ipfw + MAC nothing happens?
Christian Hiris
4711 at chello.at
Sat Jan 8 16:24:58 PST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> On Saturday 08 January 2005 17:46, heath, Chia Hui Chen wrote:
> > It's strange.
> > I use two computer to test.
> > One called A (00:e0:18:62:xx:xx)
> > another called B.
> >
> > And the rulesets is same as you said.
> > I try reboot and use A to connect port 443 of one site.
> > IPFW output are below:
> > ============================================================
>
> The diverted packets are not layer-2 packets, so they must be able to
> bypass the layer-2 rules. In our case all diverted packets match rule 30,
> because none of the two layer-2 rules (10 and 20) applies.
> So please add the rule below to your ruleset. If this doesn't work, I will
> try to reproduce this on one of my boxes.
Sorry, I'm kinda braindead today ...
00030 3 144 deny tcp from any to any dst-port 443
The above rule will not work, because at ip_input, the layer-2 headers already
striped off and the packet will be treated as layer-3 packet.
Good news are: I tested another solution on one of my boxen. The result is
that all filtering on MAC _and_ port must be done on layer-2. I also forgot
to add the necessary rules to allow layer-2 packets in the last example
(shame on me).
So here are the rules I tested, but I did not test them with natd enabled and
the divert rule.
# Bypass all packets w/o layer-2 headers
ipfw add 10 skipto 30 all from any to any not layer2
# Branch to MAC filter, if we find layer-2 and dst-port 443
ipfw add 11 skipto 20 all from any to any 443 layer2
# For all other layer-2 packets jump to rule 30
ipfw add 12 skipto 30 MAC any any
# MAC filter for layer-2 packets we got from rule 11
ipfw add 20 deny MAC any 00:e0:18:62:xx:xx
# Allow rest of layer-2 packets
ipfw add 30 pass MAC any any
# Process packets as usual
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
============================================================
PS: I would also think about users that try to circumvent the rules by using
proxies and/or users that are smart enough to spoof their MAC addresses.
- --
Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq
87O4RZ1U19Hh4vznXIgYksg=
=Z5yx
-----END PGP SIGNATURE-----
More information about the freebsd-ipfw
mailing list