Date: Mon, 11 Jun 2012 11:16:17 +0800
From: Bill Yuan <bycn82@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: how to allow by MAC
Message-ID: <CAC+JH2w6B7fXu6tvcJ8t1FZbPb7pFQVbSwk93r-9JRYpFy2hcw@mail.gmail.com>
In-Reply-To: <20120611025332.N46641@sola.nimnet.asn.au>
References: <20120610120041.4D0F610657C3@hub.freebsd.org> <20120611025332.N46641@sola.nimnet.asn.au>
Hi Ian,

Thanks for your reply. I am reading some old emails which you sent in 2008, when someone elsewhere asked the same question as mine.

On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
> In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
> On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan <bycn82@gmail.com> wrote:
>
> > how to allow by MAC in ipfw
> >
> > currently i set the rule like below
> >
> > 1 allow ip from any to any MAC any to <MAC Address 1>
> > 1 allow ip from any to any MAC <MAC Address 1> any
> > 2 deny all from any to any
> >
> > i want to only allow the mac address to go through the freebsd firewall,
> >
> > but I found it is not working on my freebsd but it works on pfsense!
> >
> > so maybe that means the environment is not the same ? and how to setup the
> > ipfw properly to support this ?
>
> Bill, you did get some good clues in the earlier thread, but it's not
> clear if you took note of them. There's also been some confusion ..
>
> Firstly, read up on layer2 (ethernet, MAC-level) filtering options in
> ipfw(8). Thoroughly, several times, until you've got it. Seriously.
>
> After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf)
> ipfw will be invoked 4 times instead of the normal 2, on every packet.
>
> Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the
> inbound pass invoked from ether_demux() and the outbound pass invoked
> from ether_output_frame() can you test for MAC addresses (or mac-types);
> the 'normal' layer3 passes examine packets that have no layer2 headers.
>
> You could just add 'layer2' to any rules filtering on MAC addresses, and
> omit MAC addresses from all layer 3 (IP) rules, but I'd recommend using
> a method like shown there to separate layer2 and layer3 flows early on:
>
> # packets from ether_demux
> ipfw add 10 skipto 1000 all from any to any layer2 in
> # packets from ip_input
> ipfw add 10 skipto 2000 all from any to any not layer2 in
> # packets from ip_output
> ipfw add 10 skipto 3000 all from any to any not layer2 out
> # packets from ether_output_frame
> ipfw add 10 skipto 4000 all from any to any layer2 out
>
> So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering
> rules (remembering the reversed order of MAC addresses vs IP addresses,
> and to allow broadcasts as well), pass good guys and/or block bad guys,
> then deal with your normal IPv4|v6 traffic in a separate section(s).
>
> Or you could just split the flows into two streams, one for layer2 for
> your MAC filtering, the other for layer3, ie the rest of your ruleset.
>
> HTH, Ian [please cc me on any reply]
>
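As an added example that is not part of this thread, the script below builds the ruleset Ian outlines: the four skipto rules at 10 split the four ipfw passes, the MAC tests live only in the layer2 sections (1000 for frames from ether_demux, 4000 for frames to ether_output_frame), the MAC operands are written destination first and source second (the reverse of the IP address order, which is why the inbound rule is "MAC any <client>" and the outbound rule is "MAC <client> any"), and the layer3 sections at 2000 and 3000 are placeholders where the normal IP policy goes. Everything concrete is assumed for illustration: the client MAC 00:11:22:33:44:55, the LAN interface em0, and the choice to restrict the MAC checks to that one interface so that a box which also routes to another interface keeps passing frames there.

```shell
#!/bin/sh
# Added example, not from the original thread: build the ipfw ruleset Ian
# Smith outlines (layer2/layer3 split, MAC checks only in the layer2
# sections) and optionally load it.  Hypothetical values: the client that
# may pass is 00:11:22:33:44:55 on em0; IPFW is the path to the binary.
ALLOWED_MAC="${ALLOWED_MAC:-00:11:22:33:44:55}"
LAN_IF="${LAN_IF:-em0}"
BCAST="ff:ff:ff:ff:ff:ff"
IPFW="${IPFW:-/sbin/ipfw}"

# gen_rules prints one ipfw command per line (without the "ipfw" prefix).
# MAC operands are "MAC dst src": a frame arriving from the client is
# "MAC any $ALLOWED_MAC", a frame going to it is "MAC $ALLOWED_MAC any".
# Outbound broadcast is allowed so the firewall's own ARP requests get out;
# inbound frames from any other source MAC on $LAN_IF are dropped at 1999.
gen_rules() {
    cat <<EOF
add 10 skipto 1000 all from any to any layer2 in
add 10 skipto 2000 all from any to any not layer2 in
add 10 skipto 3000 all from any to any not layer2 out
add 10 skipto 4000 all from any to any layer2 out
add 1000 allow all from any to any MAC any $ALLOWED_MAC layer2 in via $LAN_IF
add 1010 allow all from any to any layer2 in not via $LAN_IF
add 1999 deny all from any to any layer2 in
add 2000 allow ip from any to any not layer2 in
add 3000 allow ip from any to any not layer2 out
add 4000 allow all from any to any MAC $ALLOWED_MAC any layer2 out via $LAN_IF
add 4010 allow all from any to any MAC $BCAST any layer2 out via $LAN_IF
add 4020 allow all from any to any layer2 out not via $LAN_IF
add 4999 deny all from any to any layer2 out
EOF
}

# Sanity check: count generated rules that test a MAC address but are not
# marked layer2.  It must be 0, because such a rule only ever runs on the
# layer3 passes, which carry no ethernet header, so it can never match;
# that is exactly what went wrong with the ruleset in the original post.
mac_rules_without_layer2() {
    gen_rules | grep ' MAC ' | grep -vc 'layer2'
}

# apply_rules enables the layer2 passes and loads the rules (run as root).
apply_rules() {
    sysctl net.link.ether.ipfw=1 >/dev/null
    "$IPFW" -q -f flush
    gen_rules | while IFS= read -r rule; do
        # Word splitting of $rule into ipfw arguments is intended.
        # shellcheck disable=SC2086
        "$IPFW" -q $rule
    done
}

case "${1:-}" in
    print) gen_rules ;;
    apply) apply_rules ;;
esac
```

Run it with `print` to review the generated rules and with `apply` (as root) to load them; put `net.link.ether.ipfw=1` in /etc/sysctl.conf as well so the layer2 passes survive a reboot. After loading, `ipfw show` is the check that matters: if the counters on 1000 and 4000 stay at zero while 1999 or 4999 climb, the frames are not coming from or going to the MAC you expect (or the sysctl is still off and the layer2 sections are never entered). The 2000/3000 placeholders pass all IP traffic; the per-address IP policy belongs there, without any MAC option. IPv6 neighbour discovery uses multicast destination MACs (33:33:...), not broadcast, so a v6 setup needs a matching outbound allow next to rule 4010.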
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAC%2BJH2w6B7fXu6tvcJ8t1FZbPb7pFQVbSwk93r-9JRYpFy2hcw>