
Re: /etc/rc: pf vs. dhclient ... lockd, too

From: Camiel Dobbelaar <cd(at)sentia.nl>
Date: Tue Nov 26 2002 - 02:33:39 EST


On Mon, 25 Nov 2002, Chris Jepeway wrote:
> I removed the bootpc/bootps rules,

No, I don't need the ICMP either in my setup for dhclient to work.

Looking at the dhclient-script, there is only one ping in there. It is executed iff $reason == TIMEOUT and $new_routers != "".

It looks like this code is some fallback-scenario, when all DHCP requests time out.

Are you sure you need the ICMP hole?

A good way to test if the /etc/rc rules are blocking any packets is to modify it like this (make block rules log, move pflogd up):

--
Cam


zigzag$ diff -u /etc/rc rc
--- /etc/rc     Wed Nov 13 10:40:13 2002
+++ rc  Tue Nov 26 08:29:54 2002
@@ -119,7 +119,7 @@
 ttyflags -a

 if [ "X${pf}" != X"NO" ]; then
-       RULES="block in all\nblock out all"
+       RULES="block in log all\nblock out log all"
        RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
        RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state"
        case `sysctl vfs.mounts.nfs 2>/dev/null` in
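Review bot: adding `log` to both catch-all rules (`block in log all` / `block out log all`) records every dropped packet, so this is a diagnostic setting rather than something to leave in place; it should be stated as temporary, to be reverted once the needed holes (bootpc/bootps, and whether ICMP is required at all) have been identified from the log. Nothing in this hunk changes the `pass` rules, and the log entries only become useful once pflog0 is up and pflogd is attached before `pfctl -f - -e` runs, which this hunk does not arrange.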
@@ -132,6 +132,11 @@
        echo $RULES | pfctl -f - -e
 fi

+if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
+       ifconfig pflog0 up
+       pflogd ${pflogd_flags}
+fi
+
 if [ -f /etc/sysctl.conf ]; then
 (
        # delete comments and blank lines
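Review bot: the relocated pflogd block still sits after `echo $RULES | pfctl -f - -e` (the context at the top of this hunk), so pf is enabled with logging rules before `ifconfig pflog0 up` and `pflogd ${pflogd_flags}` have run; anything blocked in that window never reaches /var/log/pflog. To close the gap, move the two lines above the `pfctl -f - -e` line, inside the existing `if [ "X${pf}" != X"NO" ]` block, which also removes the need to re-test `${pf}` here. Minor: the rest of the file tests `"X${pf}" != X"NO"` while this block writes `X"${pf}" != X"NO"`; either works, but keeping one spelling makes the file easier to grep.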
@@ -191,11 +196,6 @@
        syslogd_flags="${syslogd_flags} -a ${named_chroot}/dev/log"
 fi
 syslogd ${syslogd_flags}
-
-if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
-       ifconfig pflog0 up
-       pflogd ${pflogd_flags}
-fi
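Review bot: this hunk is the counterpart removal of the block re-added in the previous hunk and also drops the blank line that separated `syslogd ${syslogd_flags}` from it, which is fine, but the side effect worth stating in the mail is that pflogd now starts before syslogd (visible in the leading context); if pflogd reports any startup errors through syslog, they are lost at that point. If that matters, keep the original ordering for the final version and carry only the `log` keyword change.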
Received on Tue Nov 26 02:36:31 2002
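The diagnostic step described above (make the catch-all rules log, then read what pflogd captured) leaves the question of how to turn a pflog capture into a list of the holes actually needed. The following is an added example, not code from the mail or from OpenBSD: a small shell filter that summarises blocked packets by direction, interface and destination port. The sample lines are constructed in the approximate shape `tcpdump -e` prints for pflog0 (direction, interface, `src.port > dst.port`) and are not a real capture; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original mail or from the OpenBSD rc script).
# Summarise which packets the "block ... log all" rules dropped so a minimal
# ruleset can be widened only where the log shows a need (for dhclient that is
# udp 68/67, bootpc/bootps) instead of opening ICMP just in case.
#
# On a real system feed it pflog output, for example:
#   tcpdump -n -e -ttt -r /var/log/pflog | summarize_blocked

summarize_blocked() {
    # Reads tcpdump pflog lines on stdin and prints one line per
    # "direction interface dport count", sorted. dport is the last
    # dot-separated component of the destination, or "icmp" for ICMP.
    awk '
    / block (in|out) on / {
        for (i = 1; i <= NF; i++)
            if ($i == "block") { dir = $(i + 1); iface = $(i + 3); sub(/:$/, "", iface) }
        for (i = 1; i <= NF; i++)
            if ($i == ">") { dst = $(i + 1); sub(/:$/, "", dst) }
        if ($0 ~ /icmp/) port = "icmp"
        else { n = split(dst, a, "."); port = a[n] }
        count[dir " " iface " " port]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# CONSTRUCTED sample capture: two DHCP offers from a server, one DHCP request
# going out, one ICMP echo reply, and one inbound ssh SYN, all blocked.
SAMPLE_PFLOG='Nov 26 08:30:01.000000 rule 0/0(match): block in on fxp0: 192.168.1.1.67 > 255.255.255.255.68: xid:0x1a2b3c [|bootp]
Nov 26 08:30:01.100000 rule 1/0(match): block out on fxp0: 0.0.0.0.68 > 255.255.255.255.67: xid:0x1a2b3c [|bootp]
Nov 26 08:30:02.000000 rule 0/0(match): block in on fxp0: 192.168.1.1.67 > 255.255.255.255.68: xid:0x1a2b3d [|bootp]
Nov 26 08:30:05.000000 rule 0/0(match): block in on fxp0: 192.168.1.1 > 192.168.1.10: icmp: echo reply
Nov 26 08:30:09.000000 rule 0/0(match): block in on fxp0: 10.0.0.5.4321 > 192.168.1.10.22: S 1:1(0) win 16384'

# Wrapper that runs the summary over the constructed sample.
blocked_summary() {
    printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocked
}

blocked_summary
```

Run against the sample it prints `in fxp0 68 2` and `out fxp0 67 1` for the DHCP exchange, plus one entry each for the ICMP reply and the ssh SYN; on a real boot the DHCP lines are what justify bootpc/bootps pass rules, and an ICMP hole is only warranted if ICMP entries show up while dhclient is actually failing.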

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:27 EDT
