July 31st, 2006, 13:20
I could use some advice about BOOTP and PF.

My setup (roughly):

ISP---Modem---[xl0 BRIDGE vr0]---[e0 Cisco2514 e1]---PC

Basically I am using the setup for training/learning (there is a management interface on the bridge too).

My ISP assigns a dynamic IP address which is negotiated by E0 on the 2514. I have discovered by watching tcpdump that my ISP is using a BOOTP server.

To allow this traffic through the bridge, I have pf rules (only partially shown, but default-policy is deny):

ext_if = "xl0"
bootp_server_ip = "{}"
bootp_server_pt = 67
bootp_client_pt = 68

# Allow packets to and from ISP BOOTP server
pass out quick on $ext_if inet proto udp from any port $bootp_client_port to any port $bootp_server_pt ......................# As this is a bcast I guess I cant specify the 'to' IP address???
pass in quick on $ext_if inet proto udp from $bootp_server_ip port $bootp_server_pt to any port $bootp_client_pt

This works and the Cisco 2514 gets an IP address.

I am trying to make the rules as specific as possible. However, since initially the 2514 does not have an IP address, I am forced to allow the udp broadcast using a 'from any port $bootp_client_port'. So I think this means any x.x.x.x:68 could get through provided it is going to y.y.y.y:67? Can someone let me know if they think this is a possible hole?

Given I am only allowing incoming connections to port 68 from a specific IP address and UDP is stateless I am assuming the configuration is safe? (I suppose ISP can attack but only on port 67)

What do you think? I'd love to know if anyone has a better suggestion.