From owner-freebsd-questions@FreeBSD.ORG Mon Jun 11 03:21:02 2012
Date: Sun, 10 Jun 2012 20:21:00 -0700
From: "Brian W."
To: Bill Yuan
Cc: freebsd-questions@freebsd.org, Ian Smith
Subject: Re: how to allow by MAC
References: <20120610120041.4D0F610657C3@hub.freebsd.org> <20120611025332.N46641@sola.nimnet.asn.au>
List-Id: User questions

I would ask what problem do you want to solve here; is it preventing a user just from getting out unless they are using their assigned address, or something else?

On Jun 10, 2012 8:16 PM, "Bill Yuan" wrote:
> Hi Ian,
>
> Thanks for your reply, I am reading some old emails which you sent in 2008
> when someone elsewhere asked the same question as mine.
>
>
> On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith wrote:
>
> > In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
> > On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan wrote:
> >
> > > how to allow by MAC in ipfw
> > >
> > > currently i set the rule like below
> > >
> > > 1 allow ip from any to any MAC any to
> > > 1 allow ip from any to any MAC any
> > > 2 deny all from any to any
> > >
> > > i want to only allow the mac address to go through the freebsd firewall,
> > >
> > > but I found it is not working on my freebsd but it works on pfsense!
> > >
> > > so maybe that means the environment is not the same ? and how to setup the
> > > ipfw properly to support this ?
> >
> > Bill, you did get some good clues in the earlier thread, but it's not
> > clear if you took note of them. There's also been some confusion ..
> >
> > Firstly, read up on layer2 (ethernet, MAC-level) filtering options in
> > ipfw(8). Thoroughly, several times, until you've got it. Seriously.
> >
> > After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf)
> > ipfw will be invoked 4 times instead of the normal 2, on every packet.
> >
> > Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the
> > inbound pass invoked from ether_demux() and the outbound pass invoked
> > from ether_output_frame() can you test for MAC addresses (or mac-types);
> > the 'normal' layer3 passes examine packets that have no layer2 headers.
> >
> > You could just add 'layer2' to any rules filtering on MAC addresses, and
> > omit MAC addresses from all layer 3 (IP) rules, but I'd recommend using
> > a method like shown there to separate layer2 and layer3 flows early on:
> >
> > # packets from ether_demux
> > ipfw add 10 skipto 1000 all from any to any layer2 in
> > # packets from ip_input
> > ipfw add 10 skipto 2000 all from any to any not layer2 in
> > # packets from ip_output
> > ipfw add 10 skipto 3000 all from any to any not layer2 out
> > # packets from ether_output_frame
> > ipfw add 10 skipto 4000 all from any to any layer2 out
> >
> > So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering
> > rules (remembering the reversed order of MAC addresses vs IP addresses,
> > and to allow broadcasts as well), pass good guys and/or block bad guys,
> > then deal with your normal IPv4|v6 traffic in a separate section(s).
> >
> > Or you could just split the flows into two streams, one for layer2 for
> > your MAC filtering, the other for layer3, ie the rest of your ruleset.
> >
> > HTH, Ian [please cc me on any reply]
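As an added example that is not part of the thread, here is a shell script that generates the split ruleset Ian describes, keeping MAC matching in the 1000/4000 layer2 sections only and honouring the reversed "MAC dst src" order and the broadcast allowance; the MAC values are constructed samples, the 2000/3000 bodies are placeholders, and loading via `ipfw -q /dev/stdin` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw ruleset that splits the four
# passes the way Ian describes, then filters on MAC only in the layer2 sections.
# Assumes net.link.ether.ipfw=1 is already set. ALLOWED_MACS are constructed
# sample values; the 2000/3000 bodies are placeholders for your real IP rules.

ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"  # constructed sample values
BCAST="ff:ff:ff:ff:ff:ff"

# One rule in ipfw script-file form ("add ..."), printed rather than applied.
rule() { printf 'add %s\n' "$*"; }

gen_ruleset() {
    # Split the passes early; each of the four passes matches exactly one.
    rule 10 skipto 1000 all from any to any layer2 in       # from ether_demux
    rule 10 skipto 2000 all from any to any not layer2 in   # from ip_input
    rule 10 skipto 3000 all from any to any not layer2 out  # from ip_output
    rule 10 skipto 4000 all from any to any layer2 out      # from ether_output_frame

    # 1000: inbound frames. ipfw MAC syntax is "MAC dst src", the reverse of
    # IP rules, so the sender we trust goes in the second slot.
    for m in $ALLOWED_MACS; do
        rule 1000 allow all from any to any MAC any "$m" in
    done
    rule 1099 deny all from any to any layer2 in

    # 4000: outbound frames. Trusted host as destination, plus broadcast
    # (the firewall's own ARP requests would otherwise be dropped here).
    for m in $ALLOWED_MACS; do
        rule 4000 allow all from any to any MAC "$m" any out
    done
    rule 4000 allow all from any to any MAC "$BCAST" any out
    rule 4099 deny all from any to any layer2 out

    # 2000/3000: normal layer3 rules, with no MAC matching at all.
    rule 2000 allow all from any to any in    # placeholder for real IP rules
    rule 3000 allow all from any to any out   # placeholder for real IP rules
}

# Checks to run before loading: how many rules match on MAC, and whether
# any of them leaked into the layer3 sections (must be zero).
mac_rule_count() { gen_ruleset | grep -c ' MAC '; }
layer3_mac_rule_count() {
    gen_ruleset | grep -E '^add [23]000 ' | grep -c ' MAC ' || true
}

if [ "${1:-}" = "apply" ]; then
    gen_ruleset | ipfw -q /dev/stdin   # assumed: load as an ipfw(8) script file
fi
```

Run without arguments to review the generated rules on stdout; `apply` loads them.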