Monday, May 22, 2023

Re: dhcpcd consistently terminates

On 5/22/23 12:36, Stuart Henderson wrote:
> Huh. So a client can use some other source port to send to the server,
> but the server is still required to send packets back to port 546 on the
> client rather than the source port the client actually used. Who came
> up with this idea... (I am dubious that random DHCPv6 infrastructure on
> the 'net will cope with a different source port either).
>
> Anyway in that case the "out" rule would be
>
> pass out quick on pppoe0 proto udp to port dhcpv6-server received-on none
>
> The "in" rule is more problematic, I don't think we would want
>
> pass in quick on pppoe0 proto udp to port dhcpv6-client
>
> because that covers incoming packets to machines behind the router.
> We can't use "self" because addresses are determined at PF ruleset load
> time. Do we need "{(self) fe80::/10" or something?
>
> Is this something you had to change yourself or is it just from a strict
> reading of 8415?

RFC 2131 also does not state what source UDP ports DHCP clients and servers
MUST/SHOULD use. This caused Florian Obser to fix a bug in dhcpleased
(https://marc.info/?l=openbsd-bugs&m=163507791819694&w=2).

Shadrock Uhuru was having trouble with IPv6, and they got it to work once
they followed my pf ruleset
(https://marc.info/?l=openbsd-misc&m=167502694716840&w=2). I don't know
which rules exactly fixed their problem, but I don't think it makes sense
to have an overly restrictive ruleset. If one wants to iteratively add
more restrictive rules, then they can; but the base ruleset should conform
to RFC 8415.

I am aware that this allows more than one wants, but then again so does
not filtering for the exact IP of the DHCPv6 server. Obviously as the
maintainer, it is your call.
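An added pf.conf fragment, not from this thread or from any OpenBSD source, putting the two rules discussed above together for a router whose WAN interface is pppoe0 (the name used in the thread). The "received-on none" construct is reproduced from the quoted message and is not independently verified here; the "($ext_if)" form is standard pf syntax and is used in place of "self" for the reason the quoted message gives.

```pf
# Added example for a DHCPv6 client running on the router itself.
# Assumes a default-deny ruleset ("block all") precedes these rules.
ext_if = "pppoe0"

# Outbound: RFC 8415 fixes only the listening ports (546 client, 547
# server), so the client's source port is left unconstrained and the
# rule matches on the server port alone.  "received-on none" is the
# construct proposed in the thread for locally generated packets.
pass out quick on $ext_if inet6 proto udp to port dhcpv6-server \
    received-on none

# Inbound: the server replies to UDP 546 regardless of the client's
# source port.  A bare "to port dhcpv6-client" would also pass packets
# for hosts behind the router, so the destination is narrowed to this
# router's own addresses.  "($ext_if)" in parentheses is re-evaluated
# when the interface address changes, unlike "self", which is resolved
# only when the ruleset is loaded; fe80::/10 covers the link-local
# address the client sources its requests from.
pass in quick on $ext_if inet6 proto udp \
    to { ($ext_if) fe80::/10 } port dhcpv6-client
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; the source address of the server is deliberately not filtered, consistent with the point made above about not pinning the exact server IP.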
