Date:      Fri, 26 Sep 2008 11:51:44 +0300
From:      "Gleb Kurtsou" <gleb.kurtsou@gmail.com>
To:        "raffaele.delorenzo@libero.it" <raffaele.delorenzo@libero.it>
Cc:        freebsd-ipfw <freebsd-ipfw@freebsd.org>, freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: [IPFW add ARP support] - Request for testing
Message-ID:  <4c1d27f20809260151u4e44bb8epee482eb0eafebd0a@mail.gmail.com>
In-Reply-To: <K7R7Q6$C3E9A114EEC13185E344FBD19103383A@libero.it>
References:  <K7R7Q6$C3E9A114EEC13185E344FBD19103383A@libero.it>

On Thu, Sep 25, 2008 at 4:49 PM, raffaele.delorenzo@libero.it
<raffaele.delorenzo@libero.it> wrote:
> Hi all,
> In the last 2 weeks I implemented a new filter method inside the ipfw firewall for the ARP protocol.
> My idea for the new method was to create a new "proto" microinstruction exclusively for the ARP protocol, named "arp". This method permits filtering from/to a particular MAC address to be restricted to the ARP protocol.
>
> Example:
>
>      ipfw add deny arp from 52:54:00:12:34:56 to 00:11:43:cd:87:6e // Deny all ARP packets generated by "from" and destined to "to".
>
> The wildcards "any" and "me" are supported; the semantics are the same as for all old protocol rules:
>
>      ipfw add deny arp from 00:11:43:cd:87:6e to any
>
>
> Moreover, I implemented some filter methods that restrict the filtering to some ARP header fields:
>
>    1) Source MAC address (srcmac-arp)
>    2) Source IP address (srcip-arp)
>    3) Destination MAC address (dstmac-arp)
>    4) Destination IP address (dstip-arp)
>
> Example:
>
>      ./ipfw add deny arp from 00:11:43:cd:87:6e to 52:54:00:12:34:56 srcmac-arp 52:54:00:12:34:56 dstip-arp 192.9.217.29
>
> To work properly, the ARP implementation requires that ipfw receive packets from Layer 2. In other words, you must set the sysctl variable "net.link.ether.ipfw=1".
>
> I attached the new sources and all diffs with reference to the FreeBSD 7.0 Release source tree. Please let me know what you think about this work and, if possible, eventually test it.
>
> Ciao Ciao
> Raffaele
>

Just my 2 cents. There is another implementation of ARP filtering with
IPFW available.
It was implemented as a part of Google Summer of Code 2008.
I'm still waiting for a review by Max Laier.

Original message containing the patch, sent to freebsd-net@:
http://lists.freebsd.org/pipermail/freebsd-net/2008-September/019458.html
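As an added example (not code from either poster, the patch, or the GSoC work), a POSIX shell script that emits a defensive ruleset in the ARP syntax quoted above, pinning each known host's IP to its MAC so that ARP replies claiming a protected IP from any other sender are dropped. It assumes the proposed "arp" proto and the srcmac-arp/srcip-arp options exactly as described in the quoted message (they are not stock ipfw keywords); the MAC/IP bindings are made up.

```shell
#!/bin/sh
# Constructed example: generate ipfw ARP anti-spoofing rules in the syntax
# proposed in the quoted message. The script only prints the commands so it
# can be reviewed before being fed to sh on a test machine.

# valid_mac MAC : succeed only for a 6-octet, colon-separated hex address
# (catches typos such as a non-hex digit in an octet).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# arp_rules BASE "MAC IP" ... : starting at rule number BASE, print
#   1. the sysctl that makes ipfw see Layer 2 frames (required by the patch),
#   2. one allow rule per binding: Ethernet source MAC, ARP sender MAC and
#      ARP sender IP must all agree,
#   3. one deny rule per protected IP, so any other sender claiming it
#      (e.g. a gratuitous ARP with a different MAC) is dropped.
# Returns 1 without printing rules if a MAC is malformed.
arp_rules() {
    base=$1; shift
    for b in "$@"; do
        valid_mac "${b%% *}" || { echo "bad MAC: ${b%% *}" >&2; return 1; }
    done
    echo "sysctl net.link.ether.ipfw=1"
    n=$base
    for b in "$@"; do
        mac=${b%% *}; ip=${b##* }
        echo "ipfw add $n allow arp from $mac to any srcmac-arp $mac srcip-arp $ip"
        n=$((n + 1))
    done
    for b in "$@"; do
        ip=${b##* }
        echo "ipfw add $n deny arp from any to any srcip-arp $ip"
        n=$((n + 1))
    done
}

# Sample bindings (constructed); run as a script to see the generated rules.
arp_rules 100 "52:54:00:12:34:56 192.9.217.29" "00:11:43:cd:87:6e 192.9.217.30"
```

Rules are numbered consecutively from BASE, so leave a gap below the base for any catch-all rules you want evaluated first.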


