Strange (mis)behaviour of pf ruleset in combination with dhcpd


illya.meyer@wiesan.de
Dear all,

I discovered a strange problem with OpenBSD 6.4 amd64 (stable(?) release
with all 16 patches).

When dhcpd is running, some pf rules seem not to work.
I'm pretty sure this behaviour is different from 6.3.

Setup:
+--------+  +--------+      +----------------------+
| Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
+--------+  +--------+      +----------------------+

I try to get an IP address for "Client" via DHCP from "OpenBSD", but in
pf.conf I block traffic on ports 67 and 68 (see below).

When dhcpd is NOT running, I get this from "tcpdump -nettti pflog0", as expected:
---- Schnipp 8< ----
Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 >
255.255.255.255.67:  xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
---- Schnapp 8< ----

When dhcpd ("dhcpd em0") is running, I get these entries in /var/log/daemon.log:
---- Schnipp 8< ----
Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from
00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to
00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from
00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to
00:96:69:96:69:96 via em0
---- Schnapp 8< ----

... and this entry via tcpdump:
---- Schnipp 8< ----
Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 >
10.69.250.1: icmp: echo request
---- Schnapp 8< ----

... and "Client" got an IP address!

If you need further information, don't hesitate to contact me.

Please also tell me if I'm too stupid to understand what happened ;-)

If you want to know why I'm running dhcpd and want to block the
traffic: we use OpenBSD as a bridge, and dhcpd should only offer
IP addresses to one side. But this strange behaviour is also present
without the bridge configuration.

Thank you for your help and support
Illya Meyer

pfctl -s rules
---- Schnipp 8< ----
0  block return log all
1  block drop in log quick on em0 proto tcp from any to any port = 67
2  block drop in log quick on em0 proto tcp from any to any port = 68
3  block drop in log quick on em0 proto udp from any to any port = 67
4  block drop in log quick on em0 proto udp from any to any port = 68
5  pass log all flags S/SA
6  block return out log proto tcp all user = 55
7  block return out log proto udp all user = 55
8  block return in log on ! lo0 proto tcp from any to any port 6000:6010
---- Schnapp 8< ----

/etc/pf.conf
---- Schnipp 8< ----
#   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

ext=em0

set skip on lo

block return log    # block stateless traffic

block in log quick on $ext proto {tcp,udp} from any to any port 67
block in log quick on $ext proto {tcp,udp} from any to any port 68

pass log
---- Schnapp 8< ----

/etc/hostname.em0
---- Schnipp 8< ----
inet 10.69.228.156 255.255.0.0
up
---- Schnapp 8< ----

/etc/dhcpd.conf
---- Schnipp 8< ----
option domain-name "something.test";
max-lease-time 28800;
default-lease-time 14400;

shared-network test-1 {
   subnet 10.69.0.0 netmask 255.255.0.0 {
     range 10.69.250.1 10.69.250.30;
   }
}
---- Schnapp 8< ----


(attachment: dmesg.boot, 18K)

Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

Bruno Flueckiger
On 09.04., [hidden email] wrote:

> [...]

Hi Illya

DHCP operates on layer 2 using bpf(4) to receive and send packets.
Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
has done its work before the packets get to pf(4). If you want to make
sure that dhcpd(8) hands out leases only on interface em0 you can tell
it to operate only on this interface:

# rcctl set dhcpd flags em0

Cheers,
Bruno
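To make Bruno's point concrete, here is an added example (Python, written for this page; it is not code from the thread or from OpenBSD's dhcpd). It builds the DHCPDISCOVER frame that tcpdump logged above (client MAC 00:96:69:96:69:96, xid 0x3f51206f, secs 5, tos 0x10, 0.0.0.0.68 > 255.255.255.255.67; the option list is a constructed minimum) and then shows the two decisions made on that one frame. server_bpf_accepts() applies the four checks a DHCP server's bpf(4) program makes on the raw Ethernet frame (IPv4 ethertype, UDP, not a later fragment, UDP destination port 67), reading fixed byte offsets the way bpf does. pf_tuple() extracts the proto/src/sport/dst/dport tuple that the "proto udp ... port 67" rule matches. The kernel hands the frame to bpf listeners in the driver input path and runs pf later in the IP input path, so the first decision is taken before the second, which is why rule 3 never fires while dhcpd runs. decode_dhcp() is included so the same code can read an OFFER back:

```python
"""Added example: the DHCPDISCOVER from the thread, seen by bpf and by pf."""
import struct

ETHERTYPE_IP = 0x0800
IPPROTO_UDP = 17
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_REPLIES = {2, 5, 6}                    # OFFER, ACK, NAK go server -> client


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid IPv4 header it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_frame(client_mac: bytes, xid: int, msg_type: int, secs: int = 0,
                     server_mac: bytes = b"\0" * 6, src_ip: bytes = b"\0" * 4,
                     dst_ip: bytes = b"\xff" * 4, yiaddr: bytes = b"\0" * 4,
                     tos: int = 0x10) -> bytes:
    """Ethernet + IPv4 + UDP + BOOTP frame carrying DHCP option 53 = msg_type.
    Client messages go client:68 -> ff:ff:ff:ff:ff:ff:67, replies go 67 -> 68."""
    reply = msg_type in DHCP_REPLIES
    op = BOOTREPLY if reply else BOOTREQUEST
    src_mac, dst_mac = (server_mac, client_mac) if reply else (client_mac, b"\xff" * 6)
    sport, dport = (67, 68) if reply else (68, 67)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, secs, 0x8000,   # htype Ethernet, hlen 6, broadcast flag
                        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_MAGIC + bytes([53, 1, msg_type, 0xFF])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP csum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip + udp


def server_bpf_accepts(frame: bytes) -> bool:
    """The decision a DHCP server's bpf(4) program makes on the raw frame:
    IPv4 ethertype, UDP, not a later fragment (ports absent there), UDP
    destination port 67. Fixed offsets from the Ethernet header, no IP
    stack involved, so pf rules play no part in it."""
    if len(frame) < 14 + 20 + 8:
        return False
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return False
    if frame[23] != IPPROTO_UDP:
        return False
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return False
    ihl = (frame[14] & 0x0F) * 4
    return struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0] == 67


def pf_tuple(frame: bytes) -> tuple:
    """The layer-3/4 tuple pf(4) matches 'proto udp ... port 67' against,
    once the packet reaches the IP input path."""
    ihl = (frame[14] & 0x0F) * 4
    proto = "udp" if frame[23] == IPPROTO_UDP else str(frame[23])
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (proto, src, sport, dst, dport)


def decode_dhcp(frame: bytes) -> dict:
    """op, xid, secs, yiaddr, chaddr and the option-53 message type."""
    ihl = (frame[14] & 0x0F) * 4
    bootp = frame[14 + ihl + 8:]
    op, _htype, hlen, _hops, xid, secs, _flags = struct.unpack("!BBBBIHH", bootp[:12])
    info = {"op": op, "xid": xid, "secs": secs,
            "yiaddr": ".".join(map(str, bootp[16:20])),
            "chaddr": bootp[28:28 + hlen].hex(":"), "msg_type": None}
    opts = bootp[236:]
    if opts[:4] == DHCP_MAGIC:
        i = 4
        while i < len(opts) and opts[i] != 0xFF:
            if opts[i] == 0:            # pad option
                i += 1
                continue
            code, length = opts[i], opts[i + 1]
            if code == 53:
                info["msg_type"] = opts[i + 2]
            i += 2 + length
    return info


# Constructed sample: MAC, xid and secs taken from the pflog/daemon.log lines in the thread.
CLIENT_MAC = bytes.fromhex("009669966996")
DISCOVER = build_dhcp_frame(CLIENT_MAC, 0x3F51206F, 1, secs=5)

if __name__ == "__main__":
    print("server bpf program accepts:", server_bpf_accepts(DISCOVER))
    print("pf would match on:", pf_tuple(DISCOVER))
    print(decode_dhcp(DISCOVER))
```

Run it as a script to print the three views. In the spirit of Illya's test, write DISCOVER to the wire from the Bad-net side (as root via bpf(4) or a raw socket; the sender is deliberately not included here) and decode_dhcp() on whatever comes back tells you whether the bridge still answers: msg_type 2 with a non-zero yiaddr means it does.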


Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

illya.meyer@wiesan.de

Am 10.04.19 um 07:34 schrieb Bruno Flückiger:

> [...]

Hi Bruno,

thank you for the information.

It's strange that a packet first reaches a daemon and then the packet
filter (whose job it is to protect the machine from unwanted packets!)

Maybe it's a good idea to build a bpf filter for layer 2 :-)

Thank you and kind regards,
Illya


Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

Otto Moerbeek
On Wed, Apr 10, 2019 at 10:08:51AM +0200, [hidden email] wrote:

> [...]
>
> Maybe it's a good idea to build a bpf filter for layer 2 :-)
>
> [...]

What do you think dhcpd uses?

        -Otto


Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

illya.meyer@wiesan.de
Am 10.04.19 um 10:58 schrieb Otto Moerbeek:

> [...]
>
> What do you think dhcpd uses?
>
> -Otto

Hm, sorry. What do you mean exactly?

In my opinion, it should be possible for a packet filter to block ALL
packets that arrive from a network before a daemon (in this case
dhcpd) does its work.

But as Bruno said, dhcpd listens on layer 2 and answers first, before pf
gets the packet on layer 3. That was my understanding. Please see my tests
above: pf doesn't block the DHCP requests when dhcpd runs.

In my scenario, I have a firewall which works as a bridge (so more of a
"firebridge" ;-)) with a dhcpd for the "Good net", blocking most things
from the "Bad net" (especially DHCP requests).

+---------+       +----------------+       +----------+
| Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
+---------+       +----------------+       +----------+

Only em0 had an IP address, so dhcpd had to listen on em0. But
some PCs from the "Bad net" got IP addresses from the BSD box.
My solution was to give the BSD box a second IP address on em1 and
let dhcpd listen on em1 only. This works with the pf rules (see above).

If I interpret this article correctly
(https://www.linuxtopia.org/Linux_Firewall_iptables/c479.html), iptables
on Linux works on layer 2, so it should be possible to block DHCP
requests. Other articles say the same (e.g.
https://serverfault.com/questions/873839/block-dhcp-traffic-for-one-device-mac-address).
But it seems this is not possible with pf, which works on layer 3.

Kind regards,
Illya
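The configuration Illya ended up with, dhcpd pinned to em1 plus the quick blocks on em0, is the control that matters here, because no pf rule can reach a bpf(4) listener. Here is an added example (Python, written for this page, not from the thread) that encodes that as a check. It parses `pfctl -sr` output, using the ruleset quoted above as a constructed sample, and the value printed by `rcctl get dhcpd flags`, and reports when dhcpd listens on an interface outside the trusted set or when an untrusted interface lacks inbound quick blocks for UDP 67 and 68. The set of dhcpd options treated as taking an argument is an assumption to check against dhcpd(8) on your release:

```python
"""Added example: audit that dhcpd is pinned to trusted interfaces and that
pf has quick blocks for DHCP inbound on the untrusted ones."""
import re

# Constructed sample input: the ruleset from the thread as pfctl -sr prints it.
PF_RULES = """\
block return log all
block drop in log quick on em0 proto tcp from any to any port = 67
block drop in log quick on em0 proto tcp from any to any port = 68
block drop in log quick on em0 proto udp from any to any port = 67
block drop in log quick on em0 proto udp from any to any port = 68
pass log all flags S/SA
block return out log proto tcp all user = 55
block return out log proto udp all user = 55
block return in log on ! lo0 proto tcp from any to any port 6000:6010
"""

# Assumption (verify against dhcpd(8) on your release): options taking one argument.
DHCPD_OPTS_WITH_ARG = {"-A", "-C", "-L", "-c", "-l"}

# Optional leading rule number (pfctl -vvsr prints "@N "), then the block keyword.
_BLOCK_RE = re.compile(r"^\s*(?:@?\d+\s+)?block\b(?P<body>.*)$")


def parse_pf_blocks(pf_rules: str) -> set:
    """(iface, proto, dport) for each inbound 'quick' block naming one port.
    Non-quick blocks are ignored: a later pass rule can override them."""
    found = set()
    for line in pf_rules.splitlines():
        m = _BLOCK_RE.match(line)
        if not m:
            continue
        body = m.group("body") + " "
        if " in " not in body or " quick " not in body:
            continue
        iface = re.search(r"\bon\s+(\w+)", body)      # 'on ! lo0' (negated) does not match
        proto = re.search(r"\bproto\s+(\w+)", body)
        port = re.search(r"\bport\s*=\s*(\d+)", body)
        if iface and proto and port:
            found.add((iface.group(1), proto.group(1), int(port.group(1))))
    return found


def parse_dhcpd_flags(flags: str) -> list:
    """Interface names in dhcpd_flags, i.e. what `rcctl get dhcpd flags` prints.
    'NO' means the service is disabled, so nothing listens."""
    if flags.strip() == "NO":
        return []
    toks, ifaces, i = flags.split(), [], 0
    while i < len(toks):
        t = toks[i]
        if t in DHCPD_OPTS_WITH_ARG:
            i += 2
            continue
        if not t.startswith("-"):
            ifaces.append(t)
        i += 1
    return ifaces


def audit(pf_rules: str, dhcpd_flags: str, trusted: set, untrusted: set) -> list:
    """Findings; empty when dhcpd is pinned to trusted interfaces and every
    untrusted interface has inbound quick blocks for UDP 67 and 68."""
    findings = []
    ifaces = parse_dhcpd_flags(dhcpd_flags)
    if not ifaces:
        findings.append("dhcpd_flags names no interface; dhcpd is not pinned to the trusted side")
    for ifc in ifaces:
        if ifc not in trusted:
            findings.append(f"dhcpd listens on {ifc}, which is not a trusted interface")
    blocks = parse_pf_blocks(pf_rules)
    for ifc in sorted(untrusted):
        for port in (67, 68):
            if (ifc, "udp", port) not in blocks:
                findings.append(f"no 'block in quick on {ifc} proto udp ... port = {port}' rule")
    return findings


if __name__ == "__main__":
    # The setup from the first mail (dhcpd on em0) versus the fix (dhcpd on em1).
    for flags in ("em0", "em1"):
        print(f"dhcpd_flags={flags!r}:", audit(PF_RULES, flags, {"em1"}, {"em0"}) or "ok")
```

On a live box feed it `pfctl -sr` and `rcctl get dhcpd flags` output and run it from cron or a config check; the pf check is only defence in depth for bridged traffic, the dhcpd_flags check is what actually decides whether the Bad net can get a lease.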


Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

Hrvoje Popovski
On 10.4.2019. 11:19, [hidden email] wrote:

> [...]

Maybe you could use the tcpdump -B fildrop feature, but you need -current to
do this ..


https://www.mail-archive.com/tech@.../msg50785.html


Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

Otto Moerbeek
In reply to this post by illya.meyer@wiesan.de
On Wed, Apr 10, 2019 at 11:19:18AM +0200, [hidden email] wrote:

> [...]
>
> But it seems this is not possible with pf, which works on layer 3.

pf filters on IP and TCP/UDP level and that is a good design decision.

dhcpd uses a different mechanism (bpf) to filter on layer 2. Each tool
has its scope and usage. Mixing layers is not a good idea in general.

        -Otto


Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

illya.meyer@wiesan.de
Am 10.04.19 um 11:24 schrieb Otto Moerbeek:

> On Wed, Apr 10, 2019 at 11:19:18AM +0200, [hidden email] wrote:
>
>> Am 10.04.19 um 10:58 schrieb Otto Moerbeek:
>>> On Wed, Apr 10, 2019 at 10:08:51AM +0200, [hidden email] wrote:
>>>
>>>>
>>>> Am 10.04.19 um 07:34 schrieb Bruno Flückiger:
>>>>> On 09.04., [hidden email] wrote:
>>>>>> Dear all,
>>>>>>
>>>>>> I discovered a strange problem with OpenBSD 6.4 AMD64 (stable(?)-release
>>>>>> with all 16 patches).
>>>>>>
>>>>>> When running dhcpd, some pf rules are seem to not working.
>>>>>> I'm pretty sure, this behaviour is different than in 6.3.
>>>>>>
>>>>>> Setup:
>>>>>> +--------+  +--------+      +----------------------+
>>>>>> | Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
>>>>>> +--------+  +--------+      +----------------------+
>>>>>>
>>>>>> I try to get an ip address for „Client“ via dhcp from „OpenBSD“, but in
>>>>>> pf.conf I block traffic on port 67+68 (see below).
>>>>>>
>>>>>> When dhcpd is NOT running, I got from „tcpdump -nettti pflog0“ as expected:
>>>>>> ---- Schnipp 8< ----
>>>>>> Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 >
>>>>>> 255.255.255.255.67:  xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
>>>>>> ---- Schnapp 8< ----
>>>>>>
>>>>>> When dhcpd („dhcpd em0“) is running, I got an entry in /var/log/daemon.log:
>>>>>> ---- Schnipp 8< ----
>>>>>> Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96
>>>>>> via em0
>>>>>> Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to
>>>>>> 00:96:69:96:69:96 via em0
>>>>>> Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from
>>>>>> 00:96:69:96:69:96 via em0
>>>>>> Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to
>>>>>> 00:96:69:96:69:96 via em0
>>>>>> ---- Schniap 8< ----
>>>>>>
>>>>>> .. and this entry via tcpdump:
>>>>>> ---- Schnipp 8< ----
>>>>>> Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 >
>>>>>> 10.69.250.1: icmp: echo request
>>>>>> ---- Schnapp 8< ----
>>>>>>
>>>>>> .. and „Client“ got an ip address!
>>>>>>
>>>>>> If you need futher information don't hesistate to contact me.
>>>>>>
>>>>>> Please tell me also, if I'm to stupid to understand what happenend ;-)
>>>>>>
>>>>>> If you want to know, why I'm running dhcpd and want to block the traffic: We
>>>>>> use OpenBSD as bridge and dhcpd should only offer ip-addresses to one side.
>>>>>> But this strange behaviour is also present without the bridge-configuration.
>>>>>>
>>>>>> Thank you for your help and support
>>>>>> Illya Meyer
>>>>>>
>>>>>
>>>>> Hi Illya
>>>>>
>>>>> DHCP operates on layer 2 using bpf(4) to receive and send packets.
>>>>> Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
>>>>> has done its work before the packets get to pf(4). If you want to make
>>>>> sure that dhcpd(8) hands out leases only on interface em0 you can tell
>>>>> it to operate only on this interface:
>>>>>
>>>>> # rcctl set dhcpd flags em0
>>>>>
>>>>> Cheers,
>>>>> Bruno
>>>>>
>>>>
>>>> Hi Bruno,
>>>>
>>>> thank you for the information.
>>>>
>>>> It's strange, that a packet first reachs a daemon and then the packet filter
>>>> (thats job it is to protect the machine from unwanted packets!)
>>>>
>>>> Maybe it's a good idea to build a bpf-Filter for layer 2 :-)
>>>>
>>>> Thank you and kind regards,
>>>> Illya
>>>>
>>>
>>> What do you think dhcpd uses?
>>>
>>> -Otto
>>>
>>
>> Hm, sorry. What do you mean exactly?
>>
>> In my opinion, it should be possible for a packet filter to block ALL
>> packets, that arrives from a network, before a daemon (in this case dhcpd)
>> does its work.
>>
>> But as Bruno sayd, dhcpd listens on layer 2 and answers first, before pf
>> gets the packet on layer 3. So was my understanding. Please see my tests
>> above, pf doesn't block the dhcp requests when dhcpd runs.
>>
>> In my scenario, I have a firewall, which works as bridge (so more a
>> firebridge ;-)) with a dhcpd for „Good net“ and blocking the most things
>> from „Bad net“ (especially dhcp requests).
>>
>> +---------+       +----------------+       +----------+
>> | Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
>> +---------+       +----------------+       +----------+
>>
>> Only em0 has had an ip address and so dhcpd had to listen on em0. But some
>> PCs from „Bad net“ got ip addresses from the BSD-Box.
>> My solution was now to give the BSD-Box a second ip address on em1 and let
>> dhcpd listen on em1 only. This works with the pf-rules (see above).
>>
>> When I interpret this article in the right way
>> (https://www.linuxtopia.org/Linux_Firewall_iptables/c479.html) iptables on
>> Linux works on layer 2, so it should be possible to block dhcp requests.
>> Other articles said the same (e.g. https://serverfault.com/questions/873839/block-dhcp-traffic-for-one-device-mac-address)
>> But it seems, this is not possible with pf, which works on layer 3.
>>
>> Kind regards,
>> Illya
>
> pf filters on IP and TCP/UDP level and that is a good design decision.
>
> dhcpd uses a different mechanism (bpf) to filer on layer2. Each tool
> has its scope and usage. Mixing layers is not a good idea in general.
>
> -Otto

Yep, you are right. Therefore my idea for a new bpf-filter-layer2-thing.
But, of course, it's your decision. My scenario is very special, I think ...

Thank you all for your support and ideas,
Illya
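The thread's conclusion is that dhcpd(8) answers via bpf(4) before pf ever sees the DHCP traffic, so a pf block on ports 67/68 does not stop the daemon from handing out leases; the effective control is dhcpd's own interface list (the `rcctl set dhcpd flags ...` setting Bruno mentions, which Illya ended up pointing at em1). A defender still wants to verify that this actually held. The following Python script is an added example, not code from the thread or from OpenBSD: it parses dhcpd's syslog lines in the format shown above and flags DHCPOFFER/DHCPACK messages sent via an interface outside a hypothetical policy set (here `{"em1"}`, the "Good net" side). The log lines are constructed for the example and follow the thread's format; the sshd line is there only to show unrelated daemons being skipped.

```python
import re
from collections import Counter

# Constructed sample of /var/log/daemon.log, following the dhcpd(8) syslog
# format shown in the thread. The em0 lease is the case the thread describes:
# dhcpd answered a client on the "Bad net" side although pf blocks 67/68 there.
SAMPLE_DAEMON_LOG = """\
Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from 00:96:69:96:69:96 via em0
Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to 00:96:69:96:69:96 via em0
Apr  9 16:32:02 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:11:22:33:44:55 via em1
Apr  9 16:32:02 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.2 to 00:11:22:33:44:55 via em1
Apr  9 16:32:03 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.2 to 00:11:22:33:44:55 via em1
Apr  9 16:32:05 feuerwand sshd[1234]: Accepted publickey for root from 10.69.228.1 port 50123
"""

# One regex for the four message shapes: DISCOVER carries no address, the
# others carry "on|for <ip>" before "to|from <mac>".
DHCPD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"dhcpd\[(?P<pid>\d+)\]: (?P<msg>DHCP[A-Z]+)"
    r"(?: (?:on|for) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r" (?:to|from) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<ifname>\S+)$"
)

# Messages in which the server actually commits an address to a client.
LEASE_MESSAGES = frozenset({"DHCPOFFER", "DHCPACK"})


def parse_dhcpd_lines(text):
    """Return one dict per dhcpd line; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = DHCPD_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def leases_outside_policy(events, allowed_ifaces):
    """Offers and acks sent via an interface dhcpd should not serve.

    allowed_ifaces is the hypothetical policy (an assumption of this example):
    the set of interface names on which dhcpd is meant to hand out leases.
    """
    return [
        (e["ts"], e["msg"], e["ip"], e["mac"], e["ifname"])
        for e in events
        if e["msg"] in LEASE_MESSAGES and e["ifname"] not in allowed_ifaces
    ]


def lease_counts_by_interface(events):
    """Count DHCPACKs per interface: a quick view of which side dhcpd served."""
    return Counter(e["ifname"] for e in events if e["msg"] == "DHCPACK")


if __name__ == "__main__":
    events = parse_dhcpd_lines(SAMPLE_DAEMON_LOG)
    print("acks per interface:", dict(lease_counts_by_interface(events)))
    for ts, msg, ip, mac, ifname in leases_outside_policy(events, {"em1"}):
        print(f"{ts} {msg} {ip} -> {mac} via {ifname}: outside dhcpd interface policy")
```

Run against the real `/var/log/daemon.log` on the bridge, any hit via em0 means the interface restriction on dhcpd is not in effect, regardless of what the pf ruleset says about ports 67 and 68.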


Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

Bruno Flueckiger
In reply to this post by illya.meyer@wiesan.de
On 10.04., [hidden email] wrote:

> Am 10.04.19 um 10:58 schrieb Otto Moerbeek:
> > On Wed, Apr 10, 2019 at 10:08:51AM +0200, [hidden email] wrote:
> >
> > >
> > > Am 10.04.19 um 07:34 schrieb Bruno Flückiger:
> > > > On 09.04., [hidden email] wrote:
> > > > > Dear all,
> > > > >
> > > > > I discovered a strange problem with OpenBSD 6.4 AMD64 (stable(?)-release
> > > > > with all 16 patches).
> > > > >
> > > > > When running dhcpd, some pf rules seem to not be working.
> > > > > I'm pretty sure, this behaviour is different than in 6.3.
> > > > >
> > > > > Setup:
> > > > > +--------+  +--------+      +----------------------+
> > > > > | Client |--| Switch |--em0-| OpenBSD (with dhcpd) |
> > > > > +--------+  +--------+      +----------------------+
> > > > >
> > > > > I try to get an ip address for „Client“ via dhcp from „OpenBSD“, but in
> > > > > pf.conf I block traffic on port 67+68 (see below).
> > > > >
> > > > > When dhcpd is NOT running, I got from „tcpdump -nettti pflog0“ as expected:
> > > > > ---- Schnipp 8< ----
> > > > > Apr 09 16:29:05.165687 rule 3/(match) block in on em0: 0.0.0.0.68 >
> > > > > 255.255.255.255.67:  xid:0x3f51206f secs:5 [|bootp] [tos 0x10]
> > > > > ---- Schnapp 8< ----
> > > > >
> > > > > When dhcpd („dhcpd em0“) is running, I got an entry in /var/log/daemon.log:
> > > > > ---- Schnipp 8< ----
> > > > > Apr  9 16:30:40 feuerwand dhcpd[50668]: DHCPDISCOVER from 00:96:69:96:69:96
> > > > > via em0
> > > > > Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPOFFER on 10.69.250.1 to
> > > > > 00:96:69:96:69:96 via em0
> > > > > Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPREQUEST for 10.69.250.1 from
> > > > > 00:96:69:96:69:96 via em0
> > > > > Apr  9 16:30:41 feuerwand dhcpd[50668]: DHCPACK on 10.69.250.1 to
> > > > > 00:96:69:96:69:96 via em0
> > > > > ---- Schniap 8< ----
> > > > >
> > > > > ... and this entry via tcpdump:
> > > > > ---- Schnipp 8< ----
> > > > > Apr 09 16:30:40.450863 rule 5/(match) pass out on em0: 10.69.228.156 >
> > > > > 10.69.250.1: icmp: echo request
> > > > > ---- Schnapp 8< ----
> > > > >
> > > > > ... and „Client“ got an ip address!
> > > > >
> > > > > If you need further information don't hesitate to contact me.
> > > > >
> > > > > Please tell me also, if I'm too stupid to understand what happened ;-)
> > > > >
> > > > > If you want to know, why I'm running dhcpd and want to block the traffic: We
> > > > > use OpenBSD as bridge and dhcpd should only offer ip-addresses to one side.
> > > > > But this strange behaviour is also present without the bridge-configuration.
> > > > >
> > > > > Thank you for your help and support
> > > > > Illya Meyer
> > > > >
> > > >
> > > > Hi Illya
> > > >
> > > > DHCP operates on layer 2 using bpf(4) to receive and send packets.
> > > > Packet filtering takes place on layers 3 and 4. This means that dhcpd(8)
> > > > has done its work before the packets get to pf(4). If you want to make
> > > > sure that dhcpd(8) hands out leases only on interface em0 you can tell
> > > > it to operate only on this interface:
> > > >
> > > > # rcctl set dhcpd flags em0
> > > >
> > > > Cheers,
> > > > Bruno
> > > >
> > >
> > > Hi Bruno,
> > >
> > > thank you for the information.
> > >
> > > It's strange that a packet first reaches a daemon and then the packet filter
> > > (whose job it is to protect the machine from unwanted packets!)
> > >
> > > Maybe it's a good idea to build a bpf-Filter for layer 2 :-)
> > >
> > > Thank you and kind regards,
> > > Illya
> > >
> >
> > What do you think dhcpd uses?
> >
> > -Otto
> >
>
> Hm, sorry. What do you mean exactly?
>
> In my opinion, it should be possible for a packet filter to block ALL
> packets that arrive from a network, before a daemon (in this case dhcpd)
> does its work.
>
> But as Bruno said, dhcpd listens on layer 2 and answers first, before pf
> gets the packet on layer 3. So was my understanding. Please see my tests
> above, pf doesn't block the dhcp requests when dhcpd runs.
>
> In my scenario, I have a firewall, which works as bridge (so more a
> firebridge ;-)) with a dhcpd for „Good net“ and blocking the most things
> from „Bad net“ (especially dhcp requests).
>
> +---------+       +----------------+       +----------+
> | Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
> +---------+       +----------------+       +----------+
>
> Only em0 had an ip address and so dhcpd had to listen on em0. But some
> PCs from „Bad net“ got ip addresses from the BSD-Box.
> My solution was now to give the BSD-Box a second ip address on em1 and let
> dhcpd listen on em1 only. This works with the pf-rules (see above).

I don't know the reasons you have for this setup, but to me it looks
rather unusual. Especially if you want to filter traffic between the two
subnets.

>
> When I interpret this article in the right way
> (https://www.linuxtopia.org/Linux_Firewall_iptables/c479.html) iptables on
> Linux works on layer 2, so it should be possible to block dhcp requests.
> Other articles said the same (e.g. https://serverfault.com/questions/873839/block-dhcp-traffic-for-one-device-mac-address)
> But it seems, this is not possible with pf, which works on layer 3.
>
> Kind regards,
> Illya
>

Why do you read an article about Linux if you use OpenBSD? Besides that,
the article talks about layer 2 in the TCP/IP stack. Most people doing
networking I know talk about layers in the OSI model. The layer numbers
of these two models don't match 1:1, e. g. layer 2 in TCP/IP is layer 3
in OSI [1]. So iptables in Linux operates on the same two layers as
pf(4) in OpenBSD does.

Cheers,
Bruno

[1] https://en.wikipedia.org/wiki/OSI_model#Comparison_with_TCP/IP_model


Re: Strange (mis)behaviour of pf ruleset in combination with dhcpd

Stuart Henderson
On 2019/04/10 12:29, Bruno Flückiger wrote:
> On 10.04., [hidden email] wrote:
> >
> > In my opinion, it should be possible for a packet filter to block ALL
> > packets that arrive from a network, before a daemon (in this case dhcpd)
> > does its work.

If you want that sort of control, split things up into a filtering bridge
on one machine, and run services (e.g. DHCP) on another.

> > But as Bruno said, dhcpd listens on layer 2 and answers first, before pf
> > gets the packet on layer 3. So was my understanding. Please see my tests
> > above, pf doesn't block the dhcp requests when dhcpd runs.
> >
> > In my scenario, I have a firewall, which works as bridge (so more a
> > firebridge ;-)) with a dhcpd for „Good net“ and blocking the most things
> > from „Bad net“ (especially dhcp requests).
> >
> > +---------+       +----------------+       +----------+
> > | Bad net |---em0-| OpenBSD-Bridge |-em1---| Good net |
> > +---------+       +----------------+       +----------+
> >
> > Only em0 had an ip address and so dhcpd had to listen on em0. But some
> > PCs from „Bad net“ got ip addresses from the BSD-Box.
> > My solution was now to give the BSD-Box a second ip address on em1 and let
> > dhcpd listen on em1 only. This works with the pf-rules (see above).
>
> I don't know the reasons you have for this setup, but to me it looks
> rather unusual. Especially if you want to filter traffic between the two
> subnets.

If you don't have control of the routing table on the upstream router,
it's quite common to work as a bridging firewall. Otherwise you need to use
proxy arp or double nat.

The most unusual thing about OP's setup is running DHCP on the OpenBSD bridge;
with that type of setup it would usually be the upstream router that handles
addressing.