From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
Date: Tue, 21 Feb 2006 11:24:53 -0300
To: Cesar
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 with mac filtering
Message-ID: <43FB22B5.4030407@freebsdbrasil.com.br>
In-Reply-To: <000a01c636f0$d3303280$0e4fdfc8@ironman>
List-Id: IPFW Technical Discussions

Cesar wrote:
> Hi,
>
> I wanted to finish my firewall rules by doing a "deny all from any to
> any", but I can't do that with mac filtering at the same time. Let me explain.
>
> Since I use the ipfw mac filter, I have the sysctl variable
> "net.link.ether.ipfw: 1";
>
> My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2.
>
> An example of my rules:
>
> 00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
> 00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
> 65535 0 0 allow ip from any to any
>
> This works fine; rules 1 and 2 get some matches when I ping from the
> Windows box to FreeBSD.
> After this test, I added the rule "65534 0 0 deny ip from any to any".
> It still works, but after some time, if I have no traffic from 10.0.0.2,
> FreeBSD appears to remove the arp entry for that IP; if I do an "arp -a",
> I get:
>
> ? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]
>
> So, I can't ping my FreeBSD box anymore because it doesn't accept my arp
> packets. I tried to log the deny rule and I get some lines telling "Deny
> mac in".
> I tried to add another rule before the deny all, "ipfw add 100 allow mac
> any any", but this rule becomes "allow ip from any to any MAC any any",
> so I can't end my firewall rules with a "deny all from any to any".
>
> Is this a problem? Is there any workaround for this?
> I didn't try to use a fixed arp table, but I won't do that if it's not
> necessary.
>
> Thanks
>
> Cesar

I had a similar problem before when I forgot to permit arp traffic on
layer2, so I guess "mac-type arp" is not allowed to pass through your
firewall.

You may consider "allow mac-type arp layer2" somewhere in your firewall,
or denying everything on L3 only, say "deny log all from any to any not
layer2".

-- 
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
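Added illustration (not ipfw code and not from either poster): a toy model of how ipfw consults a ruleset when net.link.ether.ipfw=1, so every frame gets a layer-2 pass and IP packets a second layer-3 pass. It assumes the default rule 65535 allows (as in Cesar's listing) and leaves MAC-address matching out; the rule numbers, addresses and frames are constructed from the thread.

```python
# Toy model of ipfw evaluation with net.link.ether.ipfw=1 (constructed, simplified):
# a rule with no "layer2" / "not layer2" qualifier is consulted in both passes, which
# is why a trailing "deny ip from any to any" also drops ARP frames at layer 2.

def rule(num, action, layer2=None, mac_type=None, src_ip=None, dst_ip=None):
    """layer2=True models 'layer2', False models 'not layer2', None means either."""
    return dict(num=num, action=action, layer2=layer2, mac_type=mac_type,
                src_ip=src_ip, dst_ip=dst_ip)

def matches(r, frame, in_layer2_pass):
    if r["layer2"] is not None and r["layer2"] != in_layer2_pass:
        return False
    if r["mac_type"] is not None and frame["ethertype"] != r["mac_type"]:
        return False
    if r["src_ip"] is not None and frame.get("src_ip") != r["src_ip"]:
        return False
    if r["dst_ip"] is not None and frame.get("dst_ip") != r["dst_ip"]:
        return False
    return True

def verdict(rules, frame):
    """First matching rule decides each pass; falling off the end is rule 65535 = allow."""
    passes = [True] + ([False] if frame["ethertype"] == "ip" else [])
    for in_layer2_pass in passes:
        for r in sorted(rules, key=lambda r: r["num"]):
            if matches(r, frame, in_layer2_pass):
                if r["action"] == "deny":
                    return "deny"
                break  # allowed in this pass, continue with the next one
    return "allow"

# Constructed traffic: the ping from 10.0.0.2 and the ARP request it depends on.
PING = {"ethertype": "ip", "src_ip": "10.0.0.2", "dst_ip": "10.0.0.1"}
ARP_REQUEST = {"ethertype": "arp"}

# Cesar's ruleset once the trailing deny-all is added (MAC clauses omitted).
BROKEN = [rule(1, "allow", src_ip="10.0.0.2"),
          rule(2, "allow", dst_ip="10.0.0.2"),
          rule(65534, "deny")]
# Patrick's first suggestion: "allow mac-type arp layer2" ahead of the deny.
FIXED_ARP = [rule(100, "allow", layer2=True, mac_type="arp")] + BROKEN
# His second: keep the deny-all but restrict it with "not layer2".
FIXED_L3 = BROKEN[:2] + [rule(65534, "deny", layer2=False)]

if __name__ == "__main__":
    for name, rs in (("broken", BROKEN), ("allow arp", FIXED_ARP),
                     ("deny not layer2", FIXED_L3)):
        print(name, "ping:", verdict(rs, PING), "arp:", verdict(rs, ARP_REQUEST))
```

The broken set allows the ping but denies the ARP request, which is exactly the "Deny MAC in" log line and the vanishing arp entry; both fixes allow ARP while still denying unrelated IP traffic.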