Date:      Tue, 21 Feb 2006 11:24:53 -0300
From:      Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
To:        Cesar <listas@itm.net.br>
Cc:        ipfw@freebsd.org
Subject:   Re: ipfw2 with mac filtering
Message-ID:  <43FB22B5.4030407@freebsdbrasil.com.br>
In-Reply-To: <000a01c636f0$d3303280$0e4fdfc8@ironman>
References:  <000a01c636f0$d3303280$0e4fdfc8@ironman>

Cesar wrote:
> Hi,
> 
>   I wanted to finish my firewall rules doing a "deny all from any to 
> any", but I can't do that with mac filtering at the same time. Let me explain.
> 
>   Since I use ipfw mac filter, I have the sysctl variable 
> "net.link.ether.ipfw: 1";
> 
>   My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2.
> 
>   An example of my rules:
> 
>   00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
>   00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
>   65535 0 0 allow ip from any to any
> 
>  This works fine; rules 1 and 2 get some matches when I ping from the 
> Windows box to FreeBSD.
>  After this test, I added the rule "65534 0 0 deny ip from any to any".
>  It still works, but after some time, if I have no traffic from 10.0.0.2, 
> FreeBSD appears to remove the ARP entry for that IP; if I do "arp -a", 
> I get:
> 
>  ? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]
> 
>  So, I can't ping my FreeBSD box anymore because it doesn't accept my ARP 
> packets. I tried to log the deny rule and I get some lines telling "Deny 
> mac in".
>  I tried to add another rule before the deny all, "ipfw add 100 allow mac 
> any any", but this rule becomes "allow ip from any to any MAC any any", 
> so I can't end my firewall rules with a "deny all from any to any".
> 
>  Is this a problem? Is there any workaround for this?
>  I didn't try to use a fixed ARP table, but I won't do that if it is not 
> necessary.
> 
> Thanks
> 
> Cesar

I had a similar problem before when I forgot to permit arp traffic on 
layer2, so I guess "mac-type arp" is not allowed to pass through your 
firewall. You may consider "allow mac-type arp layer2" somewhere in your 
firewall, or denying everything on L3 only, say "deny log all from any 
to any not layer2".

-- 
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
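As an added example (not part of the thread, and not a ruleset either poster ran), here is a small sh script that loads a ruleset in the shape Patrick suggests: an explicit layer-2 allow for ARP placed before the catch-all, and the catch-all deny restricted with "not layer2" so it only fires on the layer-3 pass. The IP and MAC values are the ones from Cesar's message; the rule numbers and the IPFW variable (which lets you preview with IPFW=echo instead of touching the live firewall) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: an ipfw2 ruleset that ends
# with a catch-all deny but still lets ARP through when net.link.ether.ipfw=1.
# IPFW defaults to the real binary; set IPFW=echo to print the rules instead.
IPFW="${IPFW:-/sbin/ipfw}"
WIN_IP=10.0.0.2                 # values from the question
WIN_MAC=00:13:20:27:80:d6

# Usage: . ./ipfw-arp.sh && load_rules      (IPFW=echo for a dry run)
load_rules() {
    $IPFW -f flush
    # Layer-2 pass: ARP must be permitted before any catch-all deny, otherwise
    # the box stops answering ARP as soon as the peer's cache entry ages out.
    $IPFW add 100 allow mac-type arp layer2
    # The MAC-bound rules for the Windows host, as in the original ruleset.
    $IPFW add 200 allow ip from "$WIN_IP" to any MAC any "$WIN_MAC"
    $IPFW add 201 allow ip from any to "$WIN_IP" MAC "$WIN_MAC" any
    # Catch-all deny limited to the layer-3 pass ("not layer2"), so a frame is
    # not dropped on its separate trip through the ruleset at layer 2.
    $IPFW add 65000 deny log all from any to any not layer2
}
```

With net.link.ether.ipfw=1 each frame is run through the ruleset once at layer 2 and again at layer 3, and a rule without the "layer2" option matches on both passes; that is why a bare "deny ip from any to any" logs "Deny mac in" for ARP. Layer-2 frames that match nothing above rule 65000 fall through to the default rule 65535, so check what that default is on your build before relying on it.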