rc default PF ruleset too restrictive for DHCPv6


rc default PF ruleset too restrictive for DHCPv6

Brad Smith-14
The default PF ruleset as setup by rc is too restrictive. Have the default
ruleset allow for DHCPv6.


Index: rc
===================================================================
RCS file: /home/cvs/src/etc/rc,v
retrieving revision 1.419
diff -u -p -u -p -r1.419 rc
--- rc 3 Jan 2014 23:24:19 -0000 1.419
+++ rc 9 Jan 2014 20:47:07 -0000
@@ -330,6 +330,8 @@ if [ X"${pf}" != X"NO" ]; then
  RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
  RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
  RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
+ RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
+ RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
  fi
  RULES="$RULES\npass proto carp keep state (no-sync)"
  case `sysctl vfs.mounts.nfs 2>/dev/null` in
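Review bot: the second added line, `+ RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"`, accepts UDP from any source address to port dhcpv6-client, and nothing in the hunk says why the state created by the preceding `pass out` line is not enough to admit the server's reply; a short comment in rc explaining why an explicit `pass in` is required (and therefore why the `from any` is intentional in a bootstrap ruleset) would save the next reader the question, and if the rule is to stay in the default ruleset long term it is worth considering whether the source can be narrowed to the addresses DHCPv6 servers and relays actually answer from.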

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: rc default PF ruleset too restrictive for DHCPv6

Brad Smith-14
On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
> The default PF ruleset as setup by rc is too restrictive. Have the default
> ruleset allow for DHCPv6.

Anyone?

> Index: rc
> ===================================================================
> RCS file: /home/cvs/src/etc/rc,v
> retrieving revision 1.419
> diff -u -p -u -p -r1.419 rc
> --- rc 3 Jan 2014 23:24:19 -0000 1.419
> +++ rc 9 Jan 2014 20:47:07 -0000
> @@ -330,6 +330,8 @@ if [ X"${pf}" != X"NO" ]; then
>   RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
>   RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
>   RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
> + RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
> + RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
>   fi
>   RULES="$RULES\npass proto carp keep state (no-sync)"
>   case `sysctl vfs.mounts.nfs 2>/dev/null` in
>

Re: rc default PF ruleset too restrictive for DHCPv6

Mike Belopuhov-5
On 19 January 2014 15:57, Brad Smith <[hidden email]> wrote:
> On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
>> The default PF ruleset as setup by rc is too restrictive. Have the default
>> ruleset allow for DHCPv6.
>
> Anyone?
>

yes, i think this is ok.

Re: rc default PF ruleset too restrictive for DHCPv6

Claudio Jeker
In reply to this post by Brad Smith-14
On Sat, Jan 18, 2014 at 09:57:26PM -0500, Brad wrote:
> On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
> > The default PF ruleset as setup by rc is too restrictive. Have the default
> > ruleset allow for DHCPv6.
>
> Anyone?

Looks good to me. OK claudio@

Question: should we add the same for inet as well since dhclient may use
a normal udp socket in some cases?
 

> > Index: rc
> > ===================================================================
> > RCS file: /home/cvs/src/etc/rc,v
> > retrieving revision 1.419
> > diff -u -p -u -p -r1.419 rc
> > --- rc 3 Jan 2014 23:24:19 -0000 1.419
> > +++ rc 9 Jan 2014 20:47:07 -0000
> > @@ -330,6 +330,8 @@ if [ X"${pf}" != X"NO" ]; then
> >   RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
> >   RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
> >   RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
> > + RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
> > + RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
> >   fi
> >   RULES="$RULES\npass proto carp keep state (no-sync)"
> >   case `sysctl vfs.mounts.nfs 2>/dev/null` in
> >

--
:wq Claudio

Re: rc default PF ruleset too restrictive for DHCPv6

Todd T. Fries-2
In reply to this post by Brad Smith-14
This seems to make sense.  ok todd@.  Please get at least one other ok though.

Penned by Brad Smith on 20140118 20:57.26, we have:
| On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
| > The default PF ruleset as setup by rc is too restrictive. Have the default
| > ruleset allow for DHCPv6.
|
| Anyone?
|
| > Index: rc
| > ===================================================================
| > RCS file: /home/cvs/src/etc/rc,v
| > retrieving revision 1.419
| > diff -u -p -u -p -r1.419 rc
| > --- rc 3 Jan 2014 23:24:19 -0000 1.419
| > +++ rc 9 Jan 2014 20:47:07 -0000
| > @@ -330,6 +330,8 @@ if [ X"${pf}" != X"NO" ]; then
| >   RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
| >   RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
| >   RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
| > + RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
| > + RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
| >   fi
| >   RULES="$RULES\npass proto carp keep state (no-sync)"
| >   case `sysctl vfs.mounts.nfs 2>/dev/null` in
| >

--
Todd Fries .. [hidden email]

 ____________________________________________
|                                            \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com            \  1.866.792.3418 (FAX)
| PO Box 16169, Oklahoma City, OK 73113-2169 \  sip:[hidden email]
| "..in support of free software solutions." \  sip:[hidden email]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Re: rc default PF ruleset too restrictive for DHCPv6

Brad Smith-14
In reply to this post by Claudio Jeker
On Sun, Jan 19, 2014 at 04:10:21AM +0100, Claudio Jeker wrote:

> On Sat, Jan 18, 2014 at 09:57:26PM -0500, Brad wrote:
> > On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
> > > The default PF ruleset as setup by rc is too restrictive. Have the default
> > > ruleset allow for DHCPv6.
> >
> > Anyone?
>
> Looks good to me. OK claudio@
>
> Question: should we add the same for inet as well since dhclient may use
> a normal udp socket in some cases?
 
Curious, under what conditions is this possible? A particular client
implementation?

Re: rc default PF ruleset too restrictive for DHCPv6

Kenneth Westerback
send_packet() sends packets out a raw socket unless the destination is
INADDR_BROADCAST, in which case it sends the packet out via bpf.

.... Ken
On 19 Jan 2014 17:33, "Brad Smith" <[hidden email]> wrote:

> On Sun, Jan 19, 2014 at 04:10:21AM +0100, Claudio Jeker wrote:
> > On Sat, Jan 18, 2014 at 09:57:26PM -0500, Brad wrote:
> > > On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
> > > > The default PF ruleset as setup by rc is too restrictive. Have the default
> > > > ruleset allow for DHCPv6.
> > >
> > > Anyone?
> >
> > Looks good to me. OK claudio@
> >
> > Question: should we add the same for inet as well since dhclient may use
> > a normal udp socket in some cases?
>
> Curious, under what conditions is this possible? A particular client
> implementation?
>
Re: rc default PF ruleset too restrictive for DHCPv6

Brad Smith-14
In reply to this post by Claudio Jeker
On Sun, Jan 19, 2014 at 04:10:21AM +0100, Claudio Jeker wrote:

> On Sat, Jan 18, 2014 at 09:57:26PM -0500, Brad wrote:
> > On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
> > > The default PF ruleset as setup by rc is too restrictive. Have the default
> > > ruleset allow for DHCPv6.
> >
> > Anyone?
>
> Looks good to me. OK claudio@
>
> Question: should we add the same for inet as well since dhclient may use
> a normal udp socket in some cases?
 
Untested on the v4 side but how about something like the following?


Index: rc
===================================================================
RCS file: /home/cvs/src/etc/rc,v
retrieving revision 1.419
diff -u -p -u -p -r1.419 rc
--- rc 3 Jan 2014 23:24:19 -0000 1.419
+++ rc 19 Jan 2014 08:32:17 -0000
@@ -325,11 +325,15 @@ if [ X"${pf}" != X"NO" ]; then
  RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
  RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state"
  RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
+ RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps"
+ RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc"
  if ifconfig lo0 inet6 >/dev/null 2>&1; then
  RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"
  RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
  RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
  RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
+ RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
+ RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
  fi
  RULES="$RULES\npass proto carp keep state (no-sync)"
  case `sysctl vfs.mounts.nfs 2>/dev/null` in
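Review bot: the two inet lines `+ RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps"` and `+ RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc"` omit `keep state`, while the three inet rules directly above them (`port 22 keep state`, `port 53 keep state`, `icmp-type echoreq keep state`) spell it out; either add it to the new lines or drop it from the neighbours so the block reads consistently. The message also says the v4 side is untested, and Ken's reply earlier in the thread says dhclient sends through a raw socket or through bpf depending on the destination, so before committing it would be worth confirming with the rule counters (`pfctl -vs rules`) which of the two new inet rules is actually hit during a lease and a renew, and whether the `pass in` line is needed at all once the `pass out` line has created state.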

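The question Claudio raises (whether inet needs the same pair of rules), Ken's note on how dhclient sends packets, and Brad's v4 diff above all turn on one detail: whether the state created by the `pass out` rule will match the server's answer. The following is an added illustration, not code from OpenBSD's rc or from anyone on the list. It models only the two pf behaviours that matter here, namely that the state table is consulted before the rules and that a `pass out` rule creates state keyed on the exact addresses and ports of the outbound packet, and runs constructed DHCPv6 and DHCPv4 exchanges through the rule lines from the diff. Addresses, packets and the scenario names are assumptions; packets dhclient moves via bpf rather than a socket (the broadcast case Ken describes) are outside the model.

```python
"""Toy stateful-filter model of the rc default DHCP rules discussed above.

Added example, not OpenBSD code. Models two pf behaviours: the state table is
checked before the rules, and a matching "pass out" rule creates state keyed
on the outbound packet's addresses and ports (pf keeps state by default).
Interfaces, rule options and bpf-delivered packets are deliberately left out.
"""
from dataclasses import dataclass
from typing import Optional

# Service names as pf resolves them via /etc/services.
SERVICES = {"bootpc": 68, "bootps": 67, "dhcpv6-client": 546, "dhcpv6-server": 547}

# The rule lines from the diff, without the shell quoting.
RULES_V4 = [
    "pass out inet proto udp from any port bootpc to any port bootps",
    "pass in inet proto udp from any port bootps to any port bootpc",
]
RULES_V6 = [
    "pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server",
    "pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client",
]


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    af: str         # "inet" or "inet6"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    text: str
    direction: str
    af: str
    proto: str
    sport: Optional[int]  # None means "any"
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.af == p.af
                and self.proto == p.proto
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def parse_rule(text: str) -> Rule:
    """Parse the subset of pf syntax the DHCP rules use:
    pass <dir> <af> proto <proto> from any [port NAME] to any [port NAME]."""
    tok = text.split()
    if tok[:1] != ["pass"] or tok[3] != "proto" or tok[5:7] != ["from", "any"]:
        raise ValueError(f"unsupported rule: {text}")
    i, sport, dport = 7, None, None
    if tok[i:i + 1] == ["port"]:
        sport, i = SERVICES[tok[i + 1]], i + 2
    if tok[i:i + 2] != ["to", "any"]:
        raise ValueError(f"unsupported rule: {text}")
    i += 2
    if tok[i:i + 1] == ["port"]:
        dport = SERVICES[tok[i + 1]]
    return Rule(text, tok[1], tok[2], tok[4], sport, dport)


class Firewall:
    """The rules here never overlap, so first match decides; state comes first."""

    def __init__(self, rule_texts):
        self.rules = [parse_rule(t) for t in rule_texts]
        self.states = set()  # 6-tuples of outbound packets that created state

    def filter(self, p: Packet) -> Optional[str]:
        """Return what admitted the packet ("state" or the rule text), or None
        when nothing matched and the implicit default block applies."""
        reply_of = (p.af, p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "in" and reply_of in self.states:
            return "state"
        for r in self.rules:
            if r.matches(p):
                if p.direction == "out":
                    self.states.add((p.af, p.proto, p.src, p.sport, p.dst, p.dport))
                return r.text
        return None


def run_exchange(rule_texts, packets):
    """Feed packets through a fresh firewall, in order; return one verdict each."""
    fw = Firewall(rule_texts)
    return [fw.filter(p) for p in packets]


# Constructed DHCPv6 exchange: Solicit to the ff02::1:2 multicast group,
# Advertise back from the server's own link-local address.
V6_SOLICIT = Packet("out", "inet6", "udp", "fe80::1", 546, "ff02::1:2", 547)
V6_ADVERTISE = Packet("in", "inet6", "udp", "fe80::42", 547, "fe80::1", 546)
# Constructed DHCPv4 renew over a normal socket: unicast in both directions.
V4_REQUEST = Packet("out", "inet", "udp", "192.0.2.10", 68, "192.0.2.1", 67)
V4_ACK = Packet("in", "inet", "udp", "192.0.2.1", 67, "192.0.2.10", 68)
# Constructed packet from an off-link source, to show what "from any" admits.
V6_OFFLINK = Packet("in", "inet6", "udp", "2001:db8::9", 547, "fe80::1", 546)

if __name__ == "__main__":
    print(run_exchange(RULES_V6, [V6_SOLICIT, V6_ADVERTISE]))
    print(run_exchange(RULES_V6[:1], [V6_SOLICIT, V6_ADVERTISE]))  # without "pass in"
    print(run_exchange(RULES_V4, [V4_REQUEST, V4_ACK]))
    print(run_exchange(RULES_V6, [V6_OFFLINK]))
```

The runs show the asymmetry: the DHCPv6 Advertise never matches the state left by the Solicit, because the Solicit went to a multicast address, so without the explicit `pass in` line it is dropped; the unicast DHCPv4 renew, by contrast, is admitted by state alone and never reaches the `pass in` rule. The last run shows that the v6 `pass in` line, being `from any`, also admits traffic from off-link sources, which is the scoping question a reviewer of the default ruleset would want to weigh.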
Re: rc default PF ruleset too restrictive for DHCPv6

Kenneth Westerback
But what is the practical problem being addressed? Is dhcp not functional
with the existing default ruleset?

.... Ken


On 19 January 2014 19:39, Brad Smith <[hidden email]> wrote:

> On Sun, Jan 19, 2014 at 04:10:21AM +0100, Claudio Jeker wrote:
> > On Sat, Jan 18, 2014 at 09:57:26PM -0500, Brad wrote:
> > > On Thu, Jan 09, 2014 at 03:55:44PM -0500, Brad Smith wrote:
> > > > The default PF ruleset as setup by rc is too restrictive. Have the default
> > > > ruleset allow for DHCPv6.
> > >
> > > Anyone?
> >
> > Looks good to me. OK claudio@
> >
> > Question: should we add the same for inet as well since dhclient may use
> > a normal udp socket in some cases?
>
> Untested on the v4 side but how about something like the following?
>
>
> Index: rc
> ===================================================================
> RCS file: /home/cvs/src/etc/rc,v
> retrieving revision 1.419
> diff -u -p -u -p -r1.419 rc
> --- rc  3 Jan 2014 23:24:19 -0000       1.419
> +++ rc  19 Jan 2014 08:32:17 -0000
> @@ -325,11 +325,15 @@ if [ X"${pf}" != X"NO" ]; then
>         RULES="$RULES\npass in proto tcp from any to any port 22 keep
> state"
>         RULES="$RULES\npass out proto { tcp, udp } from any to any port 53
> keep state"
>         RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep
> state"
> +       RULES="$RULES\npass out inet proto udp from any port bootpc to any
> port bootps"
> +       RULES="$RULES\npass in inet proto udp from any port bootps to any
> port bootpc"
>         if ifconfig lo0 inet6 >/dev/null 2>&1; then
>                 RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
> neighbrsol"
>                 RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
> neighbradv"
>                 RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
> routersol"
>                 RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
> routeradv"
> +               RULES="$RULES\npass out inet6 proto udp from any port
> dhcpv6-client to any port dhcpv6-server"
> +               RULES="$RULES\npass in inet6 proto udp from any port
> dhcpv6-server to any port dhcpv6-client"
>         fi
>         RULES="$RULES\npass proto carp keep state (no-sync)"
>         case `sysctl vfs.mounts.nfs 2>/dev/null` in
>
Re: rc default PF ruleset too restrictive for DHCPv6

Henning Brauer-5
* Kenneth Westerback <[hidden email]> [2014-01-19 09:56]:
> But what is the practical problem being addressed? Is dhcp not functional
> with the existing default ruleset?

it's not correct and we rely on dhclient falling back to a new
discovery eventually.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/