gugus

ipfw get IP by DHCP on re0 (without rules allowing it)

Jan 2nd, 2015
#!/bin/sh
fwcmd="/sbin/ipfw -q"
# Address lists are comma-separated without spaces, so each expands to a single
# argument for ipfw (the listing below shows them in exactly this form).
RFC1918="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
INTERNAL_LANS="10.1.2.96/27,10.1.3.24/29"
# re0:   interface facing the Internet (gets its IP by DHCP)
# re1:   internal LAN interface
# wlan0: internal Wi-Fi interface
# tun0:  OpenVPN tunnel
# Flush the rule list before we begin.
${fwcmd} -f flush
# Do not filter on loopback, the internal interfaces or the OpenVPN tunnel.
${fwcmd} add pass ip from any to any via lo0
${fwcmd} add pass ip from any to any via lo1
${fwcmd} add pass ip from any to any via re1
${fwcmd} add pass ip from any to any via wlan0
${fwcmd} add pass ip from any to any via tun0
# Create a NAT instance bound to re0: keep source ports where possible, translate
# only unregistered (RFC1918) sources, and reset the table when re0's address changes.
${fwcmd} nat 123 config if re0 same_ports unreg_only reset
# Pass incoming packets on re0 through the NAT instance
${fwcmd} add nat 123 ip from any to any in via re0
# Check incoming packets against the dynamic (stateful) rule table
${fwcmd} add check-state
# Allow ICMP from the router itself
${fwcmd} add pass icmp from me to any out via re0 keep-state
# Allow DNS from the router itself
${fwcmd} add pass udp from me to any 53 out via re0 keep-state
# Allow NTP from the router itself
${fwcmd} add pass udp from me to any 123 out via re0 keep-state
# Allow OpenVPN from the router itself
${fwcmd} add pass udp from me to any 1195 out via re0 keep-state
# Never emit packets with an RFC1918 destination on the Internet (in case the tunnel is down)
${fwcmd} add deny ip from any to ${RFC1918} out via re0
# NAT the internal networks when they exit to the Internet
${fwcmd} add nat 123 ip from ${INTERNAL_LANS} to any out via re0

[manager@router]~> sudo ipfw -a l
ipfw: DEPRECATED: 'l' matched 'list' as a sub-string
00100 0 0 allow ip from any to any via lo0
00200 0 0 allow ip from any to any via lo1
00300 6 408 allow ip from any to any via re1
00400 6 408 allow ip from any to any via wlan0
00500 24 2284 allow ip from any to any via tun0
00600 134 15118 nat 123 ip from any to any in via re0
00700 0 0 check-state
00800 0 0 allow icmp from me to any out via re0 keep-state
00900 7 484 allow udp from me to any dst-port 53 out via re0 keep-state
01000 48 3648 allow udp from me to any dst-port 123 out via re0 keep-state
01100 86 10979 allow udp from me to any dst-port 1195 out via re0 keep-state
01200 0 0 deny ip from any to 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 out via re0
01300 0 0 nat 123 ip from 10.239.142.96/27,10.239.143.24/29 to any out via re0
65535 0 0 deny ip from any to any

[manager@router]~> sysrc ifconfig_re0
ifconfig_re0: DHCP
[manager@router]~> ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 00:0d:b9:33:13:24
	inet6 fe80::20d:b9ff:fe33:1324%re0 prefixlen 64 scopeid 0x1
	inet 192.168.100.70 netmask 0xffffff00 broadcast 192.168.100.255
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
[manager@router]~> uname -a
FreeBSD olivier 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r275821M: Thu Dec 18 01:39:49 CET 2014 root@SM1.orange.bsdrp.net:/usr/obj/EINE.amd64/usr/local/BSDRP/EINE/FreeBSD/src/sys/amd64 amd64

=> How can it get an IP address by DHCP?
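Editor's note with an added example (not part of the paste): the script below is an offline dry run of the `ipfw -a list` output above. It parses the listing verbatim and walks it for a given packet the way ipfw does for the keywords this ruleset uses: first terminal match wins, `check-state` is skipped because the simulation has no dynamic states, and `nat` is modelled with `net.inet.ip.fw.one_pass`, which defaults to 1 on FreeBSD. With one_pass set, a packet that matches a `nat` rule is accepted right there and never visits the rules below it; with `one_pass=0` it is reinjected at the next rule. Assumptions made here: `me` resolves only to 192.168.100.70 (the one address the ifconfig output shows), 192.168.100.1 is taken as the upstream DHCP server, 10.239.142.100 is a LAN client inside the NAT range of rule 01300, and 198.51.100.0/24 (a documentation range) stands in for Internet hosts.

Two things the walk shows. First, no rule admits DHCP through the filter in either direction: an outbound DHCPDISCOVER falls to 65535 deny, a unicast renewal to the server is denied by rule 01200 because the upstream network itself is RFC1918, and an inbound DHCPOFFER only gets in via rule 00600 under one_pass. The lease is obtained anyway because dhclient(8) sends and receives DHCP through bpf(4), which taps the interface below the IP layer where ipfw's pfil(9) hooks sit, so ipfw never sees the exchange. Second, the caveat a practitioner should take from this ruleset: with the default `one_pass=1`, rule 00600 accepts every inbound re0 packet that the NAT instance lets through (the instance is configured without `deny_in`), so the rules below it never filter inbound traffic; the counters agree (134 packets on 00600, none on check-state or 65535). The same default is what makes rule 01300 work at all: with `one_pass=0` the translated LAN traffic would fall to 65535 deny.

```python
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The `ipfw -a list` output printed on this page, verbatim (counters included).
RULESET = """\
00100 0 0 allow ip from any to any via lo0
00200 0 0 allow ip from any to any via lo1
00300 6 408 allow ip from any to any via re1
00400 6 408 allow ip from any to any via wlan0
00500 24 2284 allow ip from any to any via tun0
00600 134 15118 nat 123 ip from any to any in via re0
00700 0 0 check-state
00800 0 0 allow icmp from me to any out via re0 keep-state
00900 7 484 allow udp from me to any dst-port 53 out via re0 keep-state
01000 48 3648 allow udp from me to any dst-port 123 out via re0 keep-state
01100 86 10979 allow udp from me to any dst-port 1195 out via re0 keep-state
01200 0 0 deny ip from any to 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 out via re0
01300 0 0 nat 123 ip from 10.239.142.96/27,10.239.143.24/29 to any out via re0
65535 0 0 deny ip from any to any
"""
# Assumption: `me` is only the re0 address ifconfig shows; the real router has more.
ME = {ipaddress.ip_address("192.168.100.70")}
_ACTIONS = {"allow": "allow", "accept": "allow", "pass": "allow", "deny": "deny",
            "drop": "deny", "nat": "nat", "check-state": "check-state"}


@dataclass
class Rule:
    number: int
    action: str                      # allow | deny | nat | check-state
    proto: str = "ip"
    src: str = "any"                 # any | me | comma-separated CIDR list (dst likewise)
    dst: str = "any"
    dst_ports: Tuple[int, ...] = ()
    direction: Optional[str] = None  # in | out | None (either)
    via: Optional[str] = None        # interface name, matched in either direction

# A single packet to walk through the rules; dport is None for protocols without ports.
Packet = namedtuple("Packet", "proto src dst direction iface dport", defaults=(None,))


def parse_rule(line: str) -> Rule:
    """Parse one line of `ipfw list` / `ipfw -a list` output (counters optional)."""
    m = re.match(r"^(\d+)\s+(?:\d+\s+\d+\s+)?(.+)$", line.strip())
    if not m:
        raise ValueError(f"not an ipfw rule: {line!r}")
    toks = m.group(2).split()
    action = _ACTIONS[toks[0]]
    rule = Rule(int(m.group(1)), action)
    toks = toks[2:] if action == "nat" else toks[1:]   # nat carries an instance number
    rule.proto = toks.pop(0) if toks else "ip"
    while toks:
        t = toks.pop(0)
        if t in ("from", "to", "via"):
            setattr(rule, {"from": "src", "to": "dst", "via": "via"}[t], toks.pop(0))
        elif t == "dst-port":
            rule.dst_ports = tuple(int(p) for p in toks.pop(0).split(","))
        elif t in ("in", "out"):
            rule.direction = t
        elif t != "keep-state":   # state creation is irrelevant to a single-packet walk
            raise ValueError(f"rule {rule.number}: unsupported keyword {t!r}")
    return rule


def _addr_match(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "me":
        return ip in ME
    return any(ip in ipaddress.ip_network(n, strict=False) for n in spec.split(","))


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto in ("ip", "all") or rule.proto == pkt.proto)
            and rule.direction in (None, pkt.direction)
            and rule.via in (None, pkt.iface)
            and (not rule.dst_ports or pkt.dport in rule.dst_ports)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool = True) -> Tuple[int, str]:
    """(rule number, verdict) of the first terminal match; verdict is allow, deny or nat.
    A nat match is terminal only under one_pass (net.inet.ip.fw.one_pass=1, the default)."""
    for rule in rules:
        if rule.action == "check-state":   # no dynamic states exist in this dry run
            continue
        if matches(rule, pkt) and (rule.action != "nat" or one_pass):
            return rule.number, rule.action
    raise RuntimeError("ruleset has no default rule")


RULES = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]

# Constructed packets: 198.51.100.0/24 is a documentation range standing in for Internet
# hosts, 192.168.100.1 is assumed to be the upstream DHCP server, 10.239.142.100 a LAN client.
DHCP_OFFER_IN = Packet("udp", "192.168.100.1", "255.255.255.255", "in", "re0", dport=68)
DHCP_DISCOVER_OUT = Packet("udp", "0.0.0.0", "255.255.255.255", "out", "re0", dport=67)
DHCP_RENEW_OUT = Packet("udp", "192.168.100.70", "192.168.100.1", "out", "re0", dport=67)
DNS_OUT = Packet("udp", "192.168.100.70", "198.51.100.53", "out", "re0", dport=53)
LAN_CLIENT_OUT = Packet("tcp", "10.239.142.100", "198.51.100.80", "out", "re0", dport=443)
```

Usage: `evaluate(RULES, DHCP_OFFER_IN)` returns `(600, "nat")` and `evaluate(RULES, DHCP_OFFER_IN, one_pass=False)` returns `(65535, "deny")`; `evaluate(RULES, DHCP_DISCOVER_OUT)` is `(65535, "deny")` and `evaluate(RULES, DHCP_RENEW_OUT)` is `(1200, "deny")` whatever one_pass is. The walker only knows the keywords present in this listing and raises on anything else, so extend `parse_rule` and `matches` before pointing it at another ruleset; it is a reading aid for a listing, not a replacement for testing on the box.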