Problem with pf.conf
Gardner Bell
gbell72 at rogers.com
Thu Mar 10 13:11:33 PST 2005
Hello all,
I'm trying to reconfigure a more restrictive packet filtering firewall
for my home network but am running into some trouble. When I run
dhclient dc0 in an attempt to obtain an IP address from my ISP I
receive the normal:
DHCPREQUEST on dc0 to 255.255.255.255 port 67
DHCPDISCOVER on dc0 to 255.255.255.255 port 67
DHCPDISCOVER eventually fails after the fourth or fifth try. When I
run tcpdump at the same time as dhclient dc0 I receive the following
arp requests. The 70.xxx.xxx.x is my gateway I'm trying to communicate
with.
14:59 arp who-has 7.x.xxx.xxx tell 70.xxx.xxx.x
... I see about 300-400 of these.
Here is a partial excerpt of my pf.conf with what I believe to be the
most relevant sections needed to obtain an IP on the WAN NIC.
pass out on $ext_if proto tcp from any to x.x.x.x port 53 keep state
pass out on $ext_if proto udp from any to x.x.x.x port 53 keep state
The above lines are duplicated as I have two nameservers that I am able
to use.
To contact my ISP's DHCP I use the following:
pass out on $ext_if proto udp from any to x.x.x.x port 68 keep state
pass in on $ext_if from x.x.x.x to any port 68 keep state
I also seem to be having a problem with the same NAT directive I've
used on less restrictive firewalls.
nat on $ext_if from $int_if:network to any -> ($ext_if)
Any help is greatly appreciated
Regards,
Gardner
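For comparison with the rules quoted in the post above, here is an added pf.conf fragment (written for this page, not Gardner's own configuration) that passes DHCP client traffic on a restrictive ruleset. The security-relevant detail is the port pair: a DHCP client sends from udp/68 to the server's udp/67, and before a lease exists the source is 0.0.0.0 and the destination is the broadcast 255.255.255.255, so a rule that pins a unicast server address and port 68 on the far side never matches the DHCPDISCOVER. The interface names and the nameserver addresses below are placeholders, and the inbound DHCP rule is explicit because the DHCPOFFER that comes back (server:67 to 255.255.255.255:68) does not match the state created by the broadcast discover.

```pf
# Added example, not from the original post. Interface names and the
# nameserver addresses are assumptions; replace them for a real host.
ext_if = "dc0"
int_if = "xl0"                               # assumed LAN interface
dns_servers = "{ 192.0.2.53, 192.0.2.54 }"   # constructed placeholder addresses

set skip on lo0
scrub in all

# NAT for the LAN. The parentheses make pf re-read the address whenever
# dhclient changes it, so the rule survives a lease renewal.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all

# DHCP client. Source port 68, destination port 67, and no unicast server
# address: the initial DISCOVER goes from 0.0.0.0:68 to 255.255.255.255:67.
pass out quick on $ext_if proto udp from any port 68 to any port 67 keep state
# The OFFER/ACK arrives from server:67 to the broadcast (or the new lease)
# address on port 68 and does not match the outbound state, so pass it in.
pass in  quick on $ext_if proto udp from any port 67 to any port 68 keep state

# DNS to the two resolvers over both transports.
pass out on $ext_if proto { tcp, udp } from any to $dns_servers port 53 keep state

# LAN hosts out through the NAT.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check without activating it, then pfctl -f /etc/pf.conf; while dhclient runs, pfctl -ss shows whether the udp 68 to 67 state is being created and tcpdump -n -i dc0 port 67 or port 68 shows whether the OFFER ever arrives.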
More information about the freebsd-questions mailing list