DHCP Discover/Offer/Request/Ack packets not being blocked
-
Hi,
I'm learning pfSense through tinkering and there's something I can't figure out.
I have the following setup:
+-----------------+
|                 |
|      Veon       |
|  192.168.1.100  |
|                 |
+--------+--------+
         |
         |
         | 192.168.1.1 (WAN)
   +-----+-----+
   |           |
   |  pfSense  |
   |           |
   +-----+-----+
         | 10.0.0.1 (LAN)
         |
         |
  +------+-------+
  |              |
  |     Vito     |
  |  10.0.0.100  |
  |              |
  +--------------+
I'm using "Veon" to access the pfSense web interface. I enabled a DHCP server on the LAN interface, then I sent a DHCP request from "Vito"… and successfully received a DHCP response. This was surprising, because I expected I would need to create a firewall rule to allow DHCP traffic. Then I created a rule to specifically block DHCP traffic and cleared the state table. I did another DHCP request, and... it worked again. I double-checked this with tcpdump: the traffic is not being blocked. What am I missing?
The blanket firewall rule is on the "LAN" interface:
Protocol     Source  Port  Destination  Port  Action
IPv4+6 UDP   *       *     *                  Block
I've tried several different versions before this shotgun rule, nothing has worked.
-
When you enable the DHCP server, there are hidden rules to allow DHCP. This is to protect the user from themselves ;) Users are normally quite stupid ;)
user: I enabled DHCP, but it's not working!!! Freaking pfSense sucks.. is there a bug??
admin: Did you create the rules to allow DHCP??
user: Dohhh!! What ports and protocols does DHCP use?
It's taken as a given that if you enable dhcpd on an interface, you would actually like the discover packets to reach the DHCP server. You can always look at the rules with
https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
example from my lan interface
pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = bootpc to 192.168.9.253 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 192.168.9.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
-
Ah, it makes perfect sense from a usability point of view, and now I know how to view all of the rules. Fantastic, thank you! :D
-
There is a specific order in which the rules are evaluated as well, so keep that in mind.
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
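The thread above explains two things at once: that pfSense inserts `quick` pass rules for DHCP ahead of the user's own rules, and that rule order decides the outcome. The following is an added example (not code from the thread, pfSense or pf itself): a small Python model of pf's evaluation order applied to the three "allow access to DHCP server" rules quoted in the reply. The `USERRULE` line is an assumed rendering of the blanket UDP block from the question (pfSense labels user rules `USERRULE:` and emits them after its automatic rules; both the label text and its exact wording here are assumptions), and the packets are constructed test inputs. The model implements only the pf semantics the question turns on: rules are read top to bottom, the last matching rule decides, and a matching `quick` rule ends evaluation immediately.

```python
"""Toy model of pf rule evaluation order for the DHCP question (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Service names as they appear in the pfctl -sr output quoted in the thread.
SERVICES = {"bootps": 67, "bootpc": 68, "domain": 53}

# First three lines: the automatic rules quoted in the reply.
# Last line: ASSUMED rendering of the user's "block all UDP on LAN" rule.
RULESET = """\
pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = bootpc to 192.168.9.253 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 192.168.9.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in quick on em1 inet proto udp from any to any label "USERRULE: block all UDP"
"""

@dataclass
class Packet:
    iface: str
    direction: str  # "in" or "out", relative to the interface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    label: str

# Covers the subset of pf.conf syntax used in the quoted rules, nothing more.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop| return)? (?P<dir>in|out)(?P<quick> quick)?"
    r"(?: on (?P<iface>\S+))?(?: inet6?)?(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+)(?: port = (?P<sport>\S+))?"
    r" to (?P<dst>\S+)(?: port = (?P<dport>\S+))?"
    r'(?: keep state)?(?: label "(?P<label>[^"]*)")?\s*$'
)

def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    return SERVICES.get(tok) or int(tok)

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(m["action"], m["dir"], m["quick"] is not None, m["iface"], m["proto"],
                m["src"], _port(m["sport"]), m["dst"], _port(m["dport"]), m["label"] or "")

def parse_ruleset(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and _addr_ok(rule.src, pkt.src) and (rule.sport is None or rule.sport == pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules: list, pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """pf semantics: last match wins, but a matching `quick` rule stops evaluation."""
    verdict: Tuple[str, Optional[Rule]] = ("pass", None)  # pf's implicit default
    for rule in rules:
        if matches(rule, pkt):
            verdict = (rule.action, rule)
            if rule.quick:
                break
    return verdict

# Constructed packets: a DHCPDISCOVER broadcast and an ordinary DNS query, both inbound on em1.
DISCOVER = Packet("em1", "in", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
DNS_QUERY = Packet("em1", "in", "udp", "192.168.9.10", 50000, "8.8.8.8", 53)

def why_block_failed() -> dict:
    """Verdicts with pfSense's real order, versus what the user expected (their rule first)."""
    rules = parse_ruleset(RULESET)
    return {
        "discover_actual": evaluate(rules, DISCOVER)[0],            # hidden quick pass wins
        "dns_actual": evaluate(rules, DNS_QUERY)[0],                # user block does apply here
        "discover_if_user_rule_first": evaluate(rules[::-1], DISCOVER)[0],
    }

if __name__ == "__main__":
    for pkt in (DISCOVER, DNS_QUERY):
        action, rule = evaluate(parse_ruleset(RULESET), pkt)
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {action} by {rule.label!r}")
```

The DHCPDISCOVER hits the first automatic rule, which is `quick`, so the later `USERRULE` block is never consulted; the same block does stop the DNS query, which is exactly what tcpdump in the question showed. Reversing the order makes the block win, which is why the processing-order page linked above matters more than the contents of any single rule.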