From owner-freebsd-net@FreeBSD.ORG  Fri Jun 12 08:08:15 2015
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 63B35AC6
 for <freebsd-net@hub.freebsd.org>; Fri, 12 Jun 2015 08:08:15 +0000 (UTC)
 (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id CE7A81F68
 for <freebsd-net@freebsd.org>; Fri, 12 Jun 2015 08:08:14 +0000 (UTC)
 (envelope-from smithi@nimnet.asn.au)
Received: from localhost (localhost [127.0.0.1])
 by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t5C87sj3082887;
 Fri, 12 Jun 2015 18:07:54 +1000 (EST)
 (envelope-from smithi@nimnet.asn.au)
Date: Fri, 12 Jun 2015 18:07:54 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Guido Falsi <mad@madpilot.net>
cc: John Reynolds <johnjen@reynoldsnet.org>, freebsd-net@freebsd.org
Subject: Re: question on NAT + IPFW
In-Reply-To: <557A835C.1090106@madpilot.net>
Message-ID: <20150612174047.Q74737@sola.nimnet.asn.au>
References: <557A48A2.4090805@reynoldsnet.org> <557A80F8.1070109@madpilot.net>
 <557A835C.1090106@madpilot.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2015 08:08:15 -0000

On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote:

 > > looks correct, assuming xl0 is your internal interface (better put it in
 > > a variable and use the variable in your rules imho)
 > 
 > Forgot one thing, working around this block is as easy as changing the
 > machine IP, teenager can learn this easily and it can be done in a lot
 > of ways, even if they are not root(or equivalent) on their machine, they
 > can just boot from a CD with some live OS. You could have a better block
 > by also checking the MAC address, like this:
 > 
 > $cmd 021 deny log MAC any 00:aa:00:00:00:00:01 via xl0
 > 
 > (not tested)
 > 
 > MAC addresses can be modified too but it's somewhat more difficult.

While that's all true, blocking at layer 2 requires extra work that may 
be beyond what's needed here, to have ipfw deal with layer 2 traffic.

sysctl net.link.ether.ipfw=1 must be set for ipfw to see layer 2 packets 
at all, and then you'd need to follow ipfw(8) section PACKET FLOW to 
separate the layer 2 and 3 traffic in order to look at MAC addresses on 
the appropriate one of the extra two passes through ipfw this entails.

Maybe best not telling the teenagers exactly how you're blocking them, 
which at least gives you a headstart in the race :)

cheers, Ian