 2007 13:19:13 -0500
alex schnarff.com wrote:

> Quoting RW <fbsd06 mlists.homeunix.com>:
>
> > On Wed, 28 Feb 2007 12:44:21 -0500
> > alex schnarff.com wrote:
> > I was using a half-bridge modem that had a 30 second lease time, which was definitely renewing. It would also give me a private address when PPPoA went down, and I saw that happen too.
>
> Are you sure it was a 30 *second* lease time? No sane ISP would set such a low value -- that's a surefire way to overwhelm their DHCP servers.

As I said, it was a half-bridge modem. It terminates PPPoA and delivers the public IP address and DNS server addresses with its own DHCP server. When PPP is not connected it issues a private IP address instead.

Until the Draytek Vigor 100 offered true PPPoA to PPPoE bridging, half-bridge modems were the only ethernet-based modems that would work with FreeBSD and PPPoA.

> > I added in some early static rules to log all the DHCP packets. IIRC I never saw any of the lease renewal packets, just some broadcast packets. I asked in this list about it but never got a reply.
>
> What were the rules? I'd be curious to see them.
>

pass out log quick on $ext_if proto udp from port { bootps, bootpc} to port { bootps, bootpc}
pass in log quick on $ext_if proto udp from port { bootps, bootpc} to port { bootps, bootpc}

I can't remember the details, but the only packets I saw with tcpdump were some incoming broadcasts from the DHCP server.
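Pulling the rules from this thread together (Josh's pass-in rule for ports 67/68, Alex's NAT rule with the interface name in parentheses, and RW's logging rules): an added example of a minimal pf.conf for a box that gets its external address by DHCP and NATs a LAN, written for this edit and not posted by anyone in the thread. The interface names nfe0 and em0 are assumptions.

```pf
# Added example, not from the thread. Interface names are assumptions.
ext_if = "nfe0"
int_if = "em0"

# NAT for the LAN. The parentheses make pf look up the address of $ext_if
# when a packet is matched rather than when the ruleset is loaded, so a
# new DHCP lease with a different address needs no pfctl reload.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block log all

# DHCP: the client speaks from bootpc (68) to the server's bootps (67).
# "log" sends matching packets to pflog0, which is how to check whether pf
# sees the lease traffic on this host at all (the question RW raised).
pass out log quick on $ext_if proto udp from any port bootpc to any port bootps keep state
pass in  log quick on $ext_if proto udp from any port bootps to any port bootpc keep state

# Everything the box itself originates, stateful; replies ride the state.
pass out quick on $ext_if from ($ext_if) to any keep state

# The LAN side is trusted here.
pass quick on $int_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `tcpdump -n -e -ttt -i pflog0 port 67 or port 68` across a lease renewal to see which DHCP packets, if any, reach the pf rules.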