DHCP Discover/Offer/Request/Ack packets not being blocked
I'm learning pfSense through tinkering and there's something I can't figure out.
I have the following setup:
    +-----------------+
    |                 |
    |      Veon       |
    |  192.168.1.100  |
    |                 |
    +--------+--------+
             |
             |
             | 192.168.1.1 (WAN)
       +-----+-----+
       |           |
       |  pfSense  |
       |           |
       +-----+-----+
             | 10.0.0.1 (LAN)
             |
             |
     +-------+------+
     |              |
     |     Vito     |
     |  10.0.0.100  |
     |              |
     +--------------+
I'm using "Veon" to access the pfSense web interface. I enabled a DHCP server on the LAN interface, then I sent a DHCP request from "Vito"… and successfully received a DHCP response. Which was surprising, because I expected I would need to create a firewall rule to allow DHCP traffic. Then I created a rule to specifically block DHCP traffic and cleared the state table. I did another DHCP request, and... it worked again. I double-checked this with tcpdump; the traffic is not being blocked. What am I missing?
The blanket firewall rule is on the "LAN" interface:
    Protocol    Source  Port  Destination  Port  Action
    IPv4+6 UDP  *       *     *                  Block
I've tried several different versions before this shotgun rule, nothing has worked.
When you enable the DHCP server, there are hidden rules to allow for DHCP. This is to protect the user from themselves ;) Users are normally quite stupid ;)
user: I enabled DHCP, but it's not working!!! Freaking pfSense sucks... is there a bug??
admin: Did you create the rules to allow for DHCP??
user: Dohhh!! What ports and protocols does DHCP use?
It's taken as a given that if you enable dhcpd on an interface, you would actually like the discover packets to reach the DHCP server. You can always look at the rules with
Example from my LAN interface:
pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = bootpc to 192.168.9.253 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 192.168.9.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
Ah, it makes perfect sense from a usability point of view, and now I know how to view all of the rules. Fantastic, thank you! :D
There is a specific order to how the rules are evaluated as well, so keep that in mind.
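The two points made in the answer above (the auto-generated DHCP pass rules are loaded ahead of the user's rules) and in the last reply (evaluation order matters) can be seen together by replaying pf's first-match logic against the quoted ruleset. The following is an added example and not code from the thread or from pfSense: a small evaluator for the simplified `pfctl -sr` output syntax shown above, fed a constructed ruleset made of the three DHCP rules the answerer quoted (interface `em1`, LAN address `192.168.9.253`) plus a hypothetical rendering of the asker's "block all UDP on LAN" rule in the form pfSense loads user rules (with `quick`). Rule semantics implemented here follow pf: the last matching rule wins unless a matching rule is `quick`, which stops evaluation at once. The service-name table and the sample packets are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Service names as they appear in pfctl -sr output (from /etc/services).
SERVICE_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}

# Constructed ruleset: the three auto-generated DHCP rules quoted in the answer,
# followed by a HYPOTHETICAL rendering of the asker's "block all UDP" LAN rule
# as pfSense would load it (pfSense adds "quick" to user rules).
RULESET = """\
pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = bootpc to 192.168.9.253 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 192.168.9.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in quick on em1 inet proto udp from any to any label "USER_RULE: block all UDP on LAN"
"""

# Covers only the subset of pf rule syntax used in the ruleset above.
RULE_RE = re.compile(
    r'^(?P<action>pass|block)(?: drop)? (?P<dir>in|out) (?P<quick>quick )?on (?P<iface>\S+) '
    r'inet proto (?P<proto>\S+) from (?P<src>\S+)(?: port = (?P<sport>\S+))? '
    r'to (?P<dst>\S+)(?: port = (?P<dport>\S+))?.*label "(?P<label>[^"]*)"'
)


@dataclass
class Packet:
    direction: str  # "in" or "out", relative to the interface
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(name: Optional[str]) -> Optional[int]:
    """Resolve a service name or numeric port; None means 'any port'."""
    if name is None:
        return None
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    return int(name)


def parse_rule(line: str) -> Optional[dict]:
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule["quick"] = rule["quick"] is not None
    rule["sport"] = _port(rule["sport"])
    rule["dport"] = _port(rule["dport"])
    return rule


def matches(rule: dict, pkt: Packet) -> bool:
    """'any' and a missing port act as wildcards; everything else must be equal."""
    return (
        rule["dir"] == pkt.direction
        and rule["iface"] == pkt.iface
        and rule["proto"] == pkt.proto
        and rule["src"] in ("any", pkt.src)
        and rule["sport"] in (None, pkt.sport)
        and rule["dst"] in ("any", pkt.dst)
        and rule["dport"] in (None, pkt.dport)
    )


def evaluate(ruleset: str, pkt: Packet):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation immediately. Returns (rule number, action,
    label), or None if nothing matched (bare pf then passes by default; pfSense
    appends its own explicit default-deny rules after the user rules)."""
    winner = None
    for number, line in enumerate(ruleset.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None or not matches(rule, pkt):
            continue
        winner = (number, rule["action"], rule["label"])
        if rule["quick"]:
            break
    return winner


# Constructed sample traffic arriving on the answerer's LAN interface (em1).
# A DHCPDISCOVER: the client has no address yet, UDP 68 -> broadcast UDP 67.
DHCP_DISCOVER = Packet("in", "em1", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
# Any other UDP from a LAN client, e.g. a DNS query to the firewall.
DNS_QUERY = Packet("in", "em1", "udp", "192.168.9.100", 51234, "192.168.9.253", 53)

if __name__ == "__main__":
    for name, pkt in (("DHCP discover", DHCP_DISCOVER), ("DNS query", DNS_QUERY)):
        print(f"{name:14s} -> {evaluate(RULESET, pkt)}")
    # Same rules, reversed: the block rule now sits first and, being quick, wins.
    reversed_ruleset = "\n".join(reversed(RULESET.splitlines()))
    print(f"reversed order -> {evaluate(reversed_ruleset, DHCP_DISCOVER)}")
```

Run as written, the discover is passed by rule 1 (quick, so the later block rule is never consulted), while the DNS query falls through to the block rule; with the order reversed the same block rule catches the discover. On a real pfSense box the loaded ruleset, including these hidden rules, is listed with `pfctl -sr` from a shell (or from Diagnostics > Command Prompt), and `pfctl -sr | grep -i dhcp` narrows it to the DHCP ones.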