From owner-freebsd-questions@FreeBSD.ORG Wed Jun 25 18:55:20 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B94BC106566B for ; Wed, 25 Jun 2008 18:55:20 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.freebsd.org (Postfix) with ESMTP id 271E18FC39 for ; Wed, 25 Jun 2008 18:55:18 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id EAA29939; Thu, 26 Jun 2008 04:54:30 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Thu, 26 Jun 2008 04:54:29 +1000 (EST) From: Ian Smith To: Chris St Denis In-Reply-To: <20080624211333.4D1A710656C9@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: Yavuz Maslak , freebsd-questions@freebsd.org Subject: Re: how to reject all mac addresses except some mac addresses using ipfw? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Jun 2008 18:55:20 -0000 On Tue, 24 Jun 2008 12:23:48 -0700 Chris St Denis wrote: > Yavuz Maslak wrote: > > I use ipfw on freebsd7. > > > > I have two questions > > > > 1- I want to fix an ip address for each mac address. But some pc > > and servers have more than an ip address. How can I map multiple ip > > addresses for a mac address? > > 2- I want to allow these fixed mac addresses using ipfw. After that > > I want to deny all mac address via the server's local ethernet card. > > How can I do these cases? > I haven't used ipfw for mac level filtering before, but it looks like > the syntax is. > > ipfw add allow MAC any > ipfw add allow MAC any > ipfw add allow MAC any > ipfw add deny MAC any any > > You'll probably have to include the server's own MAC in that list. Firstly, a similar caveat; I haven't actually used this myself yet, but scanning ipfw(8) for 'mac|MAC' reveals that it's not quite so simple. You need to separate layer2 packets that have an associated MAC address, from layer3 packets, that don't. To filter layer2 packets you need to set sysctl net.link.ether.ipfw=1 'Controls whether layer-2 packets are passed to ipfw. Default is no (0)' With this set, ipfw will be invoked twice on each incoming packet, and twice on each outgoing one. Testing here just on the input path, perhaps .. see ipfw(8): # packets from ether_demux or bdg_forward ipfw add 10 skipto 1000 all from any to any layer2 in recv $some_if # packets from ip_input (layer 3) ipfw add 10 skipto 2000 all from any to any not layer2 in recv $some_if [.. see ipfw(8) example ..] # incoming packets from ether_demux, having a mac address, on $some_if # first example re Q1, two IP addresses having the same MAC (aliases?) ipaddr1='192.168.0.30' ipaddr2='192.168.0.31' # or could use a list, or a table .. srcmac1='de:ad:be:ef:c0:de' ipaddr3='192.168.0.50' srcmac3='de:af:fe:ca:dd:ed' [..] ipfw add 1000 skipto 1500 all from $ipaddr1 to any MAC any $srcmac1 ipfw add 1001 skipto 1500 all from $ipaddr2 to any MAC any $srcmac1 # another box ipfw add 1010 skipto 1500 all from $ipaddr3 to any MAC any $srcmac3 [..] ipfw add 1490 deny log all from any to any # unknown MAC/IP pairs ipfw add 1500 allow all from any to any # proceed to layer 3 pass .. [..] ipfw add 2000 [.. layer 3 filtering as per usual ..] Note that MAC addresses are specified dst-mac first, then src-mac, and that you will also need to allow, if not check, outgoing layer2 pkts. Completely untested: may contain syntax errors, traces of nuts, etc. cheers, Ian