Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: Jim Wise <jwise@draga.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 01/06/2002 15:53:03
>If you'll look at the rc.conf snippet included in the original message,
>I _am_ running dhcpd only on the inside interface.  In fact, dhcpd
>listens on ports 67 and 111 with INADDR_ANY, and bpfs on _all_
>interfaces for port 68.  Only after receiving a packet does dhcpd check
>to see if the packet is from an interface it is supposed to be listening
>to.

it's actually listening on *all* interfaces via bpfs?  have you
checked that lsof or fstat reports dhcpd as having open a number of
bpf devices that matches the number of interfaces on the system as
opposed to the number of interfaces you told it?  i tried a quick
check just now and dhcpd only had one bpf open on a system with two
physical interfaces.  is something perhaps forwarding the dhcp request
such that dhcpd picks up the request from the outside interface as it
passes out through the internal interface?

>This, of itself, is pretty clearly a bug in dhcpd.  The fact that dhcpd
>in addition uses bpf, and is thus not wrappable with ipfilter makes the
>matter even worse.

the actual use of bpf aside, if dhcpd is opening and attaching more
bpfs than it is supposed to (as rarpd used to), then that's
definitely a bug.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
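The check Andrew suggests, as an added example that is not part of the original thread: count the bpf descriptors the dhcpd process holds and compare that with how many interfaces it was told to serve and how many exist on the box. On NetBSD the live commands would be `fstat -p "$(pgrep -x dhcpd)"` and `ifconfig -l` (on systems with lsof, `lsof -p PID` gives the same information); the SAMPLE_* strings below are constructed stand-ins for that output so the script runs offline, and the exact fstat column layout in them is an assumption. The functions only rely on the word "bpf" appearing in a descriptor line.

```shell
#!/bin/sh
# Added example, not code from the original mail or from dhcpd/NetBSD.
# Compares the number of bpf descriptors held by dhcpd against the number
# of interfaces it was configured for, to tell "one bpf per served
# interface" (expected) from "one bpf per interface on the host" (the
# behaviour Jim describes).
#
# Live use on NetBSD:
#     fstat -p "$(pgrep -x dhcpd)"    # open descriptors of the dhcpd process
#     ifconfig -l                     # all interface names on the host

# Constructed fstat output: dhcpd holding one bpf descriptor for each of the
# two physical interfaces although rc.conf named only one of them. The
# column layout is an assumption; only the "bpf" token matters below.
SAMPLE_FSTAT_ALL='USER     CMD          PID   FD MOUNT       INUM MODE        SZ|DV R/W
root     dhcpd        312   wd /              2 drwxr-xr-x    512 r
root     dhcpd        312    0 /              6 crw-rw-rw-   null rw
root     dhcpd        312    3* internet dgram udp *:67
root     dhcpd        312    4 /            100 crw-------    bpf rw
root     dhcpd        312    5 /            101 crw-------    bpf rw'

# Constructed fstat output matching what Andrew observed: a single bpf.
SAMPLE_FSTAT_ONE='USER     CMD          PID   FD MOUNT       INUM MODE        SZ|DV R/W
root     dhcpd        312    3* internet dgram udp *:67
root     dhcpd        312    4 /            100 crw-------    bpf rw'

# Constructed `ifconfig -l` output: two physical interfaces plus loopback.
SAMPLE_IFLIST='fxp0 fxp1 lo0'

# count_bpf_fds: number of bpf device descriptors in fstat output on stdin.
# awk instead of grep -c so that zero matches prints 0 rather than failing.
count_bpf_fds() {
    awk '$0 ~ /[ \t]bpf([ \t]|$)/ { n++ } END { print n + 0 }'
}

# count_ifs: number of non-loopback interfaces in `ifconfig -l` output on stdin.
count_ifs() {
    tr ' ' '\n' | awk 'NF && $0 !~ /^lo[0-9]/ { n++ } END { print n + 0 }'
}

# bpf_scope_verdict FSTAT_TEXT IFLIST_TEXT CONFIGURED
# Prints "ok" and returns 0 when dhcpd holds no more bpf descriptors than
# the number of interfaces it was configured for; prints "excess" and
# returns 1 when it holds more (e.g. one per interface on the host).
bpf_scope_verdict() {
    bpf=$(printf '%s\n' "$1" | count_bpf_fds)
    total=$(printf '%s\n' "$2" | count_ifs)
    configured=$3
    if [ "$bpf" -gt "$configured" ]; then
        echo "excess: dhcpd holds $bpf bpf descriptor(s) for $configured configured interface(s) of $total total"
        return 1
    fi
    echo "ok: dhcpd holds $bpf bpf descriptor(s) for $configured configured interface(s) of $total total"
    return 0
}

# Stand-alone run: both constructed scenarios, dhcpd configured for one interface.
bpf_scope_verdict "$SAMPLE_FSTAT_ALL" "$SAMPLE_IFLIST" 1 || :
bpf_scope_verdict "$SAMPLE_FSTAT_ONE" "$SAMPLE_IFLIST" 1 || :
```

A bpf count equal to the number of configured interfaces is the expected state; a count that instead matches the number of interfaces on the host is the over-attachment Andrew says would be a bug. A count within bounds does not rule out Andrew's other explanation, a request forwarded from the outside interface and picked up as it leaves through the inside one, so the descriptor check and a look at where the offending packets actually arrive go together.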