From owner-freebsd-questions@FreeBSD.ORG Sun Jun 10 17:54:02 2012
Date: Mon, 11 Jun 2012 03:53:57 +1000 (EST)
From: Ian Smith
To: Bill Yuan
Cc: freebsd-questions@freebsd.org
Subject: Re: how to allow by MAC
Message-ID: <20120611025332.N46641@sola.nimnet.asn.au>
In-Reply-To: <20120610120041.4D0F610657C3@hub.freebsd.org>

In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan wrote:

> How to allow by MAC in ipfw?
>
> Currently I set the rules like below:
>
>   1 allow ip from any to any MAC any to
>   1 allow ip from any to any MAC any
>   2 deny all from any to any
>
> I want to only allow the MAC address to go through the FreeBSD firewall,
> but I found it is not working on my FreeBSD, while it works on pfSense!
>
> So maybe that means the environment is not the same? And how do I set up
> ipfw properly to support this?

Bill, you did get some good clues in the earlier thread, but it's not clear if you took note of them. There's also been some confusion ..
Firstly, read up on layer2 (ethernet, MAC-level) filtering options in ipfw(8). Thoroughly, several times, until you've got it. Seriously.

After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf) ipfw will be invoked 4 times instead of the normal 2, on every packet. Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the inbound pass invoked from ether_demux() and the outbound pass invoked from ether_output_frame() can you test for MAC addresses (or mac-types); the 'normal' layer3 passes examine packets that have no layer2 headers.

You could just add 'layer2' to any rules filtering on MAC addresses, and omit MAC addresses from all layer3 (IP) rules, but I'd recommend using a method like the one shown there to separate layer2 and layer3 flows early on:

  # packets from ether_demux
  ipfw add 10 skipto 1000 all from any to any layer2 in
  # packets from ip_input
  ipfw add 10 skipto 2000 all from any to any not layer2 in
  # packets from ip_output
  ipfw add 10 skipto 3000 all from any to any not layer2 out
  # packets from ether_output_frame
  ipfw add 10 skipto 4000 all from any to any layer2 out

So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering rules (remembering the reversed order of MAC addresses vs IP addresses, and to allow broadcasts as well), pass good guys and/or block bad guys, then deal with your normal IPv4|v6 traffic in a separate section(s). Or you could just split the flows into two streams, one for layer2 for your MAC filtering, the other for layer3, ie the rest of your ruleset.

HTH, Ian

[please cc me on any reply]
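The ruleset Ian describes, written out as a complete script. This is an added example, not code from the mail, from Bill's box or from ipfw(8): it enables the layer2 passes, sends each of the four passes to its own section, admits a single hypothetical station MAC (ALLOWED_MAC, defaulting to a made-up 00:11:22:33:44:55) at layer 2, and keeps the layer 3 sections free of MAC options, since a MAC option on a pass that carries no ethernet header can never match and the packet just falls through to the deny, which is what Bill's two rules do without the sysctl. By default IPFW and SYSCTL expand to "echo ..." so the script only prints the rules it would load; point them at /sbin/ipfw and /sbin/sysctl on a FreeBSD host to apply them.

```shell
#!/bin/sh
# Added example (not from the original mail or from ipfw(8)): split the four
# ipfw passes and filter by station MAC only on the two layer2 passes.
# Offline by default: IPFW and SYSCTL expand to "echo ...", so rules are
# printed, not loaded. On FreeBSD run e.g.
#   IPFW=/sbin/ipfw SYSCTL=/sbin/sysctl ALLOWED_MAC=<mac> sh mac-filter.sh
IPFW="${IPFW:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"
ALLOWED_MAC="${ALLOWED_MAC:-00:11:22:33:44:55}"   # hypothetical station address
BCAST="ff:ff:ff:ff:ff:ff"                          # ethernet broadcast

# Emit one rule: $1 is the rule number, the remaining words are the rule body.
rule() {
    num=$1
    shift
    $IPFW add "$num" "$@"
}

# Rule 10, four times: send each pass to its own section, as the PACKET FLOW
# section of ipfw(8) suggests. Without net.link.ether.ipfw=1 the two layer2
# passes never happen, so no MAC option in the ruleset can ever match.
split_passes() {
    $SYSCTL net.link.ether.ipfw=1
    rule 10 skipto 1000 all from any to any layer2 in       # from ether_demux
    rule 10 skipto 2000 all from any to any not layer2 in   # from ip_input
    rule 10 skipto 3000 all from any to any not layer2 out  # from ip_output
    rule 10 skipto 4000 all from any to any layer2 out      # from ether_output_frame
}

# 1000-1999: frames coming off the wire. ipfw writes MAC as "dst src", the
# reverse of IP's "from src to dst", so the sending station is the SECOND
# address. "all" rather than "ip" so ARP frames are covered too; a frame the
# station broadcasts (ARP request, DHCP discover) has dst ff:.. and matches
# the "any" in the dst slot, so no extra broadcast rule is needed inbound.
mac_in() {
    rule 1000 allow all from any to any MAC any "$ALLOWED_MAC"
    rule 1999 deny all from any to any
}

# 4000-4999: frames about to leave. Now the station is the destination, and
# our own broadcasts (our ARP requests for the station) must be let through.
# IPv6 neighbour discovery uses multicast (33:33:..), not broadcast; add a
# rule for it if you filter IPv6 this way.
mac_out() {
    rule 4000 allow all from any to any MAC "$ALLOWED_MAC" any
    rule 4010 allow all from any to any MAC "$BCAST" any
    rule 4999 deny all from any to any
}

# 2000-3999: the ordinary IP policy. Deliberately no MAC options here: on
# these passes the packet has no ethernet header, a MAC option could never
# match, and the rule would silently fall through to the deny. The allow
# rules below are only a placeholder policy for the example.
ip_rules() {
    rule 2000 allow ip from any to any in
    rule 2999 deny ip from any to any
    rule 3000 allow ip from any to any out
    rule 3999 deny ip from any to any
}

# Produce the whole ruleset, in order, after flushing the old one.
build_ruleset() {
    $IPFW -f flush
    split_passes
    mac_in
    mac_out
    ip_rules
}

build_ruleset
```

A quick check after loading on a real box: `ipfw -a list` should show counters climbing on rule 1000 when the permitted station talks and on 1999 for everything else; if 1000 and 4000 never count, net.link.ether.ipfw is still 0 and the layer2 passes are not happening.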