Date:      Mon, 11 Jun 2012 03:53:57 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Bill Yuan <bycn82@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: how to allow by MAC
Message-ID:  <20120611025332.N46641@sola.nimnet.asn.au>
In-Reply-To: <20120610120041.4D0F610657C3@hub.freebsd.org>
References:  <20120610120041.4D0F610657C3@hub.freebsd.org>

In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan <bycn82@gmail.com> wrote:

 > How to allow by MAC in ipfw?
 > 
 > Currently I set the rules like below:
 > 
 > 1  allow ip from any to any MAC any to <MAC Address 1>
 > 1  allow ip from any to any MAC <MAC Address 1> any
 > 2 deny all from any to any
 > 
 > I want to only allow the MAC address to go through the FreeBSD firewall,
 > 
 > but I found it is not working on my FreeBSD, while it works on pfSense!
 > 
 > So maybe that means the environment is not the same? And how do I set up
 > ipfw properly to support this?

Bill, you did get some good clues in the earlier thread, but it's not 
clear if you took note of them.  There's also been some confusion ..

Firstly, read up on layer2 (ethernet, MAC-level) filtering options in 
ipfw(8).  Thoroughly, several times, until you've got it.  Seriously.

After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf) 
ipfw will be invoked 4 times instead of the normal 2, on every packet.

Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the 
inbound pass invoked from ether_demux() and the outbound pass invoked 
from ether_output_frame() can you test for MAC addresses (or mac-types); 
the 'normal' layer3 passes examine packets that have no layer2 headers.

You could just add 'layer2' to any rules filtering on MAC addresses, and 
omit MAC addresses from all layer 3 (IP) rules, but I'd recommend using 
a method like that shown there to separate layer2 and layer3 flows early on:

           # packets from ether_demux
           ipfw add 10 skipto 1000 all from any to any layer2 in
           # packets from ip_input
           ipfw add 10 skipto 2000 all from any to any not layer2 in
           # packets from ip_output
           ipfw add 10 skipto 3000 all from any to any not layer2 out
           # packets from ether_output_frame
           ipfw add 10 skipto 4000 all from any to any layer2 out
 
So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering 
rules (remembering the reversed order of MAC addresses vs IP addresses, 
and to allow broadcasts as well), pass good guys and/or block bad guys, 
then deal with your normal IPv4|v6 traffic in a separate section(s).

Or you could just split the flows into two streams, one for layer2 for 
your MAC filtering, the other for layer3, ie the rest of your ruleset.

HTH, Ian  [please cc me on any reply]
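As an added example (not part of the thread above, and not taken from ipfw(8)), here is a small sh script that builds a complete ruleset along the lines Ian describes: the four-way skipto split at rule 10, MAC allow/deny rules only in the two layer2 sections, plain IP rules in the two layer3 sections, and outbound broadcast permitted so ARP still works. The script prints the ipfw commands instead of running them, so it can be reviewed first; the MAC addresses in ALLOWED_MACS are constructed placeholders, and the rule numbers 1000/2000/3000/4000 are simply the ones used in the ipfw(8) example.

```shell
#!/bin/sh
# Added example: generates (does not execute) an ipfw ruleset that allows
# only the listed stations at layer2. Review the output, then run it as
# root on the FreeBSD box, e.g.:  sh this_script.sh | sh
#
# ALLOWED_MACS is a constructed sample list; replace with your own station(s).
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"
BCAST="ff:ff:ff:ff:ff:ff"

# Emit one ipfw command per line.
# Rule 10   : the four-way split from the PACKET FLOW section of ipfw(8)
# 1000-1999 : frames from ether_demux()        (layer2, inbound)
# 2000-2999 : packets from ip_input()          (layer3, inbound)
# 3000-3999 : packets from ip_output()         (layer3, outbound)
# 4000-4999 : frames from ether_output_frame() (layer2, outbound)
build_rules() {
    macs="$1"
    echo "sysctl net.link.ether.ipfw=1"   # turn on the two layer2 passes
    echo "ipfw -q -f flush"
    echo "ipfw add 10 skipto 1000 all from any to any layer2 in"
    echo "ipfw add 10 skipto 2000 all from any to any not layer2 in"
    echo "ipfw add 10 skipto 3000 all from any to any not layer2 out"
    echo "ipfw add 10 skipto 4000 all from any to any layer2 out"

    # Inbound frames. ipfw writes MAC addresses as "dst src", the reverse of
    # the IP "from src to dst" order, so a frame *from* a permitted station
    # is matched by "MAC any <station>".
    n=1000
    for m in $macs; do
        echo "ipfw add $n allow all from any to any MAC any $m layer2 in"
        n=$((n + 1))
    done
    echo "ipfw add 1999 deny log all from any to any layer2 in"

    # Ordinary layer3 rules live here. No MAC options in these sections:
    # these passes see no ethernet header, so such rules could never match.
    echo "ipfw add 2000 allow ip from any to any in"
    echo "ipfw add 3000 allow ip from any to any out"

    # Outbound frames: permit traffic *to* a permitted station
    # ("MAC <station> any"), plus broadcast so we can ARP for it.
    n=4000
    for m in $macs; do
        echo "ipfw add $n allow all from any to any MAC $m any layer2 out"
        n=$((n + 1))
    done
    echo "ipfw add 4998 allow all from any to any MAC $BCAST any layer2 out"
    echo "ipfw add 4999 deny log all from any to any layer2 out"
}

build_rules "$ALLOWED_MACS"
```

Each layer2 section ends in its own deny so that a frame which matches nothing never falls through into the next section. Because a frame dropped in the 1000s never reaches ip_input(), the layer3 sections only ever see traffic from stations you have already admitted; conversely, if the sysctl is left at 0, rule 10's two layer2 skiptos never match and the whole MAC policy is silently bypassed, which is the symptom in the original question.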



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120611025332.N46641>