[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: blocking DHCP requests
Ahh.. how would _any_ software that uses IP (TCP or UDP) be able to
"bypass" pf? Doesn't pf operate at layer 2 and 3? AFAIK, DHCP still
ends up heading out of the client or server over the network as UDP
packets on ports 67 & 68. eg:
--- Björn Ketelaars <[email protected]> wrote:
> > Does your dhcpd server listen on wi0 ?
> > /Sigfred
> > On Saturday 02 October 2004 18.28, you wrote:
> >> I'm trying to block wireless clients in using my DHCP-server. The
> >> problem is that these clients are still able to retrieve
> >> from the DHCP-server. If I understand the hereby included pf.conf,
> >> everything (except UDP domain and TCP ssh) is blocked into
> >> $wir_if (which comes from $wir_if:network). Doesn't this also mean
> >> an DHCP-request is blocked? Any suggestions in what I'm missing?
> Indeed does the DHCP-server listen on wi0...If I understand correctly
> the DHCP daemon is written to use pcap instead of network sockets.
> means that the offers send out by the daemon can not be filtered(?) .
> Quote from another user...
> "I know that the dhcp* subsystem, was fundamentally written using
> so that it did not use normal network sockets to request and accept
> answers, at least I know that the dhcpclient worked this way for
> I'm not sure that the dhcpd daemon worked this way, so this is
> something that deserves some follow-up... The dhcpclient in OpenBSD
> changed this in 3.5, I know because I had to put pf rules in place
> the client to work on my DSL public interface. The dhcpd server may
> well use proper sockets at this time..."
> A simple solution to this problem would be to remove wi0 from
> dhcpd.interfaces, but I wonder; is it 'wise' to give daemons the
> option to
> 'bypass' pf?
Find local movie times and trailers on Yahoo! Movies.