Date:      Fri, 10 Jul 2020 22:26:38 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        l.m.v.breda@xs4all.nl
Cc:        pf@FreeBsd.org
Subject:   Re: The best of both worlds “using mac filtering in pf”
Message-ID:  <13D8D0CF-3C18-4FE6-B501-62B042099004@FreeBSD.org>
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAACYbCWzhrJhCgyrjLq4Ik8vCgAAAEAAAAL4ruAj5hLlBvrT0M4EEcEEBAAAAAA==@xs4all.nl>
References:  <!&!AAAAAAAAAAAYAAAAAAAAACYbCWzhrJhCgyrjLq4Ik8vCgAAAEAAAAL4ruAj5hLlBvrT0M4EEcEEBAAAAAA==@xs4all.nl>

On 10 Jul 2020, at 19:57, l.m.v.breda@xs4all.nl wrote:
> Hello,
>
> I am using pfSense, built on top of pf. And of course pfSense/pf is a
> terrific firewall, however the world is changing in the direction of
> IPV6 and that leads to new issues and related new requirements.
>
> One of the major issues is that IPV6 does not provide a stable source
> address you can use to filter in your firewall.
>
> Many firewalls “out there” are *using the level-2 mac as a way
> around this issue*. However ….. pfSense cannot provide that
> functionality, since it is built on top of …… pf.
>
> Well, and then there is a “striking” issue ….. suppose that
> pfSense would have been built on top of OpenBSD, still using pf
> ………. That had been possible …….
>
> So as a user I would be very pleased if there could be a joined
> “pf-release” having *best of both worlds* !!!!
>
> Assume we were running OpenBSD …… things like
>
> step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag
> <sometag>
> step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy
> based rule)
>
> would have been an option, …. not saying it is the best option …..
> A better option would be if pf could set the tag itself.
>
> Whatever, please consider adding this functionality to pf, preferably in
> the short term, since IPV6 is fast becoming very important!
>
> Sincerely,
>
> Louis
>
> PS … should I raise a feature request for this?
>
You can, but adding L2 filtering functionality to pf isn’t even on my 
long-term todo list. It is essentially out of the question that it’d 
be added in the short term (or even in the next year or two, unless 
someone decides it’s worth contracting me for several months to do 
it).

I don’t personally see the use case for it either, but perhaps I’m 
missing something. Can you explain what exactly you’d like to 
accomplish with L2 filtering?

(It’s already possible to use pf on top of a bridge in 
bump-in-the-wire mode. Given the gotchas in that code I **strongly** 
recommend people don’t use that functionality.)

Best regards,
Kristof
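The two OpenBSD steps Louis sketches above, written out as complete configuration with a default deny at both layers. This is an added example, not from the thread or from the pf project; it assumes OpenBSD's hostname.if(5) and ifconfig(8) bridge rule grammar, uses fxp0 from the post plus a constructed uplink fxp1, and the MAC addresses and the tag name are constructed.

```conf
# /etc/hostname.bridge0  (OpenBSD; ifconfig(8) arguments, one per line)
# Bridge members: fxp0 faces the LAN (from the post), fxp1 is a constructed uplink.
add fxp0
add fxp1
# Per-host allow list keyed on the layer-2 source address (constructed MACs).
# A frame matching a rule is tagged; pf(4) can then match it with "tagged".
rule pass in on fxp0 src 00:de:ad:be:ef:01 tag trusted_mac
rule pass in on fxp0 src 00:de:ad:be:ef:02 tag trusted_mac
# Catch-all: any other frame entering on fxp0 is dropped at layer 2,
# before pf sees it (assumes first-match bridge rule processing).
rule block in on fxp0
up

# /etc/pf.conf  (relevant part only)
# Default deny inbound on the LAN side; only frames the bridge tagged pass,
# whatever IPv6 source address the host happens to be using right now.
block in on fxp0
pass in on fxp0 inet6 tagged trusted_mac
pass out on fxp0
```

The tag is attached by the bridge before pf evaluates the packet on the member interface, so the pf rule never needs to know the host's current address. Any host on the segment can present an arbitrary MAC, so this is per-device policy rather than authentication.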

From owner-freebsd-pf@freebsd.org  Fri Jul 10 20:30:46 2020
References: <!&!AAAAAAAAAAAYAAAAAAAAACYbCWzhrJhCgyrjLq4Ik8vCgAAAEAAAAL4ruAj5hLlBvrT0M4EEcEEBAAAAAA==@xs4all.nl>
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAACYbCWzhrJhCgyrjLq4Ik8vCgAAAEAAAAL4ruAj5hLlBvrT0M4EEcEEBAAAAAA==@xs4all.nl>
From: Ultima <ultima1252@gmail.com>
Date: Fri, 10 Jul 2020 13:30:31 -0700
Message-ID: <CANJ8om4aOTgwBc+Y9w5P5ed37LT-HB-tRXc70LeoUoq0Egcevw@mail.gmail.com>
Subject: Re: The best of both worlds “using mac filtering in pf”
To: l.m.v.breda@xs4all.nl
Cc: pf@freebsd.org

Please go into detail about this issue and why you would need to filter at
layer 2.

I see very little benefit to having the ability to filter on layer 2 except
in some very special cases and IPv6 isn't one of them that I'm aware of.

Best regards,
Richard Gallamore
