From owner-freebsd-questions@FreeBSD.ORG Mon Jun 11 03:16:57 2012
Delivered-To: freebsd-questions@freebsd.org
Date: Mon, 11 Jun 2012 11:16:56 +0800
From: Bill Yuan
To: Ian Smith
Cc: freebsd-questions@freebsd.org
Subject: Re: how to allow by MAC
References: <20120610120041.4D0F610657C3@hub.freebsd.org> <20120611025332.N46641@sola.nimnet.asn.au>
List-Id: User questions

Forgot to post the link here:
http://lists.freebsd.org/pipermail/freebsd-questions/2008-June/177636.html

On Mon, Jun 11, 2012 at 11:16 AM, Bill Yuan wrote:

> Hi Ian,
>
> Thanks for your reply. I am reading some old emails which you sent in 2008,
> when someone else asked the same question as mine.
>
>
> On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith wrote:
>
>> In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
>> On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan wrote:
>>
>> > how to allow by MAC in ipfw
>> >
>> > currently I set the rules like below
>> >
>> > 1 allow ip from any to any MAC any to
>> > 1 allow ip from any to any MAC any
>> > 2 deny all from any to any
>> >
>> > I want to only allow the MAC address to go through the FreeBSD firewall,
>> >
>> > but I found it is not working on my FreeBSD but it works on pfSense!
>> >
>> > so maybe that means the environment is not the same? And how to set up
>> > ipfw properly to support this?
>>
>> Bill, you did get some good clues in the earlier thread, but it's not
>> clear if you took note of them. There's also been some confusion ..
>>
>> Firstly, read up on layer2 (ethernet, MAC-level) filtering options in
>> ipfw(8). Thoroughly, several times, until you've got it. Seriously.
>>
>> After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf)
>> ipfw will be invoked 4 times instead of the normal 2, on every packet.
>>
>> Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the
>> inbound pass invoked from ether_demux() and the outbound pass invoked
>> from ether_output_frame() can you test for MAC addresses (or mac-types);
>> the 'normal' layer3 passes examine packets that have no layer2 headers.
>>
>> You could just add 'layer2' to any rules filtering on MAC addresses, and
>> omit MAC addresses from all layer 3 (IP) rules, but I'd recommend using
>> a method like shown there to separate layer2 and layer3 flows early on:
>>
>> # packets from ether_demux
>> ipfw add 10 skipto 1000 all from any to any layer2 in
>> # packets from ip_input
>> ipfw add 10 skipto 2000 all from any to any not layer2 in
>> # packets from ip_output
>> ipfw add 10 skipto 3000 all from any to any not layer2 out
>> # packets from ether_output_frame
>> ipfw add 10 skipto 4000 all from any to any layer2 out
>>
>> So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering
>> rules (remembering the reversed order of MAC addresses vs IP addresses,
>> and to allow broadcasts as well), pass good guys and/or block bad guys,
>> then deal with your normal IPv4|v6 traffic in a separate section(s).
>>
>> Or you could just split the flows into two streams, one for layer2 for
>> your MAC filtering, the other for layer3, ie the rest of your ruleset.
>>
>> HTH, Ian [please cc me on any reply]
>>
>
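As an added example that is not part of the thread (neither Bill's nor Ian's code), the following sh script lays out a complete MAC allow-list along the four-way skipto split Ian describes: the sysctl that turns the layer2 passes on, the flow split at rule 10, an inbound MAC section at 1000, placeholder IP sections at 2000/3000, and an outbound MAC section at 4000 that also passes broadcast and IPv6 multicast. The two MAC addresses are constructed sample values, the section numbers are the ones from Ian's message, and DRY_RUN (an assumption of this script, not an ipfw feature) defaults to printing the commands so the ruleset can be reviewed on any machine before it is applied.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): a MAC allow-list ruleset
# laid out with the four skipto rules from Ian's message.  Rule numbers
# 1000/2000/3000/4000 are his; the MAC addresses are constructed sample
# values and the layer-3 sections are placeholders for your own IP rules.
#
# DRY_RUN=1 (default) prints every command instead of running it;
# DRY_RUN=0 applies the ruleset on FreeBSD as root.

DRY_RUN="${DRY_RUN:-1}"
# Constructed sample allow-list (assumption): hosts whose frames may pass.
ALLOWED_MACS="${ALLOWED_MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_ruleset "mac1 mac2 ...": emit (or apply) the whole ruleset.
build_ruleset() {
    macs="$1"

    # Without this sysctl ipfw never sees ethernet frames, and a MAC option
    # silently matches nothing.  Persist it in /etc/sysctl.conf.
    run_cmd sysctl net.link.ether.ipfw=1
    run_cmd ipfw -f flush

    # Split the four passes early: layer2 frames go to 1000 (in) / 4000 (out),
    # layer3 packets to 2000 (in) / 3000 (out).  The layer3 passes carry no
    # ethernet header, so a MAC option there can never match.
    run_cmd ipfw add 10 skipto 1000 all from any to any layer2 in
    run_cmd ipfw add 10 skipto 2000 all from any to any not layer2 in
    run_cmd ipfw add 10 skipto 3000 all from any to any not layer2 out
    run_cmd ipfw add 10 skipto 4000 all from any to any layer2 out

    # 1000: inbound frames (ether_demux).  ipfw's MAC option is "MAC dst src",
    # the reverse of the IP order, so the allowed address goes in the src slot.
    n=1000
    for m in $macs; do
        run_cmd ipfw add "$n" allow all from any to any MAC any "$m" layer2 in
        n=$((n + 1))
    done
    run_cmd ipfw add 1999 deny all from any to any layer2 in

    # 2000/3000: ordinary IP rules belong here; this placeholder passes
    # everything that already survived the MAC check.
    run_cmd ipfw add 2000 allow ip from any to any not layer2 in
    run_cmd ipfw add 3000 allow ip from any to any not layer2 out

    # 4000: outbound frames (ether_output_frame).  Allowed address in the dst
    # slot, plus broadcast and IPv6 multicast (33:33:xx:xx:xx:xx); without
    # those, ARP and neighbour discovery from this host never leave the box.
    n=4000
    for m in $macs; do
        run_cmd ipfw add "$n" allow all from any to any MAC "$m" any layer2 out
        n=$((n + 1))
    done
    run_cmd ipfw add 4900 allow all from any to any MAC ff:ff:ff:ff:ff:ff any layer2 out
    run_cmd ipfw add 4901 allow all from any to any MAC 33:33:00:00:00:00/16 any layer2 out
    run_cmd ipfw add 4999 deny all from any to any layer2 out
}

build_ruleset "$ALLOWED_MACS"
```

Apply it from the console rather than over ssh: between `ipfw -f flush` and the first allow rule only the default rule is in force, which denies everything on a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT. Afterwards `ipfw show` lists the per-rule counters, so a MAC that should be allowed but shows hits only on rule 1999 or 4999 points at a reversed dst/src order or at the sysctl not having been set. Every section ends in its own allow or deny on purpose: a layer2-in frame that fell off the end of the 1000 block would otherwise continue into the IP rules at 2000.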