From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
cc: "heath, Chia Hui Chen"
Date: Sun, 9 Jan 2005 01:24:38 +0100
Subject: Re: ipfw + MAC nothing happens?
Message-Id: <200501090124.55534.4711@chello.at>
In-Reply-To: <200501082236.24796.4711@chello.at>

On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> On Saturday 08 January 2005 17:46, heath, Chia Hui Chen wrote:
> > It's strange.
> > I use two computers to test.
> > One called A (00:e0:18:62:xx:xx)
> > another called B.
> >
> > And the ruleset is the same as you said.
> > I tried rebooting and used A to connect to port 443 of one site.
> > IPFW output is below:
> > ============================================================
>
> The diverted packets are not layer-2 packets, so they must be able to
> bypass the layer-2 rules. In our case all diverted packets match rule 30,
> because neither of the two layer-2 rules (10 and 20) applies.
> So please add the rule below to your ruleset. If this doesn't work, I will
> try to reproduce this on one of my boxes.

Sorry, I'm kinda braindead today ...

    00030 3 144 deny tcp from any to any dst-port 443

The above rule will not work, because at ip_input the layer-2 headers are
already stripped off and the packet will be treated as a layer-3 packet.

Good news is: I tested another solution on one of my boxen. The result is
that all filtering on MAC _and_ port must be done on layer-2. I also forgot
to add the necessary rules to allow layer-2 packets in the last example
(shame on me). So here are the rules I tested, but I did not test them with
natd enabled and the divert rule.

    # Bypass all packets w/o layer-2 headers
    ipfw add 10 skipto 30 all from any to any not layer2

    # Branch to MAC filter, if we find layer-2 and dst-port 443
    ipfw add 11 skipto 20 all from any to any 443 layer2

    # For all other layer-2 packets jump to rule 30
    ipfw add 12 skipto 30 MAC any any

    # MAC filter for layer-2 packets we got from rule 11
    ipfw add 20 deny MAC any 00:e0:18:62:xx:xx

    # Allow rest of layer-2 packets
    ipfw add 30 pass MAC any any

    # Process packets as usual
    00050 divert 8668 ip from any to any via fxp0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65000 allow ip from any to any
    65535 deny ip from any to any

============================================================

PS: I would also think about users that try to circumvent the rules by
using proxies and/or users that are smart enough to spoof their MAC
addresses.

- --
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
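The following is an added worked example and is not part of Christian's mail or of ipfw itself. It is a small Python model of how ipfw walks a ruleset (numeric order, skipto resuming at the first rule numbered at or above the target) and of the point the mail makes: one frame is filtered twice, once at layer 2 with the Ethernet header present and once at ip_input after the header has been stripped, so any rule that needs a MAC address (even `MAC any any`) can only match in the first pass. The ruleset is the one posted above; rules 50 to 300 (the natd divert and the lo0 rules) are left out of the model. The MAC `00:e0:18:62:aa:bb` stands in for host A's masked `00:e0:18:62:xx:xx`, and host B's MAC is constructed. The `ether_ipfw` flag is an assumption standing for the `net.link.ether.ipfw` sysctl, which must be 1 for the layer-2 pass to happen at all.

```python
"""Model of ipfw rule traversal: layer-2 pass, then layer-3 pass (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

A_MAC = "00:e0:18:62:aa:bb"   # stand-in for host A's 00:e0:18:62:xx:xx from the thread
B_MAC = "00:11:22:33:44:55"   # constructed MAC for host B


@dataclass(frozen=True)
class Packet:
    dst_port: int
    src_mac: Optional[str]    # None once ip_input has stripped the Ethernet header
    layer2: bool              # True only during the layer-2 (ether_input) pass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                            # "allow", "deny" or "skipto"
    target: int = 0                        # skipto destination
    dst_port: Optional[int] = None
    layer2: Optional[bool] = None          # True: 'layer2', False: 'not layer2'
    mac: Optional[Tuple[str, str]] = None  # (dst, src) as in 'MAC dst src'; "any" wildcard

    def matches(self, pkt: Packet) -> bool:
        if self.layer2 is not None and pkt.layer2 != self.layer2:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.mac is not None:
            # A MAC option can only match while the Ethernet header is present;
            # even 'MAC any any' fails after ip_input has stripped it.
            if pkt.src_mac is None:
                return False
            want_src = self.mac[1]
            if want_src != "any" and want_src.lower() != pkt.src_mac.lower():
                return False
        return True


def run_pass(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """One traversal of the ruleset in numeric order; returns (verdict, rule number)."""
    ordered = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(ordered):
        r = ordered[i]
        if not r.matches(pkt):
            i += 1
            continue
        if r.action == "skipto":
            # skipto N resumes at the first rule numbered >= N
            i = next((j for j, s in enumerate(ordered) if s.number >= r.target), len(ordered))
            continue
        return r.action, r.number
    return "deny", 65535  # implicit default rule


# The ruleset posted in the mail (natd divert and lo0 rules 50..300 omitted).
RULESET = [
    Rule(10, "skipto", target=30, layer2=False),               # bypass packets w/o layer-2 headers
    Rule(11, "skipto", target=20, dst_port=443, layer2=True),  # layer-2 and dst-port 443 -> MAC filter
    Rule(12, "skipto", target=30, mac=("any", "any")),         # all other layer-2 packets -> 30
    Rule(20, "deny", mac=("any", A_MAC)),                      # MAC filter for packets sent by rule 11
    Rule(30, "allow", mac=("any", "any")),                     # allow the rest of layer-2 packets
    Rule(65000, "allow"),
    Rule(65535, "deny"),
]

# The layer-3 attempt that the mail says "will not work": no MAC is visible
# at ip_input, so it blocks port 443 for every host, not just A.
BROKEN_RULESET = [Rule(30, "deny", dst_port=443), Rule(65000, "allow"), Rule(65535, "deny")]


def filter_frame(src_mac: str, dst_port: int, rules: List[Rule] = RULESET,
                 ether_ipfw: bool = True) -> Tuple[str, int]:
    """Filter one Ethernet frame carrying TCP to dst_port through both passes.

    ether_ipfw stands for sysctl net.link.ether.ipfw (assumption): when it is 0
    there is no layer-2 pass, so MAC-based rules never get a chance to fire."""
    if ether_ipfw:
        verdict, num = run_pass(rules, Packet(dst_port, src_mac, layer2=True))
        if verdict == "deny":
            return verdict, num
    # ip_input: same packet, Ethernet header already stripped off
    return run_pass(rules, Packet(dst_port, None, layer2=False))


if __name__ == "__main__":
    print("A -> 443            :", filter_frame(A_MAC, 443))
    print("B -> 443            :", filter_frame(B_MAC, 443))
    print("A -> 80             :", filter_frame(A_MAC, 80))
    print("A -> 443, no L2 pass:", filter_frame(A_MAC, 443, ether_ipfw=False))
    print("B -> 443, broken set:", filter_frame(B_MAC, 443, rules=BROKEN_RULESET))
```

The two checks worth taking to a real box: with `sysctl net.link.ether.ipfw=1` unset, the model shows A's port-443 traffic sailing through to rule 65000 because the MAC rules are never consulted, which is exactly the "nothing happens" symptom in the subject line; and the PS still stands, since a host that changes its MAC simply stops matching rule 20.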