simple mac address filter
Robert Klein
RoKlein at roklein.de
Tue Sep 7 13:28:52 PDT 2004
Hi,
On Tuesday, 7 September 2004 15:49, brisbanebsd at mac.com wrote:
> Hi all, I am not sure where to post this question. I am
> trying to set up my first ipfw rule, but I just cannot get it
> to work.
>
> I need to set up MAC filtering on a FreeBSD 5.2.1 box. I am
> using the command
>
> ipfw add allow ip from any to any mac any 00:0d:93:81:82:1e
>
> I am just trying to allow traffic (at this stage) from one machine
> to the FreeBSD box.
>
> If I use
>
> ipfw add allow ip from any to any
>
> I can ping from the above NIC; when I add the first rule (as
> in the first example above) it stops.
Your problem is, you're "mixing" rules. You see, when a packet
enters your computer IPFW (IPFW2, that is) rules are checked
twice, first at layer two, and later at layer three. Your first
rule doesn't allow anything, because it fails at both tests: The
first one fails, because there are no "IP" packets at layer two.
The second one fails, because there are no MAC addresses at
layer three.
To get a better illustration of when the ruleset is checked,
please read the section "PACKET FLOW" in the IPFW(8) man page.
Please ensure you've set the necessary system variables
net.inet.ip.fw.enable=1 and net.link.ether.ipfw=1 to enable
packet checking at level three and two, respectively.
Please see the script below; it is the one I use to allow access
by MAC address. The first rule applying to your case is
$IPFW add allow all from any to any not layer2
which says "pass all IP traffic through". I'm not doing any
filtering at IP level with IPFW2, so I can safely do this. The
next rule is
$IPFW add allow layer2 out via em0
where I'm allowing all traffic out from the filtering box,
regardless of MAC address. The third rule is
$IPFW add allow MAC any 00:0d:93:81:82:1e in via em0
where I allow the MAC stated there to pass the filter. My last
rule there is
$IPFW add deny log logamount 0 MAC any any in via em0
which I use to get a logfile of every user using an unregistered
MAC address...
#!/bin/sh
IPFW=/sbin/ipfw
# ALL="add allow all from any to any MAC any "
# MAC <dst-mac> <src-mac>: "MAC any <addr>" matches on the frame's source MAC
ALL="add allow MAC any "
EM="in via em0"
$IPFW -q flush
$IPFW -q pipe flush
# allow everything not on layer 2
$IPFW add allow all from any to any not layer2
# localhost traffic
$IPFW add allow layer2 via lo0
# outbound interface
$IPFW add allow layer2 via fxp0
# out via em0;
$IPFW add allow layer2 out via em0
# in via em0; hostile internal network
$IPFW $ALL 00:0d:93:81:82:1e $EM
# some 40 other rules like the one before
$IPFW add deny log logamount 0 MAC any any $EM
Regards,
Robert
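As an added example (not Robert's script and not part of the original post), the following sh script generates the same shape of ruleset from a whitelist of MAC addresses: IP is passed untouched at layer 3, the allow/deny decision is made only at layer 2 on the inbound interface, and each address is checked for the colon-separated form ipfw expects before a rule is emitted for it. It assumes a single internal interface (em0, overridable via IFACE), omits the separate outbound interface from Robert's script, and the whitelist addresses are constructed for illustration. Setting IPFW=echo gives a dry run that prints the ipfw commands instead of executing them.

```shell
#!/bin/sh
# Added example: ipfw MAC whitelist built from a list of addresses.
# Assumptions: one filtered interface (em0), IPFW2 with layer-2 checking
# enabled (net.link.ether.ipfw=1) and IP checking enabled
# (net.inet.ip.fw.enable=1). IPFW=echo turns this into a dry run.

IPFW="${IPFW:-/sbin/ipfw}"
IFACE="${IFACE:-em0}"

# Turn on both passes through the ruleset (layer 3 and layer 2).
enable_ipfw_passes() {
    sysctl net.inet.ip.fw.enable=1 net.link.ether.ipfw=1
}

# valid_mac ADDR: accept only the aa:bb:cc:dd:ee:ff form; anything else
# (wrong length, stray characters, non-hex digits) is rejected.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# rules_for LIST: print the complete ruleset, one "add ..." argument
# string per line, for a whitespace- or newline-separated list of MACs.
# Lines starting with '#' in the list are comments; bad addresses are
# reported on stderr and skipped, never turned into a rule.
rules_for() {
    # Layer 3: let all IP through. The MAC decision is made at layer 2,
    # so a rule must not mix "ip from ... to ..." with a MAC match.
    echo "add allow all from any to any not layer2"
    # Layer 2: loopback and everything leaving the box are unrestricted.
    echo "add allow layer2 via lo0"
    echo "add allow layer2 out via $IFACE"
    for mac in $1; do
        case "$mac" in '#'*) continue ;; esac
        if valid_mac "$mac"; then
            # MAC <dst> <src>: match the source address of inbound frames.
            echo "add allow MAC any $mac in via $IFACE"
        else
            echo "skipping malformed MAC address: $mac" >&2
        fi
    done
    # Everything else arriving on the interface is dropped and logged.
    echo "add deny log logamount 0 MAC any any in via $IFACE"
}

# count_rules LIST: number of rules rules_for would install.
count_rules() {
    rules_for "$1" 2>/dev/null | wc -l | tr -d ' '
}

# apply_rules LIST: flush the current ruleset and load the generated one.
apply_rules() {
    $IPFW -q flush
    rules_for "$1" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting into ipfw args is intended
        $IPFW $rule
    done
}

# Constructed sample whitelist: two well-formed addresses and one typo.
WHITELIST="# registered hosts
00:0d:93:81:82:1e
00:11:22:33:44:55
00:0d:93:81:82"

if [ "${1:-}" = "--apply" ]; then
    apply_rules "$WHITELIST"
fi
```

Run with `IPFW=echo sh macfilter.sh --apply` to see the generated ipfw commands without touching the live ruleset; the malformed third address is reported on stderr and produces no rule, so a typo in the whitelist cannot silently widen what is allowed.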