From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 9 04:11:00 2005
Message-ID: <018201c4f601$407b9e60$f8813b3d@linuxlmx20ji5l>
From: "heath, Chia Hui Chen"
To: "Christian Hiris" <4711@chello.at>
Cc: freebsd-ipfw@freebsd.org
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l> <200501082236.24796.4711@chello.at> <200501090124.55534.4711@chello.at>
Date: Sun, 9 Jan 2005 12:11:07 +0800
Subject: Re: ipfw + MAC nothing happens?
It works, thank you very much. :)

----- Original Message -----
From: "Christian Hiris" <4711@chello.at>
To:
Cc: "heath, Chia Hui Chen"
Sent: Sunday, January 09, 2005 8:24 AM
Subject: Re: ipfw + MAC nothing happens?

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> > The diverted packets are not layer-2 packets, so they must be able to
> > bypass the layer-2 rules. In our case all diverted packets match rule 30,
> > because neither of the two layer-2 rules (10 and 20) applies.
> > So please add the rule below to your ruleset. If this doesn't work, I will
> > try to reproduce this on one of my boxes.
>
> Sorry, I'm kinda braindead today ...
>
> > 00030 3 144 deny tcp from any to any dst-port 443
>
> The above rule will not work, because at ip_input the layer-2 headers are
> already stripped off and the packet will be treated as a layer-3 packet.
>
> Good news is: I tested another solution on one of my boxen. The result is
> that all filtering on MAC _and_ port must be done on layer-2. I also forgot
> to add the necessary rules to allow layer-2 packets in the last example
> (shame on me).
>
> So here are the rules I tested, but I did not test them with natd enabled and
> the divert rule.
>
> # Bypass all packets w/o layer-2 headers
> ipfw add 10 skipto 30 all from any to any not layer2
>
> # Branch to MAC filter, if we find layer-2 and dst-port 443
> ipfw add 11 skipto 20 all from any to any 443 layer2
>
> # For all other layer-2 packets jump to rule 30
> ipfw add 12 skipto 30 MAC any any
>
> # MAC filter for layer-2 packets we got from rule 11
> ipfw add 20 deny MAC any 00:e0:18:62:xx:xx
>
> # Allow rest of layer-2 packets
> ipfw add 30 pass MAC any any
>
> # Process packets as usual
> 00050 divert 8668 ip from any to any via fxp0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> ============================================================
>
> PS: I would also think about users that try to circumvent the rules by using
> proxies and/or users that are smart enough to spoof their MAC addresses.
>
> - --
> Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (FreeBSD)
>
> iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq
> 87O4RZ1U19Hh4vznXIgYksg=
> =Z5yx
> -----END PGP SIGNATURE-----
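The following is an added example, not code from either poster or from the FreeBSD project: a small Python model of how ipfw walks the layer-2 ruleset quoted above (rules 10 to 30 with their skipto branches), so the branching can be traced offline. It shows the two points made in the thread: a frame to dst-port 443 from the listed MAC is denied at rule 20 while other frames pass at rule 30, and a packet without a layer-2 header (as seen at ip_input or after divert) jumps straight past the MAC rules, which is why a MAC-based deny placed in the layer-3 section can never fire. The `Packet` and `Rule` classes, the prefix match standing in for the masked address `00:e0:18:62:xx:xx`, and the single catch-all rule standing in for the layer-3 section (rules 50 to 65535) are assumptions of this example, as is the simplification that the ruleset is walked once per packet.

```python
"""Toy model of ipfw rule evaluation for the layer-2 ruleset quoted in the
thread. Added example; Packet/Rule modelling, the MAC-prefix stand-in and
the simplified layer-3 tail are assumptions, not ipfw's own code."""
from bisect import bisect_left
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stand-in for the anonymised "00:e0:18:62:xx:xx" in the quoted rule 20.
BLOCKED_MAC_PREFIX = "00:e0:18:62"


@dataclass
class Packet:
    dst_port: int
    layer2: bool                    # True while the Ethernet header is still attached
    src_mac: Optional[str] = None   # None once ip_input has stripped the header


@dataclass
class Rule:
    number: int
    action: str                     # "skipto", "deny" or "pass"
    target: Optional[int] = None    # skipto destination
    layer2: Optional[bool] = None   # True = "layer2", False = "not layer2", None = don't care
    dst_port: Optional[int] = None  # "... to any <port>"
    mac: bool = False               # rule carries a "MAC ..." clause
    src_mac_prefix: Optional[str] = None  # "MAC any <src>": source-MAC filter

    def matches(self, pkt: Packet) -> bool:
        if self.layer2 is not None and pkt.layer2 != self.layer2:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.mac:
            # A MAC clause can only match while the frame still has its header;
            # this is the reason a MAC deny in the layer-3 section never fires.
            if not pkt.layer2 or pkt.src_mac is None:
                return False
            if self.src_mac_prefix and not pkt.src_mac.lower().startswith(self.src_mac_prefix):
                return False
        return True


# The quoted ruleset, rule by rule. Rule 65000 stands in for the whole
# layer-3 section (50..65535) of the original, which is not modelled here.
RULESET: List[Rule] = [
    Rule(10, "skipto", target=30, layer2=False),               # bypass non-layer-2 packets
    Rule(11, "skipto", target=20, layer2=True, dst_port=443),  # layer-2 and dst-port 443
    Rule(12, "skipto", target=30, mac=True),                   # all other layer-2 frames
    Rule(20, "deny", mac=True, src_mac_prefix=BLOCKED_MAC_PREFIX),
    Rule(30, "pass", mac=True),                                # rest of layer-2 frames
    Rule(65000, "pass"),                                       # layer-3 section (simplified)
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk `rules` the way ipfw does: first matching rule wins, and skipto
    continues at the first rule numbered >= target (forward jumps only).
    Returns (action, rule number), or ("none", None) if nothing matched."""
    numbers = [r.number for r in rules]        # assumed sorted ascending
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule.matches(pkt):
            i += 1
            continue
        if rule.action == "skipto":
            nxt = bisect_left(numbers, rule.target)
            if nxt <= i:
                raise ValueError("skipto must jump forward")
            i = nxt
            continue
        return rule.action, rule.number
    return "none", None


def trace_cases() -> dict:
    """Constructed sample packets covering the cases discussed in the thread."""
    blocked = "00:e0:18:62:aa:bb"        # constructed address under the masked prefix
    other = "00:11:22:33:44:55"          # constructed, unrelated address
    return {
        "l2_443_blocked": evaluate(RULESET, Packet(443, True, blocked)),
        "l2_443_other": evaluate(RULESET, Packet(443, True, other)),
        "l2_80_blocked": evaluate(RULESET, Packet(80, True, blocked)),
        "ip_input_443": evaluate(RULESET, Packet(443, False)),
        # src MAC "known" but header already stripped: MAC rules cannot see it
        "ip_input_443_blocked": evaluate(RULESET, Packet(443, False, blocked)),
    }


if __name__ == "__main__":
    for name, (action, number) in trace_cases().items():
        print(f"{name:22s} -> {action} at rule {number}")
```

Two things the model deliberately leaves out: the real kernel walks the same ruleset once at the Ethernet layer (with the layer-2 header present) and again at the IP layer (without it), and layer-2 frames are only handed to ipfw at all when the `net.link.ether.ipfw` sysctl is enabled; when checking a ruleset like the one above, verifying that setting is the first step before looking at rule order. Christian's closing remark about proxies and spoofed MAC addresses also applies to the model: a MAC match identifies a frame, not a person.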