Date: Sat, 2 Apr 2016 04:39:46 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Carmel <carmel_ny@outlook.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW Firewall Rule
Message-ID: <20160402033719.N39547@sola.nimnet.asn.au>
In-Reply-To: <mailman.93.1459512002.52558.freebsd-questions@freebsd.org>
References: <mailman.93.1459512002.52558.freebsd-questions@freebsd.org>
In freebsd-questions Digest, Vol 617, Issue 6, Message: 7
On Fri, 1 Apr 2016 06:26:34 -0400 Carmel <carmel_ny@outlook.com> wrote:

> I have two laptops that I use when I travel. I need them to have access
> to my LDAP server. I tried configuring this in my IPFW firewall rules,
> but they fail:
>
> #!/bin/sh
> cmd="ipfw -q add"
> pif="em0"
>
> ## Lots of rules - truncated
>
> $cmd allow log tcp from any MAC "0C:54:A5:04:BA:DD" to me 389 in via $pif setup keep-state
> $cmd allow log tcp from any MAC "00:1A:A0:89:CA:EA" to me 389 in via $pif setup keep-state
>
> This is the error message repeated twice:
>
> ipfw: missing ``to''
>
> If I substitute an IP address and remove the "any MAC "address" it works
> fine. I got this example from a web search. Can anyone tell me what I
> am doing wrong?

There are a few issues with this.

1) MAC addresses can only be examined on ethernet packets, at layer2, which requires that sysctl net.link.ether.ipfw be set to 1, adding another two passes to ipfw's examination of packets. See section PACKET FLOW in ipfw(8) for an explanation of how this works and an example set of rules to separate layer2 (ethernet) flows from layer3 (IP) flows. Search ipfw(8) for 'layer-*2' - assuming viewing in less(1) - to catch both 'layer2' and 'layer-2' references, which is mildly tacky.

2) The order of 'to' and 'from' addresses is reversed at layer2, so the syntax should be more like 'MAC any "0C:54:A5:04:BA:DD"' if I read your intent right. See section RULE OPTIONS '{ MAC | mac } dst-mac src-mac'.

3) I don't think you can match statefully at layer2, but may be wrong.

4) Most relevant to your stated purpose, MAC addresses are only used on local networks (wired or wireless) and are not transmitted over the IP internet, so you can't use this method remotely - except perhaps via a VPN tunnel, appearing as a local network, but I'm not sure about that.

5) MAC addresses, even locally, are easy to spoof and while useful are not a security measure per se.

I think you need to find another method to identify and authenticate remote callers to LDAP. I know very close to nothing about that, except that there are LDAP-savvy people here ..

cheers, Ian
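As an added illustration of points 1 to 3 above (not code from either poster), the script below emits the rules implied by the reply: the net.link.ether.ipfw sysctl, the four-way layer2/layer3 dispatch modelled on the PACKET FLOW example in ipfw(8), the MAC option in its dst-mac src-mac order, and keep-state confined to the layer-3 pass. It assumes interface em0, LDAP on tcp/389, the two MACs from the question, and rule numbers chosen here; by default it only prints the commands, and it is a sketch of the LDAP part rather than a complete ruleset.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints the ipfw commands; set
# IPFW_APPLY=1 to execute them (root on FreeBSD). Interface, port, MACs and
# rule numbers are assumptions taken from the question or chosen here.
pif="em0"
ldap_port="389"
laptops="0C:54:A5:04:BA:DD 00:1A:A0:89:CA:EA"

# Print an ipfw command, or run it when IPFW_APPLY=1.
cmd() {
    if [ "${IPFW_APPLY:-0}" = "1" ]; then ipfw -q add "$@"
    else printf 'ipfw -q add %s\n' "$*"; fi
}

# Layer-2 rule admitting one laptop to LDAP. The option is "MAC dst-mac
# src-mac", so the laptop's MAC is the SECOND argument and "any" is the
# destination MAC. No keep-state: dynamic rules stay in the layer-3 pass.
mac_ldap_rule() {
    printf 'allow log tcp from any to me %s MAC any %s layer2 in via %s' \
        "$ldap_port" "$1" "$pif"
}

build_ruleset() {
    # Layer-2 inspection is off by default; without it the MAC rules never run.
    [ "${IPFW_APPLY:-0}" = "1" ] && sysctl net.link.ether.ipfw=1 \
        || echo 'sysctl net.link.ether.ipfw=1'
    # Dispatch by entry point, as in the PACKET FLOW section of ipfw(8).
    cmd 10 skipto 1000 all from any to any layer2 in
    cmd 10 skipto 2000 all from any to any not layer2 in
    cmd 10 skipto 3000 all from any to any not layer2 out
    cmd 10 skipto 4000 all from any to any layer2 out
    # 1000s: inbound ethernet frames. Only the two laptops may start LDAP.
    for mac in $laptops; do cmd 1000 $(mac_ldap_rule "$mac"); done
    cmd 1010 deny log tcp from any to me "$ldap_port" layer2 in via "$pif"
    cmd 1020 allow all from any to any layer2 in   # rest goes to the IP pass
    # 2000s: inbound IP. State is created here, as in the original rules.
    cmd 2000 check-state
    cmd 2010 allow tcp from any to me "$ldap_port" in via "$pif" setup keep-state
    cmd 2020 deny log all from any to any in via "$pif"
    # 3000s/4000s: outbound IP and ethernet, simply allowed in this sketch.
    cmd 3000 allow all from any to any out
    cmd 4000 allow all from any to any layer2 out
}

build_ruleset
```

Point 4 of the reply still applies: these rules only identify laptops on the local segment, so for roaming clients they complement, rather than replace, authentication at the LDAP layer.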