Date:      Fri, 10 May 2013 00:19:36 -0400
From:      Jason Hellenthal <jhellenthal@dataix.net>
To:        Christophe <tech@stuxnet.org>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: packet tagging
Message-ID:  <5D8FA439-4EA7-462F-B410-A815C1C78769@DataIX.net>
In-Reply-To: <518BC6C2.5030702@stuxnet.org>
References:  <1368097169.74234.YahooMailNeo@web162701.mail.bf1.yahoo.com> <878v3obakf.fsf@deeperthought.bsdly.net> <1368103486.77403.YahooMailNeo@web162706.mail.bf1.yahoo.com> <518BC6C2.5030702@stuxnet.org>

As for 8-STABLE this functionality is not available.

I'm not tracking 9-* so someone else will have to answer for that.

But as far as L2 filtering on the bridge...

You will probably want ipfw instead, as on 8-* we're using pf 4.3? which on FreeBSD is L3 & L4 filtering only.

If you are looking for a BSD solution for filtering only and your concern is mainly based on using pf, I will sadly say you should lean on OpenBSD unless something changes or you are willing to use access lists on your switches.

Now if your concern is mainly wireless the if_wlan interface is capable of its own l2 filtering but nothing like pf.

Good luck & best packeting,

-- 
 Jason Hellenthal
 IS&T Services Professional
 Inbox: jhellenthal@DataIX.net
 JJH48-ARIN


On May 9, 2013, at 11:54, Christophe <tech@stuxnet.org> wrote:

> Hi,
>
> Nomad Esst wrote,
>> I want to filter packets based on their MAC address. After many hours of googling I found out that such filtering is done via bridge. I just want to know are there any ways besides this??? I also found these patches which are too old and I could not apply them on my FBSD 8.2 ....
>> Any suggestions? I'm so disappointed ...
>
> Never made such a config on FreeBSD but on OpenBSD :
>
> A bridge (even with a single interface) is, as far as I know, mandatory to filter MAC based packets.
>
> A "rulefile" : /etc/l2filter like this :
>
> ### WKS1 ########
> pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan
>
> ### WKS2 ########
> pass in on trunk0 src 00:1d:72:b0:b3:91 tag wks2lan
>
> ### WKS3 ########
> pass in on trunk0 src 08:00:27:50:fe:f4 tag wks3lan
>
> ### WKS4 ########
> pass in on trunk0 src 08:00:27:03:7f:9b tag wks4lan
>
> ### WKS5 ########
> pass in on trunk0 src 08:00:27:45:d3:27 tag wks5lan
>
> ### WKS6 #########
> pass in on trunk0 src 00:1f:16:f0:dc:55 tag wks6lan
>
> ...
>
> Bringing the rulefile on the bridge :
>
> ifconfig bridge0 rulefile /etc/l2filter
>
> pf rule sample :
>
> pass in quick on $int_if inet proto tcp from $lan_nets to ! <localnets_v4> port { www, https } tagged wks4lan tag fromlan keep state
>
> If modifications are made in /etc/l2filter (and trunk0 and re2 bridged themselves) :
>
> ifconfig bridge0 flushrule re2
> ifconfig bridge0 flushrule trunk0
> ifconfig bridge0 rulefile /etc/l2filter
>
> to disable :
>
> ifconfig bridge0 flushrule re2
> ifconfig bridge0 flushrule trunk0
> ifconfig bridge0 rule pass in on re2
> ifconfig bridge0 rule pass in on trunk0
>
> Remember it is an OpenBSD (native) configuration, I don't know if it applies on FreeBSD.
>
> Regards.
> Christophe.
>
>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
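A consistency check for the OpenBSD bridge(4) rulefile plus pf `tagged` setup Christophe describes above, added here as an example and not code from either poster. It parses rules of the exact `pass in on IFACE src MAC tag TAG` form shown, rejects malformed MACs and duplicate tags, and reports any pf `tagged` reference that no bridge rule ever sets (such a pf rule silently never matches). The rulefile and pf.conf fragments are constructed sample input.

```python
import re

# Constructed sample bridge(4) rulefile in the form shown in the thread.
L2FILTER = """\
### WKS1 ########
pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan

### WKS4 ########
pass in on trunk0 src 08:00:27:03:7f:9b tag wks4lan
"""

# Constructed pf.conf fragment; the second rule references a tag nobody sets.
PF_CONF = """\
pass in quick on $int_if inet proto tcp from $lan_nets to ! <localnets_v4> port { www, https } tagged wks4lan tag fromlan keep state
pass in quick on $int_if inet proto tcp tagged wks9lan tag fromlan keep state
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
# Only the src-MAC/tag rule shape used in the thread is accepted (assumption).
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\s+on\s+(\S+)\s+src\s+(\S+)\s+tag\s+(\S+)$")


def parse_l2filter(text):
    """Return {tag: (iface, mac)}; raise ValueError on a bad rule, bad MAC or duplicate tag."""
    tags = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # comments like '### WKS1 ###'
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule: {line}")
        _action, _direction, iface, mac, tag = m.groups()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: malformed MAC address {mac}")
        if tag in tags:
            raise ValueError(f"line {lineno}: tag {tag} defined twice")
        tags[tag] = (iface, mac.lower())
    return tags


def pf_tagged_refs(text):
    """Every tag a pf rule tests with the 'tagged' keyword (negated '! tagged' included)."""
    return set(re.findall(r"\btagged\s+(\S+)", text))


def undefined_tags(l2filter_text, pf_text):
    """Tags pf matches on that no bridge rule sets: those pf rules can never fire."""
    return sorted(pf_tagged_refs(pf_text) - set(parse_l2filter(l2filter_text)))


if __name__ == "__main__":
    print("bridge tags:", parse_l2filter(L2FILTER))
    print("pf 'tagged' with no bridge rule:", undefined_tags(L2FILTER, PF_CONF))
```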


