From: Guido Falsi
Date: Fri, 12 Jun 2015 10:24:05 +0200
To: Ian Smith
CC: John Reynolds, freebsd-net@freebsd.org
Subject: Re: question on NAT + IPFW
Message-ID: <557A9725.7050506@madpilot.net>
In-Reply-To: <20150612174047.Q74737@sola.nimnet.asn.au>
List-Id: Networking and TCP/IP with FreeBSD

On 06/12/15 10:07, Ian Smith wrote:
> On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote:
>  > > looks correct, assuming xl0 is your internal interface (better put it in
>  > > a variable and use the variable in your rules imho)
>  >
>  > Forgot one thing, working around this block is as easy as changing the
>  > machine IP, a teenager can learn this easily and it can be done in a lot
>  > of ways, even if they are not root (or equivalent) on their machine, they
>  > can just boot from a CD with some live OS. You could have a better block
>  > by also checking the MAC address, like this:
>  >
>  > $cmd 021 deny log MAC any 00:aa:00:00:00:00:01 via xl0
>  >
>  > (not tested)
>  >
>  > MAC addresses can be modified too but it's somewhat more difficult.
>
> While that's all true, blocking at layer 2 requires extra work that may
> be beyond what's needed here, to have ipfw deal with layer 2 traffic.
>
> sysctl net.link.ether.ipfw=1 must be set for ipfw to see layer 2 packets
> at all, and then you'd need to follow ipfw(8) section PACKET FLOW to
> separate the layer 2 and 3 traffic in order to look at MAC addresses on
> the appropriate one of the extra two passes through ipfw this entails.

Uhm, I forgot to check these details. Yes, layer 2 is a lot more work
anyway, I avoid it if possible.

I also did not read carefully the example given, my fault on that too :)

-- 
Guido Falsi
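The layer-2 setup Ian describes (net.link.ether.ipfw=1 plus a ruleset that keeps the extra layer-2 passes apart from the layer-3 rules, per ipfw(8) PACKET FLOW) is easy to get wrong, so here is a worked ruleset generator. It is an added example, not code from this thread or from the FreeBSD project. Assumptions not in the original: the internal interface is xl0 (as in the thread), the blocked MAC 00:11:22:33:44:55 is a constructed placeholder, the rule numbers are arbitrary, and the MAC match is written in ipfw(8) option position with the full "all from any to any" body rather than the shorthand quoted above. By default the script only prints the commands (DRY_RUN=1); on a FreeBSD router DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example, not from the thread: generate the ipfw rules that block one
# LAN host by source MAC address on the layer-2 passes net.link.ether.ipfw=1
# adds, keeping those passes separate from the layer-3 rules as the
# PACKET FLOW section of ipfw(8) describes.
# Constructed assumptions: interface xl0 (from the thread), placeholder MAC
# 00:11:22:33:44:55, arbitrary rule numbers.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Without this sysctl ipfw never sees Ethernet frames, so no rule can
# match a MAC address no matter how it is written.
enable_layer2() {
    run sysctl net.link.ether.ipfw=1
}

# mac_block_rules <mac> <lan_if>
# With net.link.ether.ipfw=1 each frame passes through ipfw twice more,
# once inbound and once outbound at layer 2 (where MAC addresses are
# visible), in addition to the usual layer-3 passes (where they are not).
# Rules 100-120 form the layer-2 section; any pass that is not a layer-2
# pass skips straight to the layer-3 section starting at rule 1000, so
# MAC-matching rules are only ever evaluated on frames.
mac_block_rules() {
    mac="$1"
    lan_if="$2"
    run ipfw -q add 100 skipto 1000 all from any to any not layer2
    # Frames entering on the LAN interface from the blocked host; the
    # source MAC only appears on inbound frames, hence "in via".
    run ipfw -q add 110 deny log all from any to any MAC any "$mac" in via "$lan_if" layer2
    # All other frames leave the layer-2 section untouched.
    run ipfw -q add 120 allow all from any to any layer2
    # Layer-3 rules (NAT, the existing IP-based rules) continue from here.
    run ipfw -q add 1000 count all from any to any
}

# Dry run of the whole sequence when executed directly.
enable_layer2
mac_block_rules 00:11:22:33:44:55 xl0
```

The deny at rule 110 drops the frame before any layer-3 processing, and the log keyword makes the attempts visible in the ipfw log, which is the useful signal here: a host that keeps showing up with a changed IP but the same MAC is exactly the evasion the thread is discussing.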