In article <43B88453.2060805@2005.smokva.net>,
	Petar Bogdanovic <p.netbsd@2005.smokva.net> writes:
> If I haven't totally misunderstood something, dhcpd shouldn't be able to 
> get DHCPDISCOVER if the only matching rule is: 'block in all'.

"dhcpd" uses the Berkeley Packet Filter bpf(4) to monitor for incoming
requests. And bpf(4) get's the packet before ipf(4) which is why your
rules don't help. Use settings like this in "/etc/rc.conf" to restrict
"dhcpd" to the correct interface:

dhcpd_flags="-q fxp0"

	Kind regards

-- 
Matthias Scheler                                  http://scheler.de/~matthias/