ipfw + MAC nothing happens?

heath, Chia Hui Chen heath0504 at gmail.com
Sat Jan 8 20:11:01 PST 2005


It works, thank you very much.
:)

----- Original Message ----- 
From: "Christian Hiris" <4711 at chello.at>
To: <freebsd-ipfw at freebsd.org>
Cc: "heath, Chia Hui Chen" <heath0504 at gmail.com>
Sent: Sunday, January 09, 2005 8:24 AM
Subject: Re: ipfw + MAC nothing happens?


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> > The diverted packets are not layer-2 packets, so they must be able to
> > bypass the layer-2 rules. In our case all diverted packets match rule 30,
> > because neither of the two layer-2 rules (10 and 20) applies.
> > So please add the rule below to your ruleset. If this doesn't work, I
> > will try to reproduce this on one of my boxes.
>
> Sorry, I'm kinda braindead today ...
>
> 00030    3     144 deny tcp from any to any dst-port 443
>
> The above rule will not work, because at ip_input the layer-2 headers are
> already stripped off and the packet is treated as a layer-3 packet.
>
> The good news is: I tested another solution on one of my boxen. The result
> is that all filtering on MAC _and_ port must be done on layer-2. I also
> forgot to add the necessary rules to allow layer-2 packets in the last
> example (shame on me).
>
> So here are the rules I tested, but I did not test them with natd enabled
> and the divert rule.
>
>
>   # Bypass all packets w/o layer-2 headers
>   ipfw add 10 skipto 30 all from any to any not layer2
>
>   # Branch to MAC filter, if we find layer-2 and dst-port 443
>   ipfw add 11 skipto 20 all from any to any 443 layer2
>
>   # For all other layer-2 packets jump to rule 30
>   ipfw add 12 skipto 30 MAC any any
>
>   # MAC filter for layer-2 packets we got from rule 11
>   ipfw add 20 deny MAC any 00:e0:18:62:xx:xx
>
>   # Allow rest of layer-2 packets
>   ipfw add 30 pass MAC any any
>
>   # Process packets as usual
>
>   00050 divert 8668 ip from any to any via fxp0
>   00100 allow ip from any to any via lo0
>   00200 deny ip from any to 127.0.0.0/8
>   00300 deny ip from 127.0.0.0/8 to any
>   65000 allow ip from any to any
>   65535 deny ip from any to any
>   ============================================================
>
> PS: I would also think about users that try to circumvent the rules by
> using proxies and/or users that are smart enough to spoof their MAC
> addresses.
>
> - -- 
> Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (FreeBSD)
>
> iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq
> 87O4RZ1U19Hh4vznXIgYksg=
> =Z5yx
> -----END PGP SIGNATURE-----



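The ruleset above only works once the kernel actually hands Ethernet frames to ipfw, which it does not do by default: layer-2 rules are silently skipped unless the sysctl net.link.ether.ipfw is set to 1, which is the usual reason a MAC rule "does nothing". The script below is an added example, not code from the thread or from FreeBSD: it wraps Christian's rules in a generator that refuses the "xx:xx" placeholder, checks that sysctl before loading, and otherwise assumes the same setup as the thread (natd on fxp0 via divert port 8668, the target MAC and port given as arguments). Rule numbers and the fxp0/8668 values are assumptions carried over from the post; existing rules with the same numbers must be deleted before loading, since the script deliberately does not flush the table.

```shell
#!/bin/sh
# Added example (not from the thread): generate and optionally load the
# layer-2 MAC + port block ruleset discussed above.

# valid_mac MAC -> 0 if MAC is six colon-separated hex octets, else 1.
# Guards against loading the post's "00:e0:18:62:xx:xx" placeholder as-is,
# which ipfw would reject at load time with a less obvious error.
valid_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# layer2_ready -> 0 if the kernel passes Ethernet frames to ipfw.
# With net.link.ether.ipfw=0 (the default) rules 10-30 never see a frame and
# every packet enters the table as a layer-3 packet at ip_input.
layer2_ready() {
    [ "$(sysctl -n net.link.ether.ipfw 2>/dev/null)" = "1" ]
}

# block_rules MAC PORT IFACE -> prints the ipfw commands, one per line.
# Layout follows the post: branch on layer-2 + dst-port first, then deny the
# MAC, pass all other frames, and only then run the normal layer-3 rules.
block_rules() {
    mac=$1; port=$2; ifc=$3
    valid_mac "$mac" || { echo "block_rules: bad MAC address: $mac" >&2; return 1; }
    cat <<EOF
ipfw add 10 skipto 30 all from any to any not layer2
ipfw add 11 skipto 20 all from any to any $port layer2
ipfw add 12 skipto 30 MAC any any
ipfw add 20 deny MAC any $mac
ipfw add 30 pass MAC any any
ipfw add 50 divert 8668 ip from any to any via $ifc
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
ipfw add 65000 allow ip from any to any
EOF
}

# load_rules MAC PORT IFACE -> loads the rules, refusing to proceed when the
# layer-2 hook is off (the rules would load fine and simply never match).
load_rules() {
    layer2_ready || {
        echo "load_rules: net.link.ether.ipfw is not 1; set it first:" >&2
        echo "  sysctl net.link.ether.ipfw=1" >&2
        return 1
    }
    block_rules "$@" | sh
}

# Usage (dry run, prints the commands):  block_rules 00:e0:18:62:aa:bb 443 fxp0
# Usage (apply as root on the router):   load_rules  00:e0:18:62:aa:bb 443 fxp0
```

Run block_rules first and read the output; the MAC in rule 20 is the station you intend to block, and anything not matching falls through rule 30 to the unchanged natd/divert rules. As the post notes, this only stops the naive case: a user who changes their MAC or goes through a proxy is not caught by a layer-2 match.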