From: Jason Hellenthal <jhellenthal@dataix.net>
Subject: Re: packet tagging
Date: Fri, 10 May 2013 00:19:36 -0400
To: Christophe
Cc: freebsd-pf@freebsd.org
Message-Id: <5D8FA439-4EA7-462F-B410-A815C1C78769@DataIX.net>
In-Reply-To: <518BC6C2.5030702@stuxnet.org>

As for 8-STABLE this functionality is not available. I'm not tracking 9-* so someone else will have to answer for that.

But as far as L2 filtering on the bridge... You will probably want ipfw instead, as on 8-* we're using pf4.3¿ which on FreeBSD is L3 & L4 filtering only.

If you are looking for a BSD solution for filtering only and your concern is mainly based on using pf, I will sadly say you should lean on OpenBSD unless something changes or you are willing to use access lists on your switches. Now if your concern is mainly wireless, the if_wlan interface is capable of its own L2 filtering, but nothing like pf.
Good luck & best packeting,

--
Jason Hellenthal
IS&T Services Professional
Inbox: jhellenthal@DataIX.net
JJH48-ARIN

On May 9, 2013, at 11:54, Christophe wrote:

> Hi,
>
> Nomad Esst wrote,
>> I want to filter packets based on their MAC address. After many hours of googling I found out that such filtering is done via bridge. I just want to know, are there any ways besides this? I also found these patches, which are too old and I could not apply them on my FBSD 8.2 ....
>> Any suggestions? I'm so disappointed ...
>
> Never made such a config on FreeBSD but on OpenBSD:
>
> A bridge (even with a single interface) is, as far as I know, mandatory to filter MAC based packets.
>
> A "rulefile": /etc/l2filter like this:
>
> ### WKS1 ########
> pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan
>
> ### WKS2 ########
> pass in on trunk0 src 00:1d:72:b0:b3:91 tag wks2lan
>
> ### WKS3 ########
> pass in on trunk0 src 08:00:27:50:fe:f4 tag wks3lan
>
> ### WKS4 ########
> pass in on trunk0 src 08:00:27:03:7f:9b tag wks4lan
>
> ### WKS5 ########
> pass in on trunk0 src 08:00:27:45:d3:27 tag wks5lan
>
> ### WKS6 #########
> pass in on trunk0 src 00:1f:16:f0:dc:55 tag wks6lan
>
> ...
>
> Bringing the rulefile on the bridge:
>
> ifconfig bridge0 rulefile /etc/l2filter
>
> pf rule sample:
>
> pass in quick on $int_if inet proto tcp from $lan_nets to ! port { www, https } tagged wks4lan tag fromlan keep state
>
> If modifications are made in /etc/l2filter (and trunk0 and re2 bridged themselves):
>
> ifconfig bridge0 flushrule re2
> ifconfig bridge0 flushrule trunk0
> ifconfig bridge0 rulefile /etc/l2filter
>
> To disable:
>
> ifconfig bridge0 flushrule re2
> ifconfig bridge0 flushrule trunk0
> ifconfig bridge0 rule pass in on re2
> ifconfig bridge0 rule pass in on trunk0
>
> Remember it is an OpenBSD (native) configuration, I don't know if it applies on FreeBSD.
>
> Regards.
> Christophe.
>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
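The bridge-rulefile-plus-pf-`tagged` setup Christophe describes, as an added example that is not part of the thread: a POSIX shell script that renders the bridge(4) rulefile and a matching pf.conf fragment from a MAC-to-tag table, and rejects malformed or multicast MACs before the file would be loaded with `ifconfig bridge0 rulefile`. It assumes the member interface trunk0 and the pf macro `$int_if` from his post; the MAC table is constructed.

```shell
# Added example (not from the thread): build the OpenBSD bridge(4) rulefile and
# a pf.conf fragment from a MAC -> tag table, refusing bad entries up front.
# Assumed: bridge member trunk0 and pf macro $int_if; the table is constructed.

# Constructed table, one "<mac> <tag>" per line; the third entry is deliberately bad.
HOSTS='00:1d:72:b0:b3:94 wks1lan
08:00:27:50:fe:f4 wks3lan
08:00:27:zz:00:01 badhost'

# Return 0 for a well-formed unicast MAC: six colon-separated hex octets with the
# group bit (low bit of the first octet) clear; return 1 otherwise.
valid_mac() {
    case "$1" in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9a-fA-F:]*) return 1 ;;
    esac
    [ $(( 0x${1%%:*} & 1 )) -eq 0 ]
}

# One bridge(4) rule: pass frames from this MAC on the member interface and tag them.
l2_rule() { printf 'pass in on %s src %s tag %s\n' "$1" "$2" "$3"; }

# Render the rulefile on stdout; rejected entries go to stderr and the function
# returns 1, so a deploy script can refuse to load a partially valid file.
gen_rulefile() {
    rc=0
    while read -r mac tag; do
        [ -n "$mac" ] || continue
        if valid_mac "$mac"; then
            l2_rule "$1" "$mac" "$tag"
        else
            printf 'rejected: %s %s\n' "$mac" "$tag" >&2; rc=1
        fi
    done <<EOF
$HOSTS
EOF
    return $rc
}

# pf.conf fragment: block by default, then pass only frames the bridge tagged,
# so a source MAC missing from the table never matches a pass rule.
gen_pf() {
    printf 'block in on $int_if\n'
    gen_rulefile "$1" 2>/dev/null | awk '{ printf "pass in quick on $int_if tagged %s tag fromlan keep state\n", $NF }'
}

gen_rulefile trunk0 || echo 'rulefile has rejected entries; do not load it' >&2
gen_pf trunk0
```

Because the pf pass rules match only on `tagged`, a frame whose source MAC is absent from the table carries no tag and falls through to the block rule.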