Lampros - Weird Bricks

Adventures in blocking a DHCP server with IPFW..

20 March, 2014 | DHCP

I have a simple local area network where my router is also the DHCP server. It's IP address is

For testing purposes I've been playing with a second DHCP server on the same network running inside VirtualBox - that machine is set to

However my DHCP server would never assign an IP address to my test instance - the router would always be the one assigning it - my guess is because it's responding much faster than the VirtualBox.

I tried blocking this with IPFW by blocking all UDP rules.. this is the ruleset I set:

ipfw -f flush
cat /dev/null > /var/log/security
ipfw add 100 deny log udp from any to any
ipfw add 101 deny log tcp from any to any

Of course the above will block everything (both TCP and UDP) and also log everything in /var/log/security. Surprise surprise..... On one window I run

tail -f /var/log/security

On the other one I tried to get a new IP:

service netif restart; dhclient em0

This is what I got in the logs....

Mar 20 18:25:19 freebsd10 kernel: ipfw: 100 Deny UDP out via em0
Mar 20 18:25:28 freebsd10 kernel: ipfw: 100 Deny UDP in via em0
Mar 20 18:25:28 freebsd10 kernel: ipfw: 100 Deny UDP in via em0

So the packets are clearly caught by IPFW ... why am I still getting an IP address? It looks like the ISC DHCP server does not use UDP - it uses "Internet Socket of protocol Raw instead of TCP or UDP" -- Sources here and here. Instead you can edit the /etc/dhclient.conf and add lines like these:

interface "em0"

Try getting a new IP again: [quote]service netif restart; dhclient em0[/quote] Output: (trimmed)

DHCPREQUEST on em0 to port 67
DHCPNACK from rejected.
bound to -- renewal in 300 seconds.

Nice. If you need to load your ruleset automatically you can do it by having the following lines in /etc/rc.conf: