Date: Sat, 9 Jun 2012 11:12:49 +0200
From: Christian Hiris <4711@chello.at>
To: freebsd-questions@freebsd.org
Cc: Bill Yuan <bycn82@gmail.com>
Subject: Re: how to filter network by MAC and IP at the same time
Message-ID: <201206091112.50161.4711@chello.at>
In-Reply-To: <CAC+JH2wQcXY2fO2hbb6DH_PM60nKiPh9pBnDX1m2POFyCYRCAw@mail.gmail.com>
References: <CAC+JH2zw0+XrJG=xnnFWEh8_JkGc7YnnqFE2VAtQBS5T7RubbA@mail.gmail.com> <44y5nxy29s.fsf@be-well.ilk.org> <CAC+JH2wQcXY2fO2hbb6DH_PM60nKiPh9pBnDX1m2POFyCYRCAw@mail.gmail.com>
hi Bill,

afaik, in your case the packets are checked twice against the ipfw rules:
once for the layer2-filtering part and a second time for the ip-filtering
part.

1st enable filtering on ethernet demux/eth. output frame:

  # sysctl net.link.ether.ipfw=1

then start your fw-script:

  # -- snippet from fw-script -- #
  iif="em0"
  ip_client="192.168.123.45"
  ether_client="88:99:aa:bb:cc:dd"
  ether_broadcast="ff:ff:ff:ff:ff:ff"

  # layer2 pass (ether_demux / ether_output_frame): MAC header is present.
  # ipfw's MAC option takes dst-mac first, then src-mac.
  # broadcast frames sent by the client (ARP etc.)
  ${fwcmd} add 10 pass MAC ${ether_broadcast} ${ether_client} via ${iif}
  # frames sent by the client MAC
  ${fwcmd} add 20 pass MAC any ${ether_client} via ${iif}
  # frames sent to the client MAC
  ${fwcmd} add 21 pass MAC ${ether_client} any via ${iif}

  # ip pass (ip_input / ip_output): MAC header already stripped, so the
  # MAC rules above cannot match here and the IP rules are needed.
  ${fwcmd} add 30 pass ip from ${ip_client} to any via ${iif}
  ${fwcmd} add 31 pass ip from any to ${ip_client} via ${iif}
  # -- snippet from fw-script -- #

this results in:

  # ipfw show
  00010   1    28 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \
                  88:99:aa:bb:cc:dd via em0
  00020  74  9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
  00021  87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
  00030  74  9564 allow ip from 192.168.123.45 to any via em0
  00031  86 85290 allow ip from any to 192.168.123.45 via em0
  65535 487 35078 deny ip from any to any

Most of this logic is described in the "PACKET FLOW" section in man ipfw:

"Note that as packets flow through the stack, headers can be stripped or
added to it, and so they may or may not be available for inspection.
E.g., incoming packets will include the MAC header when ipfw is invoked
from ether_demux(), but the same packets will have the MAC header
stripped off when ipfw is invoked from ip_input() or ip6_input()."

Cheers
ch

On Saturday 09 June 2012, Bill Yuan wrote:
> rule like below
>
> #allow the traffic which source mac belongs to the machine
> ipfw add 1 allow all from any to any MAC <MAC ADDR1> any
> #allow the ...... destination mac is that machine
> ipfw add 1 allow all from any to any MAC any <MAC ADDR1>
> ipfw add 1 deny all from any to any
>
> it is not working, all the traffic will be blocked by the deny !!! how come?
>
> On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <
> freebsd-questions-local@be-well.ilk.org> wrote:
>
> > Bill Yuan <bycn82@gmail.com> writes:
> > > i am using freebsd 9.0 as a firewall and i want to filter the traffic
> > > by the mac and the ip at the same time,
> > >
> > > for example, i only allow my laptop <MAC Address 1> to go through the
> > > firewall when it's using IP <IP Address 1>
> > >
> > > how to config the firewall rules?
> > >
> > > I tried to configure the firewall by the rules below, but it doesn't
> > > work
> > >
> > > ipfw add 1 allow all from <IP Address 1> to any MAC <MAC Address 1> any
> > > ipfw add 1 allow all from any to <IP Address 1> MAC any <MAC Address 1>
> >
> > Well, for one thing if I understand your intent, you have the MAC
> > addresses in the wrong order. Unless your firewall is acting as a
> > bridge, you also need to keep in mind that the MAC addresses are changed
> > when passing through, so those rules will only work on one side (i.e.,
> > you'll need "in via" type rules).
> >
> > > but it doesn't work. also found the explanation on google, someone
> > > already asked this question before.
> >
> > I don't understand. Was there a suggested approach or not?
> >
> > > but I did not find the solution for this requirement. can someone tell
> > > me how? thanks in advance.
> >
> > I can't guarantee this will work, and I don't have any way to test it,
> > but my above comments would suggest something more like:
> >
> > ipfw add 1 allow all from <IP Address 1> to any MAC any <MAC Address 1> in via $iif
> > ipfw add 1 allow all from any to <IP Address 1> MAC <MAC Address 1> any out via $oif
> >
> > Good luck.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
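The two-pass behaviour Christian describes (one check from ether_demux() with the MAC header present, one from ip_input() with it stripped) is the whole reason Bill's MAC-only rules end in the deny, and it is also why the `ipfw show` counters for rule 20 and rule 30 are identical (74 packets): the same frames are counted once per pass. The model below is an added illustration written for this page, not FreeBSD code and not the ruleset of anyone in the thread. It replays Bill's ruleset and Christian's ruleset against a few constructed inbound packets, and adds a hypothetical third ruleset that uses ipfw's `layer2` option (and its `not layer2` negation, as documented in ipfw(8)) to bind the IP to the MAC in the first pass only; that third set is my own suggestion and covers the inbound direction only. Assumptions of the model: IP fields are visible in both passes, the MAC header only in the first; the gateway and spoofer MAC addresses are constructed sample values.

```python
"""Toy model of ipfw's two-pass evaluation with net.link.ether.ipfw=1.

Pass 1 runs from ether_demux() with the MAC header present, pass 2 from
ip_input() with the MAC header stripped.  A rule carrying a MAC pattern
can therefore never match in pass 2.  Illustration only, not FreeBSD code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: Optional[str] = None   # None once the MAC header is stripped
    dst_mac: Optional[str] = None


@dataclass
class Rule:
    number: int
    action: str                             # "allow" or "deny"
    src_ip: str = "any"
    dst_ip: str = "any"
    mac: Optional[Tuple[str, str]] = None   # ipfw order: (dst-mac, src-mac)
    layer2: Optional[bool] = None           # True = "layer2", False = "not layer2"


DEFAULT_RULE = Rule(65535, "deny")          # ipfw's implicit last rule


def _match(pattern: str, value: Optional[str]) -> bool:
    return pattern == "any" or pattern == value


def rule_matches(rule: Rule, pkt: Packet, at_layer2: bool) -> bool:
    # Model assumption: IP fields are visible in both passes, the MAC header
    # only in the ether_demux() pass.
    if rule.layer2 is not None and rule.layer2 != at_layer2:
        return False
    if rule.mac is not None:
        if pkt.src_mac is None:             # header stripped: pattern cannot apply
            return False
        dst_pat, src_pat = rule.mac
        if not (_match(dst_pat, pkt.dst_mac) and _match(src_pat, pkt.src_mac)):
            return False
    return _match(rule.src_ip, pkt.src_ip) and _match(rule.dst_ip, pkt.dst_ip)


def run_pass(rules: List[Rule], pkt: Packet, at_layer2: bool) -> Rule:
    """First matching rule wins; equal rule numbers keep insertion order."""
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_RULE]:
        if rule_matches(rule, pkt, at_layer2):
            return rule
    return DEFAULT_RULE                     # unreachable: default rule always matches


def filter_inbound(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Return (verdict, rule numbers hit) for one inbound packet."""
    hits = []
    first = run_pass(rules, pkt, at_layer2=True)
    hits.append(first.number)
    if first.action == "deny":
        return "deny", hits
    stripped = Packet(pkt.src_ip, pkt.dst_ip)        # ip_input(): no MAC header
    second = run_pass(rules, stripped, at_layer2=False)
    hits.append(second.number)
    return second.action, hits


CLIENT_IP = "192.168.123.45"                # values from Christian's script
CLIENT_MAC = "88:99:aa:bb:cc:dd"
BROADCAST = "ff:ff:ff:ff:ff:ff"
GW_MAC = "00:11:22:33:44:55"                # constructed gateway MAC

# Bill's ruleset from the thread: MAC-only allows, then deny everything.
BILL = [
    Rule(1, "allow", mac=(CLIENT_MAC, "any")),
    Rule(1, "allow", mac=("any", CLIENT_MAC)),
    Rule(1, "deny"),
]

# Christian's ruleset (rules 10..31; "via em0" omitted from the model).
CHRISTIAN = [
    Rule(10, "allow", mac=(BROADCAST, CLIENT_MAC)),
    Rule(20, "allow", mac=("any", CLIENT_MAC)),
    Rule(21, "allow", mac=(CLIENT_MAC, "any")),
    Rule(30, "allow", src_ip=CLIENT_IP),
    Rule(31, "allow", dst_ip=CLIENT_IP),
]

# Hypothetical, inbound-only: bind IP and MAC in the layer2 pass and let
# only that IP through the ip_input() pass (not from the thread).
BOUND = [
    Rule(10, "allow", src_ip=CLIENT_IP, mac=("any", CLIENT_MAC), layer2=True),
    Rule(20, "allow", src_ip=CLIENT_IP, layer2=False),
    Rule(30, "deny"),
]

# Constructed sample frames arriving on the inside interface.
laptop = Packet(CLIENT_IP, "10.0.0.1", src_mac=CLIENT_MAC, dst_mac=GW_MAC)
ip_spoof = Packet(CLIENT_IP, "10.0.0.1", src_mac="de:ad:be:ef:00:01", dst_mac=GW_MAC)
other_ip = Packet("192.168.123.99", "10.0.0.1", src_mac=CLIENT_MAC, dst_mac=GW_MAC)

if __name__ == "__main__":
    for name, rules in (("bill", BILL), ("christian", CHRISTIAN), ("bound", BOUND)):
        for label, pkt in (("laptop", laptop), ("ip_spoof", ip_spoof), ("other_ip", other_ip)):
            verdict, hits = filter_inbound(rules, pkt)
            print(f"{name:9} {label:9} -> {verdict:5} via rules {hits}")
```

Running it shows Bill's laptop frame passing rule 1 in the first pass and then hitting the deny in the second, exactly the symptom he reports. Christian's set passes the laptop through rules 20 and 30, matching the counters in his `ipfw show`, but because rule 30 keys on the IP alone it also admits a frame carrying the client's IP from a different MAC; the `bound` variant refuses both that frame and a client-MAC frame with a different IP. Reply traffic and the outbound side would need mirror rules, as Lowell's "in via"/"out via" remark implies.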