Date: Sun, 9 Jan 2005 12:11:07 +0800 From: "heath, Chia Hui Chen" <heath0504@gmail.com> To: "Christian Hiris" <4711@chello.at> Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw + MAC nothing happens? Message-ID: <018201c4f601$407b9e60$f8813b3d@linuxlmx20ji5l> References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l> <200501082236.24796.4711@chello.at> <200501090124.55534.4711@chello.at>
next in thread | previous in thread | raw e-mail | index | archive | help
It's work, thank you very much. :) ----- Original Message ----- From: "Christian Hiris" <4711@chello.at> To: <freebsd-ipfw@freebsd.org> Cc: "heath, Chia Hui Chen" <heath0504@gmail.com> Sent: Sunday, January 09, 2005 8:24 AM Subject: Re: ipfw + MAC nothing happens? > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Saturday 08 January 2005 22:36, Christian Hiris wrote: > > The diverted packets are not layer-2 packets, so they must be able to > > bypass the layer-2 rules. In our case all diverted packets match rule 30, > > because none of the two layer-2 rules (10 and 20) applies. > > So please add the rule below to your ruleset. If this doesn't work, I will > > try to reproduce this on one of my boxes. > > Sorry, I'm kinda braindead today ... > > 00030 3 144 deny tcp from any to any dst-port 443 > > The above rule will not work, because at ip_input, the layer-2 headers already > striped off and the packet will be treated as layer-3 packet. > > Good news are: I tested another solution on one of my boxen. The result is > that all filtering on MAC _and_ port must be done on layer-2. I also forgot > to add the necessary rules to allow layer-2 packets in the last example > (shame on me). > > So here are the rules I tested, but I did not test them with natd enabled and > the divert rule. > > > # Bypass all packets w/o layer-2 headers > ipfw add 10 skipto 30 all from any to any not layer2 > > # Branch to MAC filter, if we find layer-2 and dst-port 443 > ipfw add 11 skipto 20 all from any to any 443 layer2 > > # For all other layer-2 packets jump to rule 30 > ipfw add 12 skipto 30 MAC any any > > # MAC filter for layer-2 packets we got from rule 11 > ipfw add 20 deny MAC any 00:e0:18:62:xx:xx > > # Allow rest of layer-2 packets > ipfw add 30 pass MAC any any > > # Process packets as usual > > 00050 divert 8668 ip from any to any via fxp0 > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > 65000 allow ip from any to any > 65535 deny ip from any to any > ============================================================ > > PS: I would also think about users that try to circumvent the rules by using > proxies and/or users that are smart enough to spoof their MAC addresses. > > - -- > Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE > OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.6 (FreeBSD) > > iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq > 87O4RZ1U19Hh4vznXIgYksg= > =Z5yx > -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?018201c4f601$407b9e60$f8813b3d>