From: Ian Smith <smithi@nimnet.asn.au>
To: Carmel
cc: freebsd-questions@freebsd.org
Date: Sat, 2 Apr 2016 04:39:46 +1100 (EST)
Subject: Re: IPFW Firewall Rule
Message-ID: <20160402033719.N39547@sola.nimnet.asn.au>

In freebsd-questions Digest, Vol 617, Issue 6, Message: 7
On Fri, 1 Apr 2016 06:26:34 -0400 Carmel wrote:

> I have two laptops that I use when I travel. I need them to have access
> to my LDAP server. I tried configuring this in my IPFW firewall rules,
> but they fail:
>
> #!/bin/sh
> cmd="ipfw -q add"
> pif="em0"
>
> ## Lots of rules - truncated
>
> $cmd allow log tcp from any MAC "0C:54:A5:04:BA:DD" to me 389 in via $pif setup keep-state
> $cmd allow log tcp from any MAC "00:1A:A0:89:CA:EA" to me 389 in via $pif setup keep-state
>
> This is the error message repeated twice:
>
> ipfw: missing ``to''
>
> If I substitute an IP address and remove the "any MAC "address" it works
> fine. I got this example from a web search. Can anyone tell me what I
> am doing wrong?

There are a few issues with this.

1) MAC addresses can only be examined on ethernet packets, at layer2, which requires that sysctl net.link.ether.ipfw be set to 1, adding another two passes to ipfw's examination of packets. See section PACKET FLOW in ipfw(8) for an explanation of how this works and an example set of rules to separate layer2 (ethernet) flows from layer3 (IP) flows. Search ipfw(8) for 'layer-*2' - assuming viewing in less(1) - to catch both 'layer2' and 'layer-2' references, which is mildly tacky.

2) the order of 'to' and 'from' addresses is reversed at layer2, so the syntax should be more like 'MAC any "0C:54:A5:04:BA:DD"' if I read your intent right. See section RULE OPTIONS '{ MAC | mac } dst-mac src-mac'

3) I don't think you can match statefully at layer2, but may be wrong.

4) most relevant to your stated purpose, MAC addresses are only used on local networks (wired or wireless) and are not transmitted over the IP internet, so you can't use this method remotely - except perhaps via a VPN tunnel, appearing as a local network, but I'm not sure about that.

5) MAC addresses, even locally, are easy to spoof and while useful are not a security measure per se.

I think you need to find another method to identify and authenticate remote callers to LDAP. I know very close to nothing about that, except that there are LDAP-savvy people here ..

cheers, Ian
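The corrected layer-2 form of the two rules, as an added sh example that is not from Carmel's script or Ian's reply: it validates each MAC, emits the rule with the dst-mac src-mac operand order and the layer2 option from ipfw(8), and sets net.link.ether.ipfw=1 first. em0, port 389 and the two MACs are the values quoted in the question; keep-state is left off on the assumption in point 3 above, and commands are only printed unless DRY_RUN=0 is set, so the script can be checked on a host without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds layer-2, MAC-matched ipfw
# rules in the operand order ipfw(8) expects (MAC dst-mac src-mac), so a
# frame *from* a laptop is "MAC any <laptop-mac>". Commands are printed
# unless DRY_RUN=0, so the logic can be checked on a host without ipfw.
# em0, port 389 and the two MACs are the values quoted in the question.
pif="em0"
port="389"

# Print a command in dry-run mode (the default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Lowercase a MAC address and check it is six colon-separated hex octets;
# returns 1 for anything else, so a typo never turns into an allow rule.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m" ;;
        *)  return 1 ;;
    esac
}

# One stateless allow rule for LDAP from a given laptop MAC. keep-state is
# omitted on the assumption (point 3 in the reply) that dynamic rules track
# IP flows and do not combine with layer-2 matching.
mac_allow_rule() {
    mac=$(norm_mac "$1") || return 1
    printf 'allow log tcp from any to me %s MAC any %s in via %s layer2\n' \
        "$port" "$mac" "$pif"
}

# Enable ipfw's layer-2 passes (point 1 in the reply), then one rule per MAC.
install_rules() {
    run sysctl net.link.ether.ipfw=1 || return 1
    for m in "$@"; do
        rule=$(mac_allow_rule "$m") || { echo "rejected MAC: $m" >&2; return 1; }
        # $rule is intentionally unquoted: ipfw takes the rule as separate words
        run ipfw -q add $rule || return 1
    done
}

# Dry run by default; set DRY_RUN=0 to apply the rules for real.
install_rules "0C:54:A5:04:BA:DD" "00:1A:A0:89:CA:EA"
```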