Bug #2041

DHCP failover Auto Generated Rules

Added by Chris Mirchandani over 2 years ago. Updated over 2 years ago.

Status:Resolved Start date:12/06/2011
Priority:Normal Due date:
Assignee:- % Done:

100%

Category:DHCP Server
Target version:2.0.1
Affected version:2.0 Affected Architecture:amd64

Description

I am running the 2.0 final release AMD64. This install was performed via a flash drive images with a 2.0 beta memstick image. The system was updated with snapshots a number of times and then was upgraded to the final version soon after its release.

As I understand it, pf rules that do not use the quick option are processed in a last matching system. e.g. The last rule that it comes to that matches determines pass or fail. It seems that since the automatically generated rules do not use the quick option, they can be negated by user rules as they all use the quick option and there is no way that I can see to prevent the use of quick. I am having issues with DHCP failover not working on interfaces I have a rule that blocks all access to the firewall. I have rules to allow DHCP and DNS for clients, but not the failover ports as rules for failover should be generated by pfsense. Below is the block line and under that the explanation.

Dec 6 13:02:55 OPT5_VID_01 10.3.1.3:64546 10.3.1.2:519 TCP:S

The rule that triggered this action is:

@207 block drop in log quick on lagg0_vlan3 inet from any to 10.3.1.0/24 label "USER_RULE: Block VID01 from Accessing the VID01 Int on FW01"

Below is the list of rules that apply to this interface. You will see that the rule mentioned above is below the DHCP failover rules. Based on the way user rules work, packets from 10.3.1.3:any to 10.3.1.2:519 or 10.3.1.2:520 should never get to the rule listed above. the difference is that none of the pfsense generated rules have the quick option. I have verified that in /etc/services the port names like bootpc, bootps, utime, efs and router all have the correct ports listed.

: pfctl -sr | grep -i vlan3
scrub in on lagg0_vlan3 all fragment reassemble
block drop in on ! lagg0_vlan3 inet from 10.3.1.0/24 to any
block drop in on lagg0_vlan3 inet6 from fe80::290:bff:fe1b:633b to any
pass in on lagg0_vlan3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in on lagg0_vlan3 inet proto udp from any port = bootpc to 10.3.1.2 port = bootps keep state label "allow access to DHCP server"
pass out on lagg0_vlan3 inet proto udp from 10.3.1.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on lagg0_vlan3 inet proto tcp from 10.3.1.3 to 10.3.1.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
pass in on lagg0_vlan3 inet proto udp from 10.3.1.3 to 10.3.1.2 port = utime keep state label "allow access to DHCP failover"
pass in on lagg0_vlan3 inet proto tcp from 10.3.1.3 to 10.3.1.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
pass in on lagg0_vlan3 inet proto udp from 10.3.1.3 to 10.3.1.2 port = router keep state label "allow access to DHCP failover"
block drop in log quick on lagg0_vlan3 inet from any to 10.20.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on LAN"
block drop in log quick on lagg0_vlan3 inet from any to 10.10.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on MGMT01"
block drop in log quick on lagg0_vlan3 inet from any to 10.99.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on GUEST01"
block drop in log quick on lagg0_vlan3 inet from any to 10.1.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on VLAN1"
block drop in log quick on lagg0_vlan3 inet from any to 10.2.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on VOIP01 "
block drop in log quick on lagg0_vlan3 inet from any to 172.19.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on PFSYNC "
pass in quick on lagg0_vlan3 inet proto icmp from 10.3.1.0/24 to any keep state label "USER_RULE: Allow VID01 to use ICMP "
pass in quick on lagg0_vlan3 inet proto tcp from 10.3.1.0/24 to 10.3.1.0/24 port = domain flags S/SA keep state label "USER_RULE: Allow VID01 to use DNS on the VID01 Int on FW01"
pass in quick on lagg0_vlan3 inet proto udp from 10.3.1.0/24 to 10.3.1.0/24 port = domain keep state label "USER_RULE: Allow VID01 to use DNS on the VID01 Int on FW01"
pass in quick on lagg0_vlan3 inet proto tcp from 10.3.1.0/24 to 97.76.110.48/28 port = domain flags S/SA keep state label "USER_RULE: Allow VID01 to use DNS on WAN Devices"
pass in quick on lagg0_vlan3 inet proto udp from 10.3.1.0/24 to 97.76.110.48/28 port = domain keep state label "USER_RULE: Allow VID01 to use DNS on WAN Devices"
block drop in log quick on lagg0_vlan3 inet from any to 10.3.1.0/24 label "USER_RULE: Block VID01 from Accessing the VID01 Int on FW01"
block drop in log quick on lagg0_vlan3 inet from any to 97.76.110.48/28 label "USER_RULE: Block VID01 from Accessing the WAN Subnet"
pass in quick on lagg0_vlan3 inet from 10.3.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow VID01 to any rule"

Associated revisions

Revision c5eb24fb
Added by Jim P over 2 years ago

Use quick on DHCP server rules. Should fix #2041

Revision e5787a94
Added by Jim P over 2 years ago

Use quick on DHCP server rules. Should fix #2041

History

#1 Updated by Chris Mirchandani over 2 years ago

This is the output from a firewall running pfSense 1.2.2. Notice that the auto generated rules like the one commented "allow access to DHCP server on LAN" have the quick option, "pass in quick".

  1. pfctl -sr | grep -i em0
    pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
    pass in quick on em0 inet proto udp from any port = bootpc to 192.168.100.1 port = bootps keep state label "allow access to DHCP server on LAN"
    pass out quick on em0 inet proto udp from 192.168.100.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
    block drop in on ! em0 inet from 192.168.100.1 to any
    block drop in on em0 inet6 from fe80::230:48ff:fe94:bdf6 to any
    pass out quick on em0 proto icmp all keep state label "let out anything from firewall host itself"
    pass out quick on em0 all flags S/SA keep state label "let out anything from firewall host itself"
    pass in quick on em0 inet from any to 192.168.100.1 flags S/SA keep state label "anti-lockout web rule"
    pass in quick on em0 inet from 192.168.100.1 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
    pass in quick on em0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on em0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"

#2 Updated by Jim P over 2 years ago

  • Status changed from New to Feedback
  • Priority changed from High to Normal

If you edit /etc/inc/filter.inc and find the failover rules around line 2268, and add quick to them, does it actually help?

#3 Updated by Chris Mirchandani over 2 years ago

Since I made the change and reloaded the rules, I have not seen block messages like the one below.

Dec 6 13:02:55 OPT5_VID_01 10.3.1.3:64546 10.3.1.2:519 TCP:S

Below is the output of the rules for an interface. I am concerned that the first 3 rules, the scrub and the next two block drop rules may need the quick option as well to prevent issues like I was having with DHCP failover. Below the rule output I have listed the code block that I modified in /etc/inc/filter.inc.

  1. pfctl -sr | grep -i lagg0_vlan1
    scrub in on lagg0_vlan1 all fragment reassemble
    block drop in on ! lagg0_vlan1 inet from 10.1.1.0/24 to any
    block drop in on lagg0_vlan1 inet6 from fe80::290:bff:fe1b:633b to any
    pass in quick on lagg0_vlan1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan1 inet proto udp from any port = bootpc to 10.1.1.2 port = bootps keep state label "allow access to DHCP server"
    pass out quick on lagg0_vlan1 inet proto udp from 10.1.1.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan1 inet proto tcp from 10.1.1.3 to 10.1.1.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan1 inet proto udp from 10.1.1.3 to 10.1.1.2 port = utime keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan1 inet proto tcp from 10.1.1.3 to 10.1.1.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan1 inet proto udp from 10.1.1.3 to 10.1.1.2 port = router keep state label "allow access to DHCP failover"
    block drop in log quick on lagg0_vlan1 inet from any to 10.20.1.0/24 label "USER_RULE: Block VLAN1 from Accessing Devices on LAN"
    block drop in log quick on lagg0_vlan1 inet from any to 10.10.1.0/24 label "USER_RULE: Block VLAN1 from Accessing Devices on MGMT01"
    block drop in log quick on lagg0_vlan1 inet from any to 10.99.1.0/24 label "USER_RULE: Block VLAN1 from Accessing Devices on GUEST01"
    block drop in log quick on lagg0_vlan1 inet from any to 10.2.1.0/24 label "USER_RULE: Block VLAN1 from Accessing Devices on VOIP01 "
    block drop in log quick on lagg0_vlan1 inet from any to 10.3.1.0/24 label "USER_RULE: Block VLAN1 from Accessing Devices on VID01 "
    block drop in log quick on lagg0_vlan1 inet from any to 172.19.1.0/24 label "USER_RULE: Block VLAN1 from Accessing Devices on PFSYNC "
    pass in quick on lagg0_vlan1 inet proto icmp from 10.1.1.0/24 to any keep state label "USER_RULE: Allow VLAN1 to use ICMP "
    pass in quick on lagg0_vlan1 inet proto tcp from 10.1.1.0/24 to 10.1.1.0/24 port = domain flags S/SA keep state label "USER_RULE: Allow VLAN1 to use DNS on the VLAN1 Int on FW01"
    pass in quick on lagg0_vlan1 inet proto udp from 10.1.1.0/24 to 10.1.1.0/24 port = domain keep state label "USER_RULE: Allow VLAN1 to use DNS on the VLAN1 Int on FW01"
    pass in quick on lagg0_vlan1 inet proto tcp from 10.1.1.0/24 to 97.76.110.48/28 port = domain flags S/SA keep state label "USER_RULE: Allow VLAN1 to use DNS on WAN Devices"
    pass in quick on lagg0_vlan1 inet proto udp from 10.1.1.0/24 to 97.76.110.48/28 port = domain keep state label "USER_RULE: Allow VLAN1 to use DNS on WAN Devices"
    block drop in log quick on lagg0_vlan1 inet from any to 10.1.1.0/24 label "USER_RULE: Block VLAN1 from Accessing the VLAN1 Int on FW01"
    block drop in log quick on lagg0_vlan1 inet from any to 97.76.110.48/28 label "USER_RULE: Block VLAN1 from Accessing the WAN Subnet"
    pass in quick on lagg0_vlan1 inet from 10.1.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow VLAN1 to any rule"
/etc/inc/filter.inc code block:
  1. allow access to DHCP server on {$oc['descr']}
    pass in quick on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 label "allow access to DHCP server"
    pass out quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server"
break;
case "pppoe":
case "none":
/* XXX: Nothing to do in this case?! /
break;
default:
/
allow access to DHCP server on interfaces */
if(isset($config['dhcpd'][$on]['enable'])) {
$ipfrules .= <<&lt;EOD
EOD;
if($config['dhcpd'][$on]['failover_peerip'] <> "") {
$ipfrules .= <<<EOD
  1. allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']}
    pass in quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "
    allow access to DHCP failover"
    pass in quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "
    allow access to DHCP failover"

EOD;

#4 Updated by Jim P over 2 years ago

I checked in a fix to make the DHCP server rules quick, the others do not need quick, that is done on purpose.

#5 Updated by Jim P over 2 years ago

  • % Done changed from 0 to 100

#6 Updated by Jim P over 2 years ago

#7 Updated by Chris Mirchandani over 2 years ago

Jim,

Thank you for making this change. I have some questions.

1) I cannot see the code changed in the changesets you listed. I get the following message when I click the "View differences", "filter.inc" or "diff" links. Is this by design or am I doing something wrong?

The entry or revision was not found in the repository.

2) Why are there two changesets.

3) Are these changesets targeted to a specific release? I have seems 2.0.1 and 2.1 thrown around.

4) Are there any other auto rules that may need change. I listed three additional rules that all my interfaces have, but I would guess that there are other automatic rules created for different configurations.

4a) Some examples I can think of are block bagon, block private, IPSEC and Traffic Shaping rules. For example, I see that the IPSEC rules do not have quick.

4b) With the automatic drop rules I can see why quick may not be desired as not having quick lets me add targeted allow rules to allow traffic when I need that traffic to get through, but the auto allow rules without quick will likely be problematic in certain setups.

5) Can you explain what the following rules do? Also, can you explain why these rules do not need quick or why there would never be a case where I could negate the effects of those rules with a user rule in the same way my user rules negated the auto dhcp rules? Like I stated above, since these are block rules, quick may not be desired, but if there are cases when these or other auto rules are allow rules, quick will likely be desired.

scrub in on lagg0_vlan1 all fragment reassemble
block drop in on ! lagg0_vlan1 inet from 10.1.1.0/24 to any
block drop in on lagg0_vlan1 inet6 from fe80::290:bff:fe1b:633b to any

#8 Updated by Jim P over 2 years ago

1) redmine has an issue loading the changesets for some reason, look at it directly on github (https://github.com/bsdperimeter/pfsense/commit/e5787a94b7890c9a3905feb842d0a69355559d65)
2) For 2.0.1 (RELENG_2_0) and 2.1 (master)
3) Both of the above versions
4-5 do not belong here - open a thread on the forum and ask, they are not relevant to this ticket, they are support questions and not bugs.

#9 Updated by Ermal Lu├ži over 2 years ago

I do not agree with this change the intention for 2.0 is that those rules can be overridden.
If you(the user) cannot find a way around the situation described here the rules can just be cloned on the GUI interface and they will have the quick option.

2.0 has had this since more than 2 years now and i do not see that this change was really necessary.

#10 Updated by Jim P over 2 years ago

I disagree with that sentiment. The whole point of these rules is to make sure this traffic is always allowed.

If you have these features enabled, you need to allow this traffic. The rules are specific enough that overriding them does not make sense in any real-world situation. The rules are only enabled if you have the features enabled that require the rules.

People are going to accidentally override them and be confused why the services do not work, when these rules are meant to prevent that from happening. If someone had an 'allow all' rule on LAN then the traffic would have been allowed anyhow and the rules would have been pointless.

#11 Updated by Chris Mirchandani over 2 years ago

Ermal, I can't speak to the intent of those that choose to implement the DHCP auto rules, but I would think purpose is to make sure that services provided by pfSense work. There is no easy way to create the DHCP failover rules in the way that you would normally create pfSense rules that point to interfaces on the device. In other words you couldn't use the interface_address setting, so users would have to use interface_subnet opening 519 and 520 to all devices or manually specify the IP of each device.

The solution that is in place for DHCP failover works perfectly as the rules are perfectly specific, open ports 519 and 520 on each needed protocol from fw1 to fw2 and from fw2 to fw1 . In my opinion the solution to negate these rules would be better implemented as a check box in the DHCP interface that disables DHCP failover allowing this feature to be disabled without removing the IP from the field. Once this is done, the DHCP failover for that interface would be removed. Currently users can remove the DHCP failover IP to have the rules removed.

I can't speak about the general client DHCP rules. Isn't this an all or nothing feature? If it is and you want to block DHCP, disabling DHCP for the interface seems like a better way to block DHCP.

On a final note, if your feeling really adventurous, set pfSense up so that the rules page shows auto generated rules. Then on rules like the DHCP rules above, make it so that if you disable these rules from the rules page, the features that generated them are disabled. e.g. Disabling the DHCP failover rule will disable the DHCP failover feature and disabling the client DHCP rule will disable DHCp for the interface and therefore disable the DHCP failover rule.

#12 Updated by Chris Buechler over 2 years ago

  • Status changed from Feedback to Resolved
  • Target version set to 2.0.1

there's no reason to override the rules in this case, in fact it's impossible to do so without breaking DHCP entirely, so this is good as is.

#13 Updated by Chris Mirchandani over 2 years ago

I just noticed the following text in /etc/inc/filter.inc at around line 2263 which indicates that this block should be moved above antispoof rules if they use the quick otion. While I do not think the DHCP rules effect this, there is an antispoof section starting at 2207 and all of those rules have the quick option and if it matters, the bogon, section, starting around 2175, has rules that use the quick option as well.

/*
 * NB: The loopback rules are needed here since the antispoof would take precedence then.
 *              If you ever add the 'quick' keyword to the antispoof rules above move the looback
 *              rules before them.
*/
$ipfrules .= <<&lt;EOD
  1. loopback
    pass in on \$loopback all label "pass loopback"
    pass out on \$loopback all label "pass loopback"

Also available in: Atom PDF