ipfw + MAC nothing happens?

[Christian Hiris]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> On Saturday 08 January 2005 17:46, heath, Chia Hui Chen wrote:
> > It's strange.
> > I use two computer to test.
> > One called A (00:e0:18:62:xx:xx)
> > another called B.
> >
> > And the rulesets is same as you said.
> > I try reboot and use A to connect port 443 of one site.
> > IPFW output are below:
> > ============================================================
>
> The diverted packets are not layer-2 packets, so they must be able to
> bypass the layer-2 rules. In our case all diverted packets match rule 30,
> because none of the two layer-2 rules (10 and 20) applies.
> So please add the rule below to your ruleset. If this doesn't work, I will
> try to reproduce this on one of my boxes.

Sorry, I'm kinda braindead today ...

00030    3     144 deny tcp from any to any dst-port 443

The above rule will not work, because at ip_input, the layer-2 headers already 
striped off and the packet will be treated as layer-3 packet.   

Good news are: I tested another solution on one of my boxen. The result is 
that all filtering on MAC _and_ port must be done on layer-2. I also forgot 
to add the necessary rules to allow layer-2 packets in the last example 
(shame on me). 

So here are the rules I tested, but I did not test them with natd enabled and 
the divert rule. 


  # Bypass all packets w/o layer-2 headers 
  ipfw add 10 skipto 30 all from any to any not layer2

  # Branch to MAC filter, if we find layer-2 and dst-port 443 
  ipfw add 11 skipto 20 all from any to any 443 layer2

  # For all other layer-2 packets jump to rule 30  
  ipfw add 12 skipto 30 MAC any any

  # MAC filter for layer-2 packets we got from rule 11 
  ipfw add 20 deny MAC any 00:e0:18:62:xx:xx

  # Allow rest of layer-2 packets  
  ipfw add 30 pass MAC any any

  # Process packets as usual 

  00050 divert 8668 ip from any to any via fxp0
  00100 allow ip from any to any via lo0
  00200 deny ip from any to 127.0.0.0/8
  00300 deny ip from 127.0.0.0/8 to any
  65000 allow ip from any to any
  65535 deny ip from any to any
  ============================================================

PS: I would also think about users that try to circumvent the rules by using 
proxies and/or users that are smart enough to spoof their MAC addresses. 

- -- 
Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x3BCA53BE 
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq
87O4RZ1U19Hh4vznXIgYksg=
=Z5yx
-----END PGP SIGNATURE-----