[IPFW add ARP support] - Request for testing

raffaele.delorenzo at libero.it raffaele.delorenzo at libero.it
Thu Sep 25 14:01:37 UTC 2008


Hi all,
In the last 2 weeks I implemented a new filter method inside the ipfw firewall for the ARP protocol.
My idea for the new method was to create a new "proto" microinstruction exclusively for the ARP protocol, named "arp". This method permits filtering from/to particular MAC addresses, restricted to the ARP protocol.

Example:

      ipfw add deny arp from 52:54:00:12:34:56 to 00:11:43:cd:87:6e // Deny all ARP packets generated by "from" and destined to "to".

The wildcards "any" and "me" are supported; the semantics are the same as for all old protocol rules:

      ipfw add deny arp from 00:11:43:cd:87:6e to any


Moreover, I implemented some filter methods that restrict the filtering to some ARP header fields:

    1) Source MAC address (srcmac-arp)
    2) Source IP address (srcip-arp)
    3) Destination MAC address (dstmac-arp)
    4) Destination IP address (dstip-arp)

Example:

      ./ipfw add deny arp from 00:11:43:cd:87:6e to 52:54:00:12:34:56 srcmac-arp 52:54:00:12:34:56 dstip-arp 192.9.217.29

To work properly, the ARP implementation requires that ipfw receives packets from Layer 2; in other words, you must set the sysctl variable "net.link.ether.ipfw=1".

I attached the new sources and all diffs with reference to the FreeBSD 7.0 Release source tree. Please let me know what you think about this work and, if possible, test it.

Ciao Ciao
Raffaele
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipfw_arp_ext.tar.bz2
Type: application/octet-stream
Size: 118186 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20080925/f537a2f9/iso-8859-1Qipfw5Farp5Fext.tar-0001.obj
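To make the matching semantics described in the message concrete, here is an added userland model of the proposed rule syntax (example code written for this page, not the patch's own kernel code, and not part of the original post). It assumes my reading of the message: "from"/"to" match the Ethernet header source/destination MAC, the four "*-arp" options match the corresponding ARP header fields, "any" matches everything and "me" matches a constructed set of local MACs; first matching rule wins, as in ipfw. The frames and the local MAC set are constructed for the demo.

```python
"""Userland model of the proposed ipfw 'arp' rule matching (added example)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ETHERTYPE_ARP = 0x0806
OPTION_FIELDS = {"srcmac-arp": "srcmac_arp", "srcip-arp": "srcip_arp",
                 "dstmac-arp": "dstmac_arp", "dstip-arp": "dstip_arp"}


@dataclass
class ArpFrame:
    eth_dst: str   # Ethernet header destination MAC ("to")
    eth_src: str   # Ethernet header source MAC ("from")
    oper: int      # 1 = request, 2 = reply
    sha: str       # ARP sender hardware address (srcmac-arp)
    spa: str       # ARP sender protocol address (srcip-arp)
    tha: str       # ARP target hardware address (dstmac-arp)
    tpa: str       # ARP target protocol address (dstip-arp)


@dataclass
class ArpRule:
    action: str
    src: str                        # mac | any | me
    dst: str                        # mac | any | me
    srcmac_arp: Optional[str] = None
    srcip_arp: Optional[str] = None
    dstmac_arp: Optional[str] = None
    dstip_arp: Optional[str] = None


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Return the fields the rules can match, or None if this is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # only Ethernet/IPv4 ARP is modelled
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac_str(eth_dst), mac_str(eth_src), oper, mac_str(sha),
                    str(IPv4Address(spa)), mac_str(tha), str(IPv4Address(tpa)))


def parse_rule(text: str) -> ArpRule:
    """Parse '<action> arp from <src> to <dst> [srcmac-arp M] [srcip-arp A] [dstmac-arp M] [dstip-arp A]'."""
    t = text.lower().split()
    if len(t) < 6 or t[1] != "arp" or t[2] != "from" or t[4] != "to":
        raise ValueError(f"malformed rule: {text!r}")
    rule = ArpRule(action=t[0], src=t[3], dst=t[5])
    opts = t[6:]
    if len(opts) % 2:
        raise ValueError(f"option without value in {text!r}")
    for key, val in zip(opts[::2], opts[1::2]):
        if key not in OPTION_FIELDS:
            raise ValueError(f"unknown ARP option {key!r}")
        setattr(rule, OPTION_FIELDS[key], val)
    return rule


def _addr_match(spec: str, value: str, local_macs) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return value in local_macs
    return spec == value


def rule_matches(rule: ArpRule, f: ArpFrame, local_macs) -> bool:
    if not _addr_match(rule.src, f.eth_src, local_macs) or not _addr_match(rule.dst, f.eth_dst, local_macs):
        return False
    checks = ((rule.srcmac_arp, f.sha), (rule.srcip_arp, f.spa), (rule.dstmac_arp, f.tha), (rule.dstip_arp, f.tpa))
    return all(spec is None or spec == value for spec, value in checks)


def evaluate(rules, f: ArpFrame, local_macs, default: str = "allow") -> str:
    """First matching rule wins, as in an ordered ipfw rule list."""
    for rule in rules:
        if rule_matches(rule, f, local_macs):
            return rule.action
    return default


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Construct a raw Ethernet/ARP frame for the demo (constructed data, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed)


LOCAL_MACS = {"00:11:43:cd:87:6e"}   # constructed: what "me" resolves to on this host
RULES = [parse_rule(r) for r in (
    "deny arp from 00:11:43:cd:87:6e to 52:54:00:12:34:56 srcmac-arp 52:54:00:12:34:56 dstip-arp 192.9.217.29",
    "deny arp from 52:54:00:12:34:56 to any",
)]


def demo() -> Tuple[str, str, str]:
    # Broadcast request with Ethernet source 52:54:...:56 -> rule 2 (from that MAC to any) denies it.
    f1 = parse_arp_frame(build_arp_frame("ff:ff:ff:ff:ff:ff", "52:54:00:12:34:56", 1,
                                         "52:54:00:12:34:56", "192.9.217.10", "00:00:00:00:00:00", "192.9.217.29"))
    # Ordinary reply from the local host: rule 1's from/to match, but srcmac-arp does not -> allowed.
    f2 = parse_arp_frame(build_arp_frame("52:54:00:12:34:56", "00:11:43:cd:87:6e", 2,
                                         "00:11:43:cd:87:6e", "192.9.217.29", "52:54:00:12:34:56", "192.9.217.10"))
    # Frame whose ARP sender MAC disagrees with its Ethernet source and whose target IP is .29:
    # exactly the combination rule 1 pins down with the ARP-header options -> denied.
    f3 = parse_arp_frame(build_arp_frame("52:54:00:12:34:56", "00:11:43:cd:87:6e", 1,
                                         "52:54:00:12:34:56", "192.9.217.10", "00:11:43:cd:87:6e", "192.9.217.29"))
    return tuple(evaluate(RULES, f, LOCAL_MACS) for f in (f1, f2, f3))


if __name__ == "__main__":
    print(demo())   # ('deny', 'allow', 'deny')
```

The point the model makes explicit is that the "from"/"to" MACs and the "*-arp" options look at two different headers: the Ethernet frame and the ARP body carry their own sender and target addresses, and the separate options let a rule pin down the case where the two disagree, which is not something an L3 ipfw rule could ever see.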

