how to filter network by MAC and IP at the same time

Christian Hiris 4711 at chello.at
Sat Jun 9 09:12:52 UTC 2012


hi Bill,
afaik, in your case the packets are checked twice against the ipfw-rules - once 
for the layer2-filtering part and a 2nd time for the ip-filtering part.

1st enable filtering on ethernet demux/eth. output frame:
# sysctl net.link.ether.ipfw=1

then start your fw-script:

# -- snippet from fw-script -- #
  fwcmd="/sbin/ipfw"              # defined earlier in the full script
  iif="em0"
  ip_client="192.168.123.45"
  ether_client="88:99:aa:bb:cc:dd"
  ether_broadcast="ff:ff:ff:ff:ff:ff"

  # layer-2 pass: frames still carry the MAC header here
  ${fwcmd} add 10 pass MAC ${ether_broadcast} ${ether_client} via ${iif}
  ${fwcmd} add 20 pass MAC any ${ether_client} via ${iif}
  ${fwcmd} add 21 pass MAC ${ether_client} any via ${iif}
  # ip pass: MAC header is stripped, so match on the IP only
  ${fwcmd} add 30 pass ip from ${ip_client} to any via ${iif}
  ${fwcmd} add 31 pass ip from any to ${ip_client} via ${iif}
# -- snippet from fw-script -- #

this results in:

# ipfw show
00010   1    28 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \
 88:99:aa:bb:cc:dd via em0
00020  74  9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
00021  87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
00030  74  9564 allow ip from 192.168.123.45 to any via em0
00031  86 85290 allow ip from any to 192.168.123.45 via em0
65535 487 35078 deny ip from any to any
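The same two-step procedure (enable layer-2 filtering, then load paired MAC and IP rules) as one complete, runnable script. This is an added example, my code rather than Christian's fw-script or anything from the FreeBSD project; the interface, IP and MAC are constructed sample values, and the DRY_RUN switch, the address validation and the load/print split are my additions, not part of the original:

```sh
#!/bin/sh
# Added example, not the fw-script quoted above: enable layer-2 filtering and
# load the paired MAC + IP rules for one client in the same order as the snippet.
# iif, ip_client and ether_client are constructed sample values. DRY_RUN is a
# hypothetical switch that prints the ipfw commands instead of running them.

iif="em0"
ip_client="192.168.123.45"
ether_client="88:99:aa:bb:cc:dd"
ether_broadcast="ff:ff:ff:ff:ff:ff"

# Reject malformed addresses before loading anything: a mistyped MAC would
# leave rules 10-21 unmatchable while rules 30/31 still pass the IP on its own.
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the rule set that binds one MAC to one IP on one interface.
# Rules 10-21 match on the ether_demux() pass, where the MAC header is still
# present; rules 30/31 match on the ip_input() pass, where it has been stripped.
client_rules() {
  _iif="$1"; _ip="$2"; _mac="$3"
  valid_mac "$_mac" || { echo "bad MAC: $_mac" >&2; return 1; }
  valid_ipv4 "$_ip" || { echo "bad IP: $_ip" >&2; return 1; }
  cat <<EOF
add 10 pass MAC ${ether_broadcast} ${_mac} via ${_iif}
add 20 pass MAC any ${_mac} via ${_iif}
add 21 pass MAC ${_mac} any via ${_iif}
add 30 pass ip from ${_ip} to any via ${_iif}
add 31 pass ip from any to ${_ip} via ${_iif}
EOF
}

# Turn on layer-2 filtering, then feed each generated rule to ipfw.
# With DRY_RUN=1 the sysctl and every ipfw command are printed instead.
load_rules() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    fwcmd="echo ipfw"
    echo "sysctl net.link.ether.ipfw=1"
  else
    fwcmd="/sbin/ipfw"
    sysctl net.link.ether.ipfw=1 || return 1
  fi
  client_rules "$iif" "$ip_client" "$ether_client" | while read -r rule; do
    # word splitting of $rule into ipfw arguments is intended here
    ${fwcmd} ${rule} || exit 1
  done
}

# Usage: sh fw-script.sh load            (loads the rules)
#        DRY_RUN=1 sh fw-script.sh load  (prints what would be loaded)
case "${1:-}" in
  load) load_rules ;;
esac
```

Run it first with DRY_RUN=1 and compare the printed commands against `ipfw show` afterwards; if the MAC or IP is mistyped the script refuses to load anything rather than installing half of the binding.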

Most of this logic is described in the "PACKET FLOW" section in man 
ipfw. 

"Note that as packets flow through the stack, headers can be stripped or
     added to it, and so they may or may not be available for inspection.
     E.g., incoming packets will include the MAC header when ipfw is invoked
     from ether_demux(), but the same packets will have the MAC header
     stripped off when ipfw is invoked from ip_input() or ip6_input()."

Cheers
ch 


On Saturday 09 June 2012, Bill Yuan wrote:
> rule like below
> 
> #allow the traffic whose source mac belongs to the machine
> ipfw add 1 allow all from any to any MAC <MAC ADDR1> any
> #allow the ......  destination mac is that machine
> ipfw add 1 allow all from any to any MAC any <MAC ADDR1>
> ipfw add 1 deny all from any to any
> 
> 
> it is not working, all the traffic will be blocked by the deny !!!  how come?
> 
> 
> 
> On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <freebsd-questions-local at be-well.ilk.org> wrote:
> > Bill Yuan <bycn82 at gmail.com> writes:
> > > i am using freebsd 9.0 as a firewall and i want to filter the traffic
> > > by the mac and the ip at the same time,
> > > 
> > > for example, i only want to allow my laptop <MAC Address 1> to go through the
> > > firewall when it's using IP <IP Address 1>
> > > 
> > > how do i config the firewall rules?
> > > 
> > > 
> > > I tried to configure the firewall by the rule below, but it doesn't
> > > work
> > > 
> > >  ipfw add  1 allow all from <IP Address 1> to any MAC <MAC Address 1> any
> > >  ipfw add  1 allow all from any to <IP Address 1>  MAC any <MAC Address 1>
> > 
> > Well, for one thing if I understand your intent, you have the MAC
> > addresses in the wrong order. Unless your firewall is acting as a
> > bridge, you also need to keep in mind that the MAC addresses are changed
> > when passing through, so those rules will only work on one side (i.e.,
> > you'll need "in via" type rules).
> > 
> > > but it doesn't work. also found the explanation on google, someone
> > > already asked this question before.
> > 
> > I don't understand. Was there a suggested approach or not?
> > 
> > > but I did not find the solution for this requirement.  can someone tell me
> > > how ? thanks in advance.
> > 
> > I can't guarantee this will work, and I don't have any way to test it,
> > but my above comments would suggest something more like:
> > 
> >  ipfw add  1 allow all from <IP Address 1> to any MAC any <MAC Address 1> in via $iif
> >  ipfw add  1 allow all from any to <IP Address 1>  MAC <MAC Address 1> any out via $oif
> > 
> > Good luck.
> 
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions

