From: Christian Hiris <4711@chello.at>
To: freebsd-questions@freebsd.org
Cc: Bill Yuan
Date: Sat, 9 Jun 2012 11:12:49 +0200
Subject: Re: how to filter network by MAC and IP at the same time

hi Bill,

afaik, in your case the packets are checked twice against the ipfw rules:
once for the layer2-filtering part and a 2nd time for the ip-filtering part.

1st enable filtering on ethernet demux/eth. output frame:

# sysctl net.link.ether.ipfw=1

then start your fw-script:

# -- sniplet from fw-script -- #
fwcmd="/sbin/ipfw"                  # assumed; set elsewhere in the full script
iif="em0"
ip_client="192.168.123.45"
ether_client="88:99:aa:bb:cc:dd"
ether_broadcast="ff:ff:ff:ff:ff:ff"
# layer2 part (MAC option is "MAC dst-mac src-mac")
${fwcmd} add 10 pass MAC ${ether_broadcast} ${ether_client} via ${iif}
${fwcmd} add 20 pass MAC any ${ether_client} via ${iif}
${fwcmd} add 21 pass MAC ${ether_client} any via ${iif}
# ip part: the only rules that can match on the ip_input() pass, where the MAC header is gone
${fwcmd} add 30 pass ip from ${ip_client} to any via ${iif}
${fwcmd} add 31 pass ip from any to ${ip_client} via ${iif}
# -- sniplet from fw-script -- #

this results in:

# ipfw show
00010    1    28 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \
                 88:99:aa:bb:cc:dd via em0
00020   74  9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
00021   87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
00030   74  9564 allow ip from 192.168.123.45 to any via em0
00031   86 85290 allow ip from any to 192.168.123.45 via em0
65535  487 35078 deny ip from any to any

Most of this logic is described in the "PACKET FLOW" section in man ipfw:

"Note that as packets flow through the stack, headers can be stripped or
added to it, and so they may or may not be available for inspection.
E.g., incoming packets will include the MAC header when ipfw is invoked
from ether_demux(), but the same packets will have the MAC header stripped
off when ipfw is invoked from ip_input() or ip6_input()."

Cheers
ch

On Saturday 09 June 2012, Bill Yuan wrote:
> rule like below
>
> #allow the traffic whose source mac belongs to the machine
> ipfw add 1 allow all from any to any MAC any
> #allow the ...... destination mac is that machine
> ipfw add 1 allow all from any to any MAC any
> ipfw add 1 deny all from any to any
>
> it is not working, all the traffic will be blocked by the deny !!! how come?
>
> On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
>
> > Bill Yuan writes:
> >
> > > i am using freebsd 9.0 as a firewall and i want to filter the traffic
> > > by the mac and the ip at the same time,
> > >
> > > for example, i only allow my laptop to go through the
> > > firewall when it's using IP
> > >
> > > how to config the firewall rules?
> > >
> > > I tried to configure the firewall by the rule below, but it doesn't
> > > work
> > >
> > > ipfw add 1 allow all from to any MAC any
> > > ipfw add 1 allow all from any to MAC any
> > > Address 1>
> >
> > Well, for one thing if I understand your intent, you have the MAC
> > addresses in the wrong order. Unless your firewall is acting as a
> > bridge, you also need to keep in mind that the MAC addresses are changed
> > when passing through, so those rules will only work on one side (i.e.,
> > you'll need "in via" type rules).
> >
> > > but it doesn't work. also found the explanation on google, someone
> > > already asked this question before.
> >
> > I don't understand. Was there a suggested approach or not?
> >
> > > but I did not find the solution for this requirement. can someone tell
> > > me how? thanks in advance.
> >
> > I can't guarantee this will work, and I don't have any way to test it,
> > but my above comments would suggest something more like:
> >
> > ipfw add 1 allow all from to any MAC any in via $iif
> > ipfw add 1 allow all from any to MAC any out via $oif
> >
> > Good luck.
>
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
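The two-pass evaluation Christian describes, as an added example that is not part of the thread: a small Python model of how ipfw(8) checks an inbound IP frame with net.link.ether.ipfw=1, first from ether_demux() with the MAC header present and then from ip_input() with it stripped. It goes one step beyond the posted script by also modelling ipfw's "layer2" rule option (and its "not" form), which pins a rule to one of the two passes; interface matching is left out, and the rule sets and frames are constructed for the example.

```python
# Added example, not code from the thread: a toy model of the two ipfw passes an
# inbound IP frame gets on FreeBSD with net.link.ether.ipfw=1 (first ether_demux()
# with the MAC header, then ip_input() without it). The "layer2" rule option and
# its "not" form restrict a rule to one of the two passes, as in ipfw(8).
CLIENT_MAC = "88:99:aa:bb:cc:dd"      # addresses reused from the script in the thread
CLIENT_IP = "192.168.123.45"

def rule(action, src_ip="any", dst_ip="any", mac=None, layer2=None):
    """mac is (dst-mac, src-mac) as in ipfw's MAC option; layer2 is True, False or None."""
    return {"action": action, "src_ip": src_ip, "dst_ip": dst_ip, "mac": mac, "layer2": layer2}

def rule_matches(r, pkt, l2_pass):
    if r["layer2"] is not None and r["layer2"] != l2_pass:
        return False                  # "layer2" / "not layer2" keyword
    if r["mac"] is not None:
        if not l2_pass:
            return False              # MAC header already stripped in ip_input()
        dst_pat, src_pat = r["mac"]
        if dst_pat not in ("any", pkt["dst_mac"]) or src_pat not in ("any", pkt["src_mac"]):
            return False
    return r["src_ip"] in ("any", pkt["src_ip"]) and r["dst_ip"] in ("any", pkt["dst_ip"])

def first_match(rules, pkt, l2_pass):
    for r in rules:
        if rule_matches(r, pkt, l2_pass):
            return r["action"]
    return "deny"                     # implicit rule 65535

def verdict(rules, pkt):
    """An inbound frame must be allowed by both passes to be delivered."""
    if first_match(rules, pkt, l2_pass=True) != "allow":
        return "deny"
    return first_match(rules, pkt, l2_pass=False)

MAC_RULES = [rule("allow", mac=("any", CLIENT_MAC)), rule("allow", mac=(CLIENT_MAC, "any"))]
MAC_ONLY = MAC_RULES + [rule("deny")]                        # shape of the failing set
MAC_AND_IP = MAC_RULES + [rule("allow", src_ip=CLIENT_IP),    # shape of the working set
                          rule("allow", dst_ip=CLIENT_IP), rule("deny")]
MAC_AND_IP_STRICT = MAC_RULES + [rule("allow", src_ip=CLIENT_IP, layer2=False),
                                 rule("allow", dst_ip=CLIENT_IP, layer2=False), rule("deny")]

# Constructed frames: the client, and hosts that share only one of its two addresses
CLIENT = {"src_mac": CLIENT_MAC, "dst_mac": "00:00:5e:00:53:01",
          "src_ip": CLIENT_IP, "dst_ip": "10.0.0.1"}
SAME_IP_OTHER_MAC = dict(CLIENT, src_mac="00:00:5e:00:53:99")
SAME_MAC_OTHER_IP = dict(CLIENT, src_ip="192.168.123.99")

def summary(rules):
    return tuple(verdict(rules, p) for p in (CLIENT, SAME_IP_OTHER_MAC, SAME_MAC_OTHER_IP))
```

Only the set whose IP rules carry "not layer2" yields allow/deny/deny, i.e. requires both addresses: in the posted shape a frame with the client's IP but another MAC is matched by the IP rule already on the ether_demux() pass, because ipfw parses the IP header there too for IP frames.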