From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 9 07:48:57 2005
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
Cc: "heath, Chia Hui Chen"
Date: Sun, 9 Jan 2005 08:48:35 +0100
Subject: Re: ipfw + MAC nothing happens?
Message-Id: <200501090848.54123.4711@chello.at>
In-Reply-To: <018201c4f601$407b9e60$f8813b3d@linuxlmx20ji5l>
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <200501090124.55534.4711@chello.at> <018201c4f601$407b9e60$f8813b3d@linuxlmx20ji5l>
List-Id: IPFW Technical Discussions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 09 January 2005 05:11, heath, Chia Hui Chen wrote:
> It works, thank you very much.
>
> :)

Great! I just did some more testing.

On 5.3-STABLE things work as easy as:

ipfw add 10 skipto 50 all from any to any not layer2
ipfw add 20 deny tcp from any to any 443 MAC any 00:e0:18:62:xx:xx
ipfw add 30 pass MAC any any

00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
============================================================

I think the rules should also work for 5.2.1. The solution I posted in the
previous message has the advantage that you can build blocks of ports and
MACs, which are easy to maintain. However, it has the disadvantage that it
consists of more rules (esp. slow skipto rules) than the above solution
(which I derived from your question).

I read the ipfw manpage about 20 times in the last two years, and I always
thought it explained that it's not possible to mix up layer-2 and layer-3
filtering ...

Cheers,
ch

> ----- Original Message -----
> From: "Christian Hiris" <4711@chello.at>
> To:
> Cc: "heath, Chia Hui Chen"
> Sent: Sunday, January 09, 2005 8:24 AM
> Subject: Re: ipfw + MAC nothing happens?
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> > > The diverted packets are not layer-2 packets, so they must be able to
> > > bypass the layer-2 rules. In our case all diverted packets match rule 30,
> > > because none of the two layer-2 rules (10 and 20) applies.
> > > So please add the rule below to your ruleset. If this doesn't work, I will
> > > try to reproduce this on one of my boxes.
> >
> > Sorry, I'm kinda braindead today ...
> >
> > 00030 3 144 deny tcp from any to any dst-port 443
> >
> > The above rule will not work, because at ip_input the layer-2 headers are
> > already stripped off and the packet will be treated as a layer-3 packet.
> >
> > Good news is: I tested another solution on one of my boxen. The result
> > is that all filtering on MAC _and_ port must be done on layer-2. I also
> > forgot to add the necessary rules to allow layer-2 packets in the last
> > example (shame on me).
> >
> > So here are the rules I tested, but I did not test them with natd enabled
> > and the divert rule.
> >
> >
> > # Bypass all packets w/o layer-2 headers
> > ipfw add 10 skipto 30 all from any to any not layer2
> >
> > # Branch to MAC filter, if we find layer-2 and dst-port 443
> > ipfw add 11 skipto 20 all from any to any 443 layer2
> >
> > # For all other layer-2 packets jump to rule 30
> > ipfw add 12 skipto 30 MAC any any
> >
> > # MAC filter for layer-2 packets we got from rule 11
> > ipfw add 20 deny MAC any 00:e0:18:62:xx:xx
> >
> > # Allow rest of layer-2 packets
> > ipfw add 30 pass MAC any any
> >
> > # Process packets as usual
> >
> > 00050 divert 8668 ip from any to any via fxp0
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any
> > ============================================================
> >
> > PS: I would also think about users that try to circumvent the rules by
> > using proxies and/or users that are smart enough to spoof their MAC
> > addresses.
> >
> > - --
> > Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> > OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (FreeBSD)
> >
> > iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq
> > 87O4RZ1U19Hh4vznXIgYksg=
> > =Z5yx
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

- --
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFB4OHm09WjGjvKU74RApwqAJ9TSgOGztX2Ss9jLGYKsIDO3V+SZgCdH5vT
g4HWzPCWkqOUWsavDN3exkI=
=zlv4
-----END PGP SIGNATURE-----
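The thread turns on one detail of ipfw: with layer-2 filtering enabled, the same frame is run through the ruleset twice, once on the Ethernet layer with its MAC header attached and once at ip_input after that header is gone, which is why the MAC match has to live in the layer-2 pass and why the earlier layer-3 "deny tcp ... dst-port 443" attempt could not tell hosts apart. The following is an added example, not code from the thread and not ipfw; it is a small interpreter for just the rule primitives the 5.3-STABLE ruleset uses (skipto, deny, pass/allow, divert, "layer2"/"not layer2", "MAC dst src", a TCP destination port and "via <iface>") and walks a constructed packet through both passes. The MAC address and the sample packets are constructed stand-ins (the post masks the real MAC), and the divert handling assumes the default behaviour where a packet returning from natd continues at the rule after the divert.

```python
"""Model of the ipfw rule walk for the 5.3-STABLE ruleset in the thread.

Added educational example, not code from the post and not ipfw itself.
Only the primitives that ruleset uses are modelled; everything else ipfw
can do is ignored.  The MAC and packets below are constructed.
"""
from ipaddress import ip_address, ip_network

BLOCKED_MAC = "00:e0:18:62:aa:bb"   # constructed stand-in for the post's 00:e0:18:62:xx:xx


def in_net(addr, net):
    return ip_address(addr) in ip_network(net)


def mac_match(want, have):
    # 'any' matches any address, but a packet seen at ip_input has no MACs at
    # all, so a MAC option can never match on the layer-3 pass (as in ipfw).
    return have is not None and (want == "any" or want == have)


def rule(num, action, pred, target=None):
    return {"num": num, "action": action, "pred": pred, "target": target}


# The posted ruleset.  10-30 are the three 'ipfw add' lines with layer-2
# options; 50-65535 are the pre-existing layer-3 rules shown in the listing.
RULES = [
    rule(10, "skipto", lambda p: not p["layer2"], target=50),       # skipto 50 all from any to any not layer2
    rule(20, "deny", lambda p: p["proto"] == "tcp" and p["dport"] == 443   # deny tcp from any to any 443
                                and mac_match("any", p["dst_mac"])         #   MAC any 00:e0:18:62:xx:xx
                                and mac_match(BLOCKED_MAC, p["src_mac"])),
    rule(30, "pass", lambda p: mac_match("any", p["dst_mac"])              # pass MAC any any
                                and mac_match("any", p["src_mac"])),
    rule(50, "divert", lambda p: p["iface"] == "fxp0"),              # divert 8668 ip from any to any via fxp0
    rule(100, "allow", lambda p: p["iface"] == "lo0"),               # allow ip from any to any via lo0
    rule(200, "deny", lambda p: in_net(p["dst"], "127.0.0.0/8")),   # deny ip from any to 127.0.0.0/8
    rule(300, "deny", lambda p: in_net(p["src"], "127.0.0.0/8")),   # deny ip from 127.0.0.0/8 to any
    rule(65000, "allow", lambda p: True),                            # allow ip from any to any
    rule(65535, "deny", lambda p: True),                             # default deny
]


def walk(packet, rules=RULES):
    """Run one pass of a packet through the rules.

    Returns (verdict, rule_number, matched_rule_numbers).  Rules are tried
    in order, 'skipto N' resumes at the first rule numbered >= N, and a
    diverted packet is assumed to come back from natd and continue with the
    rule after the divert (ipfw's default one_pass=0 behaviour).
    """
    matched = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r["pred"](packet):
            i += 1
            continue
        matched.append(r["num"])
        if r["action"] == "skipto":
            i = next(k for k, x in enumerate(rules) if x["num"] >= r["target"])
        elif r["action"] == "divert":
            i += 1
        else:
            verdict = "allow" if r["action"] in ("allow", "pass") else "deny"
            return verdict, r["num"], matched
    return "deny", None, matched


def both_passes(src_mac, dport=443):
    """One constructed TCP packet as ipfw sees it twice: first on the
    Ethernet layer (MACs present), then at ip_input (layer-2 header gone)."""
    base = {"proto": "tcp", "src": "192.168.123.10", "dst": "203.0.113.5",
            "dport": dport, "iface": "fxp0"}
    at_layer2 = dict(base, layer2=True, src_mac=src_mac, dst_mac="00:11:22:33:44:55")
    at_ip_input = dict(base, layer2=False, src_mac=None, dst_mac=None)
    return walk(at_layer2), walk(at_ip_input)


if __name__ == "__main__":
    for mac in (BLOCKED_MAC, "00:e0:18:62:cc:dd"):
        l2, l3 = both_passes(mac)
        print(f"{mac}: layer-2 pass -> {l2}; ip_input pass -> {l3}")
```

Running it shows the two halves of the mechanism: a port-443 frame from the blocked MAC dies at rule 20 on the layer-2 pass and never reaches ip_input, while any other frame is accepted by rule 30 on that pass and is then inspected a second time as a plain IP packet, where rule 10 jumps straight past the MAC rules into the divert and the ordinary layer-3 rules.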