From owner-freebsd-questions@FreeBSD.ORG Sat Jun 9 15:26:43 2012
From: Bill Yuan
To: Christian Hiris <4711@chello.at>
Cc: freebsd-questions@freebsd.org
Date: Sat, 9 Jun 2012 23:26:41 +0800
In-Reply-To: <201206091112.50161.4711@chello.at>
References: <44y5nxy29s.fsf@be-well.ilk.org> <201206091112.50161.4711@chello.at>
Subject: Re: how to filter network by MAC and IP at the same time
List-Id: User questions
Thanks very much. According to your description, I changed my firewall settings (because I already tried adding "via em0" or "via em1" and it's not working, so I removed it; my FreeBSD's WAN is em0 and LAN is em1) and made it like this below, and I still cannot download things through it. I found the result seems some place is still not working properly; the traffic has been blocked for some reason!

On Sat, Jun 9, 2012 at 5:12 PM, Christian Hiris <4711@chello.at> wrote:
> hi Bill,
> afaik, in your case the packets are checked twice against the ipfw rules - once
> for the layer2-filtering part and a 2nd time for the ip-filtering part.
>
> 1st enable filtering on ethernet demux/eth. output frame:
> # sysctl net.link.ether.ipfw=1
>
> then start your fw-script:
>
> # -- snippet from fw-script -- #
> iif="em0"
> ip_client="192.168.123.45"
> ether_client="88:99:aa:bb:cc:dd"
> ether_broadcast="ff:ff:ff:ff:ff:ff"
>
> ${fwcmd} add 10 pass MAC ${ether_broadcast} ${ether_client} via ${iif}
> ${fwcmd} add 20 pass MAC any ${ether_client} via ${iif}
> ${fwcmd} add 21 pass MAC ${ether_client} any via ${iif}
> ${fwcmd} add 30 pass ip from ${ip_client} to any via ${iif}
> ${fwcmd} add 31 pass ip from any to ${ip_client} via ${iif}
> # -- snippet from fw-script -- #
>
> this results in:
>
> # ipfw show
> 00010 1 28 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \
> 88:99:aa:bb:cc:dd via em0
> 00020 74 9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
> 00021 87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
> 00030 74 9564 allow ip from 192.168.123.45 to any via em0
> 00031 86 85290 allow ip from any to 192.168.123.45 via em0
> 65535 487 35078 deny ip from any to any
>
> Most of this logic is described in the "PACKET FLOW" section in man
> ipfw.
>
> "Note that as packets flow through the stack, headers can be stripped or
> added to it, and so they may or may not be available for inspection.
> E.g., incoming packets will include the MAC header when ipfw is invoked
> from ether_demux(), but the same packets will have the MAC header
> stripped off when ipfw is invoked from ip_input() or ip6_input()."
>
> Cheers
> ch
>
>
> On Saturday 09 June 2012, Bill Yuan wrote:
> > rule like below
> >
> > #allow the traffic which source mac belongs to the machine
> > ipfw add 1 allow all from any to any MAC any
> > #allow the ...... destination mac is that machine
> > ipfw add 1 allow all from any to any MAC any
> > ipfw add 1 deny all from any to any
> >
> >
> > it is not working, all the traffic will be blocked by the deny!!! How come?
> >
> >
> > On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
> > > Bill Yuan writes:
> > > > I am using FreeBSD 9.0 as a firewall and I want to filter the traffic
> > > > by the MAC and the IP at the same time,
> > > >
> > > > for example, I only allow my laptop to go through the
> > > > firewall when it's using IP
> > > >
> > > > How to configure the firewall rules?
> > > >
> > > >
> > > > I tried to configure the firewall by the rule below, but it doesn't
> > > > work
> > > >
> > > > ipfw add 1 allow all from to any MAC any
> > > > ipfw add 1 allow all from any to MAC any
> > >
> > > Well, for one thing if I understand your intent, you have the MAC
> > > addresses in the wrong order. Unless your firewall is acting as a
> > > bridge, you also need to keep in mind that the MAC addresses are changed
> > > when passing through, so those rules will only work on one side (i.e.,
> > > you'll need "in via" type rules).
> > >
> > > > but it doesn't work. Also found the explanation on Google; someone
> > > > already asked this question before.
> > >
> > > I don't understand. Was there a suggested approach or not?
> > >
> > > > but I did not find the solution for this requirement. Can someone tell
> > > > me how? Thanks in advance.
> > >
> > > I can't guarantee this will work, and I don't have any way to test it,
> > > but my above comments would suggest something more like:
> > >
> > > ipfw add 1 allow all from to any MAC any in via $iif
> > > ipfw add 1 allow all from any to MAC any out via $oif
> > >
> > > Good luck.
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
>
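The script below is an added example and is not code from the thread or from any of the posters. It generates an ipfw rule set for the layout Bill describes (WAN on em0, LAN on em1, router not bridging) that ties one LAN client's IPv4 address to its MAC address. It uses two ipfw(8) options that nobody in the thread used: `layer2`, which makes a rule match only in the ether_demux()/ether_output_frame() pass where the MAC header is still present (and where, for IP frames, the IP header is also readable, so a single rule can test MAC and IP together), and `mac-type arp`, which restricts the non-IP permits to ARP. The client IP and MAC are the constructed values from Christian's snippet. One caveat the thread's rules do not cover: with `net.link.ether.ipfw=1` the layer-2 pass runs for frames on every Ethernet interface, so the WAN side needs a layer-2 permit of its own, otherwise the default deny drops forwarded traffic there.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit ipfw rules that bind
# a single LAN client's IPv4 address to its MAC address on a two-interface
# FreeBSD router. Interface roles follow the poster (em0 = WAN, em1 = LAN);
# the IP/MAC values are constructed, taken from Christian's snippet.

# Return 0 when $1 is a MAC address of the form xx:xx:xx:xx:xx:xx.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule bodies (without the leading "ipfw add") for
#   $1 = WAN interface, $2 = LAN interface, $3 = client IPv4, $4 = client MAC.
# Lines starting with '#' are explanatory and are skipped when applying.
build_ruleset() {
    wan=$1; lan=$2; ip=$3; mac=$4
    is_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    is_mac "$mac"  || { echo "bad MAC address: $mac" >&2; return 1; }
    cat <<EOF
# --- layer-2 pass (ether_demux / ether_output_frame): MAC header present ---
# IP frames must carry BOTH the client's IP and the client's MAC.
100 allow ip from $ip to any MAC any $mac in via $lan layer2
110 allow ip from any to $ip MAC $mac any out via $lan layer2
# ARP only for the client MAC (plus the router's own broadcast ARP requests).
120 allow all from any to any mac-type arp MAC any $mac in via $lan layer2
130 allow all from any to any mac-type arp MAC $mac any out via $lan layer2
140 allow all from any to any mac-type arp MAC ff:ff:ff:ff:ff:ff any out via $lan layer2
# Any other frame on the LAN side (spoofed IP, unknown MAC, other protocols) is dropped.
190 deny all from any to any via $lan layer2
# The WAN side is not MAC-bound; without this permit the layer-2 pass would drop it.
200 allow all from any to any via $wan layer2
# --- layer-3 pass (ip_input / ip_output): MAC header already stripped ---
# Still checked by IP, so the LAN restriction holds even if net.link.ether.ipfw=0.
300 allow ip from $ip to any in via $lan
310 allow ip from any to $ip out via $lan
320 allow ip from any to any via $wan
65000 deny ip from any to any
EOF
}

# Return 0 when the kernel is actually consulting ipfw at layer 2.
layer2_filtering_enabled() {
    [ "$(sysctl -n net.link.ether.ipfw 2>/dev/null)" = 1 ]
}

# Load the generated rules with ipfw(8). Needs root; FWCMD can override the path.
apply_ruleset() {
    fwcmd=${FWCMD:-/sbin/ipfw}
    layer2_filtering_enabled || echo "warning: net.link.ether.ipfw is not 1; layer2 rules will never match" >&2
    build_ruleset "$@" | grep -v '^#' | while read -r rule; do
        $fwcmd -q add $rule
    done
}

# Stand-alone run: print the rule set for the poster's layout and the
# constructed client values (apply_ruleset em0 em1 ... would load them).
build_ruleset em0 em1 192.168.123.45 88:99:aa:bb:cc:dd
```

Run it as `sh mac_ip_rules.sh` to review the rules before loading them; `apply_ruleset em0 em1 192.168.123.45 88:99:aa:bb:cc:dd` from a shell that has sourced the file loads them, after `sysctl net.link.ether.ipfw=1` has been set. Rule ordering carries the logic: the LAN layer-2 deny at 190 sits before the WAN permit and the layer-3 rules, so a frame from the client's MAC with a different source IP fails rule 100, is not ARP, and is dropped at 190 before the IP-only rules ever see it.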