From: Nomad Esst
Date: Thu, 9 May 2013 05:44:46 -0700 (PDT)
Subject: Re: packet tagging
To: "Peter N. M. Hansteen", freebsd-pf@freebsd.org
Message-ID: <1368103486.77403.YahooMailNeo@web162706.mail.bf1.yahoo.com>
In-Reply-To: <878v3obakf.fsf@deeperthought.bsdly.net>

> > Should the system act as a bridge in order to do the tagging or is it
> > (bridge) just used to do the tagging regardless of the system rule?
>
> You can tag packets on incoming and filter on the tags later in your
> ruleset in non-bridge configurations too. But of course bridges have
> their own tagging and filtering facilities that may be combined with PF
> features.

I want to filter packets based on their MAC address. After many hours of googling I found out that such filtering is done via a bridge. I just want to know: are there any ways besides this? I also found these patches, which are too old, and I could not apply them on my FBSD 8.2 ....
Any suggestions? I'm so disappointed ...
From: Christophe
Date: Thu, 09 May 2013 17:54:42 +0200
Subject: Re: packet tagging
To: freebsd-pf@freebsd.org
Message-ID: <518BC6C2.5030702@stuxnet.org>
In-Reply-To: <1368103486.77403.YahooMailNeo@web162706.mail.bf1.yahoo.com>

Hi,

Nomad Esst wrote,
> I want to filter packets based on their MAC address. After many hours of googling I found out that such filtering is done via a bridge. I just want to know: are there any ways besides this? I also found these patches, which are too old, and I could not apply them on my FBSD 8.2 ....
> Any suggestions? I'm so disappointed ...

Never made such a config on FreeBSD, but on OpenBSD:

A bridge (even with a single interface) is, as far as I know, mandatory to filter MAC-based packets.

A "rulefile", /etc/l2filter, like this:

    ### WKS1 ########
    pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan
    ### WKS2 ########
    pass in on trunk0 src 00:1d:72:b0:b3:91 tag wks2lan
    ### WKS3 ########
    pass in on trunk0 src 08:00:27:50:fe:f4 tag wks3lan
    ### WKS4 ########
    pass in on trunk0 src 08:00:27:03:7f:9b tag wks4lan
    ### WKS5 ########
    pass in on trunk0 src 08:00:27:45:d3:27 tag wks5lan
    ### WKS6 #########
    pass in on trunk0 src 00:1f:16:f0:dc:55 tag wks6lan
    ...

Bringing the rulefile on the bridge:

    ifconfig bridge0 rulefile /etc/l2filter

pf rule sample:

    pass in quick on $int_if inet proto tcp from $lan_nets to ! port { www, https } tagged wks4lan tag fromlan keep state

If modifications are made in /etc/l2filter (and trunk0 and re2 bridged themselves):

    ifconfig bridge0 flushrule re2
    ifconfig bridge0 flushrule trunk0
    ifconfig bridge0 rulefile /etc/l2filter

To disable:

    ifconfig bridge0 flushrule re2
    ifconfig bridge0 flushrule trunk0
    ifconfig bridge0 rule pass in on re2
    ifconfig bridge0 rule pass in on trunk0

Remember it is an OpenBSD (native) configuration; I don't know if it applies on FreeBSD.

Regards.
Christophe.
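As an added example (not code from either poster), a small Python check for the setup Christophe describes: it parses an ifconfig(8)-style bridge rulefile, flags malformed or duplicated source MAC entries, and reports any tag that pf.conf filters on with `tagged` but that no bridge rule ever assigns. The rulefile and pf.conf fragments embedded below are constructed for the demonstration, as are the deliberate mistakes in them.

```python
import re

# Constructed rulefile in the ifconfig(8) bridge syntax from the thread.
# Lines 6 and 7 are deliberately wrong: a bad MAC digit and a MAC that is
# already assigned to wks1lan.
L2FILTER = """\
### WKS1 ########
pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan
### WKS2 ########
pass in on trunk0 src 00:1d:72:b0:b3:91 tag wks2lan
pass in on trunk0 src 08:00:27:50:fe:g4 tag wks3lan
pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks9lan
"""

# Constructed pf.conf fragment consuming the tags; wks4lan is never set above.
PF_CONF = """\
pass in quick on $int_if inet proto tcp from $lan_nets port { www, https } tagged wks4lan tag fromlan keep state
block in quick on $int_if tagged wks2lan
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
# rule: block|pass in|out on <iface> [src <mac>] [dst <mac>] [tag <name>]
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\s+on\s+(\S+)"
                     r"(?:\s+src\s+(\S+))?(?:\s+dst\s+(\S+))?(?:\s+tag\s+(\S+))?$")

def parse_l2filter(text):
    """Return (rules, errors); comments and blank lines are skipped."""
    rules, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            errors.append(f"line {n}: unparsable rule: {line}")
            continue
        action, direction, iface, src, dst, tag = m.groups()
        for mac in (src, dst):
            if mac and not MAC_RE.match(mac):
                errors.append(f"line {n}: bad MAC address {mac}")
        rules.append({"action": action, "dir": direction, "iface": iface,
                      "src": src, "dst": dst, "tag": tag})
    return rules, errors

def audit(l2_text, pf_text):
    """Cross-check bridge rules against the tags pf.conf relies on."""
    rules, errors = parse_l2filter(l2_text)
    seen = {}  # (iface, dir, src MAC) -> tag, to catch one host tagged twice
    for r in rules:
        key = (r["iface"], r["dir"], r["src"])
        if r["src"] and key in seen:
            errors.append(f"duplicate src {r['src']} on {r['iface']} "
                          f"(tags {seen[key]} and {r['tag']})")
        elif r["src"]:
            seen[key] = r["tag"]
    defined = {r["tag"] for r in rules if r["tag"]}
    referenced = set(re.findall(r"\btagged\s+(\S+)", pf_text))
    for t in sorted(referenced - defined):
        errors.append(f"pf.conf uses 'tagged {t}' but no bridge rule sets it")
    return errors

if __name__ == "__main__":
    for problem in audit(L2FILTER, PF_CONF):
        print(problem)
```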