Date:      Sat, 9 Jun 2012 23:26:41 +0800
From:      Bill Yuan <bycn82@gmail.com>
To:        Christian Hiris <4711@chello.at>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: how to filter network by MAC and IP at the same time
Message-ID:  <CAC%2BJH2zoB3%2Ba_Cp3MrZ8eaApEFjjb4cqy7gVAzBLhqfhaGRxHw@mail.gmail.com>
In-Reply-To: <201206091112.50161.4711@chello.at>
References:  <CAC%2BJH2zw0%2BXrJG=xnnFWEh8_JkGc7YnnqFE2VAtQBS5T7RubbA@mail.gmail.com> <44y5nxy29s.fsf@be-well.ilk.org> <CAC%2BJH2wQcXY2fO2hbb6DH_PM60nKiPh9pBnDX1m2POFyCYRCAw@mail.gmail.com> <201206091112.50161.4711@chello.at>

Thanks very much,
According to your description, I changed my firewall settings
(
because I already tried adding "via em0" or "via em1" and it's not working,
so I removed it;
on my FreeBSD box the WAN is em0, the LAN is em1
)
and made it like this below

and I still cannot download things through it, and I found the result


It seems some place is still not working properly; the traffic has been blocked for
some reason!





On Sat, Jun 9, 2012 at 5:12 PM, Christian Hiris <4711@chello.at> wrote:

> hi Bill,
> afaik, in your case the packets are checked twice against the ipfw rules: once
> for the layer2-filtering part and a 2nd time for the ip-filtering part.
>
> 1st enable filtering on ethernet demux/eth. output frame:
> # sysctl net.link.ether.ipfw=1
>
> then start your fw-script:
>
> # -- snippet from fw-script -- #
>  iif="em0"
>  ip_client="192.168.123.45"
>  ether_client="88:99:aa:bb:cc:dd"
>  ether_broadcast="ff:ff:ff:ff:ff:ff"
>
>  ${fwcmd} add 10 pass MAC ${ether_broadcast} ${ether_client} via ${iif}
>  ${fwcmd} add 20 pass MAC any ${ether_client} via ${iif}
>  ${fwcmd} add 21 pass MAC ${ether_client} any via ${iif}
>  ${fwcmd} add 30 pass ip from ${ip_client} to any via ${iif}
>  ${fwcmd} add 31 pass ip from any to ${ip_client} via ${iif}
> # -- snippet from fw-script -- #
>
> this results in:
>
> # ipfw show
> 00010   1    28 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \
>  88:99:aa:bb:cc:dd via em0
> 00020  74  9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
> 00021  87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
> 00030  74  9564 allow ip from 192.168.123.45 to any via em0
> 00031  86 85290 allow ip from any to 192.168.123.45 via em0
> 65535 487 35078 deny ip from any to any
>
> Most of this logic is described in the "PACKET FLOW" section of man
> ipfw.
>
> "Note that as packets flow through the stack, headers can be stripped or
>     added to it, and so they may or may not be available for inspection.
>     E.g., incoming packets will include the MAC header when ipfw is invoked
>     from ether_demux(), but the same packets will have the MAC header
>     stripped off when ipfw is invoked from ip_input() or ip6_input()."
>
> Cheers
> ch
>
>
> On Saturday 09 June 2012, Bill Yuan wrote:
> > rule like below
> >
> > #allow the traffic whose source mac belongs to the machine
> > ipfw add 1 allow all from any to any MAC <MAC ADDR1> any
> > #allow the ......  destination mac is that machine
> > ipfw add 1 allow all from any to any MAC any <MAC ADDR1>
> > ipfw add 1 deny all from any to any
> >
> >
> > it is not working, all the traffic will be blocked by the deny!!!  How
> > come?
> >
> >
> >
> > On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
> > > Bill Yuan <bycn82@gmail.com> writes:
> > > > I am using FreeBSD 9.0 as a firewall and I want to filter the traffic
> > > > by the MAC and the IP at the same time.
> > > >
> > > > For example, I only allow my laptop <MAC Address 1> to go through the
> > > > firewall when it's using IP <IP Address 1>.
> > > >
> > > > How do I configure the firewall rules?
> > > >
> > > >
> > > > I tried to configure the firewall with the rules below, but it doesn't
> > > > work:
> > > >
> > > >  ipfw add 1 allow all from <IP Address 1> to any MAC <MAC Address 1> any
> > > >  ipfw add 1 allow all from any to <IP Address 1> MAC any <MAC Address 1>
> > >
> > > Well, for one thing, if I understand your intent, you have the MAC
> > > addresses in the wrong order. Unless your firewall is acting as a
> > > bridge, you also need to keep in mind that the MAC addresses are changed
> > > when passing through, so those rules will only work on one side (i.e.,
> > > you'll need "in via" type rules).
> > >
> > > > but it doesn't work. I also found the explanation on Google; someone
> > > > already asked this question before.
> > >
> > > I don't understand. Was there a suggested approach or not?
> > >
> > > > but I did not find the solution for this requirement.  Can someone tell
> > > > me how? Thanks in advance.
> > >
> > > I can't guarantee this will work, and I don't have any way to test it,
> > > but my above comments would suggest something more like:
> > >
> > >  ipfw add 1 allow all from <IP Address 1> to any MAC any <MAC Address 1> in via $iif
> > >  ipfw add 1 allow all from any to <IP Address 1> MAC <MAC Address 1> any out via $oif
> > >
> > > Good luck.
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
>
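As an added illustration of the two-pass behaviour Christian describes (this is not code from the thread): a small Python parser for `ipfw show` output, fed a constructed sample modelled on his listing, that sums the allow-rule counters a client hits on the MAC pass (ether_demux) and on the IP pass (ip_input) in each direction, so a zero slot tells you which pass and direction is refusing the traffic. The client IP and MAC are the ones from his snippet; the counter sums are my own check, not an ipfw feature.

```python
import re

# Constructed sample in the shape of the `ipfw show` output quoted in the
# thread: rule number, packets, bytes, rule body; long rules wrap with "\".
SAMPLE_IPFW_SHOW = """\
00010   1    28 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \\
 88:99:aa:bb:cc:dd via em0
00020  74  9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
00021  87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
00030  74  9564 allow ip from 192.168.123.45 to any via em0
00031  86 85290 allow ip from any to 192.168.123.45 via em0
65535 487 35078 deny ip from any to any
"""
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
MAC_RE = re.compile(r"\bMAC (\S+) (\S+)")        # ipfw order: MAC dst src
IP_RE = re.compile(r"\bfrom (\S+) to (\S+)")

def parse_ipfw_show(text):
    """Return [(number, packets, bytes, body), ...], joining '\\'-wrapped lines."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules

def client_counters(rules, ip, mac):
    """Sum allow-rule packet counters for one client by pass and direction.

    ipfw sees a frame once with its MAC header (the MAC rules) and once
    without it (the IP rules); a zero slot names where traffic is refused.
    """
    counts = {"l2_from": 0, "l2_to": 0, "l3_from": 0, "l3_to": 0}
    for _num, packets, _nbytes, body in rules:
        if not body.startswith("allow"):
            continue
        m = MAC_RE.search(body)
        if m:                         # layer-2 rule: compare MAC addresses
            layer, want, (dst, src) = "l2", mac, m.groups()
        else:                         # layer-3 rule: compare IP addresses
            layer, want, (src, dst) = "l3", ip, IP_RE.search(body).groups()
        counts[f"{layer}_from"] += packets * (src == want)
        counts[f"{layer}_to"] += packets * (dst == want)
    return counts
```

Run it against your own `ipfw show` output after enabling `net.link.ether.ipfw=1`: if only the l3 slots are zero, the frames pass the MAC rules but the IP rules never match them, and vice versa.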


