[IPFW add ARP support] - Request for testing

Gleb Kurtsou gleb.kurtsou at gmail.com
Fri Sep 26 09:12:03 UTC 2008


On Thu, Sep 25, 2008 at 4:49 PM, raffaele.delorenzo at libero.it
<raffaele.delorenzo at libero.it> wrote:
> Hi all,
> In the last 2 weeks I implemented a new filter method inside the ipfw firewall for the ARP protocol.
> My idea for the new method was to create a new "proto" microinstruction exclusively for the ARP protocol, named "arp". This method permits filtering from/to particular MAC addresses to be restricted to the ARP protocol.
>
> Example:
>
>      ipfw add deny arp from 52:54:00:12:34:56 to 00:11:43:cd:87:6e // Deny all ARP packets generated by "from" and destined to "to".
>
> The wildcards "any" and "me" are supported; the semantics are the same as for all the old protocol rules:
>
>      ipfw add deny arp from 00:11:43:cd:87:6e to any
>
>
> Moreover, I implemented some filter methods that restrict the filtering to some ARP header fields:
>
>    1) Source MAC address (srcmac-arp)
>    2) Source IP address (srcip-arp)
>    3) Destination MAC address (dstmac-arp)
>    4) Destination IP address (dstip-arp)
>
> Example:
>
>      ./ipfw add deny arp from 00:11:43:cd:87:6e to 52:54:00:12:34:56 srcmac-arp 52:54:00:12:34:56 dstip-arp 192.9.217.29
>
> To work properly, the ARP implementation requires that ipfw receives packets from Layer 2; in other words, you must set the sysctl variable "net.link.ether.ipfw=1".
>
> I attached the new sources and all diffs with reference to the FreeBSD 7.0 Release source tree. Please let me know what you think about this work and, if possible, test it.
>
> Ciao Ciao
> Raffaele

Just my 2 cents. There is another implementation of ARP filtering with
IPFW available.
It was implemented as a part of Google Summer of Code 2008.
I'm still waiting for a review by Max Laier.

Original message containing the patch to freebsd-net@:
http://lists.freebsd.org/pipermail/freebsd-net/2008-September/019458.html
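The rule semantics Raffaele describes above (an "arp" proto whose from/to match the Ethernet addresses, with srcmac-arp/srcip-arp/dstmac-arp/dstip-arp restricting on the ARP header fields, "any" and "me" wildcards, first-match evaluation) modelled in user space, as an added example that is not part of the thread or of either patch. It parses a raw Ethernet/IPv4 ARP frame and applies rules of that shape; the names ArpRule, arp_verdict and build_arp_frame are mine, the frames and addresses are constructed, and the treatment of "me" as membership in a caller-supplied set of local MACs is an assumption about the intended semantics. The practical point it shows is that the Ethernet source address and the ARP sender hardware address are separate fields that a spoofing host can set differently, so a rule keyed only on from/to does not see what srcmac-arp does.

```python
"""User-space model of the proposed ipfw ARP rules (constructed example,
not the kernel patch): parse an Ethernet/IPv4 ARP frame and run it
through first-match rules keyed on the Ethernet header (from/to) and on
the ARP body fields (srcmac-arp, srcip-arp, dstmac-arp, dstip-arp)."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    eth_src: str      # Ethernet header source: what "from" matches
    eth_dst: str      # Ethernet header destination: what "to" matches
    opcode: int
    sender_mac: str   # ARP sender hardware address: srcmac-arp
    sender_ip: str    # ARP sender protocol address: srcip-arp
    target_mac: str   # ARP target hardware address: dstmac-arp
    target_ip: str    # ARP target protocol address: dstip-arp


def build_arp_frame(eth_src, eth_dst, opcode, sender_mac, sender_ip,
                    target_mac, target_ip) -> bytes:
    """Ethernet II header + 28-byte Ethernet/IPv4 ARP body (RFC 826)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpFrame(eth_src=mac_str(frame[6:12]), eth_dst=mac_str(frame[0:6]),
                    opcode=opcode,
                    sender_mac=mac_str(body[0:6]), sender_ip=ip_str(body[6:10]),
                    target_mac=mac_str(body[10:16]), target_ip=ip_str(body[16:20]))


@dataclass
class ArpRule:
    action: str                       # "deny" or "allow"
    src: str = "any"                  # from: Ethernet source MAC, "any" or "me"
    dst: str = "any"                  # to: Ethernet destination MAC, "any" or "me"
    srcmac_arp: Optional[str] = None  # srcmac-arp
    srcip_arp: Optional[str] = None   # srcip-arp
    dstmac_arp: Optional[str] = None  # dstmac-arp
    dstip_arp: Optional[str] = None   # dstip-arp


def _mac_match(pattern: str, value: str, local_macs: Iterable[str]) -> bool:
    if pattern == "any":
        return True
    if pattern == "me":  # assumed: "me" means one of this host's own MACs
        return value in {m.lower() for m in local_macs}
    return pattern.lower() == value


def rule_matches(rule: ArpRule, f: ArpFrame, local_macs: Iterable[str]) -> bool:
    if not _mac_match(rule.src, f.eth_src, local_macs):
        return False
    if not _mac_match(rule.dst, f.eth_dst, local_macs):
        return False
    checks = ((rule.srcmac_arp, f.sender_mac), (rule.srcip_arp, f.sender_ip),
              (rule.dstmac_arp, f.target_mac), (rule.dstip_arp, f.target_ip))
    return all(want is None or want.lower() == got for want, got in checks)


def arp_verdict(rules, frame: bytes, local_macs=(), default="allow") -> str:
    """First-match evaluation as in ipfw; non-ARP frames fall through to default."""
    f = parse_arp_frame(frame)
    if f is None:
        return default
    for r in rules:
        if rule_matches(r, f, local_macs):
            return r.action
    return default
```

The third test case below is the one worth noting: a frame whose Ethernet source is one host but whose ARP sender hardware address claims to be another passes a from/to rule written for the impersonated host and is caught only by srcmac-arp.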

