Date: Sun, 9 Jan 2005 01:24:38 +0100
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
Cc: "heath, Chia Hui Chen" <heath0504@gmail.com>
Subject: Re: ipfw + MAC nothing happens?
Message-ID: <200501090124.55534.4711@chello.at>
In-Reply-To: <200501082236.24796.4711@chello.at>
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l> <200501082236.24796.4711@chello.at>

On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> On Saturday 08 January 2005 17:46, heath, Chia Hui Chen wrote:
> > It's strange.
> > I use two computers to test.
> > One called A (00:e0:18:62:xx:xx)
> > another called B.
> >
> > And the ruleset is the same as you said.
> > I tried rebooting and used A to connect to port 443 of one site.
> > IPFW output is below:
> > ============================================================
>
> The diverted packets are not layer-2 packets, so they must be able to
> bypass the layer-2 rules. In our case all diverted packets match rule 30,
> because neither of the two layer-2 rules (10 and 20) applies.
> So please add the rule below to your ruleset. If this doesn't work, I will
> try to reproduce this on one of my boxes.

Sorry, I'm kinda braindead today ...

00030 3 144 deny tcp from any to any dst-port 443

The above rule will not work, because at ip_input the layer-2 headers are
already stripped off and the packet will be treated as a layer-3 packet.

The good news is: I tested another solution on one of my boxen. The result is
that all filtering on MAC _and_ port must be done on layer-2. I also forgot to
add the necessary rules to allow layer-2 packets in the last example (shame on
me). So here are the rules I tested, but I did not test them with natd enabled
and the divert rule.

# Bypass all packets w/o layer-2 headers
ipfw add 10 skipto 30 all from any to any not layer2
# Branch to MAC filter, if we find layer-2 and dst-port 443
ipfw add 11 skipto 20 all from any to any 443 layer2
# For all other layer-2 packets jump to rule 30
ipfw add 12 skipto 30 MAC any any
# MAC filter for layer-2 packets we got from rule 11
ipfw add 20 deny MAC any 00:e0:18:62:xx:xx
# Allow rest of layer-2 packets
ipfw add 30 pass MAC any any
# Process packets as usual
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
============================================================

PS: I would also think about users that try to circumvent the rules by using
proxies and/or users that are smart enough to spoof their MAC addresses.

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200501090124.55534.4711>
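
The two-pass behaviour described in the message above (a frame is checked once with its Ethernet header and again at ip_input without it), as an added example that is not part of the original e-mail: a toy Python model of rules 10 to 30. It assumes the layer-3 rules reduce to the final `65000 allow`, does not model divert/natd, and uses the masked MAC from the message as a placeholder.

```python
# Added illustration: a toy model of the five layer-2 rules from the message.
# Assumptions: packets carry only the fields used below, and the layer-3
# rules (50 and up) are reduced to the final "65000 allow".
BLOCKED = "00:e0:18:62:xx:xx"  # placeholder MAC, masked exactly as in the message

def l2(p):
    return p["layer2"]

# (rule number, action, skipto target, match predicate)
RULES = [
    (10, "skipto", 30, lambda p: not l2(p)),                    # not layer2
    (11, "skipto", 20, lambda p: l2(p) and p["dport"] == 443),  # 443 layer2
    (12, "skipto", 30, lambda p: l2(p)),                        # MAC any any
    (20, "deny", None, lambda p: l2(p) and p["src_mac"] == BLOCKED),
    (30, "pass", None, lambda p: l2(p)),                        # MAC any any
]

def run_pass(pkt):
    """Walk the rules once; return (verdict, numbers of the rules that matched)."""
    i, trace = 0, []
    while i < len(RULES):
        num, action, target, match = RULES[i]
        if match(pkt):
            trace.append(num)
            if action == "skipto":
                # Continue at the first rule numbered >= target.
                i = next(j for j, r in enumerate(RULES) if r[0] >= target)
                continue
            return action, trace
        i += 1
    return "pass", trace + [65000]  # fell through to the layer-3 rules

def verdict(src_mac, dport):
    """A frame is checked as layer 2 first, then again as a layer-3 packet."""
    v, t1 = run_pass({"layer2": True, "src_mac": src_mac, "dport": dport})
    if v == "deny":
        return "deny", t1
    # At ip_input the Ethernet header is gone, so MAC options cannot match.
    v, t2 = run_pass({"layer2": False, "src_mac": None, "dport": dport})
    return v, t1 + t2

if __name__ == "__main__":
    # Constructed inputs: the masked MAC on two ports, and an unrelated MAC.
    for mac, port in [(BLOCKED, 443), (BLOCKED, 80), ("00:11:22:33:44:55", 443)]:
        print(mac, port, verdict(mac, port))
```

On a live FreeBSD host the layer-2 pass only happens when the `net.link.ether.ipfw` sysctl is set to 1; without it, rules 11 to 30 never see a frame.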