Date:      Thu, 9 May 2013 05:44:46 -0700 (PDT)
From:      Nomad Esst <noname.esst@yahoo.com>
To:        "Peter N. M. Hansteen" <peter@bsdly.net>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: packet tagging
Message-ID:  <1368103486.77403.YahooMailNeo@web162706.mail.bf1.yahoo.com>
In-Reply-To: <878v3obakf.fsf@deeperthought.bsdly.net>
References:  <1368097169.74234.YahooMailNeo@web162701.mail.bf1.yahoo.com> <878v3obakf.fsf@deeperthought.bsdly.net>

> > Should the system act as a bridge in order to do the tagging or is it
> > (bridge) just used to do the tagging regardless of the system rule?
>
> You can tag packets on incoming and filter on the tags later in your
> ruleset in non-bridge configurations too. But of course bridges have
> their own tagging and filtering facilities that may be combined with PF
> features.

I want to filter packets based on their MAC address. After many hours of googling I found out that such filtering is done via bridge. I just want to know are there any ways besides this??? I also found these patches which are too old and I could not apply them on my FBSD 8.2 ....
Any suggestions? I'm so disappointed ...
Date:      Thu, 09 May 2013 17:54:42 +0200
From:      Christophe <tech@stuxnet.org>
To:        freebsd-pf@freebsd.org
Subject:   Re: packet tagging
Message-ID:  <518BC6C2.5030702@stuxnet.org>
In-Reply-To: <1368103486.77403.YahooMailNeo@web162706.mail.bf1.yahoo.com>
References:  <1368097169.74234.YahooMailNeo@web162701.mail.bf1.yahoo.com> <878v3obakf.fsf@deeperthought.bsdly.net> <1368103486.77403.YahooMailNeo@web162706.mail.bf1.yahoo.com>

Hi,

Nomad Esst wrote,
> I want to filter packets based on their MAC address. After many hours of googling I found out that such filtering is done via bridge. I just want to know are there any ways besides this??? I also found these patches which are too old and I could not apply them on my FBSD 8.2 ....
> Any suggestions? I'm so disappointed ...

Never made such a config on FreeBSD, but on OpenBSD:

A bridge (even with a single interface) is, as far as I know, mandatory to filter MAC-based packets.


A "rulefile" (/etc/l2filter) like this:

### WKS1 ########
pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan

### WKS2 ########
pass in on trunk0 src 00:1d:72:b0:b3:91 tag wks2lan

### WKS3 ########
pass in on trunk0 src 08:00:27:50:fe:f4 tag wks3lan

### WKS4 ########
pass in on trunk0 src 08:00:27:03:7f:9b tag wks4lan

### WKS5 ########
pass in on trunk0 src 08:00:27:45:d3:27 tag wks5lan

### WKS6 #########
pass in on trunk0 src 00:1f:16:f0:dc:55 tag wks6lan

...


Loading the rulefile on the bridge:

ifconfig bridge0 rulefile /etc/l2filter


pf rule sample:

pass in quick on $int_if inet proto tcp from $lan_nets to ! <localnets_v4> port { www, https } tagged wks4lan tag fromlan keep state



If modifications are made to /etc/l2filter (and trunk0 and re2 are the bridged interfaces):

ifconfig bridge0 flushrule re2
ifconfig bridge0 flushrule trunk0
ifconfig bridge0 rulefile /etc/l2filter



To disable:

ifconfig bridge0 flushrule re2
ifconfig bridge0 flushrule trunk0
ifconfig bridge0 rule pass in on re2
ifconfig bridge0 rule pass in on trunk0



Remember it is a native OpenBSD configuration; I don't know if it applies on FreeBSD.


Regards.
Christophe.


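As an added example (not code from Christophe's message or from OpenBSD itself): a POSIX sh script that builds the /etc/l2filter rulefile from a MAC-to-tag table, rejects malformed MACs before they reach the bridge, and prints the flushrule/rulefile reload sequence from the message above. The table contents, the MACs, the interface names and the function names are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: generate the
# bridge rulefile from a MAC -> tag table and print the reload sequence.
# WKS_TABLE, the interface names and all MACs are constructed samples.

# Constructed inventory, one "<name> <mac> <tag>" per line. The last row
# has a truncated MAC on purpose, to show that bad rows are rejected.
WKS_TABLE='wks1 00:1d:72:b0:b3:94 wks1lan
wks2 00:1d:72:b0:b3:91 wks2lan
bogus 00:1d:72:b0:b3 badtag'

# Succeed only for a colon-separated 48-bit MAC (case-insensitive hex).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit "pass in on <iface> src <mac> tag <tag>" per valid row, with the
# same "### NAME ####" banner used in /etc/l2filter above. Rows with a
# malformed MAC are reported on stderr and skipped rather than written
# as a rule the bridge would reject when the whole file is loaded.
gen_l2filter() {
    iface=$1
    printf '%s\n' "$WKS_TABLE" | while read -r name mac tag; do
        [ -n "$name" ] || continue
        if ! valid_mac "$mac"; then
            printf 'skipping %s: malformed MAC %s\n' "$name" "$mac" >&2
            continue
        fi
        printf '### %s ########\n' "$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')"
        printf 'pass in on %s src %s tag %s\n' "$iface" "$mac" "$tag"
    done
}

# Print the reload steps from the message: flush each member's rules,
# then load the file. Printed rather than executed so the example runs
# on any host; pipe the output into sh on the bridge itself to apply it.
reload_cmds() {
    bridge=$1
    file=$2
    shift 2
    for member in "$@"; do
        printf 'ifconfig %s flushrule %s\n' "$bridge" "$member"
    done
    printf 'ifconfig %s rulefile %s\n' "$bridge" "$file"
}

# Usage: emit the rules, then show the reload on bridge0 (members re2, trunk0).
gen_l2filter trunk0
reload_cmds bridge0 /etc/l2filter re2 trunk0
```

The bridge tag only records which source MAC a frame carried, and a sender can set any MAC it likes, so treat the tag as inventory rather than as authentication. The `rule`, `rulefile` and `flushrule` options are OpenBSD ifconfig(8) bridge features; FreeBSD's if_bridge(4) does not implement them, so this script is OpenBSD-specific.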



