Date: Sat, 9 Jun 2012 23:26:41 +0800
From: Bill Yuan <bycn82@gmail.com>
To: Christian Hiris <4711@chello.at>
Cc: freebsd-questions@freebsd.org
Subject: Re: how to filter network by MAC and IP at the same time
Message-ID: <CAC%2BJH2zoB3%2Ba_Cp3MrZ8eaApEFjjb4cqy7gVAzBLhqfhaGRxHw@mail.gmail.com>
In-Reply-To: <201206091112.50161.4711@chello.at>
References: <CAC%2BJH2zw0%2BXrJG=xnnFWEh8_JkGc7YnnqFE2VAtQBS5T7RubbA@mail.gmail.com> <44y5nxy29s.fsf@be-well.ilk.org> <CAC%2BJH2wQcXY2fO2hbb6DH_PM60nKiPh9pBnDX1m2POFyCYRCAw@mail.gmail.com> <201206091112.50161.4711@chello.at>
Thanks very much. According to your description, I changed my firewall settings (because I already tried adding "via em0" or "via em1" and it's not working, so I removed it; on my FreeBSD the WAN is em0 and the LAN is em1) and made it like this below, and I still cannot download things through it. I found the result seems some place is still not working properly; the traffic has been blocked for some reason!

On Sat, Jun 9, 2012 at 5:12 PM, Christian Hiris <4711@chello.at> wrote:
> hi Bill,
> afaik, in your case the packets are checked twice against the ipfw rules - once
> for the layer2-filtering part and a 2nd time for the ip-filtering part.
>
> 1st enable filtering on ethernet demux/eth. output frame:
> # sysctl net.link.ether.ipfw=1
>
> then start your fw-script:
>
> # -- sniplet from fw-script -- #
> iif="em0"
> ip_client="192.168.123.45"
> ether_client="88:99:aa:bb:cc:dd"
> ether_broadcast="ff:ff:ff:ff:ff:ff"
>
> ${fwcmd} add 10 pass MAC ${ether_broadcast} ${ether_client} via ${iif}
> ${fwcmd} add 20 pass MAC any ${ether_client} via ${iif}
> ${fwcmd} add 21 pass MAC ${ether_client} any via ${iif}
> ${fwcmd} add 30 pass ip from ${ip_client} to any via ${iif}
> ${fwcmd} add 31 pass ip from any to ${ip_client} via ${iif}
> # -- sniplet from fw-script -- #
>
> this results in:
>
> # ipfw show
> 00010 1 28 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \
> 88:99:aa:bb:cc:dd via em0
> 00020 74 9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
> 00021 87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
> 00030 74 9564 allow ip from 192.168.123.45 to any via em0
> 00031 86 85290 allow ip from any to 192.168.123.45 via em0
> 65535 487 35078 deny ip from any to any
>
> Most of this logic is described in the "PACKET FLOW" section in man
> ipfw.
>
> "Note that as packets flow through the stack, headers can be stripped or
> added to it, and so they may or may not be available for inspection.
> E.g., incoming packets will include the MAC header when ipfw is invoked
> from ether_demux(), but the same packets will have the MAC header
> stripped off when ipfw is invoked from ip_input() or ip6_input()."
>
> Cheers
> ch
>
>
> On Saturday 09 June 2012, Bill Yuan wrote:
> > rule like below
> >
> > #allow the traffic whose source mac belongs to the machine
> > ipfw add 1 allow all from any to any MAC <MAC ADDR1> any
> > #allow the ...... destination mac is that machine
> > ipfw add 1 allow all from any to any MAC any <MAC ADDR1>
> > ipfw add 1 deny all from any to any
> >
> >
> > it is not working, all the traffic will be blocked by the deny !!! how come?
> >
> >
> >
> > On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <
> > freebsd-questions-local@be-well.ilk.org> wrote:
> > > Bill Yuan <bycn82@gmail.com> writes:
> > > > i am using freebsd 9.0 as a firewall and i want to filter the traffic
> > > > by the mac and the ip at the same time,
> > > >
> > > > for example, i only allow my laptop <MAC Address 1> to go through the
> > > > firewall when it's using IP <IP Address 1>
> > > >
> > > > so how do I config the firewall rules?
> > > >
> > > >
> > > > I tried to configure the firewall by the rule below, but it doesn't
> > > > work
> > > >
> > > > ipfw add 1 allow all from <IP Address 1> to any MAC <MAC Address 1> any
> > > > ipfw add 1 allow all from any to <IP Address 1> MAC any <MAC Address 1>
> > >
> > > Well, for one thing if I understand your intent, you have the MAC
> > > addresses in the wrong order. Unless your firewall is acting as a
> > > bridge, you also need to keep in mind that the MAC addresses are changed
> > > when passing through, so those rules will only work on one side (i.e.,
> > > you'll need "in via" type rules).
> > >
> > > > but it doesn't work. also found the explanation on google, someone
> > > > already asked this question before.
> > >
> > > I don't understand. Was there a suggested approach or not?
> > >
> > > > but I did not find the solution for this requirement. can someone tell
> > > > me how? thanks in advance.
> > >
> > > I can't guarantee this will work, and I don't have any way to test it,
> > > but my above comments would suggest something more like:
> > >
> > > ipfw add 1 allow all from <IP Address 1> to any MAC any <MAC Address 1> in via $iif
> > > ipfw add 1 allow all from any to <IP Address 1> MAC <MAC Address 1> any out via $oif
> > >
> > > Good luck.
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
>
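An added simulation, not part of this thread, of the point Christian makes about the two passes: with net.link.ether.ipfw=1 each frame is evaluated once at ether_demux() with its MAC header and once at ip_input() without it, and a rule carrying a MAC option cannot match on the second pass, so a MAC-only allow followed by a blanket deny drops everything. It models only the MAC and IP address fields (no via/direction, no keep-state); the rule numbers, the remote IP and the gateway MAC are constructed, while the client MAC and IP are the ones from Christian's snippet.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    num: int
    action: str                                 # "allow" or "deny"
    mac: Optional[Tuple[str, str]] = None       # (dst_mac, src_mac), ipfw's order
    src_ip: str = "any"
    dst_ip: str = "any"

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str

def _match(pat: str, value: str) -> bool:
    return pat == "any" or pat == value

def rule_matches(rule: Rule, pkt: Packet, mac_header: bool) -> bool:
    if rule.mac is not None:
        if not mac_header:      # MAC option cannot match once the header is stripped
            return False
        dst_mac, src_mac = rule.mac
        if not (_match(dst_mac, pkt.dst_mac) and _match(src_mac, pkt.src_mac)):
            return False
    return _match(rule.src_ip, pkt.src_ip) and _match(rule.dst_ip, pkt.dst_ip)

def evaluate(rules, pkt: Packet, mac_header: bool):
    """First matching rule as (number, action); 65535 is ipfw's default deny."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule_matches(rule, pkt, mac_header):
            return rule.num, rule.action
    return 65535, "deny"

def passes(rules, pkt: Packet) -> bool:
    """Pass at ether_demux() (MAC header present) and again at ip_input() (stripped)."""
    return evaluate(rules, pkt, True)[1] == "allow" and evaluate(rules, pkt, False)[1] == "allow"

CLIENT_MAC, CLIENT_IP = "88:99:aa:bb:cc:dd", "192.168.123.45"
# Bill's ruleset: MAC-only allows followed by a blanket deny (numbers are constructed).
BILL = [Rule(1, "allow", mac=("any", CLIENT_MAC)), Rule(2, "allow", mac=(CLIENT_MAC, "any")),
        Rule(3, "deny")]
# Christian's ruleset: MAC rules for the layer-2 pass, IP rules for the layer-3 pass.
CHRISTIAN = [Rule(20, "allow", mac=("any", CLIENT_MAC)), Rule(21, "allow", mac=(CLIENT_MAC, "any")),
             Rule(30, "allow", src_ip=CLIENT_IP), Rule(31, "allow", dst_ip=CLIENT_IP)]
# Constructed outbound frame from the laptop; the gateway MAC is made up.
OUTBOUND = Packet(CLIENT_IP, "203.0.113.10", CLIENT_MAC, "00:11:22:33:44:55")
```

Running the same frame with a different source MAC but the client IP shows that rules 30 and 31 accept it on both passes, so this ruleset permits the IP without binding it to the MAC.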