Matthias Scheler wrote:
> In article <43B88453.2060805@2005.smokva.net>,
> 	Petar Bogdanovic <p.netbsd@2005.smokva.net> writes:
>> If I haven't totally misunderstood something, dhcpd shouldn't be able to 
>> get DHCPDISCOVER if the only matching rule is: 'block in all'.
> 
> "dhcpd" uses the Berkeley Packet Filter bpf(4) to monitor for incoming
> requests. And bpf(4) get's the packet before ipf(4) which is why your
> rules don't help.

I assume, that there is a reason behind this. Nevertheless, I do feel 
strange about the fact, that my packet-filter contains this:

block in all

and some user-land tool is able to jump into the chain - one step before 
ipf - and get everything which comes in.


Kind regards,

Petar