# pf.conf rules for dhcp



## kondziq (Jun 18, 2010)

Hi, 

I'd like to know if you guys normally put any rules in pf.conf about dhcp? I know dhcp uses bpf, which means all packets are passed before pf really decides what to do. Now, should I still unblock ports 67 & 68? I'm asking because I keep getting annoying

```
14:47:06.251001 rule 0/0(match): block in on rl1: 192.168.1.20.68 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]
14:47:06.251365 rule 0/0(match): block out on rl1: 192.168.1.1.67 > 192.168.1.20.68: BOOTP/DHCP, Reply, length 300
```
in my pf log. What do you pros do? ;] Do you keep blocking it or unblock?

Thanks,
K.


----------



## DutchDaemon (Jun 18, 2010)

When my firewall is between dhcp clients and a dhcp server, I allow 67/68 traffic, something like this:


```
pass quick on { $LAN $WAN } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $LAN $WAN } inet proto udp from any port 67:68 to any port 67:68 keep state
```


----------



## kisscool-fr (Jun 24, 2010)

I have my dhcp server on the firewall and 2 rules are needed to make it work properly. 


```
pass in quick on $int_if proto udp from port = 68 to port = 67
pass out quick on $int_if proto udp from port = 67 to port = 68
```

Without the second rule, the renew step does not work.


----------
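Putting the two replies together, here is a complete set of the DHCP lines for pf.conf as an added example (an editor's addition, not code posted by anyone in this thread). It assumes the firewall itself runs dhcpd on `rl1` for 192.168.1.0/24, matching the log in the first post; the interface names are assumptions. DHCP is UDP only (RFC 2131), so a udp rule is all that is needed. The out rule matters because a client in RENEWING state unicasts its DHCPREQUEST to the server's address, and dhcpd answers that one through its normal UDP socket rather than bpf, so pf sees and filters the reply; the broadcast DISCOVER/OFFER exchange is the part that goes through bpf and works even while pflog shows it blocked.

```pf
# Added example (not from the thread): DHCP-related lines for /etc/pf.conf
# on a FreeBSD box running dhcpd on its LAN interface.
# Interface names are assumptions; rl1 follows the log in the first post.
int_if = "rl1"
ext_if = "rl0"

# Default deny, logged. This is where the "rule 0/0(match): block" lines
# for 67/68 traffic come from when no DHCP rule precedes it.
block log all

# Client -> server. A fresh client sends from 0.0.0.0:68 to
# 255.255.255.255:67 (dhcpd gets that copy via bpf anyway); a renewing
# client sends from its own address straight to 192.168.1.1:67.
# "from any" covers both, and passing it without "log" keeps pflog quiet.
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# Server -> client. The broadcast OFFER/ACK to a new client leaves via
# bpf and is not filtered, but the unicast ACK to a renewing client goes
# out through the IP stack and is dropped without this rule, so leases
# expire instead of renewing (the failure described in the third post).
pass out quick on $int_if inet proto udp from any port 67 to any port 68

# Variant for the second reply's case: the firewall forwards between
# clients and a DHCP server on another segment. Relay agents talk to the
# server from port 67 to port 67, which is why the 67:68 range on both
# sides is used instead of a fixed 68 -> 67 pair. Uncomment if needed.
# pass quick on { $int_if $ext_if } inet proto udp from any port 67:68 to any port 67:68
```

Syntax-check before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Afterwards `tcpdump -n -e -ttt -i pflog0 port 67 or port 68` should stay silent while `tcpdump -n -i rl1 port 67 or port 68` still shows the full exchange, including the unicast renew and its reply.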

