buster
July 31st, 2006, 13:20
I could use some advice about BOOTP and PF.

My setup (roughly):

ISP---Modem---[xl0 BRIDGE vr0]---[e0 Cisco2514 e1]---PC

Basically I am using the setup for training/learning (there is a management interface on the bridge too).

My ISP assigns a dynamic IP address which is negotiated by E0 on the 2514. I have discovered by watching tcpdump that my ISP is using a BOOTP server.

To allow this traffic through the bridge, I have pf rules (only partially shown, but the default policy is deny):

ext_if = "xl0"
bootp_server_ip = "{10.0.0.1}"
bootp_server_pt = 67
bootp_client_pt = 68

# Allow packets to and from ISP BOOTP server
# As this is a bcast I guess I can't specify the 'to' IP address???
pass out quick on $ext_if inet proto udp from any port $bootp_client_pt to any port $bootp_server_pt
pass in quick on $ext_if inet proto udp from $bootp_server_ip port $bootp_server_pt to any port $bootp_client_pt

This works and the Cisco 2514 gets an IP address.

I am trying to make the rules as specific as possible. However, since initially the 2514 does not have an IP address, I am forced to allow the UDP broadcast using a 'from any port $bootp_client_pt'. So I think this means any x.x.x.x:68 could get through provided it is going to y.y.y.y:67? Can someone let me know if they think this is a possible hole?

Given I am only allowing incoming connections to port 68 from a specific IP address and UDP is stateless I am assuming the configuration is safe? (I suppose ISP can attack but only on port 67)

What do you think? I'd love to know if anyone has a better suggestion.

Thanks!
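The ruleset below is an added example, not the poster's configuration, showing how the BOOTP/DHCP passthrough described above can be pinned down further. It reuses the interface name (xl0) and server address (10.0.0.1) from the post; the address the 2514 eventually leases is not known, so it is not pinned. Two points it is built around: the outbound rule only governs what leaves toward the ISP, so its 'from any port 68 to any port 67' widens what hosts behind the bridge may emit rather than what the ISP may send in; and the initial DHCP exchange uses fixed addresses (0.0.0.0 as source, 255.255.255.255 as destination) that a rule can name even before the router has an address. The syntax is OpenBSD-era pf with explicit 'keep state'.

```pf
# Added example (not the original poster's ruleset): a tighter BOOTP/DHCP
# passthrough for a PF bridge. Interface name and server address are taken
# from the post; the leased client address is unknown and so is not pinned.
ext_if          = "xl0"
bootp_server_ip = "10.0.0.1"

# Default policy stays deny, as in the original setup.
block all

# Initial DISCOVER/REQUEST: the client has no address yet, so it sends from
# 0.0.0.0:68 to the limited broadcast 255.255.255.255:67. Naming both ends
# removes the "from any ... to any" from the outbound rule.
pass out quick on $ext_if inet proto udp \
    from 0.0.0.0 port bootpc to 255.255.255.255 port bootps

# Renewals (REQUEST once a lease is held) are unicast from the leased
# address straight to the server; 'keep state' lets the unicast ACK back in
# without a separate inbound rule for that case.
pass out quick on $ext_if inet proto udp \
    from any port bootpc to $bootp_server_ip port bootps keep state

# OFFER/ACK for the broadcast exchange come from the server to
# 255.255.255.255:68 (or to the offered address), so state created by the
# 0.0.0.0 rule cannot match them: the reply's source is not the request's
# destination. An explicit inbound rule is therefore still required, but it
# is limited to the one server address and the one client port.
pass in quick on $ext_if inet proto udp \
    from $bootp_server_ip port bootps to any port bootpc
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. Because this is a bridge, each packet is also filtered on the other member interface (vr0 here), so an equivalent pass is needed there as well or the exchange will be blocked by the default deny. `tcpdump -n -e -i xl0 'udp port 67 or udp port 68'` shows the actual DHCP exchange on the wire, and `tcpdump -n -e -ttt -i pflog0` shows what the default deny is dropping if the lease stops being renewed after tightening the rules.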