Bug #2041

closed

DHCP failover Auto Generated Rules

Added by Chris Mirchandani almost 10 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: DHCP (IPv4)
Start date: 12/06/2011
% Done: 100%
Affected Version: 2.0
Affected Architecture: amd64

Description

I am running the 2.0 final release AMD64. This install was performed via a flash drive image with a 2.0 beta memstick image. The system was updated with snapshots a number of times and then was upgraded to the final version soon after its release.

As I understand it, pf rules that do not use the quick option are processed in a last-match system, e.g. the last rule that it comes to that matches determines pass or fail. It seems that since the automatically generated rules do not use the quick option, they can be negated by user rules, as they all use the quick option and there is no way that I can see to prevent the use of quick. I am having issues with DHCP failover not working on interfaces where I have a rule that blocks all access to the firewall. I have rules to allow DHCP and DNS for clients, but not the failover ports, as rules for failover should be generated by pfSense. Below is the block line and under that the explanation.

Dec 6 13:02:55 OPT5_VID_01 10.3.1.3:64546 10.3.1.2:519 TCP:S

The rule that triggered this action is:

@207 block drop in log quick on lagg0_vlan3 inet from any to 10.3.1.0/24 label "USER_RULE: Block VID01 from Accessing the VID01 Int on FW01"

Below is the list of rules that apply to this interface. You will see that the rule mentioned above is below the DHCP failover rules. Based on the way user rules work, packets from 10.3.1.3:any to 10.3.1.2:519 or 10.3.1.2:520 should never get to the rule listed above. The difference is that none of the pfSense-generated rules have the quick option. I have verified that in /etc/services the port names like bootpc, bootps, utime, efs and router all have the correct ports listed.

: pfctl -sr | grep -i vlan3
scrub in on lagg0_vlan3 all fragment reassemble
block drop in on ! lagg0_vlan3 inet from 10.3.1.0/24 to any
block drop in on lagg0_vlan3 inet6 from fe80::290:bff:fe1b:633b to any
pass in on lagg0_vlan3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in on lagg0_vlan3 inet proto udp from any port = bootpc to 10.3.1.2 port = bootps keep state label "allow access to DHCP server"
pass out on lagg0_vlan3 inet proto udp from 10.3.1.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on lagg0_vlan3 inet proto tcp from 10.3.1.3 to 10.3.1.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
pass in on lagg0_vlan3 inet proto udp from 10.3.1.3 to 10.3.1.2 port = utime keep state label "allow access to DHCP failover"
pass in on lagg0_vlan3 inet proto tcp from 10.3.1.3 to 10.3.1.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
pass in on lagg0_vlan3 inet proto udp from 10.3.1.3 to 10.3.1.2 port = router keep state label "allow access to DHCP failover"
block drop in log quick on lagg0_vlan3 inet from any to 10.20.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on LAN"
block drop in log quick on lagg0_vlan3 inet from any to 10.10.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on MGMT01"
block drop in log quick on lagg0_vlan3 inet from any to 10.99.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on GUEST01"
block drop in log quick on lagg0_vlan3 inet from any to 10.1.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on VLAN1"
block drop in log quick on lagg0_vlan3 inet from any to 10.2.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on VOIP01 "
block drop in log quick on lagg0_vlan3 inet from any to 172.19.1.0/24 label "USER_RULE: Block VID01 from Accessing Devices on PFSYNC "
pass in quick on lagg0_vlan3 inet proto icmp from 10.3.1.0/24 to any keep state label "USER_RULE: Allow VID01 to use ICMP "
pass in quick on lagg0_vlan3 inet proto tcp from 10.3.1.0/24 to 10.3.1.0/24 port = domain flags S/SA keep state label "USER_RULE: Allow VID01 to use DNS on the VID01 Int on FW01"
pass in quick on lagg0_vlan3 inet proto udp from 10.3.1.0/24 to 10.3.1.0/24 port = domain keep state label "USER_RULE: Allow VID01 to use DNS on the VID01 Int on FW01"
pass in quick on lagg0_vlan3 inet proto tcp from 10.3.1.0/24 to 97.76.110.48/28 port = domain flags S/SA keep state label "USER_RULE: Allow VID01 to use DNS on WAN Devices"
pass in quick on lagg0_vlan3 inet proto udp from 10.3.1.0/24 to 97.76.110.48/28 port = domain keep state label "USER_RULE: Allow VID01 to use DNS on WAN Devices"
block drop in log quick on lagg0_vlan3 inet from any to 10.3.1.0/24 label "USER_RULE: Block VID01 from Accessing the VID01 Int on FW01"
block drop in log quick on lagg0_vlan3 inet from any to 97.76.110.48/28 label "USER_RULE: Block VID01 from Accessing the WAN Subnet"
pass in quick on lagg0_vlan3 inet from 10.3.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow VID01 to any rule"
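As an added illustration (not pfSense or pf code), the following models pf's evaluation order, last matching rule wins unless a matching rule is quick, and runs it over a constructed subset of the listing above and the logged packet. Rule fields and labels are taken from the report; utime and efs are assumed to resolve to ports 519 and 520 as in /etc/services.

```python
import ipaddress
from typing import NamedTuple, Optional

N = ipaddress.ip_network
ANY = N("0.0.0.0/0")

class Rule(NamedTuple):
    action: str           # "pass" or "block"
    quick: bool           # pf 'quick': stop evaluating on match
    proto: Optional[str]  # "tcp", "udp" or None for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # destination port, None for any
    label: str

def matches(rule, proto, src, dst, dport):
    return ((rule.proto is None or rule.proto == proto)
            and src in rule.src and dst in rule.dst
            and (rule.dport is None or rule.dport == dport))

def evaluate(rules, proto, src, dst, dport):
    """Return (action, label) of the deciding rule; pf passes when nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            winner = rule   # last match so far wins...
            if rule.quick:
                break       # ...unless it is quick, which ends evaluation
    return (winner.action, winner.label) if winner else ("pass", "pf default")

# Inbound rules on lagg0_vlan3 in pfctl order: constructed subset of the report's listing.
RULES = [
    Rule("pass", False, "tcp", N("10.3.1.3/32"), N("10.3.1.2/32"), 519, "allow access to DHCP failover"),
    Rule("pass", False, "udp", N("10.3.1.3/32"), N("10.3.1.2/32"), 519, "allow access to DHCP failover"),
    Rule("pass", False, "tcp", N("10.3.1.3/32"), N("10.3.1.2/32"), 520, "allow access to DHCP failover"),
    Rule("pass", True, "udp", N("10.3.1.0/24"), N("10.3.1.0/24"), 53, "USER_RULE: Allow VID01 to use DNS on the VID01 Int on FW01"),
    Rule("block", True, None, ANY, N("10.3.1.0/24"), None, "USER_RULE: Block VID01 from Accessing the VID01 Int on FW01"),
    Rule("pass", True, None, N("10.3.1.0/24"), ANY, None, "USER_RULE: Allow VID01 to any rule"),
]

def failover_decision():
    """The logged packet 10.3.1.3:64546 -> 10.3.1.2:519 TCP SYN against RULES."""
    return evaluate(RULES, "tcp", "10.3.1.3", "10.3.1.2", 519)

def failover_decision_if_quick():
    """Same packet if the generated failover rules carried 'quick'."""
    fixed = [r._replace(quick=True) if r.label.startswith("allow access") else r
             for r in RULES]
    return evaluate(fixed, "tcp", "10.3.1.3", "10.3.1.2", 519)
```

The first function reproduces the logged block: the non-quick failover pass rule matches first, but the later quick block rule overrides it; the second shows the same packet passing once the generated rules are quick.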
