From: Gleb Kurtsou <gleb.kurtsou@gmail.com>
To: raffaele.delorenzo@libero.it
Cc: freebsd-ipfw, freebsd-net
Date: Fri, 26 Sep 2008 11:51:44 +0300
Subject: Re: [IPFW add ARP support] - Request for testing
Message-ID: <4c1d27f20809260151u4e44bb8epee482eb0eafebd0a@mail.gmail.com>

On Thu, Sep 25, 2008 at 4:49 PM, raffaele.delorenzo@libero.it wrote:
> Hi all,
> In the last 2 weeks I implemented a new filter method inside the ipfw firewall for the ARP protocol.
> My idea for the new method was to create a new "proto" microinstruction exclusively for the ARP protocol, named "arp". This method permits filtering from/to a particular MAC address to be restricted to the ARP protocol.
>
> Example:
>
> ipfw add deny arp from 52:54:00:12:34:56 to 00:11:43:cd:87:6t // Deny all ARP packets generated by "from" and destined to "to".
>
> The wildcards "any" and "me" are supported; the semantics are the same as for all old protocol rules:
>
> ipfw add deny arp from 00:11:43:cd:87:6t to any
>
> Moreover, I implemented some filter methods that restrict the filtering to some ARP header fields:
>
> 1) Source MAC address (srcmac-arp)
> 2) Source IP address (srcip-arp)
> 3) Destination MAC address (dstmac-arp)
> 4) Destination IP address (dstip-arp)
>
> Example:
>
> ./ipfw add deny arp from 00:11:43:cd:87:6e to 52:54:00:12:34:56 srcmac-arp 52:54:00:12:34:56 dstip-arp 192.9.217.29
>
> To work properly, the ARP implementation requires that ipfw receives packets from Layer 2; in other words, you must set the sysctl variable "net.link.ether.ipfw=1".
>
> I attached the new sources and all diffs with reference to the FreeBSD 7.0 Release source tree. Please let me know what you think about this work and, if possible, test it.
>
> Ciao Ciao
> Raffaele

Just my 2 cents. There is another implementation of ARP filtering with IPFW available. It was implemented as a part of Google Summer of Code 2008. I'm still waiting for a review by Max Laier.
Original message containing patch to freebsd-net@: http://lists.freebsd.org/pipermail/freebsd-net/2008-September/019458.html
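The rule syntax in the quoted message combines the Ethernet-level "from"/"to" MAC addresses with four fields taken from the ARP header itself (srcmac-arp, srcip-arp, dstmac-arp, dstip-arp). As an added illustration that is not code from either ARP-filter implementation discussed in this thread, the following Python models that matching over a raw Ethernet/ARP frame: first matching rule wins as in ipfw, `None` stands for the "any" wildcard ("me" is not modelled), and the sample frame and rule are constructed from the quoted example. The `sender_mac_mismatch` check (Ethernet source MAC versus the ARP sender hardware address) is an extra consistency check of my own, not something the patch provides; it exists because the two fields are independent and the rule syntax above lets an operator constrain each separately.

```python
"""ipfw-style ARP rule matching modelled in Python (constructed example, not the patch's code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_ARP = 0x0806
ARP_HDR_LEN = 28  # fixed size for Ethernet/IPv4 ARP (htype=1, ptype=0x0800, hlen=6, plen=4)


def mac_bytes(s: str) -> bytes:
    """'52:54:00:12:34:56' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    """'192.9.217.29' -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))


@dataclass
class ArpFrame:
    eth_src: bytes   # Ethernet source MAC  (rule "from")
    eth_dst: bytes   # Ethernet destination MAC (rule "to")
    opcode: int      # 1 = request, 2 = reply
    sha: bytes       # sender hardware address  (srcmac-arp)
    spa: bytes       # sender protocol address  (srcip-arp)
    tha: bytes       # target hardware address  (dstmac-arp)
    tpa: bytes       # target protocol address  (dstip-arp)


def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + ARP_HDR_LEN:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # other hardware/protocol combinations are simply not ARP-matched here
    body = frame[22:42]
    return ArpFrame(eth_src, eth_dst, opcode, body[0:6], body[6:10], body[10:16], body[16:20])


@dataclass
class ArpRule:
    action: str                        # "deny" or "allow"
    eth_from: Optional[bytes] = None   # None means "any"
    eth_to: Optional[bytes] = None
    srcmac_arp: Optional[bytes] = None
    srcip_arp: Optional[bytes] = None
    dstmac_arp: Optional[bytes] = None
    dstip_arp: Optional[bytes] = None

    def matches(self, f: ArpFrame) -> bool:
        checks = [
            (self.eth_from, f.eth_src), (self.eth_to, f.eth_dst),
            (self.srcmac_arp, f.sha), (self.srcip_arp, f.spa),
            (self.dstmac_arp, f.tha), (self.dstip_arp, f.tpa),
        ]
        return all(want is None or want == got for want, got in checks)


def evaluate(rules: List[ArpRule], frame: bytes, default: str = "allow") -> str:
    """First matching rule wins, as in ipfw; non-ARP frames fall through to the default."""
    f = parse_arp_frame(frame)
    if f is None:
        return default
    for rule in rules:
        if rule.matches(f):
            return rule.action
    return default


def sender_mac_mismatch(frame: bytes) -> bool:
    """Extra consistency check (my addition): Ethernet source MAC differs from the ARP sender MAC."""
    f = parse_arp_frame(frame)
    return f is not None and f.eth_src != f.sha


def build_arp_frame(eth_src: str, eth_dst: str, sha: str, spa: str,
                    tha: str, tpa: str, opcode: int = 1) -> bytes:
    """Construct a test frame: Ethernet header (dst, src, type) followed by the 28-byte ARP header."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


# The rule from the quoted message:
#   ipfw add deny arp from 00:11:43:cd:87:6e to 52:54:00:12:34:56 srcmac-arp 52:54:00:12:34:56 dstip-arp 192.9.217.29
RULESET = [
    ArpRule("deny",
            eth_from=mac_bytes("00:11:43:cd:87:6e"), eth_to=mac_bytes("52:54:00:12:34:56"),
            srcmac_arp=mac_bytes("52:54:00:12:34:56"), dstip_arp=ip_bytes("192.9.217.29")),
]

if __name__ == "__main__":
    # Constructed frames: the first satisfies every constraint of the rule, the second differs in srcmac-arp.
    hit = build_arp_frame("00:11:43:cd:87:6e", "52:54:00:12:34:56",
                          "52:54:00:12:34:56", "10.0.0.1", "00:00:00:00:00:00", "192.9.217.29")
    miss = build_arp_frame("00:11:43:cd:87:6e", "52:54:00:12:34:56",
                           "00:11:43:cd:87:6e", "10.0.0.1", "00:00:00:00:00:00", "192.9.217.29")
    print(evaluate(RULESET, hit), evaluate(RULESET, miss), sender_mac_mismatch(hit))
```

Note that the quoted rule only fires when the Ethernet source is 00:11:43:cd:87:6e while the ARP sender hardware address is 52:54:00:12:34:56, which is exactly the kind of frame `sender_mac_mismatch` reports; a plain `deny arp from any to any` (an `ArpRule("deny")` here) would instead match every ARP frame regardless of the header fields, and because evaluation is first-match, the order in which such rules are listed decides the outcome.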