# Is this a bug… (dhclient issue)



## max21 (Sep 18, 2015)

Or is it my imagination 


```
Sep 18 02:51:14 bsd102 dhclient[491]: send_packet : Operation not permitted
Sep 18 02:51:14 bsd102 last message repeated 3 times
Sep 18 02:52:14 bsd102 last message repeated 4 times
Sep 18 03:03:14 bsd102 message repeated 10 times
Sep 18 03:11:14 bsd102 last message repeated 5 times
```

In FreeBSD 10.1, if I remember correctly, starting with p4 update,  errors like this would show up while the machine would be rebooting.

I installed FreeBSD 10.2 yesterday (dreaming of the impossible), and to this very minute, I see these error messages as I type in the console of my running system.  Am I’m the only one who is seeing this?  It’s not a hardware issue.   10.1p4 is on one AMD system and 10.2 is now on my other AMD.   It went from outside (boot) to the inside a running system and no one notice it, before release?  If not, maybe it’s my INTERNET provider wacky services.


```
Background_dhclient=”yes”
```

That line in the rc.conf doesn’t work.

I google, or may have even ask about it back in the p4 days (the finest ever), but people said it was a normal thing.  Now that it’s on the inside (popping up as you type), I like to hear from them now.

Just thought you should know.

I’ll go back to 8.2 if I have to.


----------



## wblock@ (Sep 18, 2015)

max21 said:


> send_packet : Operation not permitted


Probably not a bug, but a firewall or security misconfiguration.


----------



## max21 (Sep 19, 2015)

I get it … the upgrade of pf for FreeBSD since 8,2.  I turn-off pf, sparing FreeBSD 10.1 and 10.2 my outdated rules, and all is well (no more errors).   But I suspect a leak that may cause other problems down the line; because what in the world would cause it to show up at console time vs boot time for these two back-to-back versions. The first thing I install every single time is my PF rules on a minimum install of new FreeBSD's since the middle of the 8.2 era, with my eyes wide open for days.   When I find that error in my rules I will post it here.  I have no choice but to find it!

Thank you wblock@.


----------



## max21 (Sep 28, 2015)

I still have not yet had time to pick my rules apart but I will soon.  Here is what I got so far:

I used this link to http://www.hcidata.info/host2ip.cgi to convert Host/Domain Name to IP Address and vice versa.  This is Brighthouse.  Brighthouse (cable) is my internet provider, but I'm on port-22.


```
IP Address : 107.xxx.xxx.0
Host Name  : 107-xxx-xxx-0.res.bhn.net

Host Name  : 198.xxx.xxx.228
IP Address : 198.xxx.xxx.228
Location   : United States (accuracy)
```

This seems to me like another IP or user is on the same network but is hitting my port-22 all day long.


```
root@bsd1:~ # ssh -vvv IP-address
OpenSSH_6.6.1p1, OpenSSL 1.0.1j-freebsd 15 Oct 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0

debug1: Connecting to ip-address [198.xxx.xxx.228] port 22.
debug1: connect to address 198.xxx.xxx.228 port 22: Operation not permitted
debug1: Connecting to ip-address [198.xxx.xxx.228] port 22.
debug1: connect to address 198.xxx.xxx.228 port 22: Operation not permitted
ssh: connect to host ip-address port 22: Operation not permitted
root@bsd1:~ #
```

I don't remember seeing anything like it when I was on AT&T dsl.  Is this normal?  I would think if you are only using SSH with FreeBSD ports, no pinging should be coming in from IP before ever running anything except PF and SSH.

My rules came from http://www.unixguide.net/freebsd/fbsd_installguide80/, including a lot of bits and pieces from here.  It was all trial and error for me.  I'm just getting a real clue about pf, but I'm glad it blocking this whoever.  But still it overlap or underlap the terminal as explained above.


----------



## andrian (Sep 29, 2015)

To begin, turn off the firewall, run `tcpdump -n -i name_interface` on the interface on which you launch dhclient(8) and see traffic. If not traffic go to see state interface (`ifconfig name_interface`):

```
root@freebsd:/usr/home/andrian # ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
  ether 00:22:4d:9e:50:33
  inet 10.144.40.2 netmask 0xffffff00 broadcast 10.144.40.255
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
```

See in line

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
```
Or is "UP" present?
If not present "UP" run:
`# ifconfig you_name_interface up`
And again see in line

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
```
Or is "UP" present?
And see in line "status: active" or present word "active"? If not present when problem cable, port on switch or interface.


----------



## max21 (Sep 30, 2015)

andrian said:


> To begin, turn off the firewall, run `tcpdump -n -i name_interface` on the interface on which you launch dhclient(8) and see traffic....



Thanks andrian  for introducing me to those web-tools.  They are awesome! 

I followed your instructions and all devices are working.  Its my e-mail-XP-machine that is getting hack.  I caught it, it encrypt my e-mail the second I open it, than it made it disappear.  This morning it took my mouse for test spin around 4:00AM.  My 2nd machine has FreeBSD, running Virtualbox for XP, I use it for web surfing.  I get little to no trouble protecting XP from web-hacks, but somebody is still on my Ethernet Cable line.

I don’t want this to cross-over onto my new FreeBSD workstation (now under construction).  I want to block or strip out _EVERY_ port possible except for 22 and 443 for this box only.  How could I accomplish this?


----------



## max21 (Oct 3, 2015)

As wblock@ indicated, the problem was in my pf rules.  After being encourage to use commands, (Thanks again andrian), I went through them fairly well, having a ball, then caught this:

```
pass out quick on $ext_if inet proto icmp from any to any icmp-type 8 keep state
```
Would someone show me the proper way to use the icmp_types variable?  Why should I use it?  Do I even need it for my purpose (listed in the file)?

About the inside/out error output, GNOME blinded me.  I now go real console mode ttyv1 after commenting-out, then testing these pf rules under GNOME; it’s nice to see if any errors are showing up in the real FreeBSD console.  I keep asking myself, where have I been?  Thanks for the eye-opener Community.


```
##########################################################################################
#  http://www.unixguide.net/freebsd/fbsd_installguide80/
#
#  some dizzy examples and ideas here... and his full-versions modified for other type boxes.
#  https://forums.freebsd.org/threads/fine-tuning-pf-ruleset.50364/
#
#  Planning on using THESE rules to connect to my first remote server at DC. Is it a overkill?

ext_if = "re0"
int_if = "re1"
dns1 = "222.xx.xx.81"
dhcp = "192.168.x.255"

#  tcp_services = "{22, 80, 3389}"
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"            #  allowed ICMP types
#  priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"

ob_state = "flags S/SA modulate state"            #  outbound
ib_state = "flags S/SA synproxy state"            #  inbound
#  __________________________________________________________________________
#                                     [TABLES]
table <sshguard> persist
#  __________________________________________________________________________
#                                    [OPTIONS]
set loginterface $ext_if  #   gather statistics on this interface
set optimization aggressive   # drop state fast without having excessively low timeouts.

set block-policy return   #   a TCP RST packet is returned for blocked TCP
              #   packets and an ICMP Unreachable packet is
              #   returned for all others.    squid
#set block-policy drop      #   default block behavior to packet silently dropped
set state-policy if-bound #   states are bound to interface created on

set skip on lo0          #   KDE uses loopback
#  __________________________________________________________________________
#                              [TRAFFIC NORMALIZATION]
#scrub in on $ext_if all reassemble tcp no-df random-id
scrub all no-df random-id min-ttl 5 max-mss 1440 reassemble tcp
scrub out on $ext_if no-df random-id
#scrub in all          #   scrub out on $ext_if all random-id
#scrub reassemble tcp      #   Make sure clean & sane fragment reassemble

#block in all
#  __________________________________________________________________________
#                                 [TRANLATION]
nat on $ext_if from !($ext_if) -> ($ext_if:0)    # TRANLATION
pass quick on $int_if all             # No restrictions on LAN Interface
pass quick on lo0 all                # No restrictions on Loopback Interface

#pass in on $int_if inet proto tcp from any to 10.0.0.1 port 8880 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
#pass out on $int_if inet proto tcp from any to 192.168.1.254 port 3389
#  __________________________________________________________________________
#  __________________________________________________________________________
#                                      [OUT BOUND]

pass out quick on $ext_if proto tcp from any to $dns1 port 53 $ob_state  #  dns in resolv
pass out quick on $ext_if proto udp from any to $dns1 port 53 keep state

pass out quick on $ext_if proto udp from any to $dhcp port 67 keep state #  dhcp

pass out quick on $ext_if proto tcp from any to any port 80 $ob_state    #  INTERNET out ****

pass out quick on $ext_if proto tcp from any to any port 443 $ob_state   #  https over TLS SSL

#pass out quick on $ext_if inet proto icmp from any to any icmp-type 8 keep state #  ping out
pass out quick on $ext_if proto tcp from any to any port 43 $ob_state    #  whois PC

pass out quick on $ext_if proto tcp from any to any port 22 $ob_state    #  SSH FTP-Tel-SCP out

block out log quick on $ext_if all                                       #  trying to get out
#  __________________________________________________________________________
#  __________________________________________________________________________
#                                      [IN BOUND]

block in quick on $ext_if from <sshguard> label "ssh bruteforce"  #  guard all, not just ssh

#  Block all inbound traffic from non-routable or reserved address spaces
block in quick on $ext_if from 192.168.0.0/16 to any    #  RFC 1918 private IP
block in quick on $ext_if from 172.16.0.0/12 to any    #  RFC 1918 private IP
block in quick on $ext_if from 10.0.0.0/8 to any    #  RFC 1918 private IP

block in quick on $ext_if from 127.0.0.0/8 to any    #  loopback
block in quick on $ext_if from 0.0.0.0/8 to any        #  loopback

block in quick on $ext_if from 169.254.0.0/16 to any    #  DHCP auto-config
block in quick on $ext_if from 192.0.2.0/24 to any    #  reserved for doc's
block in quick on $ext_if from 204.152.64.0/23 to any    #  Sun cluster connect
block in quick on $ext_if from 224.0.0.0/3 to any     #  Class D $ E multicast

block in quick on $ext_if inet proto icmp all icmp-type 8    #  Block public pings in
block in quick on $ext_if proto tcp from any to any port 113    #  Block ident in

#  Block all Netbios service. 137=name, 138=datagram, 139=session
#  Netbios is MS/Windows sharing services.
#  Block MS/Windows hosts2 name server requests 81

block in log quick on $ext_if proto tcp from any to any port 137
block in log quick on $ext_if proto udp from any to any port 137

block in log quick on $ext_if proto tcp from any to any port 138
block in log quick on $ext_if proto udp from any to any port 138

block in log quick on $ext_if proto tcp from any to any port 139
block in log quick on $ext_if proto udp from any to any port 139

block in log quick on $ext_if proto tcp from any to any port 81
block in log quick on $ext_if proto udp from any to any port 81

pass in quick on $ext_if proto udp from $dhcp to any port 68 keep state  # cable-DSL-dhcp in
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types
pass in quick on $ext_if proto tcp from any to any port 22 $ib_state  # SSH FTP-Telnet-SCP in

block in log quick on $ext_if all                                       #  trying to get in
############################# End of rules file ############################
############################# End of rules file ############################
############################# End of rules file ############################
```


----------

