Date: Tue, 7 Sep 2004 22:28:43 +0200
From: Robert Klein <RoKlein@roklein.de>
To: freebsd-ipfw@freebsd.org
Subject: Re: simple mac address filter
Message-ID: <200409072228.43818.RoKlein@roklein.de>
In-Reply-To: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com>
References: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com>
Hi,

On Tuesday, 7 September 2004 15:49, brisbanebsd@mac.com wrote:
> hi all - i am not sure where to post this question, I am
> trying to set up my first ipfw rule, but I just cannot get it
> to work.
>
> I need to set up MAC filtering on a 5.2.1 FreeBSD box. I am
> using the command
>
> ipfw add allow ip from any to any mac any 00:0d:93:81:82:1e
>
> I am just trying to allow traffic (at this stage) from one machine
> to the FreeBSD box.
>
> If I use
>
> ipfw add allow ip from any to any
>
> I can ping from the above NIC; when I add the first rule (as
> in the first example above) it stops.

Your problem is, you're "mixing" rules. You see, when a packet enters your computer, IPFW (IPFW2, that is) rules are checked twice: first at layer two, and later at layer three. Your first rule doesn't allow anything, because it fails at both tests: the first one fails because there are no "IP" packets at layer two, and the second one fails because there are no MAC addresses at layer three.

To get a better illustration of when the ruleset is checked, please read the section "PACKET FLOW" in the IPFW(8) man page.

Please ensure you've set the necessary system variables net.inet.ip.fw.enable=1 and net.link.ether.ipfw=1 to enable packet checking at level three and two, respectively.

Please see the script below; it is the one I use to allow access by MAC address. The first rule applying to your case is

$IPFW add allow all from any to any not layer2

which says "pass all IP traffic through". I'm not doing any filtering at IP level with IPFW2, so I can safely do this. The next rule is

$IPFW add allow layer2 out via em0

where I'm allowing all traffic out from the filtering box, regardless of MAC address. The third rule is

$IPFW add allow MAC any 00:0d:93:81:82:1e in via em0

where I allow the MAC stated there to pass the filter. My last rule there is

$IPFW add deny log logamount 0 MAC any any in via em0

which I use to get a logfile of every user using an unregistered MAC address...
#!/bin/sh
IPFW=/sbin/ipfw
# ALL="add allow all from any to any MAC any "
ALL="add allow MAC any "
EM="in via em0"

$IPFW -q flush
$IPFW -q pipe flush

# allow everything not on layer 2
$IPFW add allow all from any to any not layer2
# localhost traffic
$IPFW add allow layer2 via lo0
# outbound interface
$IPFW add allow layer2 via fxp0
# out via em0
$IPFW add allow layer2 out via em0
# in via em0; hostile internal network
$IPFW $ALL 00:0d:93:81:82:1e $EM
# some 40 other rules like the one before
$IPFW add deny log logamount 0 MAC any any $EM

Regards,
Robert
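The following is an added example and not code from either poster: a small POSIX sh script that builds the same kind of layer-2 allowlist ruleset Robert describes (layer-3 pass-through first, loopback, outbound, one allow per registered MAC, then a logging deny) from a list of MAC addresses passed on the command line. It assumes the inside interface is em0 unless IFACE is set, that ipfw lives at /sbin/ipfw, and it only prints the rules unless IPFW_APPLY=1 is set; the function names (sysctl_cmds, valid_mac, gen_rules, apply_rules) and the IPFW_APPLY variable are inventions of this example. It also validates each MAC before emitting anything, because a mistyped address becomes a rule that matches nothing and the host silently falls through to the final deny.

```shell
#!/bin/sh
# Added example (not Robert's script): generate an IPFW2 layer-2 MAC
# allowlist ruleset from a list of MAC addresses, in the order the reply
# describes. Assumptions: inside interface is em0 unless IFACE is set,
# ipfw is /sbin/ipfw, and rules are only printed unless IPFW_APPLY=1.

IFACE="${IFACE:-em0}"
IPFW="${IPFW:-/sbin/ipfw}"

# The two sysctls named in the reply; both must be 1, otherwise one of
# the two passes (layer 3 / layer 2) never sees the packet.
sysctl_cmds() {
    printf '%s\n' "sysctl net.inet.ip.fw.enable=1"
    printf '%s\n' "sysctl net.link.ether.ipfw=1"
}

# A MAC is exactly six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the ruleset, one ipfw argument list per line, for the MACs given
# as arguments. Prints nothing and fails if any MAC is malformed.
gen_rules() {
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    printf '%s\n' "-q flush"
    printf '%s\n' "-q pipe flush"
    # Layer-3 pass: the packet is checked a second time without MAC
    # fields, so this is the rule that lets IP traffic through then.
    printf '%s\n' "add allow all from any to any not layer2"
    printf '%s\n' "add allow layer2 via lo0"
    # Frames leaving through the inside interface are not filtered by MAC.
    printf '%s\n' "add allow layer2 out via $IFACE"
    for mac in "$@"; do
        printf '%s\n' "add allow MAC any $mac in via $IFACE"
    done
    # Last: drop and log every other frame arriving on the inside interface.
    printf '%s\n' "add deny log logamount 0 MAC any any in via $IFACE"
}

# Dry run by default; with IPFW_APPLY=1 each line is passed to ipfw.
apply_rules() {
    rules=$(gen_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        if [ "${IPFW_APPLY:-0}" = 1 ]; then
            # word splitting of $rule into ipfw arguments is intended
            $IPFW $rule
        else
            printf '%s %s\n' "$IPFW" "$rule"
        fi
    done
}

if [ $# -gt 0 ]; then
    sysctl_cmds
    apply_rules "$@"
fi
```

Run it as `sh macfilter.sh 00:0d:93:81:82:1e 00:11:22:33:44:55` to see the commands it would issue; only with `IPFW_APPLY=1` in the environment does it actually call ipfw. Keeping the per-MAC allows between the outbound allow and the final deny preserves the ordering Robert relies on: anything not on layer 2 is passed on the first line, so the MAC rules only ever decide the layer-2 pass.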