ipfw with nat - allowing by MAC address

AT Matik asstec at matik.com.br
Fri Apr 27 01:06:55 UTC 2007 

On Thursday 26 April 2007 19:54, Lubomir Georgiev wrote:
>   Yeah! People, we can congratulate ourselves! We've done it! With a few
> modifications I've finally found the smallest working MAC filtered NAT
> system. So here's what I ended up with - I'm including the queues just for
> the entirety of the ruleset, they have nothing to do with the filtering.
>

not so loud, the honors are coming only at the end and often only after the 
end :) when we are dead already :) unfortunatly of course but life is hard :
( :)   

fun aside, even if you might be able to *block* access using a layer2 rule any 
further layer2 rules as skipping in order to jump to another rule on a 
*router* is not catching anything else as arp, means it is certainly useless 

a natd router is what the name says a router and so the legitmate traffic in 
this scenario is *IP* hitting the GW IP and *NOT* layer2, being then "routed" 
to the servers default gateway - so - as long as the mac of the src-ip is in 
the arptable it's traffic goes through whatever nasty fun you do 
with "layer2" level rules

if then exists a natd this traffic might be diverted before leaving the box

finally,  here is *NO* layer2 traffic (BRIDGED traffic) 

hence, what you can do is make traffic flow decision based on src/dst IPs or 
ports, nothing else

then,  even if you (can) block layer2 mac traffic (arp) on a router it does 
not touch any legitimate ip traffic, so obviously your arptable will *age 
out*  and suddenly no arp goes through (or to) this box anymore and/or 
depending on your rules anything is diverted and you lose access to the 
router ... so as hint, any who likes to play with arp of any kind should not 
only do ipfw flush but also run arp -ad in order to get clean and reliable 
results for nasty rules "in real time" :) 

blocking a mac by blocking arp is one thing
controlling traffic flow based on MAC is another

in order to control layer2 TRAFFIC flow you need a bridge

what follows is a thought because i never needed something like this but the 
only possible setup for *YOUR* wish I can imagin is first making it a bridge 
with no IP on the inner NIC, then associating the GW IP of the internal 
subnet to the bridge or the external nic

if you have then two IPs on the external NIC you divert on IP and not the NIC

*NOW* finally you get bridged traffic (LAYER2) to the gw ip which you CAN 
control as "skipto proto ip layer2 mac" not from authorized macs to a rule 
higher than the divert rule in order not hitting the divert rule. Ok?

Resuming, as long you have a router you can not control layer2 traffic, you 
only might be able to block certain arp traffic to a certain extense

Sooo, at the end this are only my thoughts and opinions, like I said before 
router and layer2 with ipfw sounds strange to me so I do not use it today and 
what I said here might work for one and not for another so please don't hit 
me if you get unexpected results :) 


some comments, no ofense pleease:

> 00100 allow ip from any to me not dst-port 8668 via xl0
> 00101 allow ip from me not 8668 to any via xl0

useless

> 00300 allow ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any
> 00:19:d2:36:b8:48 } layer2

not sure if you want "or" or even {}

> 00800 deny log logamount 200 ip from any to any MAC any any layer2 via xl0

this is your time-bomb which kills access to the router internally, means your 
ruleset might work until the active macs (arptable) are timing out (!on a 
router)

> 01203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
> 01205 divert 8668 ip from any to me in via fxp0

ook


> 01250 queue 1 ip from any to any src-port 80 not layer2 via fxp0
> 01251 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
> 01300 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
> 01500 allow ip from any to any
> 65535 deny ip from any to any
>

whatever ... but

if your interest or concern is only with tcp:80 you might consider squid which 
has some kind of mac acl and you reduce your ipfw-brain-damage on this 
issue :)

João









A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura.
Service fornecido pelo Datacenter Matik  https://datacenter.matik.com.br

More information about the freebsd-ipfw mailing list